Kaspersky Threat Intelligence
Tracking, analyzing, interpreting and mitigating constantly evolving IT security threats is a massive undertaking. Enterprises across all sectors are facing a shortage of the up-to-the-minute, relevant data they need to help them manage the risks associated with IT security threats.
Kaspersky Threat Intelligence Services include:
- Threat Data Feeds
- CyberTrace
- APT Intelligence Reporting
- Tailored Threat Intelligence Reporting
- Kaspersky Threat Intelligence Portal
- Kaspersky Cloud Sandbox
Threat Data Feeds
Cyber threats are constantly growing in frequency, complexity and obfuscation as attackers try to compromise your defenses. Adversaries currently use elaborate intrusion kill chains, campaigns and customized Tactics, Techniques and Procedures (TTPs) to disrupt your business or damage your clients. It is now clear that protection requires new methods, based on threat intelligence.
Integrating up-to-the-minute threat intelligence feeds, containing information on suspicious and malicious IPs, URLs and file hashes, into existing security controls such as SIEM systems lets security teams automate the initial alert triage process. Each match carries enough context for triage specialists to immediately identify the alerts that need to be investigated, or escalated to Incident Response (IR) teams for further investigation and response.
First-tier security vendors and enterprises use time-honored and authoritative Kaspersky Threat Data Feeds to produce premium security solutions or to protect their business.
Figure 1. Operationalizing External Threat Intelligence
Figure 2. Kaspersky Threat Intelligence Sources
Kaspersky CyberTrace
The number of security alerts processed by Security Operations Center (SOC) Tier 1 analysts every day keeps growing. At this volume, effective alert prioritization, triage and validation becomes nearly impossible: too many blinking lights from numerous security products lead to significant alerts getting buried in the noise, and to analyst burnout. SIEMs, log management and security analytics tools that aggregate security data and correlate related alarms all help to reduce the number of alerts warranting additional examination, but Tier 1 specialists remain extremely overloaded.
Kaspersky CyberTrace provides a set of instruments to operationalize threat intelligence for conducting effective alert triage and initial response:
- Demo threat data feeds from Kaspersky and OSINT feeds are available out-of-the-box
- SIEM connectors for a wide range of SIEM solutions to visualize and manage data about threat detections
- Feed usage statistics for measuring the effectiveness of the integrated feeds
- On-demand lookup of indicators (hashes, IP addresses, domains, URLs) for in-depth threat investigation
- A web user interface providing data visualization, access to configuration, feed management, log parsing rules, blacklists and whitelists
- Advanced filtering for feeds (based on the context provided with each of the indicators, including threat type, geolocation, popularity, time stamps and more) and log events (based on custom conditions)
- Export of lookup results matching data feeds to CSV format for integration with other systems (firewalls, network and host IDS, custom tools)
- Bulk scanning of logs and files
- Command-line interface for Windows and Linux platforms
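The feed-to-SIEM integration described under Threat Data Feeds and the context-based feed filtering, whitelisting and CSV export listed above come down to one loop: filter the feed on its context, extract candidate indicators from each event, look them up, and attach the feed context and a triage decision to every hit. The block below is an added example written for this page, not CyberTrace code and not Kaspersky's feed format: the feed records, whitelist and log lines are constructed, and the context fields (threat, popularity, last_seen, geo), the internal ranges and the escalation policy are this example's own assumptions.

```python
"""Operationalize a threat data feed against log events (added illustration).

Not Kaspersky / CyberTrace code: the feed records, whitelist, log lines and
context fields below are constructed for this example.
"""
import csv
import io
import ipaddress
import re
from datetime import datetime, timedelta, timezone

# Constructed feed records. Real feeds carry richer context; these four fields
# (threat, popularity, last_seen, geo) are this example's own assumption.
FEED = [
    {"type": "ip", "value": "203.0.113.7", "threat": "botnet_cnc",
     "popularity": 5, "last_seen": "2024-03-01T00:00:00Z", "geo": "NL"},
    {"type": "ip", "value": "198.51.100.22", "threat": "scanner",
     "popularity": 1, "last_seen": "2022-01-05T00:00:00Z", "geo": "US"},
    {"type": "hash", "value": "9e107d9d372bb6826bd81d3542a419d6", "threat": "malware",
     "popularity": 4, "last_seen": "2024-02-20T00:00:00Z", "geo": ""},
    {"type": "url", "value": "http://bad.example/payload.exe", "threat": "phishing",
     "popularity": 3, "last_seen": "2024-02-28T00:00:00Z", "geo": "RU"},
]
WHITELIST = {"198.51.100.22"}          # constructed: a known, authorized scanner
LOGS = [                               # constructed log lines
    "2024-03-02T10:00:01Z proxy src=10.0.0.5 dst=203.0.113.7 url=http://bad.example/payload.exe",
    "2024-03-02T10:00:05Z edr host=ws-12 md5=9e107d9d372bb6826bd81d3542a419d6 file=inv.exe",
    "2024-03-02T10:01:00Z fw src=198.51.100.22 dst=10.0.0.9 action=deny",
    "2024-03-02T10:02:00Z proxy src=10.0.0.7 dst=192.0.2.44 url=http://example.com/",
]
NOW = datetime(2024, 3, 2, tzinfo=timezone.utc)
ESCALATE = {"botnet_cnc", "malware"}   # assumed policy: these go straight to IR
INTERNAL = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
URL_RE = re.compile(r"https?://[^\s\"']+")
MD5_RE = re.compile(r"\b[0-9a-f]{32}\b")


def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def filter_feed(feed, now, min_popularity=2, max_age_days=180):
    """Drop rare or stale indicators before matching; index the rest by (type, value)."""
    index = {}
    for rec in feed:
        if rec["popularity"] < min_popularity:
            continue
        if now - parse_ts(rec["last_seen"]) > timedelta(days=max_age_days):
            continue
        index[(rec["type"], rec["value"].lower())] = rec
    return index


def extract_indicators(line):
    """Pull candidate IOCs (url, md5, non-internal IPv4) out of one log line."""
    found = set()
    for m in URL_RE.findall(line):
        found.add(("url", m.lower()))
    for m in MD5_RE.findall(line):
        found.add(("hash", m))
    for m in IP_RE.findall(line):
        try:
            ip = ipaddress.ip_address(m)
        except ValueError:
            continue
        if not any(ip in net for net in INTERNAL):   # never look up our own ranges
            found.add(("ip", m))
    return found


def triage(logs, index, whitelist=frozenset()):
    """One record per feed hit, carrying the feed context and a triage decision."""
    hits = []
    for line in logs:
        for kind, value in sorted(extract_indicators(line)):   # sorted: stable output
            if value in whitelist:
                continue
            rec = index.get((kind, value))
            if rec is None:
                continue
            hits.append({
                "type": kind, "indicator": value, "threat": rec["threat"],
                "popularity": rec["popularity"], "geo": rec["geo"],
                "action": "escalate" if rec["threat"] in ESCALATE else "investigate",
                "event": line,
            })
    return hits


def to_csv(hits):
    """CSV export of matches for firewalls, IDS or ticketing tools."""
    fields = ["type", "indicator", "threat", "popularity", "geo", "action", "event"]
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=fields)
    writer.writeheader()
    writer.writerows(hits)
    return buf.getvalue()


def run_triage():
    return triage(LOGS, filter_feed(FEED, NOW), WHITELIST)


if __name__ == "__main__":
    print(to_csv(run_triage()), end="")
```

Two details matter in practice. Filtering on popularity and last_seen before matching is what keeps a feed from flooding Tier 1 with hits on indicators that were sinkholed two years ago; the thresholds are tunable and should be measured with the feed statistics the page mentions. Excluding your own address ranges and maintaining a whitelist of authorized scanners removes the hits an analyst would otherwise close by hand every day.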
Figure 3. Kaspersky CyberTrace statistics
Figure 4. Kaspersky CyberTrace integration scheme
APT Intelligence Reporting
Kaspersky APT Intelligence Reporting provides:
- Exclusive access to technical descriptions of cutting-edge threats during the ongoing investigation, before public release.
- Insight into non-public APTs. Not all high profile threats are subject to public notification. Some, due to the victims who are impacted, the sensitivity of the data, the nature of the vulnerability-fixing process or associated law enforcement activity, are never made public. But all are reported to our customers.
- Detailed supporting technical data access. Includes an extended list of Indicators of Compromise (IOCs), available in standard formats including OpenIOC or STIX, and access to our YARA rules.
- Continuous APT campaign monitoring. Access to actionable intelligence during the investigation (information on APT distribution, IOCs, C&C infrastructure).
- Addressing technical and nontechnical audiences. Each report contains an executive summary offering C-level oriented and easy to understand information describing the related APT. The executive summary is followed by a detailed technical description of the APT with the related IOCs and YARA rules, giving security researchers, malware analysts, security engineers, network security analysts and APT researchers actionable data to enable a fast, accurate response to the related threat.
- Retrospective analysis. Access to all previously issued private reports is provided throughout the period of your subscription.
- Threat actor profiles with summarized information on the specific threat actor, including suspected country of origin and main activity, malware families used, industries and geographies targeted, and descriptions of all TTPs used, with their mapping to the MITRE ATT&CK Framework.
- MITRE ATT&CK Framework. All TTPs described in the reports are mapped to the MITRE ATT&CK Framework, enabling improved detection and response through developing and prioritizing the corresponding security monitoring use cases, performing gap analyses and testing current defenses against relevant TTPs.
Tailored Threat Intelligence Reporting
Developed using open source intelligence (OSINT), deep analysis of Kaspersky’s expert systems and databases and our knowledge of underground cybercriminal networks, these reports cover areas including:
- Identification of threat vectors: Identification and status analysis of externally accessible critical components of your network – including ATMs, video surveillance and other systems using mobile technologies, employee social network profiles and personal email accounts – that are potential targets for attack.
- Malware and cyber-attack tracking analysis: Identification, monitoring and analysis of any active or inactive malware samples targeting your organization, any past or present botnet activity and any suspicious network based activity.
- Third-party attacks: Evidence of threats and botnet activity specifically targeting your customers, partners and subscribers, whose infected systems could then be used to attack you.
- Information leakage: Through discreet monitoring of underground online forums and communities, we discover whether hackers are discussing attack plans with you in mind or, for example, whether an unscrupulous employee is trading information.
- Current attack status: APT attacks can continue undetected for many years. If we detect a current attack affecting your infrastructure, we provide advice on effective remediation.
Threat Intelligence Portal
Service highlights:
- Trusted Intelligence: A key attribute of Kaspersky Threat Intelligence Portal is the reliability of our threat intelligence data, enriched with actionable context. Kaspersky products lead the field in anti-malware tests, demonstrating the quality of our security intelligence by delivering high detection rates with near-zero false positives.
- Threat Hunting: Be proactive in preventing, detecting and responding to attacks, to minimize their impact and frequency. Track and aggressively eliminate attacks as early as possible. The earlier you can discover a threat – the less damage is caused, the faster repairs take place and the sooner network operations can get back to normal.
- Sandbox Analysis: Detect unknown threats by running suspicious objects in a secure environment, and review the full scope of threat behavior and artifacts through easy-to-read reports.
- Wide Range of Export Formats: Export IOCs (Indicators of Compromise) or actionable context into widely used machine-readable sharing formats, such as STIX, OpenIOC, JSON, YARA, Snort or even CSV, to enjoy the full benefits of threat intelligence, automate operations workflow, or integrate into security controls such as SIEMs.
- Easy-to-use Web Interface or RESTful API: Use the service in manual mode through a web interface (via a web browser) or access via a simple RESTful API as you prefer.
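The IOCs shipped with APT reports (OpenIOC, STIX) and the portal's export formats above both amount to serializing an indicator and its context into something a control can consume. As an added example, not the portal's exporter and not Kaspersky's data model, the block below turns a constructed indicator list into a STIX 2.1 indicator bundle and into Snort rules using only the Python standard library; the record fields, the hypothetical SID base and the choice of which indicator types become network rules are assumptions of this example.

```python
"""Export indicators as STIX 2.1 and Snort rules (added illustration).

Not the portal's exporter: the IOC records, their fields and the SID base are
constructed assumptions for this example. Standard library only.
"""
import json
import uuid
from datetime import datetime, timezone

IOCS = [  # constructed indicator records with minimal context
    {"type": "ip", "value": "203.0.113.7", "threat": "botnet_cnc",
     "first_seen": "2024-02-01T00:00:00Z"},
    {"type": "domain", "value": "bad.example", "threat": "phishing",
     "first_seen": "2024-02-10T00:00:00Z"},
    {"type": "hash", "value": "9e107d9d372bb6826bd81d3542a419d6", "threat": "malware",
     "first_seen": "2024-02-20T00:00:00Z"},
]
NOW = datetime(2024, 3, 2, tzinfo=timezone.utc)
SID_BASE = 1000000      # local Snort rules use SIDs >= 1,000,000; base is assumed

# STIX 2.1 pattern templates per indicator type.
STIX_PATTERNS = {
    "ip": "[ipv4-addr:value = '{v}']",
    "domain": "[domain-name:value = '{v}']",
    "hash": "[file:hashes.MD5 = '{v}']",
}


def stix_id(ioc):
    """Deterministic id: re-exporting the same IOC yields the same object id,
    so a consumer can deduplicate instead of accumulating copies."""
    return "indicator--" + str(uuid.uuid5(uuid.NAMESPACE_URL, f"{ioc['type']}:{ioc['value']}"))


def stix_indicator(ioc, now):
    ts = now.strftime("%Y-%m-%dT%H:%M:%S.000Z")
    return {
        "type": "indicator",
        "spec_version": "2.1",
        "id": stix_id(ioc),
        "created": ts,
        "modified": ts,
        "name": f"{ioc['threat']} {ioc['type']} {ioc['value']}",
        "indicator_types": ["malicious-activity"],
        "pattern": STIX_PATTERNS[ioc["type"]].format(v=ioc["value"]),
        "pattern_type": "stix",
        "valid_from": ioc["first_seen"],
        "labels": [ioc["threat"]],
    }


def stix_bundle(iocs, now):
    return {"type": "bundle", "id": "bundle--" + str(uuid.uuid4()),
            "objects": [stix_indicator(i, now) for i in iocs]}


def stix_json(iocs, now):
    return json.dumps(stix_bundle(iocs, now), indent=2)


def dns_content(domain):
    """Wire-format DNS name as a Snort content match, e.g. |03|bad|07|example|00|."""
    return "".join(f"|{len(label):02x}|{label}" for label in domain.split(".")) + "|00|"


def snort_rules(iocs, sid_base=SID_BASE):
    """Only network-observable IOCs become rules; file hashes are skipped."""
    rules = []
    for ioc in iocs:
        sid = sid_base + len(rules)
        msg = f'msg:"TI {ioc["threat"]} {ioc["type"]} {ioc["value"]}"'
        if ioc["type"] == "ip":
            rules.append(f'alert ip $HOME_NET any -> {ioc["value"]} any ({msg}; sid:{sid}; rev:1;)')
        elif ioc["type"] == "domain":
            rules.append(f'alert udp $HOME_NET any -> any 53 ({msg}; '
                         f'content:"{dns_content(ioc["value"])}"; nocase; sid:{sid}; rev:1;)')
    return rules


if __name__ == "__main__":
    print(stix_json(IOCS, NOW))
    print("\n".join(snort_rules(IOCS)))
```

The two outputs serve different consumers: the STIX bundle keeps the context (threat label, first seen) for a TIP or SIEM, while the Snort rules deliberately drop anything a sensor cannot observe on the wire, which is why the hash produces no rule. Generating indicator ids from the indicator value rather than at random is what allows a daily re-export to update existing objects instead of duplicating them.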
Cloud Sandbox
Key Features (behavior and artifacts recorded for each submitted object):
- Loaded and run DLLs
- Created mutual-exclusion objects (mutexes)
- Modified and created registry keys
- External connections with domain names and IP addresses
- HTTP and DNS requests and responses
- Processes created by the executed file
- Created, modified and deleted files
- Process memory dumps and network traffic dumps (PCAP)
- Screenshots
- Detailed threat intelligence with actionable context for every revealed indicator of compromise (IOC)
- RESTful API and much more
Key Benefits:
- Advanced detection of APTs, targeted and complex threats
- A workflow allowing the running of highly effective and complex incident investigations
- Scalability without the need to purchase costly appliances or worry about system resources
- Seamless integration and automation of your security operations