Kaspersky has released its new threat intelligence solution aimed at helping SOC analysts and incident responders attribute malware samples to previously revealed APT groups. Using its proprietary method, Kaspersky Threat Attribution Engine matches a discovered malicious code against one of the biggest databases of malware in the industry, and, based on the code similarities, links it to a specific APT group or campaign. This information helps security experts prioritize high-risk threats over less serious incidents.
By knowing who is attacking their company, and for what purpose, security teams can quickly come up with the most tailored incident response plan for the attack. However, unveiling the actor who is behind an attack is a challenging task, which requires not only a large amount of collected threat intelligence (TI) but also the right skills to interpret it. To automate the classification and identification of sophisticated malware, Kaspersky presents its new Kaspersky Threat Attribution Engine.
The solution has evolved from an internal tool used by Kaspersky’s Global Research and Analysis Team (GReAT), a world-renowned team of experienced threat hunters. For example, Kaspersky Threat Attribution Engine was leveraged in the investigation of the iOS implant LightSpy, TajMahal, ShadowHammer, ShadowPad and Dtrack campaigns.
In order to determine if a threat is related to a known APT group or campaign and identify which one, Kaspersky Threat Attribution Engine automatically decomposes a newly found malicious file into small binary pieces. After that, it compares these pieces with the ones from Kaspersky’s collection of more than 60,000 APT-related files. For more accurate attribution, the solution also incorporates a large database of whitelisted files. This significantly improves the quality of the malware triage and attack identification and facilitates incident response.
Depending on how similar the analyzed file is to the samples in the database, Kaspersky Threat Attribution Engine calculates its reputational score and highlights its possible origin and author with a short description and links to both private and public resources, outlining the previous campaigns. Kaspersky APT Intelligence Reporting subscribers can see a dedicated report on tactics, techniques and procedures used by the identified threat actor, as well as further response steps.
Kaspersky Threat Attribution Engine is designed to be deployed on a customer’s network, “on premise”, rather than in a third-party cloud environment. This approach grants a customer control over data sharing.
In addition to the threat intelligence available “out of the box”, customers can create their own database and fill it with malware samples found by in-house analysts. That way, Kaspersky Threat Attribution Engine will learn to attribute malware analogous with those in a customer’s database while keeping this information confidential.
“There are several ways to reveal who is behind an attack. For example, analysts can rely on artifacts in the malware, which can determine attackers’ native language, or IP addresses that suggest where they might be located. However, it’s not a problem for a skilled attacker to manipulate these, leading a researcher to become bogged down in an investigation, as we have already seen in many cases. Our experience shows that the best way is to look for shared code that the samples have in common with others identified in previous incidents or campaigns. Unfortunately, such manual investigation may take days or even months. To automate and speed up this task, we created Kaspersky Threat Attribution Engine, which is now available for the company’s customers,” comments Costin Raiu, Director Global Research & Analysis Team at Kaspersky.
About Kaspersky
Kaspersky is a global cybersecurity company founded in 1997. Kaspersky’s deep threat intelligence and security expertise is constantly transforming into innovative security solutions and services to protect businesses, critical infrastructure, governments and consumers around the globe. The company’s comprehensive security portfolio includes leading endpoint protection and a number of specialized security solutions and services to fight sophisticated and evolving digital threats. Over 400 million users are protected by Kaspersky technologies and we help 250,000 corporate clients protect what matters most to them. Learn more at www.kaspersky.com.
© Press Release 2020
Disclaimer: The contents of this press release was provided from an external third party provider. This website is not responsible for, and does not control, such external content. This content is provided on an “as is” and “as available” basis and has not been edited in any way. Neither this website nor our affiliates guarantee the accuracy of or endorse the views or opinions expressed in this press release.
The press release is provided for informational purposes only. The content does not provide tax, legal or investment advice or opinion regarding the suitability, value or profitability of any particular security, portfolio or investment strategy. Neither this website nor our affiliates shall be liable for any errors or inaccuracies in the content, or for any actions taken by you in reliance thereon. You expressly agree that your use of the information within this article is at your sole risk.
To the fullest extent permitted by applicable law, this website, its parent company, its subsidiaries, its affiliates and the respective shareholders, directors, officers, employees, agents, advertisers, content providers and licensors will not be liable (jointly or severally) to you for any direct, indirect, consequential, special, incidental, punitive or exemplary damages, including without limitation, lost profits, lost savings and lost revenues, whether in negligence, tort, contract or any other theory of liability, even if the parties have been advised of the possibility or could have foreseen any such damages.
