Professional Documents
Culture Documents
Threat Intelligence
Kaspersky Threat Intelligence
The challenge
Tracking, analyzing, interpreting Threat Intelligence from Kaspersky gives you access to the
and mitigating constantly intelligence you need to mitigate cyberthreats, provided by our
evolving IT security threats world-leading team of researchers and analysts.
is a massive undertaking.
Enterprises across all sectors
are facing a shortage of the up- Kaspersky’s knowledge, experience and deep intelligence on every
to-the-minute, relevant data aspect of cybersecurity has made it the trusted partner of the
they need to help them manage world’s premier law enforcement and government agencies, including
the risks associated with IT INTERPOL and leading CERTs. Kaspersky Threat Intelligence gives
security threats. you instant access to technical, tactical, operational and strategic
Threat Intelligence.
Threat
CyberTrace
Lookup
Kaspersky
Threat Threat Threat Analysis
Data Feeds
Intelligence
Takedown Service
Kaspersky Threat Data Feeds
Cyberattacks happen every day. Cyberthreats are constantly
growing in frequency, complexity and obfuscation, as they try to
compromise your defenses. Adversaries use complicated intrusion
kill chains, campaigns and customized Tactics, Techniques and
Procedures (TTPs) to disrupt your business or damage your
customers. It’s clear that protection requires new methods, based on
threat intelligence.
IP REPUTATION FEED
Contextual data
Every record in each Data Feed is enriched with actionable context
(threat names, timestamps, geolocation, resolved IP addresses of
infected web resources, hashes, popularity etc). Contextual data
helps reveal the ‘bigger picture’, further validating and supporting
the wide-ranging use of the data. Set in context, the data can more
readily be used to answer the 'who, what, where, when' questions
to identify your adversaries, and help you make quick decisions and
take action.
Highlights Collection and processing
Data Feeds are aggregated from fused, heterogeneous and highly
reliable sources, such as Kaspersky Security Network and our own
web crawlers, Botnet Monitoring service (24/7/365 monitoring of
botnets and their targets and activities), spam traps, research teams
and partners.
Data Feeds are automatically generated
in real time, based on findings across
the globe (Kaspersky Security Network Then, in real-time, all the aggregated data is carefully inspected and
provides visibility to a significant refined using multiple preprocessing techniques, such as statistical
percentage of all internet traffic, covering
tens of millions of end-users in more than criteria, sandboxes, heuristics engines, similarity tools, behavior
213 countries) providing high detection profiling, analyst validation and allowlisting verification.
rates and accuracy
Ease of implementation. Supplementary Simple lightweight dissemination formats Data Feeds littered with false positives
documentation, samples, a dedicated (JSON, CSV, OpenIoC, STIX) via HTTPS, are valueless, so very extensive tests
technical account manager and technical TAXII or ad-hoc delivery mechanisms and filters are applied before releasing
support from Kaspersky all combine to support easy integration of feeds into feeds, to ensure that 100% vetted data
enable straightforward integration security solutions is delivered
Hundreds of experts, including security All feeds are generated and monitored
analysts from across the globe, world- by a highly fault-tolerant infrastructure,
renowned security experts from GReAT ensuring continuous availability
and R&D teams contribute to generating
these feeds. Security officers receive
critical information and alerts generated
from the highest quality data, with no risk
of being deluged by superfluous indicators
and warnings
Benefits
Reinforce your network defense Improve and accelerate your incident Prevent the exfiltration of sensitive assets
solutions, including SIEMs, Firewalls, response and forensic capabilities by and intellectual property from infected
IPS/IDS, Security Proxy, DNS solutions, automating the initial triage process while machines to outside the organization.
Anti-APT, with continuously updated providing your security analysts with Detect infected assets fast to protect
Indicators of Compromise (IOCs) and enough context to immediately identify your brand reputation, maintain your
actionable context to deliver insights alerts that need to be investigated or competitive advantage and secure
into cyberattacks and provide a greater escalated to incident response teams for business opportunities
understanding of the intent, capabilities further investigation and response
and targets of your adversaries. Leading
SIEMs (including HP ArcSight, IBM
QRadar, Splunk etc.) and TI Platforms are
fully supported
As an MSSP, grow your business by providing industry-leading threat intelligence as a premium service to your customers. As a CERT, enhance
and extend your cyberthreat detection and identification capabilities
Kaspersky CyberTrace
By integrating up-to-the-minute machine-readable threat
intelligence into existing security controls like SIEM systems,
Security Operation Centers can automate the initial triage process
while providing their security analysts with enough context to
immediately identify alerts that need to be investigated or escalated
to incident response teams for further investigation and response.
However, the continuing growth in the number of threat data feeds
and available threat intelligence sources makes it difficult for
organizations to determine what information is relevant for them.
Threat intelligence is provided in different formats and includes a
huge number of Indicators of Compromise (IoCs), making it hard for
SIEMs or network security controls to digest them.
SIEM aggregates logs from different network devices CyberTrace rapidly matches incoming
and IT systems and sends the events with URLs, events with feeds and sends detected
hashes and IPs to the correlation service for analysis events to SIEM and CyberTrace Web
Forwarded
events
2
1 Kaspersky
Log sources Raw logs
3 Threat Data Feeds,
Detection commercial feeds, OSINT
SIEM events CyberTrace
feeds, custom feeds
Objects Sources
to analyze
Kaspersky Security
Network
Files CONTEXTUAL
LOOKUP RAW DATA
INTELLIGENCE
Web crawlers
URLs
Spam traps
Automated
Correlation Botnet monitoring
Domains
Passive DNS
Web Service
IP addresses • Is it malicious?
• Are we under threat? Sensors
INCIDENT
RESPONSE • What is it designed to do?
• What relationships does it have? Security partners
Hashes
Highlights
Trusted Intelligence: A key attribute Threat hunting: Be proactive in preventing, Incident investigations: A Research
of Kaspersky Threat Lookup is the detecting and responding to attacks, Graph boosts incident investigations
reliability of our threat intelligence to minimize their impact and frequency. by letting you visually explore data and
data, enriched with actionable context. Track and aggressively eliminate attacks detections stored in Threat Lookup. It
Kaspersky leads the field in anti-malware as early as possible. The earlier you can provides a graphic visualization of the
tests1, demonstrating the unequalled discover a threat, the less damage is relationship between URLs, domains, IPs,
quality of our security intelligence by caused, the faster repairs take place and files and other contexts so you can better
delivering the highest detection rates, the sooner network operations can get understand the full scope of an incident
with near-zero false positives back to normal and identify its root cause.
Master search: Search for information Easy-to-use Web interface or RESTful API: Wide range of export formats: Export
across all active threat intelligence Use the service in manual mode through IOCs (Indicators of Compromise) or
products and external sources (including a web interface (via a web browser) or actionable context into widely used and
OSINT IoCs, Dark Web and Surface Web) access via a simple RESTful API as you more organized machine-readable sharing
in a single and powerful interface. prefer formats, such as STIX, OpenIOC, JSON,
Yara, Snort or even CSV, to reap the full
benefits of threat intelligence, automate
operations workflow, or integrate with
security controls such as SIEMs
Benefits
Conduct deep searches into threat Diagnose and analyze security incidents Boost your incident response and threat
indicators with highly-validated threat on hosts and the network more efficiently hunting capabilities to disrupt the kill
context that lets you prioritize attacks and and effectively, and prioritize signals from chain before critical systems and data are
focus on mitigating the threats that pose internal systems against unknown threats compromised
the most risk to your business
1
kaspersky.com/top3
Now you can
Look up threat indicators from Examine advanced details Check whether the discovered
a web-based interface or via including certificates, object is widespread or unique
the RESTful API commonly used names, file
paths, or related URLs to
discover new suspicious
objects
Default and
advanced settings
for optimized
performance
Advanced detection of
Advanced APTs, targeted and
analysis of files in complex threats
various formats
Kaspersky
Cloud Scalability, with no need to
purchase costly appliances
Sandbox
Advanced
anti-evasion and
human simulation
techniques
Proactive threat detection and mitigation
Comprehensive Malware uses a variety of methods to disguise its execution
from being detected. If the system does not meet the required
reporting parameters, the malicious program will almost certainly destroy
itself, leaving no trace. For the malicious code to execute, the
sandboxing environment must be capable of accurately mimicking
normal end-user behavior.
Our experts will also alert you immediately to any changes they
detect in the tactics of cybercriminal groups. You will also have
access to Kaspersky’s complete APT reports database, another
powerful research and analysis component in your security defenses.
Benefits
Kaspersky Digital Footprint Intelligence The product is available on the Kaspersky Search the Surface and Dark Web for near
uses OSINT techniques combined with Threat Intelligence Portal. You can real-time information on global security
automated and manual analysis of the purchase four quarterly reports with events that are threatening your assets
Surface, Deep and Dark Web, plus the annual real-time threat alerts or purchase as well as for exposed sensitive data on
internal Kaspersky knowledge base a single report with alerts active for six restricted underground communities
to provide actionable insights and months. and forums. Annual license includes 50
recommendations. searches a day across external sources
and Kaspersky's knowledge base.
Your
unstructured
data
• IP addresses
• Company domains
• Brand names
Network perimeter inventory • Keywords
(including cloud)
• Available services
• Service fingerprinting
• Identification of vulnerabilities
• Exploit analysis
• Scoring and risk analysis
Real-time search
across Kaspersky’s, Analytical 10 takedown
reports Threat alerts
Surface and Dark requests a year
Web sources
Kaspersky ICS Threat Intelligence
Reporting
Kaspersky ICS Threat Intelligence Reporting provides in-depth
intelligence and greater awareness of malicious campaigns targeting
industrial organizations, as well as information on vulnerabilities
found in the most popular industrial control systems and underlying
technologies. Reports are delivered via a web-based portal, which
means you can start using the service immediately.
1. APT reports. Reports on new APT and high- 3. Vulnerabilities found. Reports on
volume attack campaigns targeting industrial vulnerabilities identified by Kaspersky in the
organizations, and updates on active threats. most popular products used in industrial control
systems, the industrial internet of things, and
2. The threat landscape. Reports on significant infrastructures in various industries.
changes to the threat landscape for industrial
control systems, newly discovered critical 4. Vulnerability analysis and mitigation. Our
factors affecting ICS security levels and ICS advisories provide actionable recommendations
exposure to threats, including regional, country- from Kaspersky experts to help identify and
and industry-specific information. mitigate vulnerabilities in your infrastructure.
Perform Leverage
a vulnerability assessment of your industrial information on attack technologies, tactics
environments and assets based on accurate and procedures, recently discovered
assessments of the vulnerability scope and vulnerabilities and other important threat
severity, to make informed decisions on landscape changes to:
patch management and implement other
preventative measures recommended by • Identify and assess the risks posed by the reported
Kaspersky threats and other similar threats
• Plan and design changes to industrial
infrastructure to ensure the safety of production
and the continuity of technological process
• Perform security awareness activities based on
analysis of real-world cases to create personnel
training scenarios and plan red team vs. blue team
exercises
• Make informed strategic decisions to invest in
cybersecurity and ensure resilience of operations
Kaspersky Ask the Analyst
Continuous Cybercriminals are constantly developing sophisticated ways of
attacking businesses. Today’s volatile and fast-growing threat
threat research landscape features increasingly agile cybercrime techniques.
enables Kaspersky Organizations face complex incidents caused by non-malware
to discover, infiltrate and attacks, fileless attacks, living-off-the-land attacks, zero-day
monitor closed communities exploits — and combinations of all of these built into complex threats,
and dark forums worldwide APT-like and targeted attacks.
frequented by adversaries
and cybercriminals.
Our analysts leverage this
access to proactively detect
and investigate the most
damaging and notorious In an age of business-crippling cyberattacks,
threats, as well as threats cybersecurity professionals are more important
tailored to target specific
organizations
than ever, but finding and retaining them isn’t
easy. And even if you have a well-established
cybersecurity team, your experts can’t
always be expected to fight the war against
sophisticated threats alone — they need to be
able to call on expert third-party assistance.
External expertise can shed light on the likely
paths of complex attacks and APTs, and deliver
actionable advice on the most decisive way
Ask the Analyst to eliminate them.
Deliverables
(Unified request-based
subscription)
The Kaspersky Ask the Analyst service extends our Threat
Intelligence portfolio, enabling you to request guidance and insights
into specific threats you’re facing or interested in. The service tailors
Kaspersky’s powerful threat intelligence and research capabilities
to your specific needs, enabling you to build resilient defenses
against threats targeting your organization.
Solution
Kaspersky blocks more than 15 000 phishing/scam URLs and
prevents over a million attempts clicking such URLs every single day.
Global coverage Our many years of experience in analyzing malicious and phishing
domains means we know how to collect all the necessary evidence
It doesn’t matter where a malicious
or phishing domain is registered, to prove that they are malicious. We'll take care of your takedown
Kaspersky will request its takedown from management and enable swift action to minimize your digital risk
the regional organization with the relevant so your team can focus on other priority tasks.
legal authority.
Complete visibility
How it works
You will be notified at each stage of the
process, from registration of your request
You can submit your requests via Kaspersky Company Account,
to a successful takedown. our corporate customer support portal. We will prepare all the
necessary documentation and will send the request for takedown
to the relevant local/regional authority (CERT, registrar, etc.) that has
the necessary legal rights to shut down the domain. You will receive
notifications at every step of the way until the requested resource
is successfully taken down.
www.kaspersky.com