
— Kaspersky Anti Targeted Attack (KATA) Platform is a tool for deep analysis of the organization's network traffic that uses technologies such as Sandbox, IDS, anti-malware scanning, reputation lookup and YARA.

— Kaspersky Endpoint Detection and Response (KEDR) helps to collect and analyze data about activities on the network endpoints, identify dangerous activities, contain an attack and eradicate indicators of compromise with remote response tools.
• KATA Platform includes the following servers:
— Central Node
— Sensor
— Sandbox

— Kaspersky Security Center (KSC) 12, because it provides the most convenient ways to install and configure Kaspersky Endpoint Agent. We use the KSC MMC console in this course, since connection to the Central Node is only implemented in the MMC plug-in for KEA.

— Kaspersky Endpoint Security (KES) for Windows 11.4, because KEA 3.9 is supplied within KES 11.4 and the main Endpoint Agent deployment scenario for many customers will be to install KEA 3.9 as part of KES 11.4.
• Why are solutions like KATA and KEDR necessary?

• Nowadays, attackers often use tools built into the operating system and popular programs. This makes detecting traces of an attack extremely difficult. In general, only the organization's IT and information security officers can differentiate between legitimate and malicious use of administration tools.
• No algorithm can do this accurately and efficiently enough. That is why traditional protection solutions, designed to be as autonomous as possible and to block threats without the help of IT and IS experts, cannot stop such attacks.
• Higher-end solutions such as KATA and KEDR are needed that can detect potentially dangerous activity on computers and on the network and provide analysts with a wider context for quick and accurate incident classification, so they understand what they are dealing with: an attack or legitimate activity.

• In today's world, it is extremely difficult to keep the internal infrastructure of a company secret. Malefactors can easily find out what protection a company has. Attackers can manipulate the code of their tools until they become invisible to the security solutions used in the target organization. After that, network penetration is a matter of delivering malicious modules to the employees' mailboxes: finding employees, finding out their role at the company and creating plausible messages that would attract their attention.
• Endpoint protection solutions are not enough to counter these attacks. The capability of endpoint protection solutions to employ sophisticated threat analysis is limited by the resources of a personal computer. Detection of custom-built malware requires more powerful analysis tools such as the Sandbox, which is included with KATA and KEDR. The ability to match the activity of unknown programs against known techniques employed by cybercriminals is also required.

• Officers need an effective strategy for detecting indicators of attack within the framework of their overall security strategy to be able to efficiently counter these threats. And this strategy must be backed up by effective tools like KATA and KEDR that gather and analyze information about the activity that takes place on the network and endpoints.
• The Kill Chain attack model
• To understand how dedicated solutions help to detect targeted attacks, we
need to investigate the stages involved in the attack. Imagine cybercriminals
who have been hired to steal bank card numbers. To retrieve the numbers,
they decide to attack a chain of fast-food restaurants or supermarkets. The
high number of outlets, customers and bankcard transactions looks
attractive.
• 1. Reconnaissance

• The cybercriminals begin by gathering information about the organization from open sources, social networks, etc. They are interested in everything to do with business processes, IT/IS systems and company problems. On the company's website or a job search website, they find information about vacancies in the IT or IS department with a description of the systems that candidates need to know. On LinkedIn, there are details of IT staff, including their skills and successfully completed projects. Next they find these people on Facebook and learn even more about what they do at the company. It is possible to go even further and find ex-employees who have been fired and feel offended: they are likely to tell a lot of interesting details. Finally, using free tools such as DNS lookup, they get information about the company's IP addresses and external resources.
• Now the cybercriminals know everything they need about the operating systems, applications, anti-malware and anti-spam protection, firewalls, DBMS and other systems used by the organization. In short, they know what to attack and which security mechanisms need to be bypassed.
2. Weaponization
The cybercriminals select the method of attack and prepare the tools to execute it. Suppose it is a PDF document with a proposal for collaboration on a new product. They know which anti-malware applications are used to protect endpoints and mail servers. Therefore, they only need to prepare a malicious object able to evade one or a few particular security products, which simplifies the task. The cybercriminals find an exploit kit and, after a few test runs, create a PDF file that escapes detection by the anti-malware applications installed at the victim company. When a company employee receives and opens the file, it will exploit a vulnerability in the PDF reader software to establish a connection to the C&C center over the internet at an address registered in advance. The result will be full access to the computer.
3. Delivery
• At the third stage, the malicious object is delivered to a company employee. This is where social engineering comes into play. Through the corporate website or social networks, or even by ringing the company's call center, the criminals make a list of employees who deal with new suppliers. The cybercriminal phones one of them, tells a "story," and forwards a business proposal, that same PDF file.
• If the cybercriminals are in luck, the malicious file will reach the recipient intact. The user opens the file, inadvertently infecting the machine and establishing a connection to the C&C center. If this does not occur, the criminals will need to phone the employee once more to find out what happened. If the file was blocked by an anti-malware application or the message was not delivered, the cybercriminal can cite problems with the mail system and offer to send the file to the private mail account of the employee, who will then open it at the office or at home on the work laptop. In this instance, there are fewer levels of protection, so the chances of delivery are higher.
4. Installation and spreading
As soon as the employee receives the file and opens it, the system becomes infected. Then the malware modules propagate throughout the network under the criminals' control and infect other machines.

5. Command and control
The infected computers establish a connection to the C&C server. Now the cybercriminals have control over the computers, including systems used to perform banking operations.
6. Accomplish the task
The cybercriminals achieve the objective: obtain the details of thousands of bank cards and sell them to the customer who ordered the crime.

7. Disappearance
The final stage is to erase all traces of the operation: files, log records, etc. This phase is optional and is not always carried out. One of the specifics of targeted attacks is that they pursue not only near-term, but also long-term aims. In this case, the near-term objective is to steal a database with the users' financial details. The long-term objective is to keep doing it in future.
• The only option here is to consider a new approach to protection, using not only tools for blocking particular malicious objects or network packets, but also tools able to detect indicators of targeted attacks against the organization. In any event, company employees need to be made more aware of IT threats. The fight against targeted attacks involves a set of technical tools and measures.
• KATA and KEDR help combat attacks from penetration to eradication. Almost any malicious activity leaves traces on the network endpoints and in the traffic. Our solutions are effective in each phase:
— Penetration is most often performed through email or social networks: attackers send a malicious module or a link to a malicious resource. KATA thoroughly checks links and files in traffic and mail messages, analyzes the behavior of executable files in a virtual environment and matches links and IP addresses against known resources that participated in previous attacks of various cybercriminal groups.
— At the Installation & Spreading stage, malefactors try to manually or automatically ensure that malicious modules are always present on the network endpoints. There is a considerable but limited number of methods to run a program in the operating system; KEDR agents monitor all these methods.
— Malicious modules inevitably establish or accept network connections to provide command and control. KATA can detect connections to known malicious resources and scan traffic for data typical of remote control. KEDR monitors network operations on endpoints and permits correlating them with other activity.
— Attackers may aim at disrupting the organization's operation, stealing data or using the organization's computational resources for their purposes. Activity of this kind is initiated by remote commands (KATA), implemented via characteristic operations on endpoints (KEDR) and may result in sending data outside the organization (KATA).
— Finally, covering up the traces means deleting files from the drive, values from the registry and log entries. Kaspersky Endpoint Detection & Response tracks all these actions.
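The correlation described above, where a process start, a network connection and an autostart write on one endpoint are judged together rather than one by one, as an added example. This is not Kaspersky code and does not use the KEDR telemetry format: the Event schema, the host names, PIDs, the 203.0.113.7 address (a documentation range) and the registry paths are all constructed for illustration. The rule tracks processes spawned by a document reader and reports those that, within a short window, both opened a connection and registered themselves in an autostart location.

```python
"""Correlate endpoint telemetry into a finding.

Added example for this page; it is not Kaspersky EDR code. The Event schema,
host names, PIDs, the 203.0.113.7 address (documentation range) and the
registry paths are constructed and are not the KEDR telemetry format.
"""
from dataclasses import dataclass
from typing import Iterable


@dataclass(frozen=True)
class Event:
    ts: int            # seconds since epoch (constructed)
    host: str
    kind: str          # "process" | "network" | "registry"
    pid: int           # process performing the action (or being started)
    image: str = ""    # image name of that process
    parent: str = ""   # parent image name, only for "process" events
    detail: str = ""   # remote address, registry value path, or command line


# Document readers and mail clients: the usual first hop of a phishing attachment.
DOCUMENT_READERS = {"winword.exe", "excel.exe", "powerpnt.exe",
                    "acrord32.exe", "outlook.exe"}

# Autostart locations are among the "limited number of methods to run a program"
# that an endpoint agent watches. Compared case-insensitively as substrings.
AUTOSTART_MARKERS = ("\\currentversion\\run", "\\currentversion\\runonce")


def correlate(events: Iterable[Event], window: int = 300) -> list[dict]:
    """Return one finding per process that was spawned by a document reader and,
    within `window` seconds of its start, both opened a network connection and
    wrote an autostart value. Events may arrive unordered; they are sorted by ts."""
    tracked: dict[tuple[str, int], dict] = {}
    for e in sorted(events, key=lambda ev: ev.ts):
        key = (e.host, e.pid)
        if e.kind == "process":
            if e.parent.lower() in DOCUMENT_READERS:
                tracked[key] = {"start": e.ts, "image": e.image,
                                "net": None, "persist": None}
            else:
                tracked.pop(key, None)  # PID reused by an unrelated process
            continue
        state = tracked.get(key)
        if state is None or e.ts - state["start"] > window:
            continue  # untracked process, or outside the correlation window
        if e.kind == "network":
            state["net"] = e.detail
        elif e.kind == "registry" and any(m in e.detail.lower()
                                          for m in AUTOSTART_MARKERS):
            state["persist"] = e.detail
    return [{"host": host, "pid": pid, "image": st["image"],
             "remote": st["net"], "persistence": st["persist"]}
            for (host, pid), st in tracked.items()
            if st["net"] and st["persist"]]


# Constructed sample telemetry: one attack-like chain and two benign look-alikes.
SAMPLE = [
    Event(1000, "ws-17", "process", 4120, image="rundll32.exe", parent="acrord32.exe",
          detail="rundll32.exe C:\\Users\\u1\\AppData\\Local\\Temp\\upd.dll,Start"),
    Event(1003, "ws-17", "network", 4120, image="rundll32.exe", detail="203.0.113.7:443"),
    Event(1009, "ws-17", "registry", 4120, image="rundll32.exe",
          detail="HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Updater"),
    # Word opens a hyperlink in a browser: network activity, no persistence.
    Event(1100, "ws-22", "process", 5000, image="chrome.exe", parent="winword.exe"),
    Event(1101, "ws-22", "network", 5000, image="chrome.exe", detail="198.51.100.2:443"),
    # Installer started from Explorer registers an autostart: no document-reader parent.
    Event(1200, "ws-30", "process", 6000, image="setup.exe", parent="explorer.exe"),
    Event(1201, "ws-30", "registry", 6000, image="setup.exe",
          detail="HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Agent"),
]

if __name__ == "__main__":
    for finding in correlate(SAMPLE):
        print(finding)
```

Only the ws-17 chain is reported: the browser on ws-22 never persists, and the installer on ws-30 was not started by a document reader. The window matters in both directions: too short and a slow-starting implant is missed, too long and PID reuse can stitch unrelated processes together, which is why a new process event on the same PID clears the tracked state.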
• Adaptive security strategy
- Prevent: a set of policies, products and processes that prevent an attack. The main
purpose of this category is to reduce the attack surface and block dangerous activity
before harm is done to the company.
- Detect: functionality for detecting attempted and actual intrusions missed by tools in the previous category due to the active use of masking techniques. The main purpose of this category is to detect the spread of an attack to minimize the damage. Ideally, the company should presume it is under attack already, with systems having been compromised.
- Respond: the skills and tools required for investigating and eliminating problems
detected by the solution in the previous category. The results of the investigation
should propose measures to avoid such situations in future.
- Predict: the ability of the organization to find out about new threats and trends from
external sources. Such information facilitates a proactive response to new threats and
changing priorities through modifications to the prevention and detection methods.
• Optimum vs expert framework
• Universal agent
• Kaspersky Endpoint Detection & Response:
• Collects endpoint activity data (telemetry)
• Automatically checks telemetry for suspicious activity using the Targeted Attack Analyzer technology
• Publishes detected suspicious activity in the web console
• Enables information security officers to actively hunt for threats using the
telemetry database
• Provides tools to remotely respond to an incident:
• Isolate the host from the network
• Prevent file execution
• Delete a file
• Quarantine a file
• Upload a file to the centralized storage
• Kill a process
• Run a program

• Applies various detection technologies to files in the centralized storage: anti-malware scanning, reputation check, digital signature check, emulation in a virtual environment, YARA
• Permits searching Kaspersky Threat Intelligence Portal for additional
information about the detected objects
• Permits searching the telemetry database and endpoints for indicators of
compromise
• KATA/KEDR include the following applications:

• Sensors are used for integration with the customer's network infrastructure. A Sensor receives network, web and mail traffic, performs preliminary scanning (analyzes network packets and links), extracts files from traffic and forwards them together with metadata to the Central Node for more detailed analysis.
• Endpoint Agents are installed on workstations and servers running Microsoft Windows. The program collects data about process activity, file and registry operations, as well as about established connections. The collected data is sent to the Central Node for further analysis. The Central Node can command the Agents to perform containment actions to block dangerous activity.
• Central Node is the main component of the system. It retrieves data from Sensors and Agents, performs in-depth analysis, detects anomalous activity on endpoints, stores and publishes the results. It also interacts with the Sandbox servers by forwarding objects for payload analysis.

• Sandbox Server is a special hypervisor with a set of virtual machines running several different versions of operating systems and the most common applications. The virtual machines are started when the Central Node sends a task to analyze an object's behavior. The file or link is transferred to a virtual machine and run. All actions are logged and then analyzed. Sandbox runs executable files, office documents, scripts and multimedia files.
• Web interface is the main security tool for monitoring and studying the results of analysis performed by the KATA and KEDR products. The component is implemented as a web server on the Central Node; you can connect to it using any popular web browser.

• Sensor, Central Node and Sandbox are separate physical or virtual servers.
All connections between KATA/KEDR applications (components) are
protected by TLS. Connections between the Central Nodes and Sensors are
additionally protected with IPsec.
• Sandbox
• Sandbox is an individual device that “does not know” about other KATA/KEDR
servers. Sending objects and retrieving results of their analysis takes place on
the Central Node side. The KATA/KEDR Sandbox server only works with the
KATA/KEDR Central Node. There is also another Kaspersky Sandbox product
that can be integrated with other Kaspersky solutions.
• When a Central Node receives files extracted from corporate traffic and email
from Sensors, it sends executable files, office documents, scripts and
multimedia files to the Sandbox server for scanning.
• If Sandbox receives a link from mail traffic, it starts a web browser and pastes
the link there. If it receives a link from the network traffic, it downloads the
file and tries to start it.
• Endpoint Agents also perform the tasks that security officers send via the Central Node web console:
• Isolate a computer from the network (with exceptions)


• Prohibit access to the specified files
• Send a file to the Central Node for analysis
• Delete or quarantine a file
• Kill process
• Run a command or program with parameters
2.1 System requirements
The minimum configuration of a KEDR Central Node for production use is as follows:
— Memory: 64GB
— Processor: 8 logical cores
— Operating system drive: 1TB RAID 1 or RAID 10
The minimum configuration of a Central Node for production use of KATA and KEDR together is as follows:
— Memory: 96GB
— Processor: 12 logical cores
— Operating system drive: 1.9TB RAID 1
• A Central Node can run on either a physical or a virtual server. Installation on a virtual server is only supported for the VMware ESXi 6.5 or 6.7 hypervisor.
• When planning the installation, take into account the network connections that the Central Node will need to accept or establish:
— Inbound connections
— KATA and KEDR
— TCP 22 for SSH connections to the server
— TCP 443 for connection requests from Sensors
— TCP 8443 for viewing analysis results in the web interface
— TCP 80 for distributing updates to the Sandbox servers and Sensors
— Only KATA
— TCP 443 for connections from KSMG, KLMS, KWTS and external systems that use the API
— TCP 6379 for synchronizing the cache of scanned objects with Sensors
— TCP 8081 for retrieving files, messages and URLs from Sensors
— TCP 10000 for receiving network traffic metadata from Sensors (for the Targeted Attack Analyzer)
— Only KEDR
— TCP 443 for connections from Endpoint Agents
— TCP 4443 for proxied connections from Endpoint Agents via a Sensor that acts as a proxy
— In a distributed installation with several Central Nodes
— TCP 5432 for data exchange between the Central Nodes
— TCP 8444 for providing additional data to the primary Central Node
— Outbound connections
— KATA and KEDR
— TCP 80 for downloading updates from Kaspersky servers or from a user-defined source
— TCP 443 for downloading updates from Kaspersky servers, KSN requests and connections to the Sandbox server
— SMTP port for email notifications
— SIEM port for sending alerts and information about components' status to a SIEM
— UDP 161 (SNMP) for requesting Sensors' status data
— In a distributed installation
— TCP 443 for authentication requests to the primary Central Node
— TCP 5432 for data exchange between the Central Nodes
— TCP 8444 for requesting additional data from secondary Central Nodes
Connections between Sensors and the Central Node, as well as between Central Nodes in a distributed installation, are protected with IPsec. To allow these connections on the firewall, configure allow rules for UDP ports 500 and 4500 (IKE and NAT-T), as well as for the ESP protocol (IP protocol 50) and Authentication Header (IP protocol 51).
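A practical check to run against the inbound list above once the Central Node is built: compare what the server actually exposes with what the documentation says it should, so that an undocumented listener (or a documented one that is down) is caught before the node goes live. This is an added example, not a Kaspersky tool. The port sets are transcribed from the list above; `parse_ss` reads the output of `ss -Hlntu` (a real iproute2 invocation: listening TCP and UDP sockets, numeric, no header). The SAMPLE_SS text is constructed and deliberately shows a standalone KATA+KEDR node that exposes TCP 5432 (only expected in a distributed installation) and lacks the TCP 4443 proxy listener. The `--distributed` flag and the `cn_port_audit.py` file name are this example's own conventions.

```python
"""Compare a Central Node's exposed listeners with the documented port list.

Added example for this page, not a Kaspersky tool. Expected ports are the
inbound ports listed in the text; SAMPLE_SS is constructed `ss -Hlntu` output.

On a real server:  ss -Hlntu | python3 cn_port_audit.py kata+kedr [--distributed]
"""
import re
import sys

# Inbound listeners per role, as (protocol, port).
COMMON      = {("tcp", 22), ("tcp", 80), ("tcp", 443), ("tcp", 8443)}
KATA_ONLY   = {("tcp", 6379), ("tcp", 8081), ("tcp", 10000)}
KEDR_ONLY   = {("tcp", 4443)}
DISTRIBUTED = {("tcp", 5432), ("tcp", 8444)}
IPSEC       = {("udp", 500), ("udp", 4500)}  # IKE / NAT-T; ESP and AH are IP protocols, not ports


def expected_ports(role: str, distributed: bool = False, ipsec: bool = True) -> set:
    """role is "kata", "kedr" or "kata+kedr". ipsec=True when Sensors or peer
    Central Nodes connect over IPsec, which the text describes as the default."""
    ports = set(COMMON)
    if "kata" in role:
        ports |= KATA_ONLY
    if "kedr" in role:
        ports |= KEDR_ONLY
    if distributed:
        ports |= DISTRIBUTED
    if ipsec:
        ports |= IPSEC
    return ports


# ss -Hlntu columns: Netid State Recv-Q Send-Q Local Address:Port Peer Address:Port
_SS_LINE = re.compile(r"^(tcp|udp)\s+\S+\s+\d+\s+\d+\s+(\S+):(\d+)\s")
_LOOPBACK = ("127.", "[::1]")


def parse_ss(output: str) -> set:
    """Return (proto, port) for every listener bound to a non-loopback address.
    Loopback-only services are not reachable from the network and are ignored."""
    found = set()
    for line in output.splitlines():
        m = _SS_LINE.match(line.strip())
        if m and not m.group(2).startswith(_LOOPBACK):
            found.add((m.group(1), int(m.group(3))))
    return found


def audit(ss_output: str, role: str, distributed: bool = False, ipsec: bool = True) -> dict:
    """unexpected: exposed but undocumented for this role (close it or firewall it);
    missing: documented but not listening (service down or misconfigured)."""
    want = expected_ports(role, distributed, ipsec)
    have = parse_ss(ss_output)
    return {"unexpected": sorted(have - want), "missing": sorted(want - have)}


# Constructed `ss -Hlntu` output of a standalone KATA+KEDR Central Node.
SAMPLE_SS = """\
tcp   LISTEN 0      128          0.0.0.0:22         0.0.0.0:*
tcp   LISTEN 0      511          0.0.0.0:80         0.0.0.0:*
tcp   LISTEN 0      511          0.0.0.0:443        0.0.0.0:*
tcp   LISTEN 0      511          0.0.0.0:8443       0.0.0.0:*
tcp   LISTEN 0      128          0.0.0.0:6379       0.0.0.0:*
tcp   LISTEN 0      128          0.0.0.0:8081       0.0.0.0:*
tcp   LISTEN 0      128          0.0.0.0:10000      0.0.0.0:*
tcp   LISTEN 0      244          0.0.0.0:5432       0.0.0.0:*
tcp   LISTEN 0      128        127.0.0.1:9000       0.0.0.0:*
udp   UNCONN 0      0            0.0.0.0:500        0.0.0.0:*
udp   UNCONN 0      0            0.0.0.0:4500       0.0.0.0:*
"""

if __name__ == "__main__":
    role = sys.argv[1] if len(sys.argv) > 1 else "kata+kedr"
    distributed = "--distributed" in sys.argv
    data = SAMPLE_SS if sys.stdin.isatty() else sys.stdin.read()
    print(audit(data, role, distributed))
```

For the constructed sample the audit reports TCP 5432 as unexpected and TCP 4443 as missing; the same listeners audited as a distributed node instead report 4443 and 8444 as missing and nothing as unexpected. Note that the script only sees bound sockets, not firewall state: an exposed database port is a finding even if a host firewall happens to block it, because the documented design never relies on that port being reachable on a standalone node.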
• Minimum hardware requirements for a Sensor (for processing 100 Mbps of mirrored traffic):
— RAM: 16GB
— Processor: 4 logical cores
— Drive: RAID 1, 300GB
— Network adapter: 1Gbps for management and communications with the Central Node
• The 'standard' Sandbox configuration is supposed to run 48 virtual machines concurrently and is as follows:
— RAM: 80GB
— Processor: Intel Xeon with 8 cores and Hyper-Threading (16 logical cores)
— Two 300GB disks
— Network adapter: 1Gbps for management and communications with the Central Node
— Another network adapter: 1Gbps for accessing the internet from within virtual machines
• The equivalent 'standard' configuration for a Sandbox installed on a virtual machine requires considerably more computing resources (processor and memory) than the physical one:
— RAM: 128GB
— Processor: 48 logical cores (2.6GHz or faster)
— Virtualization parameters:
— Support for nested virtualization
— Reserved CPU and memory resources
— High latency sensitivity
• Computer requirements for Kaspersky Endpoint Agent installation
• Supported client OS:
— Windows 10
— Windows 8.1 x32, x64
— Windows 7 x32, x64
• Supported server OS:
— Windows Server 2019
— Windows Server 2016
— Windows Server 2012 R2 x64
— Windows Server 2012 x64
— Windows Server 2008 R2 x64
• Minimum hardware requirements:
— For 32-bit systems
— 1.4GHz processor
— 256MB of RAM
— 500MB of free drive space
— For 64-bit systems
— Intel Pentium 1.4GHz or equivalent processor
— 512MB of RAM
— 500MB of free drive space
• Recommended hardware requirements:
— 2.4GHz processor
— 1GB of free RAM
— 1GB of free drive space for the product installation and storing service data (queues, quarantined files, settings, etc.)
• Kaspersky Endpoint Agent 3.9 supports installation on virtual machines. The application was tested on the following hypervisors:
— Microsoft Hyper-V Server 2016
— VMware ESXi 6.5 and 6.7
— Citrix XenServer 7.1 LTSR
— KVM on the following operating systems:
— Ubuntu Server 18.04 LTS
— Ubuntu Server 16.04 LTS
— Red Hat Enterprise Linux 7.5
— CentOS 7.5
• Compatibility with Kaspersky endpoint protection solutions
• Kaspersky Endpoint Agent 3.9 is included in and can be installed with Kaspersky Endpoint Security 11.4 and newer, as well as with Kaspersky Security for Windows Server 11.
• You can also install KEA 3.9 (and 3.8) as a standalone application alongside other versions of Kaspersky security applications developed for servers and workstations. KEA 3.9 (3.8) was tested with the following applications:
• If you are using older versions of Kaspersky Endpoint Security, it is best to use the stand-alone version of Kaspersky Endpoint Agent (3.8 or 3.9) instead of the built-in Endpoint Sensor.
• If Kaspersky Endpoint Security 11.4 is already deployed on the network computers, you can add the Endpoint Agent component using the KES task 'Change application components'.

• To add Endpoint Agent to Kaspersky Endpoint Security 11.4, run the task creation wizard in Kaspersky Security Center and follow its steps:
1. Select the Change application components task of Kaspersky Endpoint Security 11.4
2. Select Endpoint Agent in the list of components
3. Specify target computers for the task. This step may look different or be missing depending on the context in which the task creation wizard was started.
4. Leave the schedule set to Manually. This task does not need to be started many times.
5. Give the task a comprehensible name
6. Select the check box to run the task after the wizard completes and finish the wizard
• You can install Kaspersky Endpoint Agent not only as part of Kaspersky Endpoint Security, but also as a stand-alone application. This is appropriate if the target computer has an older version of Kaspersky Endpoint Security, another Kaspersky protection application such as Kaspersky Security for Windows Server 10, or a third-party security application installed.
• To install Kaspersky Endpoint Agent as a stand-alone application via Kaspersky Security Center, create an installation package for Kaspersky Endpoint Agent and distribute it to the target computers using a remote installation task.
