the organization’s network traffic using technologies such as Sandbox, IDS, anti-malware scanning, reputation lookup and YARA.
• Nowadays, attackers often use tools built into the operating system and popular programs. This makes detecting traces of an attack extremely difficult. In general, only the organization’s IT and information security officers can differentiate between legitimate and malicious use of administration tools.
• No algorithm can do this accurately and efficiently enough. That is why traditional protection solutions, designed to be as autonomous as possible and to block threats without the help of IT and IS experts, cannot stop such attacks.
• Higher-end solutions—such as KATA and KEDR—are needed that can detect potentially dangerous activity on computers and on the network and provide analysts with a wider context for quick and accurate incident classification and for understanding what they are dealing with: an attack or legitimate activity.
The cybercriminals select the method of attack and prepare the tools to execute it. Suppose it is a PDF document with a proposal for collaboration on a new product. They know which anti-malware applications are used to protect endpoints and mail servers. Therefore, they only need to prepare a malicious object able to evade one or a few particular security products, which simplifies the task. The cybercriminals find an exploit kit and, after a few test runs, create a PDF file that escapes detection by the anti-malware applications installed at the victim company. When a company employee receives and opens the file, it exploits a vulnerability in the PDF reader software to establish a connection to the C&C center over the internet at an address registered in advance. The result is full access to the computer.
3. Delivery
• At the third stage, the malicious object is delivered to a company employee. This is where social engineering comes into play. Through the corporate website or social networks, or even by ringing the company’s call center, the attackers make a list of employees who deal with new suppliers. The cybercriminal phones one of them, tells a “story,” and forwards a business proposal: that selfsame PDF file.
• If the cybercriminals are in luck, the malicious file reaches the recipient intact. The user opens the file, inadvertently infecting the machine and establishing a connection to the C&C center. If this does not occur, the criminals need to phone the employee once more to find out what happened. If the file was blocked by an anti-malware application or the message was not delivered, the cybercriminal can cite problems with the mail system and offer to send the file to the employee’s private mail account; the employee will then open it at the office or at home on the work laptop. In this instance, there are fewer levels of protection, so the chances of delivery are higher.
4. Installation and spreading
As soon as the employee receives the file and opens it, the system becomes infected. The malware modules then propagate throughout the network under the criminals’ control and infect other machines.
7. Disappearance
The final stage is to erase all traces of the operation: files, log records, etc. This phase is optional and is not always carried out. One of the specifics of targeted attacks is that they pursue not only near-term but also long-term aims. In this case, the near-term objective is to steal a database with the users’ financial details. The long-term objective is to keep doing so in future.
• The only option here is to consider a new approach to protection that uses not only tools for blocking particular malicious objects or network packets, but also ones able to detect indicators of targeted attacks against the organization. In any event, company employees need to be made more aware of IT threats. The fight against targeted attacks involves a set of technical tools and measures.
• KATA and KEDR help combat attacks from penetration to eradication. Almost any malicious activity leaves traces on the network endpoints and in the traffic. Our solutions are effective in each phase:
— Penetration is most often performed through email or social networks: attackers send a malicious module or a link to a malicious resource. KATA thoroughly checks links and files in traffic and mail messages, analyzes the behavior of executable files in a virtual environment and matches links and IP addresses against known resources that participated in previous attacks of various cybercriminal groups.
— At the Installation & Spreading stage, malefactors try to manually or automatically ensure that malicious modules are always present on the network endpoints. There is a considerable but limited number of methods to run a program in the operating system; KEDR agents monitor all these methods.
— Malicious modules inevitably establish or accept network connections to provide command and control. KATA can detect connections to known malicious resources and scan traffic for data typical of remote control. KEDR monitors network operations on endpoints and permits correlating them with other activity.
— Attackers may aim at disrupting the organization’s operation, stealing data or using the organization’s computational resources for their own purposes. Activity of this kind is initiated by remote commands (KATA), implemented via characteristic operations on endpoints (KEDR) and may result in sending data outside the organization (KATA).
— Finally, covering up the traces means deleting files from the drive, values from the registry and log entries. Kaspersky Endpoint Detection & Response tracks all these actions.
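The correlation the Installation & Spreading and command-and-control points describe (an endpoint agent recording process starts and network connections, the analysis side joining them) can be shown on a small replay. The block below is an added example written for this page, not Kaspersky code: it replays constructed agent events for one workstation and raises an alert when a script host descended from a document reader opens an outbound connection, which is the PDF-reader-to-C&C pattern the earlier scenario describes. The event field names, the process-name sets, the internal address ranges and all sample events are assumptions made for the example.

```python
"""Correlating endpoint telemetry: alert when a script host whose ancestors include a
document reader opens a connection outside the organization's address space.
Added illustration for this page, not Kaspersky code; all names and events are constructed."""
from collections import defaultdict
import ipaddress

# Constructed sample of agent telemetry for one host: process starts and network connects.
SAMPLE_EVENTS = [
    {"ts": "2024-03-01T09:12:03", "type": "process_start", "host": "WS-0117",
     "pid": 4412, "ppid": 1320, "image": r"C:\Program Files\Reader\reader.exe"},
    {"ts": "2024-03-01T09:12:05", "type": "process_start", "host": "WS-0117",
     "pid": 4480, "ppid": 4412, "image": r"C:\Windows\System32\cmd.exe"},
    {"ts": "2024-03-01T09:12:06", "type": "process_start", "host": "WS-0117",
     "pid": 4502, "ppid": 4480, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
    {"ts": "2024-03-01T09:12:09", "type": "net_connect", "host": "WS-0117",
     "pid": 4502, "dst_ip": "203.0.113.45", "dst_port": 443},
    # Benign activity: a browser connecting out, and the reader itself talking to an internal server.
    {"ts": "2024-03-01T09:15:00", "type": "process_start", "host": "WS-0117",
     "pid": 4600, "ppid": 1320, "image": r"C:\Program Files\Browser\browser.exe"},
    {"ts": "2024-03-01T09:15:01", "type": "net_connect", "host": "WS-0117",
     "pid": 4600, "dst_ip": "203.0.113.80", "dst_port": 443},
    {"ts": "2024-03-01T09:20:00", "type": "net_connect", "host": "WS-0117",
     "pid": 4412, "dst_ip": "10.0.5.20", "dst_port": 445},
]

# Process classes the rule reasons about (assumed names; extend per environment).
DOCUMENT_READERS = {"reader.exe", "winword.exe", "excel.exe"}
SCRIPT_HOSTS = {"cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe"}
# Address ranges the organization treats as internal (assumed); anything else counts as outbound.
INTERNAL_NETWORKS = [ipaddress.ip_network(n) for n in
                     ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]


def basename(image_path: str) -> str:
    """Lower-case file name of an image path, tolerating either slash style."""
    return image_path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def is_internal(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETWORKS)


def ancestry(proc_table: dict, pid: int, max_depth: int = 16) -> list:
    """Walk parent links from pid upwards; returns image names root-first.
    Stops at an unknown parent, a cycle (pid reuse) or max_depth."""
    chain, seen = [], set()
    while pid in proc_table and pid not in seen and len(chain) < max_depth:
        seen.add(pid)
        image, ppid = proc_table[pid]
        chain.append(basename(image))
        pid = ppid
    return list(reversed(chain))


def detect_reader_spawned_beacons(events: list) -> list:
    """Replay events in timestamp order (so the process table is complete before each
    connection is examined) and alert on outbound connections by a script host that
    descends from a document reader."""
    proc_table = defaultdict(dict)  # host -> pid -> (image, ppid)
    alerts = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["type"] == "process_start":
            proc_table[ev["host"]][ev["pid"]] = (ev["image"], ev["ppid"])
        elif ev["type"] == "net_connect":
            if is_internal(ev["dst_ip"]):
                continue
            chain = ancestry(proc_table[ev["host"]], ev["pid"])
            if not chain:
                continue  # the connecting process was never seen starting: nothing to correlate
            if chain[-1] in SCRIPT_HOSTS and any(p in DOCUMENT_READERS for p in chain[:-1]):
                alerts.append({"host": ev["host"], "pid": ev["pid"], "chain": chain,
                               "dst": f"{ev['dst_ip']}:{ev['dst_port']}", "ts": ev["ts"]})
    return alerts


if __name__ == "__main__":
    for alert in detect_reader_spawned_beacons(SAMPLE_EVENTS):
        print(alert)
```

On the sample above only the PowerShell connection (pid 4502, chain reader.exe → cmd.exe → powershell.exe, destination 203.0.113.45:443) is reported; the browser's outbound connection and the reader's own connection to an internal server are not. The rule deliberately needs both pieces of context, the process ancestry and the destination, which is exactly what a single blocking tool looking at one object or one packet does not have.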
• Adaptive security strategy
- Prevent: a set of policies, products and processes that prevent an attack. The main
purpose of this category is to reduce the attack surface and block dangerous activity
before harm is done to the company.
- Detect: functionality for detecting attempted and actual intrusions missed by tools in the previous category due to the active use of masking techniques. The main purpose of this category is to detect the spread of an attack to minimize the damage. Ideally, the company should presume being under attack already, with systems having been compromised.
- Respond: the skills and tools required for investigating and eliminating problems
detected by the solution in the previous category. The results of the investigation
should propose measures to avoid such situations in future.
- Predict: the ability of the organization to find out about new threats and trends from
external sources. Such information facilitates a proactive response to new threats and
changing priorities through modifications to the prevention and detection methods.
• Optimum vs expert framework
• Universal agent
• Kaspersky Endpoint Detection & Response:
• Sensors are used for integration with the customer’s network infrastructure. A Sensor receives network, web and mail traffic. It then performs preliminary scanning: it analyzes network packets and links, extracts files from traffic and forwards them together with metadata to the Central Node for a more detailed analysis.
• Endpoint Agents are installed on workstations and servers running Microsoft Windows. The program collects data about processes’ activities, file and registry operations, and established connections. The collected data is sent to the Central Node for further analysis. The Central Node can command the Agents to perform containment actions to block dangerous activity.
• The Central Node is the main component of the system. It retrieves data from Sensors and Agents, performs in-depth analysis, detects anomalous activity on endpoints, and stores and publishes the results. It also interacts with the Sandbox servers by forwarding objects to them for payload analysis.
• Sensor, Central Node and Sandbox are separate physical or virtual servers.
All connections between KATA/KEDR applications (components) are
protected by TLS. Connections between the Central Nodes and Sensors are
additionally protected with IPsec.
• Sandbox
• Sandbox is an individual device that “does not know” about other KATA/KEDR
servers. Sending objects and retrieving results of their analysis takes place on
the Central Node side. The KATA/KEDR Sandbox server only works with the
KATA/KEDR Central Node. There is also another Kaspersky Sandbox product
that can be integrated with other Kaspersky solutions.
• When a Central Node receives files extracted from corporate traffic and email
from Sensors, it sends executable files, office documents, scripts and
multimedia files to the Sandbox server for scanning.
• If Sandbox receives a link from mail traffic, it starts a web browser and pastes
the link there. If it receives a link from the network traffic, it downloads the
file and tries to start it.
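The Sensor description above (files extracted from traffic and forwarded with metadata) and the Sandbox bullets (executables, office documents, scripts and multimedia are sent for scanning) together imply a triage step: deciding what class an extracted object belongs to, and doing so from its content rather than its file name, since an attacker picks the name. The block below is an added example written for this page, not Kaspersky code and not how KATA's Central Node actually classifies objects; it uses the usual public magic-byte signatures, the object classes named on the page, and constructed sample objects, and it also flags objects whose content class contradicts their extension.

```python
"""Triage of objects extracted from traffic: classify by content signature, decide
whether the class is one that goes to a sandbox, and flag name/content mismatches.
Added illustration for this page, not Kaspersky code; samples are constructed."""
import io
import zipfile

# Leading-byte signatures for the object classes the page says go to the Sandbox.
MAGIC = [
    (b"MZ", "executable"),                                     # Windows PE
    (b"\x7fELF", "executable"),                                # ELF
    (b"%PDF", "office_document"),
    (b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1", "office_document"),  # OLE2 compound file (legacy .doc/.xls)
    (b"\x89PNG\r\n\x1a\n", "multimedia"),
    (b"\xff\xd8\xff", "multimedia"),                           # JPEG
    (b"ID3", "multimedia"),                                    # MP3 with an ID3 tag
]
SCRIPT_EXTENSIONS = {".ps1", ".vbs", ".js", ".bat", ".cmd", ".sh", ".hta"}
# What the file name claims; used only to flag mismatches against the content.
EXT_TO_CATEGORY = {".exe": "executable", ".dll": "executable",
                   ".pdf": "office_document", ".doc": "office_document",
                   ".docx": "office_document", ".xlsx": "office_document",
                   ".png": "multimedia", ".jpg": "multimedia", ".mp3": "multimedia",
                   ".zip": "archive", ".txt": "other"}
EXT_TO_CATEGORY.update({ext: "script" for ext in SCRIPT_EXTENSIONS})
SANDBOX_CATEGORIES = {"executable", "office_document", "script", "multimedia"}


def extension(name: str) -> str:
    name = name.lower()
    dot = name.rfind(".")
    return name[dot:] if dot >= 0 else ""


def classify_content(data: bytes, name: str) -> str:
    """Category derived from the bytes; the name is consulted only for scripts,
    which have no reliable signature."""
    for magic, category in MAGIC:
        if data.startswith(magic):
            return category
    if data.startswith(b"PK\x03\x04"):
        # OOXML (.docx/.xlsx/.pptx) is a zip container that carries [Content_Types].xml
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                if "[Content_Types].xml" in zf.namelist():
                    return "office_document"
        except zipfile.BadZipFile:
            pass
        return "archive"
    try:
        text = data.decode("utf-8")
    except UnicodeDecodeError:
        return "other"
    if text.startswith("#!") or extension(name) in SCRIPT_EXTENSIONS:
        return "script"
    return "other"


def triage(name: str, data: bytes) -> dict:
    category = classify_content(data, name)
    claimed = EXT_TO_CATEGORY.get(extension(name), "other")
    return {"name": name, "category": category,
            "sandbox": category in SANDBOX_CATEGORIES,
            "extension_mismatch": claimed != category}


def make_ooxml() -> bytes:
    """Minimal constructed OOXML container, enough structure for the check above."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<document/>")
    return buf.getvalue()


# Constructed objects as a Sensor might extract them from traffic or mail.
SAMPLES = [
    ("invoice.pdf", b"MZ\x90\x00" + b"\x00" * 60),        # executable wearing a .pdf name
    ("proposal.pdf", b"%PDF-1.7\n%..."),
    ("report.docx", make_ooxml()),
    ("setup.txt", b"#!/bin/sh\nprintf 'hello'\n"),        # script wearing a .txt name
    ("logo.png", b"\x89PNG\r\n\x1a\n" + b"\x00" * 16),
    ("notes.txt", b"plain text, nothing to detonate"),
]


def triage_all(samples=SAMPLES) -> list:
    return [triage(name, data) for name, data in samples]


if __name__ == "__main__":
    for row in triage_all():
        print(row)
```

Of the six constructed objects, five are routed to the sandbox and two are flagged as mismatches: the "PDF" that is really a PE image and the "text file" that is really a shell script. A real deployment would carry the metadata the Sensor attaches (source address, mail sender, URL) alongside each row so the analyst has that context when the sandbox verdict comes back.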
• Endpoint Agents also perform the tasks that security officers send via the
Central Node web console:
• To add Endpoint Agent to Kaspersky Endpoint Security 11.1, run the task creation wizard in Kaspersky Security Center and follow its steps:
1. Select the Change application components task of Kaspersky Endpoint Security 11.4.
2. Select Endpoint Agent in the list of components.
3. Specify the target computers for the task. This step may look different or be missing depending on the context from which the task creation wizard was started.
4. Leave the schedule set to Manually. This task does not need to be started many times.
5. Give the task a comprehensible name.
6. Select the check box to run the task after the wizard completes, and finish the wizard.
• You can install Kaspersky Endpoint Agent not only as part of Kaspersky Endpoint Security, but also as a stand-alone application. This is appropriate if the target computer has an older version of Kaspersky Endpoint Security, another Kaspersky protection application such as Kaspersky Security for Windows Servers 10, or a third-party security application installed.
• To install Kaspersky Endpoint Agent as a stand-alone application via Kaspersky Security Center, create an installation package for Kaspersky Endpoint Agent and distribute it to the target computers using a remote installation task.