Advanced Protection and Threat Intelligence For Targeted Attacks

Threat Intelligence to Mitigate the Risk of Targeted Attacks

Threat analysis and Kaspersky’s solutions presentation
The growing risk of advanced threats and targeted attacks

Enterprise Threats Landscape

Advanced, specially targeted threats can go undetected for weeks, months, or even years, while their actors slowly and silently gather information and work incrementally to exploit the unique vulnerabilities in their chosen targets’ systems. Unlike regular malware, advanced, targeted threats are actively controlled and managed by the perpetrators. The goal isn’t limited to malware delivery: the objective is to persist inside the enterprise perimeter. These attacks are the result of patient, often painstaking research by actors who are prepared to play a waiting game in the quest for their prize.

Every corporation big enough to occupy a significant place in its market is a potential target. This doesn’t mean smaller businesses are immune – in many cases, criminals view them as an easy-to-breach stepping stone from which to reach the bigger target. But when it comes to market leaders, the odds in favour of becoming a victim of such an attack increase substantially. It’s not a case of ‘if’ but ‘when’…

200% growth in recovery initiated on the same day as, or within a week after, discovering a security breach, for enterprises*.
*Kaspersky Global IT Security Risks Report 2019

Average loss from a single targeted attack:
• Businesses $106K
• Compensation $92K
• Training $79K
What’s the risk?

Targeted Attacks – Cybercrime as a Business Profession

Most targeted attacks are overseen by highly experienced cybercriminals and hackers who know how to adapt each phase of their attack to slip past traditional defenses, exploit weaknesses and maximise the amount of valuables they can steal, including money, confidential data and more.

The security geek attackers of the past have metamorphosed into professionals for whom cybercrime is a business. Their sole motivation in targeting and attacking any enterprise is optimum profit – calculated even before launching the attack, on the basis of the associated costs and potential rewards. The objective is, of course, to minimise up-front costs by attacking as cheaply as possible, with maximum financial outcomes.

Most targeted attacks use a combination of social engineering and a customised toolset. The cost of launching an effective targeted attack has fallen significantly, with a commensurate increase in the total number of attacks globally.

So what’s at stake when an organisation like yours falls victim to a targeted attack?

[Figure: cost categories of a targeted attack – Downtime, Training]

Direct financial losses. Attackers may try to commit cyber-fraud by stealing banking credentials in order to access corporate accounts and conduct fraudulent transactions.

Clean-up costs. After an attack, you can be faced with having to cover a whole host of expenses that haven’t been budgeted for. Recovering systems and processes is likely to involve both capital expenditure and operational expenses – like hiring security and systems consultants.

Risks to all organisations:
• Unauthorised transactions
• Critical data theft or corruption
• Stealth process manipulation
• Undermining by competitors
• Blackmail and extortion
• Identity theft

Risks to key industry sectors:

Financial Services
• Unauthorised transactions
• ATM attacks with physical cash theft
• Identity theft

Government
• Data manipulation
• Espionage
• Restricted availability of online services
• Identity theft
• Hacktivism acts

Telecommunication
• Hacktivism
• Compromised web site (defacement, phishing) and spreading attacks on a mass audience

Healthcare
Anatomy of a Targeted Attack

In theory, the targeted attack kill chain seems pretty straightforward: Reconnaissance & Testing, Penetration, Propagation, Execution, Outcome. This might suggest that by automatically blocking the first steps of a multi-stage attack, the attack itself can be thwarted.

But in reality, targeted attacks are highly sophisticated and nonlinear in terms of their progression and execution. So automated detection capabilities, continuous monitoring and threat hunting should all be in place as part of a multi-stage defense strategy.

A targeted attack is a lengthy process that violates security and allows a cybercriminal to bypass authorisation procedures and interact with the IT infrastructure, so avoiding detection by traditional means.

So first of all, it’s a process – an ongoing activity, a project, rather than a one-off malicious action. According to our experience in monitoring global attacks, such operations tend to last at least 100 days, and for government agencies, large market players and critical infrastructures, the time can be calculated in years.

Secondly, the process is aimed at a specific infrastructure, designed to overcome specific security mechanisms, and may well initially involve targeting named employees through email or social media. This is a very different approach from the mass mailings of standard malware-based attackers, who are pursuing completely different goals. In the case of a targeted attack, the methodology and kill chain stages are built around the specific victim.

Targeted attacks are long-term processes that compromise security and give the attacker unauthorised control over the victim’s IT – helping the attacker to avoid detection by traditional security technologies.

Although some attacks may use Advanced Persistent Threats (APTs) – which can be very effective, but expensive to implement – others may use a single technique, such as advanced malware or a zero-day exploit.
Enterprise Security challenges

With the risk of sophisticated threats growing exponentially, many enterprises already implement technologies and services in the hope of achieving the next level of visibility and protection against current threats. But without a multi-faceted approach and strategic planning, these efforts can fall short of expectations.

A word on sandboxes

Many ‘targeted attack detection solutions’ on the market simply comprise a standalone sandbox. Even vendors with no track record in new, advanced threat discovery claim to offer sandboxes that are often little more than an extension of their anti-malware engines – and have no significant threat intelligence behind them.

Kaspersky Lab’s advanced sandbox is just another part of our integrated detection capabilities. It’s been developed directly out of our in-lab sandbox complex, the technology we’ve been using for more than a decade. Its capabilities have been honed on statistics gathered from ten years of threat analysis, making it more mature and more focused on targeted threats than the silver bullet sandbox solutions currently on offer.

Disappointing outcomes of ‘patchy’ or unstructured security investment can include:

1. Major investment in a sandbox, in standalone technologies, or in the construction of a SOC, any of which then fail to generate commensurate improvements in security outcome.

Perimeter security techniques like firewalls and anti-malware software can hold their own against some of the more opportunistic attacks. But targeted attacks are a different matter.

Some vendors have sought to address APTs using a variety of standalone, discrete products: sandboxes, network anomaly analysis or even endpoint-focused monitoring. While these individual elements all can – and do – offer some protection and blocking of the cybercriminal’s toolset, they’re not enough in themselves to uncover a targeted, coordinated attack.

To achieve this requires the detection of multiple events occurring across all levels of the enterprise infrastructure. The information gained can then be processed using a multi-layered analysis system, followed by interpretation applying real-time security intelligence from a trusted source. In other words, your best investment is an approach that integrates the best of many technologies, including sandboxing with network anomaly analysis and endpoint event analysis, into an overall, end-to-end process.
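The multi-level event correlation described above, as an added example that is not Kaspersky’s code or part of the original document: it takes constructed events from email, network and endpoint sensors, maps each to one of the kill-chain stages the document lists, and only raises a per-host incident when events from at least two sensors span at least three stages inside a time window. The sensor/event taxonomy, the hostnames and the thresholds are assumptions made for the example.

```python
"""Multi-sensor event correlation along the targeted-attack kill chain.

Added example (not Kaspersky's code). Each sensor event looks low-severity on
its own; an incident is raised only when events on one host, seen by several
sensors, cover several kill-chain stages within a window. All data is constructed.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Kill-chain stages in the order the document lists them.
STAGES = ["Reconnaissance & Testing", "Penetration", "Propagation", "Execution", "Outcome"]

# (sensor, event type) -> kill-chain stage. Assumed taxonomy for the example.
STAGE_OF = {
    ("email", "attachment_macro"): "Penetration",
    ("email", "link_to_new_domain"): "Penetration",
    ("endpoint", "office_spawns_shell"): "Execution",
    ("endpoint", "credential_dump_tool"): "Propagation",
    ("network", "smb_lateral_auth"): "Propagation",
    ("network", "beacon_periodic"): "Execution",
    ("network", "large_upload_new_dst"): "Outcome",
    ("network", "port_scan_internal"): "Reconnaissance & Testing",
}

# Constructed sensor feed: (timestamp, sensor, host, event_type).
EVENTS = [
    ("2019-06-03T08:02:00", "email",    "ws-hr-07",  "attachment_macro"),
    ("2019-06-03T08:05:30", "endpoint", "ws-hr-07",  "office_spawns_shell"),
    ("2019-06-03T08:06:10", "network",  "ws-hr-07",  "beacon_periodic"),
    ("2019-06-03T09:40:00", "endpoint", "ws-hr-07",  "credential_dump_tool"),
    ("2019-06-03T10:15:00", "network",  "ws-hr-07",  "smb_lateral_auth"),
    ("2019-06-03T11:20:00", "network",  "ws-fin-02", "beacon_periodic"),  # isolated event
    ("2019-06-03T14:00:00", "network",  "ws-hr-07",  "large_upload_new_dst"),
]


def parse_events(rows):
    """Turn raw tuples into dicts with parsed timestamps and a kill-chain stage."""
    parsed = []
    for ts, sensor, host, etype in rows:
        stage = STAGE_OF.get((sensor, etype))
        if stage is None:
            continue  # unknown event type: not part of this correlation
        parsed.append({"ts": datetime.fromisoformat(ts), "sensor": sensor,
                       "host": host, "type": etype, "stage": stage})
    return sorted(parsed, key=lambda e: e["ts"])


def correlate(rows, window=timedelta(hours=24), min_stages=3, min_sensors=2):
    """Group events per host within a sliding window and raise an incident when
    the group covers at least `min_stages` distinct kill-chain stages reported by
    at least `min_sensors` different sensors. Returns at most one incident per host,
    keeping the largest qualifying group."""
    by_host = defaultdict(list)
    for e in parse_events(rows):
        by_host[e["host"]].append(e)

    incidents = []
    for host, evs in by_host.items():
        best = None
        for i, first in enumerate(evs):
            group = [e for e in evs[i:] if e["ts"] - first["ts"] <= window]
            stages = {e["stage"] for e in group}
            sensors = {e["sensor"] for e in group}
            if len(stages) >= min_stages and len(sensors) >= min_sensors:
                cand = {"host": host, "first_seen": group[0]["ts"].isoformat(),
                        "stages": [s for s in STAGES if s in stages],
                        "sensors": sorted(sensors), "events": len(group)}
                if best is None or cand["events"] > best["events"]:
                    best = cand
        if best:
            incidents.append(best)
    return incidents


if __name__ == "__main__":
    for inc in correlate(EVENTS):
        print(f"{inc['host']}: {inc['events']} events, stages {inc['stages']}, "
              f"sensors {inc['sensors']}")
```

The lone beacon on ws-fin-02 never becomes an incident, while ws-hr-07 does only because email, endpoint and network evidence are read together.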
2. Current solutions generate too many security events for your SOC team to process, analyse, triage, and respond to within a reasonable timeframe.

4. Lack of operational visibility. During a targeted attack, cybercriminals can easily evade traditional security solutions by using stolen credentials and legitimate software, so that they do not appear to be creating any system violations.

Because attackers do their utmost to hide their malicious activities, it can be very difficult for an in-house IT security team to spot an attack – and that means the attackers can continue to cause damage over an extended period.

The reality is that malware is responsible for only 40% of breaches – as we’ve seen, threat actors use a variety of techniques to access company systems. Even when malware is used, 70-90% of it is unique to the organisation it’s found in (Verizon: Data Breach Investigation Report).

5. Difficulty in knowing what expertise to employ and grow in-house, what security tasks to outsource, and what can safely be left to automated systems.

With the growing severity of security incidents and their potential impact on overall business effectiveness, one of the main security department challenges is that of fielding a sufficient number and range of appropriately qualified experts. A fully effective security strategy requires not just continuous monitoring and detection capabilities but a fast response and qualified remediation, with appropriate forensic processes in place.

Conventional SOC teams tend to focus on only part of this task – detection and response. The implementation of automated solutions helps free up experts to undertake the next steps in the incident management process, but few enterprises are ready to perform every high-level task in-house. So the challenge is in identifying which elements of the overall process (management, qualifying the risk, prioritisation, fast recovery) should be undertaken by the in-house team and which (malware research, digital forensics, incident response, threat hunting) may be more effectively outsourced to specialists.
The Intelligence-driven Enterprise SOC

Cybercriminals have adapted their techniques to sidestep traditional defenses and lurk undetected in systems for months, or even years. It’s time for enterprise security to adapt in its turn, by taking an intelligence-driven, multi-layered approach to IT security.

Until recently, it was enough to defend the corporate perimeter using commonly available security technologies that prevented malware infections or unauthorised access to the corporate network. However, today, with the rise of targeted attacks, this simple approach is no longer adequate.

If your security department is going to guard against new dangers, you’ll need a multi-faceted, highly adaptable approach to security, based around a conventional SOC empowered with threat intelligence and multi-layered security solutions.

[Figure: Intelligence-Driven Security Operations Center – Log collection, Aggregation & Correlation, Ticketing, Reporting]

The avalanche-like growth in the number of advanced threats and targeted attacks has generated increasing numbers of solutions. In order to collect, store and process the unstructured data generated, and to identify and prioritise complex multi-level attacks, existing processes must be upgraded. These include:
Threat Management and Defense solution

Kaspersky Lab’s understanding of the inner workings of some of the world’s most sophisticated threats has enabled us to develop a strategic portfolio of technologies and services capable of delivering a fully integrated, adaptive security approach. This expertise has seen Kaspersky Lab achieve more first place rankings in independent threat detection and mitigation tests than any other IT security company. Now, we have brought this targeted attack detection expertise together into one standalone solution – the culmination of two decades’ worth of threat research and analysis, generating mature, proven technologies.

While the majority of simple cyberthreats can be blocked by traditional, signature-based and heuristics-enhanced security products, today’s cybercriminals and hackers are using increasingly sophisticated attacks to target specific organisations. Targeted attacks – including Advanced Persistent Threats (APTs) – are now one of the most dangerous risks that enterprises have to deal with. However, while the threats – and the techniques that cybercriminals and hackers employ – are constantly evolving, many businesses are failing to adapt their security strategies.

By combining multi-layered detection from the Kaspersky Anti Targeted Attack Platform and rapid reactions in Kaspersky Endpoint Detection and Response with Cybersecurity Intelligence Services and Premium Support, Kaspersky Threat Management and Defense provides a unified solution with centralised administration, helping to automate and facilitate the whole advanced threat management cycle.

Harder to detect and – often – even harder to eliminate, targeted attacks and advanced threats call for a comprehensive, adaptive security strategy. The Kaspersky Threat Management and Defense solution is founded on the most viable security architecture as described by Gartner. Kaspersky’s approach is to provide a cycle of activities in four key areas: Prevent, Detect, Respond, and Predict. Essentially, this assumes that traditional prevention systems should function in coordination with detection technologies, threat analytics, response capabilities and predictive security techniques. This helps to create a cybersecurity system that continuously adapts and responds to emerging enterprise challenges.

[Figure: Kaspersky Anti Targeted Attack: Protection from Complex Threats; Kaspersky Cybersecurity Services: Security Insights or Outsourcing; Kaspersky Endpoint Detection and Response: Full Visibility]

Predict
• Analyse the potential security gaps
• Adjust the countermeasures accordingly
• Empower the SOC with Threat Intelligence
• Proactive Threat Hunting

Prevent
• Mitigate the risks
• Raise awareness
• Harden target systems and assets
• Improve qualification and current solution effectiveness against modern threats

Respond
• Incident Management
• Investigate the incident
• Neutralise with immediate steps to mitigate the consequences
• Recover

Detect
• Continuous monitoring
• Incident Discovery
• Qualifying incident severity and risk level

Kaspersky Lab was the first technology company to establish a dedicated advanced threat lab, back in 2008. That’s how they uncovered more advanced, targeted threats than any other security vendor. When you hear in the news about the latest advanced persistent threat, the chances are that it was detected by Kaspersky Lab’s elite Global Research and Analysis Team (GReAT).

With an enviable track record in detecting targeted attacks and APTs, the GReAT team is renowned for its threat intelligence. The team has played a major role in discovering many of the most sophisticated attacks, like:
• Stuxnet
• DarkHotel
• RedOctober
• Duqu
• Flame
• Carbanak
• Miniduke
• Equation
• Epic Turla
… and many more.
Prevention – using award-winning security technologies to decrease the risk of targeted attacks

Prevention-based security products can be very effective in protecting against common threats – including malware, network attacks, data leakage and more. But even these technologies are not sufficient to protect a business against targeted attacks. During a targeted attack, conventional, prevention-based security technologies may spot some incidents but will usually fail to determine that individual incidents are part of a much more dangerous and complex attack that could be causing severe damage to your business… and will continue to inflict damage over the long term.

However, multi-layered, prevention-based technologies are still a key element in the new, proactive approach to guarding against targeted attacks.

It’s essential for enterprise organisations to continue using ‘traditional’ security technologies to:

1. Automate the filtering and blocking of events and incidents not related to targeted attacks, which will help to avoid unnecessary distractions from relevant incident discovery.

2. Harden IT infrastructure against cheap and easy-to-perform techniques (social engineering, removable devices, mobile devices, malware and malicious email delivery etc.). In fact, all past spending on perimeter and endpoint security, along with the controls implemented, helps to increase the amount of effort and investment required by cybercriminals in order to penetrate your network.

But if the attacker is sufficiently highly motivated, and perhaps even hired by a third party to conduct a successful attack, a prevention-only approach will not be enough.

For targeted attacks, prevention technologies are valuable in filtering out unnecessary incidents, common malicious objects and irrelevant communications.

But comprehensive system hardening with targeted security solutions, security education and raising awareness is also of value – increasing the amount of time and investment attackers need to spend on penetrating your controlled perimeter, and rendering you no longer cost-effective to attack.

80% of targeted attacks start with a malicious email containing an attachment or link. Preferred penetration targets for cybercriminals include HR, call centers, personal assistants to senior management and outsourced areas of the business. These are seen as the least prepared areas of the organisation.
Detection – multi-vector advanced threat discovery before the damage occurs

The earlier you detect an attack, the lower your financial losses and the less disruption your organisation will suffer. So the quality and effectiveness of detection is paramount.

Because targeted attacks are both compound and complex, detecting them calls for deep practical knowledge of how advanced and targeted attacks work. Simple anti-malware solutions are not able to defend against these types of attack. Instead, you’ll need detection technologies that can access up-to-the-minute threat intelligence data – and can perform detailed analyses of suspicious behaviour that may be occurring at different levels of your corporate network.

The ability to detect targeted attacks consists of connected solutions and services able to deliver:
• Training
• Targeted Attack Discovery expertise – a one-time audit of infrastructure in order to find traces of compromise
• Specialised solution – Kaspersky Anti Targeted Attack platform + Kaspersky Endpoint Detection and Response
• Threat Data Feeds for real-time threat exchange and updates about new threats
• Custom and APT reports for better understanding of threat sources and methods
• 24/7 Threat Hunting – Kaspersky Managed Protection Service

The Kaspersky Anti Targeted Attack platform includes:
• Multi-layered sensor architecture – to give ‘all round’ visibility. Through a combination of network, web & email, and endpoint sensors, KATA provides advanced detection at every level of your corporate IT infrastructure
• Advanced Sandbox – to assess new threats. The result of over a decade of continuous development, our Advanced Sandbox offers an isolated, virtual environment where suspicious objects can be safely executed so their behaviour can be observed
• Powerful analytical engines – for rapid verdicts and fewer false positives. Our Targeted Attack Analyzer assesses data from network and endpoint sensors and rapidly generates threat detection verdicts for the security team.

[Figure: KATA sensor architecture – HTTP(S)/SMTP/FTP/DNS/ICAP network sensors, clustering, endpoint agents]
Response – helping businesses to recover from attacks

Of course, achieving a higher rate of detection is only part of the battle. The best detection technologies are not much use if you don’t have the tools and expertise needed to respond rapidly to the ‘live’ threat that’s potentially damaging your organisation.

Once the Kaspersky Anti Targeted Attack Platform or another third-party security solution identifies that your business is being attacked, Kaspersky Endpoint Detection and Response takes over. It is the next vital component of the Threat Management and Defense solution, allowing companies to speed up their incident response process and improve the quality of cybersecurity incident investigation.

Kaspersky EDR provides centralised management of incidents across all endpoints on the corporate network – giving a seamless workflow and integration with network detection via the Kaspersky Anti Targeted Attack platform. A wide range of automated responses helps avoid the expensive downtime and lost productivity inherent in traditional remediation processes, like wiping and reimaging. By monitoring and controlling a vast range of functions via a single interface, security tasks can be performed more effectively and efficiently – with no switching between multiple tools and consoles.

Kaspersky Endpoint Detection and Response delivers:
• Advanced Detection – with Machine Learning – the Targeted Attack Analyzer (TAA) creates a baseline of endpoint behaviour. This enables a historical record that can be used to discover how a breach occurred
• Proactive Threat Hunting with fast search, using a centralised database – plus Indicators of Compromise (IoC) search to help the security team actively hunt for threats – proactively scanning endpoints to spot anomalies and security breaches
[Figure: EDR workflow – Prevention, Advanced Detection, Visibility & Monitoring, Incident Response, Threat Hunting; response actions: Kill process, Delete object, Quarantine/Recover, Prevent, Collect Forensic Data, Run a script/program]

Full visibility and accurate detection are only a part of the battle. The very nature of targeted attacks means that attackers will come back with new tools and techniques.

If an emergency occurs, the cybersecurity team might need a trusted partner with the relevant skills and experience, as well as honing in-house skills.

• Evidence collection. For example, gathering hard disk drive images, memory dumps, network traces and other information that’s relevant to the incident
• Malware analysis. Detailed analysis of malware that was used as part of the attack.
• Remediation plan. A detailed plan that will help your business to prevent the malware propagating across more of your network – plus help you create an uninstallation plan.

If your own security team is able to carry out many of the incident response tasks, you may wish to use one of Kaspersky’s other services:
• Malware Analysis Service – subjects the malware your team has isolated to detailed analysis.
Prediction – doing more to guard against future threats

With the threat landscape constantly changing, your security strategy must continually evolve to meet new challenges.

Security isn’t a ‘one-off activity’ – it’s an ongoing process that calls for continuous assessment of:

Having access to experts that can keep you updated on the global threat landscape – and help you to test your systems and your existing defenses – is a vital element in helping your organisation to adapt and keep pace with new security threats.

Over the years, our global security experts have amassed a vast amount of knowledge about how advanced and targeted attacks work – and they’re constantly analysing new attack techniques. This hard-won expertise means they’re uniquely placed to predict new attack methods and help you to be ready to combat them.

In addition, they can offer specialised services to help you ‘harden’ your IT infrastructure:
• Penetration Testing Services – to help you assess the effectiveness of your current security provisions
• Application Security Assessment Services – to help you find software vulnerabilities… before the cybercriminals do
• Advanced Cybersecurity Training – to help train your own experts and build your own Security Operations Center
• Intelligence Reporting and Customised Threat Reporting – to help keep you updated on today’s constantly changing threat landscape
• Threat Lookup portal – access to Kaspersky Lab’s global intelligence database to help empower your malware research.
The Kaspersky Adaptive Security Strategy is founded on the most viable security architecture described by Gartner. The Kaspersky Lab approach provides a cycle of activities in four key areas: Prevent, Detect, Respond and Predict. Essentially, it assumes that traditional prevention systems should function in connection with detection technologies, threat analytics, response capabilities and predictive security techniques. This helps to create a cybersecurity system that continuously adapts and responds to the emerging enterprise challenges.

3. One integrated platform reduces the security alerts that overwhelm most security teams by providing threat intelligence-based context and prioritisation to alerts, as well as improving tactical responses by sharing threat knowledge and deep expertise and providing security intelligence services.

4. This environment provides security analysts with visibility of all attack stages in a unified way, enabling seamless threat analysis and confident investigation of both known and unknown threats before they impact the business.

5. Global Threat Intelligence sharing through APT and threat intelligence portals provides unique proactive insights into the motives and intentions of your adversaries, so you can prioritise policies and security investment planning accordingly.
Proven solution against advanced threats

During 2019, our Kaspersky Anti-Targeted Attack Platform (as a part of the Threat Management and Defense solution) has continued to participate in ICSA Labs tests.

The latest tests lasted for 37 days and consisted of 585 attacks and 519 clean files. KATA demonstrated excellent results:

Here are a few quotes from the resulting report issued by ICSA on 7th July 2019:

NOTE: ICSA testing methodology is dynamic and changes from quarter to quarter. The test itself is a continuously evolving simulation of a real environment and attack methods. The level of security is not measured at one given moment but over an extensive period (more than 30 days) of continuous operation under numerous attacks. In this way, the test aims to showcase the efficiency and effectiveness of a solution from a user standpoint.

For several years the Radicati Group has conducted independent analysis of the market for APT Protection Solutions, revealing Top Players, Trail Blazers, Specialists and Mature Players. As a result of the market analysis, Kaspersky Lab’s approach to countering targeted attacks and advanced threats received an excellent evaluation.

In 2019 the Kaspersky solution significantly improved its position with a major move from Specialists to Trail Blazing leader.

Trail Blazing vendors offer advanced, best of breed technology in some areas of their solutions, but don’t necessarily have all the features and functionality that would position them as Top Players. Trail Blazers, however, have the potential for “disrupting” the market with new technology or new delivery models. In time, these vendors are most likely to grow into Top Players.

«The Kaspersky Anti Targeted Attack Platform provides advanced threat and targeted attack detection across all layers of a targeted attack – initial infection, command and control communications, and lateral movements and data exfiltration»