Advanced Protection and

Threat Intelligence to
Mitigate the Risk
of Targeted Attacks
threat analysis and Kaspersky's solutions presentation
The growing risk of advanced
threats and targeted attacks
200% growth of the recovery initiated at the
same day and after week of discovering a
Enterprise Threats Landscape
security breach for Enterprises*.

*Results from Kaspersky Lab’s Corporate IT Security Risks

Survey 2019, conducted worldwide by Kaspersky Lab
15% of enterprises have experienced
a targeted attack, more than 53% losing sensitive
data as a result*.
Targeted attacks and advanced threats – including Advanced Persistent Threats (APTs) –
are some of the most dangerous risks to enterprise systems. However, while the threats
and techniques that cybercriminals use are constantly evolving, too many organisations
are relying on yesterday’s security technologies and an outmoded mindset to protect
against today’s and tomorrow’s threats.

*Kaspersky Global IT Security Risks Report 2019
Every corporation big enough to occupy
a significant place in its market is a potential
target. This doesn’t mean smaller businesses are
immune – in many cases, criminals view them as
an easy-to-breach stepping stone from which to
reach the bigger target. But when it comes to
market leaders, the odds in favour of becoming
a victim of such an attack increase substantially.
It’s not a case of ‘if’ but ‘when’…
Advanced, specially targeted threats can go undetected for weeks, months,
or even years, while their actors slowly and silently gather information and work
incrementally to exploit the unique vulnerabilities in their chosen targets’ systems. Unlike
regular malware, advanced, targeted threats are actively controlled and managed by the
perpetrators. The goal isn’t limited to malware delivery: the objective is to persist inside
the enterprise perimeter. These attacks are the result of patient, often painstaking
research by actors who are prepared to play a waiting game in the quest for their prize.
Average loss from a single targeted attack:
Average loss from a single targeted attack:

Additional Internal Staff Wages $126K

Damage to Credit Rating/Insurance Premiums Lost $116K

Businesses $106K

Compensation $92K

Extra PR (to repair brand damage) $91K $891K

Empoying External Professionals $86K

Improving Software & Infrastructure $119K

Training $79K

New Staff $77K

Who’s doing the attacking?

Cybercriminals – who sell data to the highest

Internal and External factors which leads
bidder or simply steal money. They usually
develop their cyber tools themselves or buy
to successful breach
them on the dark web.
Key factors contributing to the successful development of targeted attacks
Competitor businesses – looking for confidential
data or even committing sabotage. They will
on IT infrastructures include:
usually ‘buy in’ the services of cyber-
mercenaries. • Hidden and Shadow IT
• Uncontrolled connectivity of IoT devices
Cyber-mercenaries – masters of cyber- • Critical reliance on digitalisation
espionage, they develop their own tools and sell
their ‘services’ to the highest bidder. • Lack of preventive capabilities and an over-optimistic view of current perimeter
security
Hacktivists – claim to be working for • Low employees awareness of information security risks
a ‘greater good’, they’re inventive, use complex • Lack of visibility over the IT environment and particularly network routing
toolsets and present a serious problem for any
• Proprietary and outdated software and operating systems
organisation that attracts their attention
• Lack of security team qualification regarding malware research, digital forensics,
Government agencies – they may deny it, but incident response and threat intelliegence
it’s generally accepted that governments the
world over routinely track individuals, groups
and businesses. Their toolsets can be extremely
sophisticated, expensive and hard to detect.

1
What’s the risk?
Risks to all organisations:
• Unauthorised transactions
• Critical data theft or corruption
• Stealth process manipulation
• Undermining by Competitors
• Blackmail extortion
• Identity theft
Risks to key industry sectors:
Financial Services
• Unauthorised transactions
• ATM attacks with physical cash theft
• Identity theft
Targeted Attacks – Cybercrime
as a Business Profession
Most targeted attacks are overseen by highly experienced cybercriminals
and hackers who know how to adapt each phase of their attack to slip past traditional
defenses, exploit weaknesses and maximise the amount of valuables they can steal,
including money, confidential data and more.
The security geek attackers of the past have metamorphosed into professionals for whom
cybercrime is a business. Their sole motivation in targeting and attacking any enterprise is
optimum profit – calculated even before launching the attack, on the basis of the
associated costs and potential rewards. The objective is, of course, to minimise up-front
costs by attacking as cheaply as possible, with maximum financial outcomes.

Government Most targeted attacks use a combination of social engineering and a customised toolset.
The cost of launching an effective targeted attack has fallen significantly, with a
• Data manipulation commensurate increase in the total number of attacks globally.
• Espionage
• Restricted availability of online services
• Identity theft So what’s at stake when an organisation like yours falls victim to a targeted attack?
• Hacktivism acts

Manufacturing and High Technology

• Espionage (know how) Direct damage Reactive spend

• Compromised critical technological
processes

Telecommunication

• Attack on corporate clients using

telecoms infrastructure
• Manipulation of mail servers
for social engineering Remediation Systems
• Billing control
• Manipulation of web resources + +
for phishing purposes
• Using compromised infrastructure
(devices/IoTs) for DDoS attacks

Energy and Utilities

• Manipulating with calculations data Lost opportunities Staffing

• Attacks on technological networks
with physical damage
+ +
Mass media

• Hacktivism
• Compromised web site (deface, phishing) and
spreading attacks on mass audience
Downtime Training
Healthcare

• Theft of patient information To prevent further

• Attacks on telemedicine equipment breaches

Direct financial losses. Attackers may try to commit cyber-fraud by stealing banking
credentials in order to access corporate accounts and conduct fraudulent transactions.

Disruption of key business processes. While some attacks may – merely

as a by-product – impair or slow down critical business processes, others
may deliberately set out to sabotage them. Even if an attack is discovered, there’s likely to
be a further period of disruption while the targeted business conducts investigations and
recovers its operations, during which further business opportunities may be lost.

Clean-up costs. After an attack, you can be faced with having to cover a whole host of
expenses that haven’t been budgeted for. Recovering systems and processes is likely to
involve both capital expenditure and operational expenses – like hiring security and
systems consultants.

2

• Gather data
• Prepare strategy
Attack Delivery
preparation
• Non-malware
• Hidden
• Encrypted
Targeted attacks are long-term processes that
compromise security and give
the attacker unauthorised control over
the victim’s IT – helping the attacker
to avoid detection by traditional security
technologies.
Although some attacks may use Advanced
Persistent Threats (APTs) – which can be very
effective, but expensive to implement – others
may use a single technique, such as advanced
malware or a zero-day exploit.
Anatomy of a Targeted Attack
In theory, the targeted attack kill chain seems pretty straightforward: Reconnaissance &
Testing, Penetration, Propagation, Execution, Outcome. This might suggest that by
automatically blocking the first steps of a multi-stage attack, the attack itself can be
thwarted.
• New domain • Rapid
• «Gray domain» • Silent
• Payload/command delivery • No immediate damage
C&C Lateral Execution Damage
movement & silent leave
• Hide inside normal activities • Hide the traces
• Steal credentials • Erase from logs
• Non violation of anything • Leave a backdoor
But in reality, targeted attacks are highly sophisticated and nonlinear in terms of their
progression and execution. So automated detection capabilities, continuous monitoring and
threat hunting should all be in place as part of a multi-stage defense strategy.
A targeted attack is a lengthy process that violates security and allows a cybercriminal
bypassing authorisation procedures and interacting with the IT infrastructure, so avoiding
detection by traditional means.
So first of all, it’s a process – an ongoing activity, a project, rather than a one-off malicious
action. According to our experience in monitoring global attacks, such operations tend to
last at least 100 days, and for government agencies, large market players and critical
infrastructures, the time can be calculated in years.
Secondly, the process is aimed at a specific infrastructure, designed to overcome specific
security mechanisms, and may well initially involve targeting named employees through
email or social media . This is a very different approach from the mass mailings of standard
malicious software based attackers, who are pursuing completely different goals. In the
case of a targeted attack, the methodology and kill chain stages are built around the
specific victim.
Thirdly, this operation is usually managed by an organised group or team of professionals,
sometimes international, armed with sophisticated technical tools. Their activities could be
said to be not just a project: more of a multi-combat operation. For example, attackers
might typically compile a list of employees who can potentially become the ‘gateway’ to
the target organisation, networks, and study their online profiles and social media activity.
After that, the task of gaining control over the victim’s working computer is virtually solved.
On the employees computer is infected, and intruders go on to seize control of the network
from where they can direct their criminal activities.
3

A word on sandboxes
Many ‘targeted attack detection solutions’ on
the market simply comprise a standalone
sandbox. Even vendors with no track record in
new, advanced threat discovery claim to offer
sandboxes that are often little more than an
extension of their anti-malware engines – and
have no significant threat intelligence behind
them.
Kaspersky Lab’s advanced sandbox is just another
part of our integrated detection capabilities. It’s
been developed directly
out of our in-lab sandbox complex, the
technology we’ve been using for more than a
decade. Its capabilities have been honed on
statistics gathered from ten years of threat
analysis, making it more mature and more
focused on targeted threats than the silver bullet
sandbox solutions currently of offer.
Enterprise Security challenges
With the risk of sophisticated threats growing exponentially, many enterprises already
implement technologies and services in the hope of achieving the next level of visibility and
protection against current threats. But without a multi-faceted approach and strategic
planning, these efforts can fall short of expectations.
Disappointing outcomes of ‘patchy’ or unstructured security investment can include:
1. Major investment in a sandbox, in standalone technologies, or in the construction
of a SOC, any of which then fail to generate commensurate improvements in security
outcome.
Perimeter security techniques like firewalls and anti-malware software can hold their own
against some of the more opportunistic attacks. But targeted attacks are a different matter.
Some vendors have sought to address APTs using a variety of standalone, discrete products:
sandboxes, network anomaly analysis or even endpoint-focused monitoring. While these
individual elements all can – and do – offer some protection and blocking of the cybercriminal’s
toolset, they’re not enough in themselves to uncover a targeted, coordinated attack.
To achieve this requires the detection of multiple events occurring across all levels
of the enterprise infrastructure. The information gained can then be processed using a multi-
layered analysis system, followed by interpretation applying real-time security intelligence from a
trusted source. In other words, your best investment is an approach that integrates the best of
many technologies, including sandboxing with network anomalies analysis and endpoint events
analysis into an overall, end-to-end process.
2. Current solutions generate too many security events for your SOC team
to process, analyse, triage, and respond to within a reasonable timeframe.
3. Lack of security skills appropriate to current levels of threat sophistication. Security
experts may be skilled in incident detection and fast remediation
(golden image, blacklisting URLs/files, building some rules) but not fully qualified to
implement a full circle response process (qualifying risk levels, performing initial
analyses, investigation, containment, forensics).
4. Lack of operational visibility. During a targeted attack, cybercriminals can easily evade
traditional security solutions by using stolen credentials and legitimate software, so that
they are not apparently creating any systems violations.
Because attackers do their utmost to hide their malicious activities, it can be very difficult
for an in-house IT security team to spot an attack – and that means the attackers can
continue to cause damage over an extended period.
The reality is that malware is responsible for only 40% of breaches – as we’ve seen, threat
actors use a variety of techniques to access company systems, even when malware is used,
70-90% of it is is unique to the organisation it’s found in (Verizon: Data Breach Investigation
Report).
5. Difficulty in knowing what expertise to employ and grow in-house, what security
tasks to outsource, and what can safely be left to automated systems.
With the growing severity of security incidents and their potential impact on overall business
effectiveness, one of the main security department challenges is that of fielding a sufficient
number and range of appropriately qualified experts. A fully effective security strategy requires
not just continuous monitoring and detection capabilities but a fast response and qualified
remediation, with appropriate forensic processes in place.
Conventional SOC teams tend to focus on only part of this task – detection and response. The
implementation of automated solutions helps free up experts to undertake the next steps in
the incident management process, but few enterprises are ready to perform every high level
task in-house. So the challenge is in identifying which elements of the overall process
(management, qualifying the risk, prioritisation, fast recovery) should be undertaken by the
in-house team and which (malware research, digital forensic, incident response, threat
hunting) may be more effectively outsourced to specialists.
4
 The Intelligence-driven Enterprise SOC
Cybercriminals have adapted their techniques to sidestep traditional defenses and lurk
undetected in systems for months, or even years. It’s time for enterprise security to adapt
in its turn, by taking an intelligence-driven, multi-layered approach to IT security.

Until recently, it was enough to defend the corporate perimeter using commonly available
security technologies that prevented malware infections or unauthorised access to the
corporate network. However, today, with the rise of targeted attacks, this simple approach
is no longer adequate.

If your security department is going to guard against new dangers, you’ll need
a multi-faceted, highly adaptable approach to security, based around a conventional SOC
empowered with threat intelligence and multi-layered security solutions.

Intellegence-Driven
Security Operations Center

Advanced Countermeasure Constant Operation

Analytics Capabilities Adaptation Automation

Threat Knowledge Incident

Threat Hunting
Intelligence Management Response

Aggregation
Log collection Ticketing Reporting
& Correlation

Adaptive Security Strategy

Prevent Detect Respond Predict

Improving enterprise security processes

The Information Security Department is responsible for the organisational and technical
protection of critical information and business processes in often complex IT environments.
This includes, for example, the increasing adoption of automated solutions and software
components, and the transition to electronic document management.

The avalanche-like growth in the number of advanced threats and targeted attacks has
generated increasing numbers of solutions. In order to collect, store and process the
unstructured data generated, in order to identify and prioritise complex multi-level attacks,
existing processes must be upgraded. These include:

• the manual prioritisation of threats and the evaluation of factors potentially

indicative of a possible targeted attack
• information collecting about targeted attacks and advanced statistics threats
• identification of and response to incidents
• analysis of suspicious objects in network traffic and email attachments
• detection of abnormal / unusual activity within the protected infrastructure

Large enterprises are responding to today’s advanced threats by moving to centralised

information security management, consolidating data from disparate Security solutions
(through automating data collection and correlation of events – SIEM) and unifying its
presentation through the construction of security monitoring centers (SOC) . But for this
approach to be effective against targeted attacks and advanced threats, a comprehensive
understanding of security problems and the deep knowledge of cyberthreat analysis is
required.

5

Kaspersky Lab was the first technology
company to establish a dedicated advanced
threat lab, back in 2008.
That’s how they uncovered more advanced,
targeted threats than any other security
vendor. When you hear in the news about
the latest advanced persistent threat, the
chances are that it was detected by
Kaspersky Lab’s elite Global Research and
Analysis Team (GReAT).
With an enviable track record in detecting
targeted attacks and APTs, GReAT team is
renowned for its threat intelligence. The
team has played a major role in discovering
many of the most sophisticated attacks, like:
• Stuxnet • DarkHotel
• RedOctober • Duqu
• Flame • Carbanak
• Miniduke • Equation
• Epic Turla … and many more.
Threat Management
and Defense solution
Kaspersky Lab’s understanding of the inner workings of some of the world’s most
sophisticated threats has enabled us to develop a strategic portfolio of technologies and
services capable of delivering a fully integrated, adaptive security approach. Their expertise
has seen Kaspersky Lab achieve more first place rankings in independent threat detection
and mitigation tests than any other IT security company. Now, they brought this targeted
attack detection expertise together into one standalone solution – the culmination of two
decade’ s worth of threat research and analysis, generating mature, proven technologies.
While the majority of simple cyberthreats can be blocked by traditional, signature-based
and heuristics-enhanced security products, today’s cybercriminals
and hackers are using increasingly sophisticated attacks – to target specific organisations.
Targeted attacks – including Advanced Persistent Threats (APTs) – are now one of the most
dangerous risks that enterprises have to deal with. However, while the threats – and the
techniques that cybercriminals and hackers employ – are constantly evolving, many
businesses are failing to adapt their security strategies.
By combining multi-layered detection from the Kaspersky Anti Targeted Attack Platform and
rapid reactions in Kaspersky Endpoint Detection and Response
with Cybersecurity Intelligence Services and Premium Support – Kaspersky Threat
Management and Defense provides a unified solution with centralised administration,
helping to automate and facilitate the whole advanced threat management cycle.

Kaspersky Anti Targeted Attack:
Protection from Complex Threats
Harder to detect and – often – even harder to eliminate, targeted attacks and advanced threats
call for a comprehensive, adaptive security strategy. Kaspersky Threat Management and
Defense solution is founded on the most viable security architecture as described by Gartner.
TKaspersky's approach is to provide a cycle of activities in four key areas: Prevent, Detect,
Respond, and Predict.

• Prevent – reduce the risk of advanced threats and targeted attacks

• Detect – identify activities that could signal a targeted attack
• Respond – close security gaps and investigate attacks
• Predict – where and how new targeted attacks could appear

Kaspersky Kaspersky Essentially, this assumes that traditional prevention systems should function in
Cybersecurity Endpoint coordination with detection technologies, threat analytics, response capabilities
Services: Detection and predictive security techniques. This helps to create
Security Insights and Response:
or Outsourcing Full Visibility a cybersecurity system that continuously adapts and responds to emerging
enterprise challenges.

Predict Prevent
• Analyse the potential security gaps • Mitigate the risks
• Adjust the countermeasure accordingly • Raise the awareness
• Empower SOC with Threat Intelligence • Harden target systems and assets
• Proactive Threat Hunting • Improving qualification and
current solution effectiveness against
modern threats

Respond Detect
• Incident Management • Continuous monitoring
• Investigate the incident • Incident Discovery
• Neutralise with immediate steps to • Qualifying Incidents severity
mitigate the consequences and risk level
• Recover

6

For targeted attacks, prevention technologies
are valuable in filtering out unnecessary
incidents, common malicious objects and
irrelevant communications.
But comprehensive system hardening with
targeted security solutions, security
education and by raising awareness is also of
value – increasing the amount of time and
investment necessary for attackers to invest
in penetrating your controlled perimeter,
and rendering you no longer cost-effective
to attack.
Prevention – using award-winning
security technologies to decrease
the risk of targeted attacks
Prevention-based security products can be very effective in protecting against common
threats – including malware, network attacks, data leakage and more. But even these
technologies are not sufficient to protect a business against
the targeted attacks. During a targeted attack, conventional, prevention-based security
technologies may spot some incidents but will usually fail to determine that individual
incidents are part of a much more dangerous and complex attack that could be causing
severe damage to your business… and will continue to inflict damage over the long term.
However, multi-layered, prevention-based technologies are still a key element in the new,
proactive approach to guarding against targeted attacks.

Machine learning, Threat Intelligence, 1% – targeted and unique

advanсed sandboxing $$$

Heuristics and behaviour analysis, cloud

reputation $++ 9% – sophisticated attacks

Signature and rules based 90% –genetic malwares and

approach Cheap $ common threats

Addressing different threats with security technologies

80% of targeted attacks start with a malicious It’s essential for enterprise organisations to continue using ‘traditional’ security
email containing an attachment or link. technologies to:

Preferred penetration targets for cybercriminals
include HR, call centers, personal assistants to
senior management and outsourced areas of
the business. These are seen as the least
prepared areas of the organisation.
1. Automate the filtering and blocking of events and incidents not related to Targeted attacks,
which will help to avoid unnecessary distractions to relevant incident discovery.
2. Harden IT infrastructure against cheap and easy-to-perform techniques (social
engineering, removable devices, mobile devices, malware and malicious email delivery
etc.). In fact all past spending to perimeter and endpoint security, along with controls
implemented, helps to increase the amount of effort and investment required by
cybercriminals in order to penetrate your network.

But if the attacker is sufficiently highly motivated, and perhaps even hired by a third
party to conduct a successful attack, a prevention-only approach will not be enough.

7

The Kaspersky Anti Targeted Attack
platform includes:
• Multi-layered sensor architecture
– to give ‘all round’ visibility. Through
a combination of network, web & email,
and endpoint sensors, KATA provides
advanced detection at every level
of your corporate IT infrastructure
• Advanced Sandbox – to assess new threats.
The result of over a decade of continuous
development, our Advanced Sandbox
offers an isolated, virtual environment
where suspicious objects can be safely
executed so their behaviour can be
observed
• Powerful analytical engines – for rapid
verdicts and fewer false positives.
Our Targeted Attack Analyzer assesses
data from network and endpoint sensors
and rapidly generates threat detection
verdicts for the security team.
Global reputation,
Intelligence Services
and threat statistics
Kaspersky Security Network traffic
Network analysis
+ data and events analysis
Kaspersky
Managed Protection
(Active Threat Hunting)
HTTP(S)/SMTP/FTP/DNS/ICAP,
endpoint agents
Detection – multi-vector advanced threat
discovery before the damage occurs
The earlier you detect an attack, the lower your financial losses and the less
disruption your organisation will suffer. So the quality and effectiveness of
detection is paramount.
Because targeted attacks are both compound and complex, detecting them
calls for a deep practical knowledge about how advanced and targeted attacks
work. Simple anti-malware solutions are not able to defend against these types
of attack. Instead, you’ll need detection technologies that can access up-to-the-
minute threat intelligence data – and can perform detailed analyses of suspicious
behaviour that may be occurring at different levels of your corporate network.
The ability to detect targeted attacks consists of connected solutions
and services able to deliver:
• Training
• Targeted Attack Discovery expertise – one-time audit of infrastructure in
order to find traces of compromise
• Specialised solution – Kaspersky Anti Targeted Attack platform +
Kaspersky Endpoint Detection and Response
• Threat Data Feeds for real-time threat exchange and updates about new threats
• Custom and APT reports for better understanding of threat sources and methods
• 24/7 Threat Hunting Kaspersky Managed Protection Service
Based on leading security intelligence and advanced machine learning
technologies, the Kaspersky Anti Targeted Attack Platform combines network and
endpoint data, sandbox and intelligent analysis to correlate incidents, search for
Indicators of Compromise and help uncover the most complex targeted attacks.
Connecting up of the various pieces of an incident provides a comprehensive view
of the entire attack chain, increasing confidence in assigned threat scores and
reducing false positives to zero.
Endpoint Detection
and Response
Targeted Attack Analyzer (EDR)
Advanced Threat Visualisation/
Machine Learning Sandboxing Hunting/Reaction
Clustering
8

Product platform:
Anti Targeted Attack
Forensic Data Discover
Related services:
Kaspersky Endpoint Detection and
Response delivers:
• Advanced Detection – with
Machine Learning – Targeted Attack
Analyzer (TAA) – creates a baseline
of endpoint behaviour. This enables
a historical record that can be
used to discover how a breach
occurred
• Proactive Threat Hunting with
fast-search, using a centralised
database – plus Indicators of
Compromise (IoC) search to help
security team actively hunt for
threats – proactively scanning
endpoints to spot anomalies and
security breaches
• Adaptive Threat Response which
includes a vast array of automated
responses that help enterprises
to avoid the use of traditional
remediation processes – such as
wiping and reimaging – that can
result in expensive downtime and
loss of productivity
Response – helping businesses
to recover from attacks
Of course, achieving a higher rate of detection is only part of the battle. The best
detection technologies are not much use if you don’t have the tools and
expertise needed to respond rapidly to the ‘live’ threat that’s potentially damaging
your organisation
After detecting an attack, it’s important to have access to recognised security
experts with the skills and experience to help:
• Assess and rectify the damage
• Rapidly recover your operations
• Receive actionabale intelligence after Incident Investigation process
• Plan actions to prevent further repeat of the same attack scenarios
Kaspersky Kaspersky Endpoint Detection and Response
platform
Qualify Investigate Neutralise Recover
Kaspersky Cybersecurity Services
Once Kaspersky Anti Targeted Attack Platform of other 3rd party security
solution identifies that your business is being attacked then Kaspersky Endpoint
Detection and Response takes over. It is the next vital component of the
Threat Management and Defense solution, allows companies to speed up their
incident response process and improve the quality of cybersecurity incidents
investigation.
Kaspersky EDR provides centralised management of incidents across all
endpoints on the corporate network – giving a seamless workflow and
integration with network detection via Kaspersky Anti Targeted Attack platform.
A wide range of automated responses helps avoid the expensive downtime and
lost productivity inherent in traditional remediation processes, like wiping and
reimaging. By monitoring and controlling a vast range of functions via a single
interface, security tasks can be performed more effectively and efficiently – with
no switching between multiple tools and consoles.
9
 Kill process
Prevention

Delete object
Advanced
Detection Quarantine/Recover

Prevent
Collect Visibility & Incident
Forensic Data Monitoring Response Run a script/program

Threat Hunting

Full visibility and accurate detection are only a part of the battle. The very nature of
targeted attacks means that attackers will come back with new tools and techniques.
If an emergency occurs, the cybersecurity team might need a trusted partner with the
relevant skills and experience, as well as honing in-house skills.

Kaspersky's Incident Response Service includes:

• Incident assessment. Initial analysis of an incident – rapidly delivered to help

you minimise the damage to your business (the analysis can be performed on-
site or remotely).

• Evidence collection. For example, gathering hard disk drive images, memory
dumps, network traces and other information that’s relevant to the incident

• Forensic analysis. Detailed analysis to help establish information about:

–– What was attacked
–– Who carried out the attack
–– The period during which your business was attacked
–– Where the attack originated
–– Why your business was attacked
–– How the attack was implemented

• Malware analysis. Detailed analysis of malware that was used as part of the attack.

• Remediation plan. A detailed plan that will help your business to prevent the
malware propagating across more of your network – plus help you create
an uninstallation plan.

• Investigation report. A detailed report that includes information about

the incident investigation and remediation.

If your own security team is able to carry out many of the incident response
tasks, you may wish to use one of Kaspersky's other services:

• Malware Analysis Service – subjects the malware your team has isolated
to detailed analysis.

• Digital Forensics Service – analyses digital evidence & incident effects

gathered by your team.

10
 Prediction – doing more to guard
against future threats
With the threat landscape constantly changing, your security strategy must
continually evolve to meet new challenges.

Security isn’t a ‘one-off activity’ – it’s an ongoing process that calls for
continuous assessment of:

• The latest threats

• The effectiveness of your IT security

… so your business can adapt to new risks and changing demands.

Global Threat Intelligence Access with Kaspersky Lab

Intelligence A provider Context-rich, Delivery formats

with a global with a track record immidiately and mechanisms
reach providing in spotting new actionable that allow
the broadest Threat indicators intelligence easy integration
attack visibility early into existing
security controls

Having access to experts that can keep you updated on the global threat landscape – and
help you to test your systems and your existing defenses – is a vital element in helping
your organisation to adapt and keep pace with new security threats.

Over the years, our global security experts have amassed a vast amount of knowledge
about how advanced and targeted attacks work – and they’re constantly analysing new
attack techniques. This hard-won expertise means they’re uniquely placed to predict
new attack methods and help you to be ready to combat them.

In addition, they can offer specialised services to help you ‘harden’ your IT infrastructure:
• Penetration Testing Services – to help you assess the effectiveness of your
current security provisions
• Application Security Assessment Services – to help you find software
vulnerabilities… before the cybercriminals do
• Advanced Cybersecurity Training – to help train your own experts and build
your own Security Operations Center
• Intelligence Reporting and Customised Threat Reporting – to help keep you
updated on today’s constantly changing threat landscape
• Threat Lookup portal – access to Kaspersky Lab intelligence global database
to help empower your malware researches.

11
Kaspersky Adaptive Security Strategy founded on the most viable security architecture
described by Gartner. Kaspersky Lab approach providing cycle of activities in four key
areas: Prevent, Detect, Respond and Predict. Essentially, it assumes that traditional
prevention systems should function in connection with detection technologies,
threat analytics, response capabilities and predictive security techniques. This
helps to create a cybersecurity system that continuously adapts and responds
to the emerging enterprise challenges.

Adopting Kaspersky Lab’s Threat Management and Defense solution means:

1. Moving from a reactive security model to a proactive model based on risk

management, continuous monitoring, more informed incident response and
threat hunting capabilities

2. Your operational framework streamlines day-to-day security processes and

boosts security effectiveness through a multi-layered defense model that
prevents and detects advanced threats at each stage of the attack.

3. One integrated platform reduces the security alerts that overwhelm most
security teams by providing threat intelligence-based context and prioritisation
to alerts as well as improving tactical responses by sharing threats knowledge,
deep expertise and providing security intelligence services.

4. This environment provides security analysts with visibility of all attack stages in
a unified way, enabling seamless threat analysis and confident investigation of
both known and unknown threats before they impact the business.

5. Global Threat Intelligence sharing through APT and threat intelligence portals
provides unique proactive insights into the motives and intentions of your
adversaries so you can prioritise policies and security investment planning
accordingly.

A world of expertise in Kaspersky Lab

Technologies
The effectiveness of Kaspersky Lab products is proven on a regular basis
by the results of independent testing. In 2019, the company headed the Top 3
rating of security solution manufacturers. According to the results of 86 different
tests performed by respected test organisations in several countries,
Kaspersky Lab solutions finished in the Top 3 in 91% of tests and topped the rating
on 72 occasions. This is undeniable proof that Kaspersky Lab provides the industry’s
best protection.

12
Proven solution against advanced threats
During 2019, our Kaspersky Anti-Targeted Attack Platform (as a part of Threat Management
and Defense solution) has continued to participate in ICSA Lab tests.

The latest tests lasted for 37 days and consisted of 585 attacks and 519 clean files. KATA
demonstrated excellent results:

• Perfect detection rate – 100% (ZERO missed samples)

• Lowest possible false positive rate – 0%
• Achieved ‘Certified’ status

Here are a few quotes from the resulting report issued by ICSA on 7th July 2019:

• ‘Kaspersky’s solution did remarkably well during this test cycle’

• ‘The Kaspersky Lab KATA platform detected 100.0% of the threats it encountered during
testing, considerably better than the percentage required for certification.’
• ‘Kaspersky Labs’ KATA demonstrated excellent threat detection effectiveness against nearly
600 new and little-known threats.’
• ‘Regardless of how new or how old the threat, the Kaspersky KATA platform detected all
new and little-known malicious threats.’
• ‘The Kaspersky KATA platform had zero false positives during this test cycle, which is
excellent.’
• ‘Kaspersky Labs’ KATA advanced threat defense solution passed all the test cases to retain
ICSA Labs Advanced Threat Defense Certification. Successful completion of this test cycle
marks Kaspersky Labs’ 3rd consecutive quarter having met the ICSA Labs ATD certification
testing criteria.’

NOTE: ICSA testing methodology is dynamic and changes from quarter to quarter. The
test itself is a continuously evolving simulation of a real environment and attack
methods. The level of security is not measured at one given moment but over an
extensive period (more than 30 days) of continuous operation under numerous attacks.
In this way, the test aims to showcase the efficiency and effectiveness of
a solution from a user standpoint.

For several years the Radicati Group conduct independent analysis of the Market for
APT Protection Solutions Revealing Top Players, Trail Blazers, Specialists
and Mature Players. In the result of the market analysis, Kaspersky Lab’s approach of
countering targeted attacks and advanced threats were evaluated with an excellent
side.

In 2019 Kaspersky solution significantly improved its position with a major move from
Specialists to Trail Blazing leader.

Trail Blazing vendors offer advanced, best of breed technology, in some areas
of their solutions, but don’t necessarily have all the features and functionality
that would position them as Top Players. Trail Blazers, however, have the potential for
“disrupting” the market with new technology or new delivery models. In time, these
vendors are most likely to grow into Top Players.

«The Kaspersky Anti Targeted Attack Platform provides advanced threat and targeted
attack detection across all layers of a targeted attack – initial infection, command and
control communications, and lateral movements and data exfiltration»

13