KL 002.12.1 KSC Kes Student Guide Unit4 en v0.6


KL 002.12.1: Kaspersky Endpoint Security and Management.

Unit IV. EDR Optimum

KL 002.12.1 Kaspersky Endpoint Security and Management

Unit IV. EDR Optimum

Student Guide
1
Table of contents

1. General ................................................................................................................................................ 2
1.1 What EPP solutions lack .................................................................................................................. 2
1.2 Expanding capabilities of Kaspersky Endpoint Security for Business ............................................. 3
1.3 Licensing........................................................................................................................................... 5
2. Deployment ....................................................................................................................................... 6
2.1 Deployment plan ............................................................................................................................... 6
2.2 Configure displaying EDR alerts in the Kaspersky Security Center Web Console .......................... 7
Configure report on threats............................................................................................................... 7
Enable displaying alerts .................................................................................................................... 8
Add a widget ..................................................................................................................................... 8
2.3 Modify the Kaspersky Endpoint Security components ..................................................................... 9
2.4 Activate EDR Optimum ...................................................................................................................10
2.5 Enable Kaspersky Endpoint Detection and Response ...................................................................11
3. Incident response ...........................................................................................................................11
3.1 How to respond to an alert .............................................................................................................11
3.2 Alert details .....................................................................................................................................13
Enriched events ..............................................................................................................................14
Requirements for creating an alert card .........................................................................................16
Information about the detected object ............................................................................................16
Information about created files .......................................................................................................18
Information about injections and network connections ..................................................................19
Information about registry changes ................................................................................................20
Information about the parent process .............................................................................................21
3.3 Threat containment .........................................................................................................................22
Isolate the device ............................................................................................................................22
Prevent object execution ................................................................................................................26
Quarantine a file .............................................................................................................................29
3.4 Scan computers for indicators of compromise ...............................................................................31
Create an indicator of compromise ................................................................................................31
IoC scan task ..................................................................................................................................34
View the IoC scan results ...............................................................................................................35
Creating an IoC scan task ..............................................................................................................36
Configure an IoC scan task ............................................................................................................37
3.5 Eradication ......................................................................................................................................39
How to find an isolated device ........................................................................................................40
Disable host isolation......................................................................................................................41

Acronyms and conventions

Administration Server—Kaspersky Security Center Administration Server
EDR—Endpoint Detection and Response
EPP—Endpoint Protection Platform
IoC—Indicator of compromise
KEA—Kaspersky EDR Optimum
KES—Kaspersky Endpoint Security
KSC—Kaspersky Security Center
KSC CC—Kaspersky Security Center Cloud Console
Network Agent—Kaspersky Security Center Network Agent
OpenTIP—Kaspersky Open Threat Intelligence Portal

1. General

1.1 What EPP solutions lack

Since the early 2010s and up to the present day, we have seen exponential growth in the number of
targeted attacks on various companies throughout the world and in all industries
(https://securelist.com/apt-trends-report-q1-2023/109581/, https://securelist.com/apt-trends-report-q3-2022/107787/, https://securelist.com/tag/apt/).

A targeted attack is a cyberattack that adversaries carry out to compromise a particular system or object.
Targeted attacks may have various vectors, be executed in several stages, and use legitimate software.
It is extremely difficult to detect this type of threat.

Although cybercriminals rarely view an endpoint PC as their primary target, these user computers serve
as a great starting point for an attack. Cybercriminals who manage to compromise the computer of an
ordinary user gain opportunities to expand the attack.

Kaspersky Endpoint Security for Windows effectively protects an endpoint against direct attacks, but it
does not provide all of the necessary tools to counteract sophisticated multiphase attacks.

If endpoints are only protected with Kaspersky Endpoint Security, an administrator lacks:

— Visibility—events and reports only show that a malicious object was detected and what action
Kaspersky Endpoint Security did or did not perform on that object.
This information does not let you evaluate the attack vector and understand the stage at which it
was stopped.
For example, suppose Kaspersky Endpoint Security detects and blocks an encryption attempt.
The corresponding event indicates which program encrypted the file. It will be difficult for the
administrator to figure out whether this action was legitimate or malicious. It will also be
impossible for the administrator to track down the entire chain of events that preceded this
action.
In this case, an attack vector is the sequence of actions and changes in the system that make up
the attack.
— Analysis tools—to determine the priority of an incident and the response procedure, you have to
figure out at which stage the attack was detected by Kaspersky Endpoint Security (infiltration,
propagation, or target execution). A cybersecurity expert will usually have to acquire information
from additional sources, such as logs from the attacked computer, third-party utilities, etc. This is
not very convenient and complicates incident response measures.
— Response mechanisms—Kaspersky Endpoint Security does not enable specialists to scrutinize
an incident and quickly respond.

As a result, even if a threat is detected and blocked, the administrator cannot be fully confident that all is
well in the system, i.e. that the attack is completely neutralized, all its consequences have been
eliminated, there are no unauthorized changes in operating systems or applications, and no data has
leaked.

1.2 Expanding capabilities of Kaspersky Endpoint Security for Business

Kaspersky Endpoint Detection and Response Optimum is a Kaspersky product that requires a
corresponding license.

Functionally, Kaspersky Endpoint Detection and Response Optimum extends the capabilities of the
Kaspersky Endpoint Security for Business solution.
Kaspersky EDR Optimum enables specialists to:
— Analyze the causes of an incident.
— Contain threats:
  — Isolate hosts.
  — Block suspicious objects.
— Respond to threats in real time:
  — Get a file from an endpoint device for additional analysis.
  — Delete a file.
  — Quarantine a file.
  — Remotely terminate a process.
  — Run a program to further clean up a computer.
— Create and search for indicators of compromise (IoC).

Kaspersky EDR Optimum is a Kaspersky Endpoint Security component.

Kaspersky Security Center provides centralized management, while Kaspersky Endpoint Security
installed on endpoints automatically detects and neutralizes threats.

Kaspersky EDR Optimum:

— Gathers additional information about the detection of a threat. Administrators and analysts can
analyze this information, which is presented as an incident card, through the Kaspersky Security
Center Web Console. This helps clarify what was happening on the endpoint device before the
detection event occurred, and whether additional response measures should be taken.
— Provides threat containment measures. The administrator can:
  — Isolate the endpoint from the network.
  — Quarantine detected objects for further analysis.
  — Prevent execution of executable files, scripts, or documents.
— Creates IoC Scan tasks to find indicators of compromise on managed devices. The administrator
can create IoCs based on data obtained from telemetry, or use external resources that publish
information about IoCs (for example, securelist.com or other public sources).
IoC Scan tasks let you configure automatic response actions that Kaspersky EDR Optimum will
perform if it detects indicators of compromise:
  — Run an additional scan of the computer using Kaspersky Endpoint Security for Windows.
  — Quarantine a file.
  — Isolate the computer from the network.

1.3 Licensing

Kaspersky EDR Optimum requires a corresponding license.

Kaspersky EDR Optimum offers the same capabilities as Kaspersky Endpoint Security for Business
Advanced and also includes EDR tools.

2. Deployment

2.1 Deployment plan

If Kaspersky Endpoint Security for Business has already been deployed on the company's network, but
Kaspersky EDR Optimum 2.3 hasn’t been added to the installation package, deploy as follows:
1. Configure the Kaspersky Security Center Web Console:
  — Add the Component and Open Alert fields to the Report on threats to display the
component that detected a threat and the button for proceeding to the incident card.
  — Enable the display of EDR alerts in the Monitoring & Reporting section of the side menu.
  — Add the Alerts widget to the dashboard.
2. Create the Change application components task to add the Endpoint Detection and
Response Optimum component to the already installed version.
3. Add the Kaspersky EDR Optimum activation code or key file to the storage on the KSC
Administration Server and enable automatic distribution for it.
4. Enable the Endpoint Detection and Response component in the Kaspersky Endpoint Security
policy.

If Kaspersky Endpoint Security for Business is not yet installed on the enterprise network, use this same
deployment plan but instead of creating the Change application components task at step 2, change the
contents of the Kaspersky Endpoint Security installation package and add the Endpoint Detection and
Response Optimum component. This procedure was discussed in the first part of this course.

To deploy Kaspersky EDR Optimum, you only need to install and configure the Endpoint Detection and
Response Optimum component; no other actions are required. For example, you do not need to open
additional ports on firewalls to ensure the solution is operational.

2.2 Configure displaying EDR alerts in the Kaspersky Security Center Web Console

Configure report on threats

You can find all detection events of Kaspersky Endpoint Security in the Report on threats. The
administrator can view the report under Monitoring & Reporting | Reports.

After installation and activation of Kaspersky EDR Optimum, new detection events are enriched with
additional information.

To be able to open event details from the Report on threats, add the Open alert field to the report:
1. Switch to Monitoring & Reporting | Reports.
2. Select Report on threats and click Open report template properties.
3. Switch to the Fields tab.
4. Click Add.
5. In the Field name drop-down list, select Open alert.
If the list does not contain the corresponding field, this means that it was already added and
should appear in the report.
6. Add the Component field in a similar manner.
7. Use the Move up button to move the added fields to the top of the list.

In the Open alert column, you will see the View alert link for enriched events. You can follow this link and
view the detection event details.

In the Component column, you can see the component that detected the threat.

Old detection events—those that had been logged before Kaspersky EDR Optimum was activated or
installed—will not be enriched.

Enable displaying alerts

All detection events are also displayed in Monitoring & Reporting | Alerts. However, this section is
hidden in the Kaspersky Security Center Web Console interface by default.

To enable displaying the Alerts section:
1. Open KSC\<<User name under which you have connected to the Administration Server>> |
Interface options.
2. Enable the Show EDR alerts option.

The list will contain all events, including enriched ones. In the Enrichment and response column, an
enriched event will have a More details link. Click it to view the detection details.

Add a widget

You can also display the Alerts widget on the Kaspersky Security Center dashboard. The widget
displays:
— Total event counter
— Number of enriched events
— Number of simple events

Unit IV of this course provides details on how to work with the dashboard and how to add widgets.

2.3 Modify the Kaspersky Endpoint Security components

To install Kaspersky EDR Optimum on computers where Kaspersky Endpoint Security for Business is
already running, create a Change application components task.
Then open its properties, go to Application settings, and select the Endpoint Detection and Response
Optimum component. Then start the task and wait for it to complete successfully.

To install Kaspersky EDR Optimum on computers where Kaspersky Endpoint Security for Business is not
yet deployed, modify the installation package. Open the installation package of Kaspersky Endpoint
Security and select the Endpoint Detection and Response Optimum component.

2.4 Activate EDR Optimum

Kaspersky EDR Optimum requires a special license. You can activate it with a key or code. This is
described in more detail in Unit I of this course.

2.5 Enable Kaspersky Endpoint Detection and Response

Kaspersky Endpoint Detection and Response is disabled in the Kaspersky Endpoint Security policy by
default. Therefore, after installing the component on the managed devices, you need to:
1. Open the properties of the Kaspersky Endpoint Security policy.
2. Switch to the Application Settings tab and open Detection and Response.
3. Open the Endpoint Detection and Response settings and enable the component.

3. Incident response

3.1 How to respond to an alert

We have an enriched detection event and know where to view its details in the Kaspersky
Security Center Web Console.

Before we get into the details of a detection event, let's first examine the response diagram. This diagram
will help us clearly understand the following:
— Where we are
— What has happened already
— What to do next

However, this only shows a general scenario of response actions. In practice, each organization must
have its own plans and scenarios for handling security incidents. These plans must account for a
multitude of details, including:
— Event type and classification
— Specifics of the company’s business processes
— Nuances of network architecture
— Capabilities of IT security specialists
— Security applications in use

A response to a detection event includes the following stages:
— Analysis of alert details
— Investigation
— Threat containment
— Scanning other computers on the network for indicators of compromise
— Threat eradication and network recovery
— Closing the incident

When analyzing detection details, you need to:
— Classify the incident—determine whether the detected activity is legitimate.
If the activity is not legitimate and therefore is potentially malicious:
  — Identify the source of the attack and the stage when it was detected.
  — Identify the devices that have already been affected or could be affected by this attack.
— Determine the incident priority—depending on the incident priority, you must determine a plan
of action and assign an expert or group of experts who will investigate and handle the incident.
Experts begin the investigation by studying the gathered detection details, and use the detected
indicators of compromise to gather more information.

During their investigation, experts contain the threat by doing the following:
— Isolate hosts where suspicious activity was detected.
— Prevent execution of suspicious executable files, documents, or scripts on network computers.
— Send suspicious files to Quarantine so that they cannot cause more harm before the investigation
is complete.

After the investigation, the workgroup decides whether they can close the incident or if they first need to
eliminate threats and recover from the attack by doing the following:
— Kill malicious processes.
— Delete objects.
— Run certain commands on hosts.
— Restore the connectivity of isolated hosts.
— Restore legitimate files from quarantine.
— Take other recovery actions.

3.2 Alert details

You can find all Kaspersky Endpoint Security detection events in the Report on threats in Monitoring &
Reporting | Reports. As soon as the Endpoint Detection and Response Optimum component is
installed and enabled, new detection events will be enriched with additional information. The View alert
link appears in the Open alert column. Click it to view the detection details.

Old detection events—those that had been logged before the Endpoint Detection and Response
Optimum component was enabled or installed—will not be enriched.

All detection events are also displayed in Monitoring & Reporting | Alerts. In the Enrichment and
response column, an enriched event will have a More details link. Click it to view the detection details.

Enriched events

An enriched event or incident card includes the following:
— Action that Kaspersky Endpoint Security applied to the threat
— Chain of malicious events in the form of a graph
— Information about the detection
— Information about the device where the threat was detected
— Information about the malicious process
— Information about the detected object
— Data from Kaspersky Open Threat Intelligence Portal
— History of files appearing on the device

The upper part of the card displays the threat status, i.e. whether it has been blocked.

Below the action, there is a graph that visualizes the chain of detected malicious processes. The graph
shows the activity of these processes, such as creating files, establishing connections, or modifying the
registry. The object originally detected by a protection technology is marked with a red icon.

The incident card located below provides various information about the detected object, such as:
— Name of the object and its location on the target device
— Category
— Detection time

Information about the device is also included:
— Domain name of the computer
— IP address
— MAC address
— Operating system
— Device location in the hierarchy of groups in Kaspersky Security Center

You can view details about the process responsible for the malicious object:
— Execution parameters
— Process identifier (ID)
— Privilege level and other information

The incident card displays concise information on the detected object from the Kaspersky Open Threat
Intelligence portal. You can click the Look up on the portal link and proceed to the portal to view
additional details.

At the bottom of the incident card, there is information indicating where the malicious file was downloaded
from (if available).

Detection details are stored on the administration server for 30 days and then deleted.
You can view alert details regardless of whether the device for which the enriched event was generated is
currently online.

If the size of the details of a detection event does not exceed 1 MB, they will be stored on the
administration server. If it exceeds 1 MB, some of the information will be stored on the administration
server, and some on the managed device.

Requirements for creating an alert card

The Endpoint Detection and Response Optimum component does not generate detection events. It
enriches detection events of other Kaspersky Endpoint Security components with telemetry data and
creates an alert card.

Kaspersky EDR Optimum creates an incident card for detection events generated by the following
components:
— File Threat Protection
— Web Threat Protection
— Mail Threat Protection
— Exploit Prevention
— Behavior Detection
— Host Intrusion Prevention
— Remediation Engine
— Adaptive Anomaly Control

Kaspersky EDR Optimum also creates an incident card if an object was detected by the Malware scan
task.

Kaspersky EDR Optimum version 2.3 does not require any other Kaspersky Endpoint Security
components to be installed. All the necessary drivers are installed on the system with the Endpoint
Detection and Response Optimum component.

Information about the detected object

The first thing to pay attention to is the threat status. In our case, we can see that Kaspersky Endpoint
Security successfully blocked the threat because the status is Success: Blocked.

Next, analyze which executable files were involved in the attack.

To simplify incident analysis, the detected object icon is colored red.

Click an object in the threat formation chain to view detailed information about the file.

The following data is displayed:
— Execution date and time
— Used command line parameters. This part can be useful if a script was executed implicitly
through PowerShell or other interpreters.
— Process identifier (PID)
— Process’s integrity level, which reveals the privileges it was run with. The High integrity level means that
the process was started with full administrator permissions.
— Information about the user who started the detected object
— MD5 and SHA256 checksums of the file
— Trust group of the file according to the Kaspersky classification

To view information about a detected file in the OpenTIP portal, click its MD5 or SHA256 checksum or the
Look up on the portal link.

If the file has been detected for the first time or little information is available about it, it may mean that the
file is either a source of a targeted attack or a new, previously unknown threat. Lack of information about
a threat is always extremely dangerous. If your incident investigation results in the detection of files that
were never previously encountered by Kaspersky experts, you are advised to elevate the incident's priority
to the top level.

If you doubt whether a file is legitimate, consult the OpenTIP portal.

If a file is a known threat, the OpenTIP portal will show the following detailed information:
— When the file was discovered for the first time
— File format
— File size
— Threat name

Information about created files

As you continue to explore details of the detected malicious activity, you can see what files it created. To
do so, click the File drop icon. The list of created files will open. Each file can be examined individually.

You should analyze these files too, because they can spread the threat within the organization, facilitate
data leaks, or start a malicious file when the system boots.

Information about injections and network connections

Information about injections typically shows executable files related to the attack. This information can be
useful when checking if any of these files remain on the target device.

The network connections that were established during the attack are also important. To view them, click
the Network connection icon.

You can check:
— Date and time when each connection was established
— Local and remote address and connection port. You can analyze the network connection log on
the proxy server to find out which other devices connected to the same address and the same
port. This will give you a list of devices that may have been compromised.

The web address, referrer, user agent, and request type (GET/POST) will only be displayed if the request
was made using HTTP.
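
The proxy-log pivot described above, as an added example that is not part of the original guide: given the remote address and port read off the alert card, it lists every other device in a proxy access log that reached the same address on the same port, which is the candidate list for an IoC scan. It assumes a Squid-style access.log; the log lines, client hosts and remote addresses are constructed for this example.

```python
"""Pivot from an alert card's remote address:port to other clients in a proxy log.

Constructed example for this unit (not code from the Kaspersky guide). Assumptions:
the proxy writes Squid native access.log lines, the peer IP is taken from the
HIER_DIRECT/<ip> field, and the sample log below is made up.
"""
from __future__ import annotations

from collections.abc import Iterable
from dataclasses import dataclass
from datetime import datetime, timezone
from urllib.parse import urlsplit

# Constructed sample log (Squid native format):
# <unix_ts> <elapsed_ms> <client_ip> <result/status> <bytes> <method> <url> <user> <hier/peer_ip> <mime>
# 10.0.12.31 is the host that raised the alert; 203.0.113.7:8080 is the address:port on its card.
SAMPLE_LOG = """\
1700000001.120    45 10.0.12.31 TCP_MISS/200 1432 GET http://203.0.113.7:8080/update.php - HIER_DIRECT/203.0.113.7 text/html
1700000002.004    12 10.0.12.31 TCP_MISS/200 9812 GET http://www.example.com/ - HIER_DIRECT/93.184.216.34 text/html
1700000003.550    40 10.0.12.44 TCP_MISS/200 1432 GET http://203.0.113.7:8080/update.php - HIER_DIRECT/203.0.113.7 text/html
1700000004.010   210 10.0.12.44 TCP_TUNNEL/200 5120 CONNECT 203.0.113.7:443 - HIER_DIRECT/203.0.113.7 -
1700000005.300    33 10.0.12.57 TCP_MISS/200 1432 GET http://203.0.113.7:8080/update.php - HIER_DIRECT/203.0.113.7 text/html
1700000006.800    30 10.0.12.60 TCP_MISS/200 2048 GET http://203.0.113.7/ - HIER_DIRECT/203.0.113.7 text/html
1700000007.100    20 10.0.12.57 TCP_MISS/404  512 POST http://203.0.113.7:8080/beacon - HIER_DIRECT/203.0.113.7 text/html
"""


@dataclass(frozen=True)
class ProxyRecord:
    ts: datetime
    client_ip: str
    method: str      # GET/POST is visible only for plain HTTP; CONNECT means a TLS tunnel
    url: str
    remote_ip: str
    remote_port: int


def _port_from_request(method: str, url: str) -> int | None:
    """Recover the destination port: explicit in CONNECT host:port, otherwise from the URL."""
    if method == "CONNECT":
        _, _, port = url.rpartition(":")
        return int(port) if port.isdigit() else 443
    parts = urlsplit(url)
    if parts.port is not None:
        return parts.port
    return {"http": 80, "https": 443}.get(parts.scheme)


def parse_squid_line(line: str) -> ProxyRecord | None:
    """Parse one Squid native access.log line; return None for lines that cannot be used."""
    fields = line.split()
    if len(fields) < 9:
        return None
    hier = fields[8]
    remote_ip = hier.split("/", 1)[1] if "/" in hier else ""
    port = _port_from_request(fields[5], fields[6])
    if not remote_ip or remote_ip == "-" or port is None:
        return None
    return ProxyRecord(
        ts=datetime.fromtimestamp(float(fields[0]), tz=timezone.utc),
        client_ip=fields[2],
        method=fields[5],
        url=fields[6],
        remote_ip=remote_ip,
        remote_port=port,
    )


def parse_log(text: str) -> list[ProxyRecord]:
    records = (parse_squid_line(line) for line in text.splitlines() if line.strip())
    return [r for r in records if r is not None]


def pivot_on_remote(records: Iterable[ProxyRecord], remote_ip: str, remote_port: int,
                    alerting_host: str | None = None) -> dict[str, int]:
    """Map each OTHER client that reached remote_ip:remote_port to its request count.

    The alerting host is excluded because its alert card already covers it. The port
    must match as well: the same address on a different port is a different service,
    which is why the guide pivots on address AND port.
    """
    hits: dict[str, int] = {}
    for r in records:
        if r.remote_ip == remote_ip and r.remote_port == remote_port and r.client_ip != alerting_host:
            hits[r.client_ip] = hits.get(r.client_ip, 0) + 1
    return hits


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    # Address and port as they would be read off the alert card (constructed values).
    for host, count in sorted(pivot_on_remote(recs, "203.0.113.7", 8080, "10.0.12.31").items()):
        print(f"{host}: {count} request(s) to 203.0.113.7:8080 -> candidate for an IoC scan")
```

In the sample, the host that only reached 203.0.113.7 on port 80 and the CONNECT to port 443 are left out of the 8080 pivot, so each candidate list stays tied to the exact service the malicious process used.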

You can find additional information about a detected address in the OpenTIP portal:
— Reputation of the remote address
— Popularity of the remote address
— When it first appeared on the internet
— Who registered it and where

A bad reputation means that the address has already been involved in illegitimate activities. Detailed
information about an address will help you understand the range of threats that were delivered
through this resource. This will help you promptly estimate the risks related to this malicious activity for
your corporate assets and network.

Pay special attention to the time when the address first appeared on the internet. All newly created
addresses should be treated with particular care, because they may indicate a targeted attack for which
the address was specifically created.

Information about registry changes

Detection details also include information about the created keys and changes in the registry performed
by malicious processes. To open a list of all changes, click the Registry icon. You can click each object
to view detailed information.

Many locations in the registry can contain instructions to run objects at every stage of operating system
startup.

When analyzing changes in the registry, we recommend that you pay the utmost attention to keys that
have the yes value in the Autorun point field. Such a key ensures that the file starts automatically. Malware
often modifies the registry to launch its objects.

These objects may even be legitimate software with a good reputation. Cybercriminals exploit their good
reputation to conduct a specific stage of an attack and make it as difficult as possible for protection tools
to detect any malicious activity.

Information about the parent process

When investigating details of a detection event, you can also check whether parent processes are related
to the attack and whether they are suspicious or malicious.

If the parent process is Windows Explorer, a web browser, or an email application, the user most likely
carelessly executed a malicious file.

If the parent process is a file about which little is known, it may indicate a new unknown threat and be a
reason to proceed to threat containment.

3.3 Threat containment

After completing a threat analysis, the next stage is threat containment.


d

To prevent a threat from moving on to other corporate devices, we recommend that you perform the
e

following actions:
— Isolate the compromised devices from the network.
pi

— Prevent execution of the objects related to the attack.


— Quarantine suspicious files.
— If necessary, retrieve objects for further analysis.
co

In practice, some containment actions should be taken almost immediately, before detailed analysis is
completed.

For example, if initial analysis of event details shows that the device is attempting to establish numerous
network connections, or download or upload something, it makes sense to immediately isolate the device
from the network and prevent the execution of objects. Endpoint Detection and Response Optimum
lets you do this quickly and easily right from the alert card.

Isolate the device


The administrator does not need to use third-party tools or switch between consoles to begin containing a
threat, because the most important commands are available in the detection card.

The Isolate computer from the network button enables isolation of a device and maximally restricts its
network activity. Isolation is performed by the tools available in Endpoint Detection and Response
Optimum. On the isolated device, Kaspersky Endpoint Security will show the user a notification indicating
that the computer has been isolated from the network.

Endpoint Detection and Response Optimum does not block all connections.
The component contains a set of exclusions for the following:
— DNS requests
— DHCP protocol
— Requests sent to the RPC Endpoint Mapper service
— MADCAP protocol
— Processes that pertain to the following Kaspersky applications:
  — Kaspersky Security Center
  — Kaspersky Security Center Network Agent
  — Kaspersky Endpoint Security

The administrator can also add custom exclusions.

You can create exclusions in several places in Kaspersky Security Center Web Console:
— In the Kaspersky Endpoint Security for Windows policy
— In the device tasks


Kaspersky EDR Optimum applies exclusions from the policy when the device is isolated during
an automatic response action.
— For example, this can happen if you have started an IoC scan task and configured isolation as a
response action. If Kaspersky EDR Optimum detects an indicator of compromise on a device, it
isolates the device from the network and allows only the connections that are configured in the
Kaspersky Endpoint Security policy.
— We will discuss how to work with IoC scan tasks later in this unit.

If you isolate a device from the network by clicking the Isolate computer from the network button in the
incident card or in the device properties, Kaspersky EDR Optimum allows the device to establish the
connections that are configured in the Network isolation task for this device.

The policy and the network isolation task provide the same user interface for configuring exclusion rules.


You can change or delete any rules that the exclusion list contains by default. You can also add new
rules:
— Add a set of rules from a profile
— Configure new rules

To add rules from a profile, click Add from profile.

The set of exclusion rules preconfigured in a profile is based on Microsoft recommendations for various
Microsoft services and solutions, such as Active Directory Domain Services, Microsoft SQL Server,
Hyper-V, Remote Desktop Services, etc.

If you need to connect to an isolated device using RDP or run a program on it when investigating an
incident, simply add Remote Desktop Services and Remote Procedure Call exclusions to the profile.

If the predefined rules are insufficient, you can create custom exclusions for connections over specific
protocols and ports or for all connections established by the specified applications. To do so, click Add.

A rule lets you configure the following settings:
— Connection direction—inbound, outbound, or inbound/outbound.
— Protocol—select a protocol from the list. Alternatively, you can apply the rule to any protocols or
specify a custom protocol.
— Set local and remote ports and a remote connection address.
— Create a list of applications that the rule will be applied to.
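As an added illustration (not code from the course or from Kaspersky), the following Python models how an exclusion rule with the settings above decides whether an isolated device may make a given connection. The built-in exclusions are modelled from the list earlier in this section; all port numbers, process names and addresses are constructed assumptions, not the product's actual values.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed model of one network-isolation exclusion rule with the
# settings the course lists. Field names are my own, not the product's.
@dataclass(frozen=True)
class ExclusionRule:
    name: str
    direction: str = "both"                 # "inbound", "outbound" or "both"
    protocol: str = "any"                   # "tcp", "udp" or "any"
    local_ports: frozenset = frozenset()    # empty set = any port
    remote_ports: frozenset = frozenset()
    remote_net: str = ""                    # CIDR; empty = any address
    applications: frozenset = frozenset()   # process names; empty = any

@dataclass(frozen=True)
class Connection:
    direction: str
    protocol: str
    local_port: int
    remote_port: int
    remote_addr: str
    application: str

def rule_matches(rule: ExclusionRule, c: Connection) -> bool:
    """A rule covers a connection when every field it constrains agrees."""
    if rule.direction != "both" and rule.direction != c.direction:
        return False
    if rule.protocol != "any" and rule.protocol != c.protocol:
        return False
    if rule.local_ports and c.local_port not in rule.local_ports:
        return False
    if rule.remote_ports and c.remote_port not in rule.remote_ports:
        return False
    if rule.remote_net and ip_address(c.remote_addr) not in ip_network(rule.remote_net):
        return False
    if rule.applications and c.application.lower() not in rule.applications:
        return False
    return True

# The built-in exclusions named in the course, modelled as rules. Ports and
# process names are assumptions made for this example.
DEFAULT_EXCLUSIONS = (
    ExclusionRule("DNS", protocol="udp", remote_ports=frozenset({53})),
    ExclusionRule("DHCP", protocol="udp", local_ports=frozenset({68}),
                  remote_ports=frozenset({67})),
    ExclusionRule("RPC Endpoint Mapper", protocol="tcp", remote_ports=frozenset({135})),
    ExclusionRule("MADCAP", protocol="udp", remote_ports=frozenset({2535})),
    ExclusionRule("Kaspersky processes",
                  applications=frozenset({"kes_process.exe", "nagent_process.exe"})),
)

def is_allowed(c: Connection, custom_rules=()) -> bool:
    """An isolated device may only open connections covered by some exclusion."""
    return any(rule_matches(r, c) for r in (*DEFAULT_EXCLUSIONS, *custom_rules))

# A custom exclusion an analyst adds to reach the isolated host over RDP,
# but only from the incident-response subnet (addresses are constructed).
RDP_FROM_IR = ExclusionRule("RDP from IR subnet", direction="inbound", protocol="tcp",
                            local_ports=frozenset({3389}), remote_net="10.10.50.0/24")

def demo():
    rdp_ir = Connection("inbound", "tcp", 3389, 51234, "10.10.50.7", "svchost.exe")
    rdp_other = Connection("inbound", "tcp", 3389, 51234, "10.10.90.7", "svchost.exe")
    beacon = Connection("outbound", "tcp", 49152, 443, "203.0.113.10", "plzib.exe")
    dns = Connection("outbound", "udp", 49153, 53, "10.0.0.2", "svchost.exe")
    return [is_allowed(rdp_ir, [RDP_FROM_IR]), is_allowed(rdp_other, [RDP_FROM_IR]),
            is_allowed(beacon, [RDP_FROM_IR]), is_allowed(dns)]
```

Note that the narrower the custom rule (direction, port and source subnet all set), the less of the isolation it gives up; the outbound connection of the detected process stays blocked because no exclusion covers it.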

The Kaspersky Endpoint Security policy determines the duration of device isolation if the device is
isolated during an automatic response action.

If the device is manually isolated, the duration of isolation is determined in the settings of the Network
isolation task for the device.

By default, a device is isolated for 8 hours. We recommend that you do not decrease this time so that a
device remains isolated until specialists complete their investigation and handle the threat.

Prevent object execution



Files that were detected during an attack can be prevented from running on endpoint devices. This is
accomplished by clicking the Prevent execution button in the file details pane, which will create the
relevant prevention rule in the Kaspersky Endpoint Security policy.

A rule created from an alert card has the prefix “[KillChain] md5” in its name. By default, a prevention
rule uses the file’s MD5 checksum.

In this example, the prevention rule makes sense even though the protection solution detected and killed
the process.

The malicious activity detection details show that the executable file sw_test.exe (not detected) is the
parent process that started the plzib.exe child process, which was detected.

This means that the protection application detects a malicious file only when it performs suspicious
activities rather than every time it starts. Since this file can perform malicious actions, it is best not to let it
run at all.

To ensure that a prevention rule works properly:
1. Enable Execution prevention in the Kaspersky Endpoint Security policy.
2. Select Block and write to report.
3. Close the lock in the Exploit Prevention area.

By default, execution prevention is disabled and the Log events only option is selected.

To create custom prevention rules, click Add in the Execution Prevention area.

Existing rules can be deleted, disabled, enabled, and modified.



A rule lets you block:
— Executable files
— Scripts
— Microsoft Office documents

You can block an object based on its checksum (MD5, SHA256) and/or path.
If a user attempts to run a file that matches a prevention rule, Kaspersky Endpoint Security shows a
blocking message and the operating system shows a notification indicating that the file cannot be
accessed.


Quarantine a file

It makes sense to quarantine files that the security application does not consider to be dangerous but
which appear to be neither a part of the operating system nor well-known software.

Typically, these files lack a digital signature and are unpopular according to the OpenTIP portal.

When you quarantine a file, it is moved from its original folder to a special encrypted local storage of
Kaspersky Endpoint Security. This prevents the user and any process from running it again. However, if
the investigation shows that the file is not dangerous, you can restore it from the quarantine to the original
folder.

To quarantine a file from an alert card:


1. Click the file name to open the details pane.
2. Click Move to Quarantine.

Only files that have a checksum can be quarantined in this manner.

Kaspersky Endpoint Security calculates checksums only for executable files. To copy or move
non-executable files to the quarantine, you can manually create and run the Get file and Move file to
Quarantine tasks respectively.

The Get file and Move file to Quarantine tasks have similar settings, but they produce different results:
— Get file puts a copy of the file into quarantine, leaving the original file in place.
— Move file to Quarantine relocates the original file to quarantine, i.e. the task removes it from its
original location.

Specify the following parameters for these tasks:
— Devices where the task will run
— Full path to the file (or full path and the checksum)

Links to quarantined files are displayed on the Operations | Repositories | Quarantine page of the
Kaspersky Security Center web console. You can download these files to examine them or send them to
Kaspersky for analysis.

To download a file, select it and click Download.



3.4 Scan computers for indicators of compromise

Once a suspicious file is quarantined and its execution is prevented, you no longer need to worry about
attempts to run it on this machine.

However, you do need to check whether this suspicious file is present on other networked machines and,
if so, get rid of it.

The following tools serve this purpose:
— The Indicator of Compromise (IoC) Scan task searches computers for such files and can
automatically quarantine them.
— The Delete file, Kill process and Run program tasks allow you to deal with a dangerous object
in a targeted manner. In particular, the Run program task lets you supplement the response
tools with any third-party utilities.
— The Web Control component of Kaspersky Endpoint Security lets you block specific
connections. You can use it to block access to addresses contacted by a dangerous file (after
examining their reputation in the OpenTIP portal).

Create an indicator of compromise


IoC scanning is a very powerful tool that can help you find signs of malicious activity on your network
computers. You can create an IoC from an alert card, generate it from open-source data (securelist.com),
or receive a ready file from a third-party IoC provider.

An Indicator of Compromise (IoC) is an object (file, registry key, etc.) that indicates that the system has
been compromised. These indicators are used to detect malicious activity at its early stages and to
prevent known threats.


For example, an incident card can contain information about created files and registry keys (indicators of
compromise). It is also important to understand whether these indicators of compromise are currently
present on other computers. The presence of indicators of compromise could mean that a malicious file
has already been run on other computers in the network. For instance, these computers may have lacked
a correctly configured protection tool for recognizing and stopping such an attack.

You can easily create a description for an indicator of compromise in OpenIOC format right from the alert
card:
1. Switch to All alert events.
2. Select the objects that should be considered signs of malicious activity.
3. Click the Create IOC button.

Not all of the files displayed on an alert card are indicators of compromise. Standard Windows files may
be displayed there as well.

Kaspersky EDR Optimum automatically generates indicators of compromise in OpenIOC format from the
selected files and registry keys. A file is searched for by its MD5 checksum, while the search criteria for a
registry key include its full path, name, and value in the registry. If the console does not let you select
certain files on the All alert events list, that means that Kaspersky Security Center has no information
about their MD5 checksums.
If you select multiple objects, a single indicator will be generated for them. It will consist of separate
conditions for each object. You can combine the conditions with logical OR or AND:
— OR means that the computer will be considered compromised if it contains even one of the
selected objects.
— AND means that the computer will be considered compromised only if all of the selected objects
(files and registry keys) are found on it.

You can export the generated IoC to a file or immediately create an IoC scan task for the network
computers.
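To make the OR/AND combination concrete, here is an added Python example (not code from the course or from Kaspersky) that builds an OpenIOC document from selected files and registry keys in the way the course describes (file by MD5, registry key by path, name and value) and then evaluates it against a constructed host inventory. The OpenIOC term names and every sample hash, path and value are assumptions introduced for this illustration.

```python
import uuid
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = "http://schemas.mandiant.com/2010/ioc"  # OpenIOC 1.0 namespace

# Search terms for the two object kinds the course names: a file by MD5, a
# registry key by path, value name and value (OpenIOC term names assumed).
FILE_MD5 = ("FileItem", "FileItem/Md5sum", "md5")
REG_PATH = ("RegistryItem", "RegistryItem/Path", "string")
REG_NAME = ("RegistryItem", "RegistryItem/ValueName", "string")
REG_VALUE = ("RegistryItem", "RegistryItem/Value", "string")

def _item(parent, term, content):
    document, search, ctype = term
    item = ET.SubElement(parent, "IndicatorItem", id=str(uuid.uuid4()), condition="is")
    ET.SubElement(item, "Context", document=document, search=search, type="mir")
    ET.SubElement(item, "Content", type=ctype).text = content

def build_ioc(description, files, reg_keys, operator="OR"):
    """One OpenIOC document: a condition per selected object, joined by the
    top-level operator; each registry key is an AND group of path/name/value."""
    now = datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%S")
    ioc = ET.Element("ioc", {"xmlns": NS, "id": str(uuid.uuid4()), "last-modified": now})
    ET.SubElement(ioc, "short_description").text = description
    definition = ET.SubElement(ioc, "definition")
    top = ET.SubElement(definition, "Indicator", operator=operator, id=str(uuid.uuid4()))
    for md5 in files:
        _item(top, FILE_MD5, md5.lower())
    for path, name, value in reg_keys:
        key = ET.SubElement(top, "Indicator", operator="AND", id=str(uuid.uuid4()))
        for term, content in ((REG_PATH, path), (REG_NAME, name), (REG_VALUE, value)):
            _item(key, term, content)
    return ET.tostring(ioc, encoding="unicode")

def _local(tag): return tag.rsplit("}", 1)[-1]  # drop the namespace a parser adds

def _evaluate(node, host):
    """host: search term -> set of values seen on the computer (simplified inventory)."""
    if _local(node.tag) == "IndicatorItem":
        ctx = next(c for c in node if _local(c.tag) == "Context")
        content = next(c for c in node if _local(c.tag) == "Content")
        return content.text in host.get(ctx.get("search"), set())
    results = [_evaluate(c, host) for c in node
               if _local(c.tag) in ("Indicator", "IndicatorItem")]
    return all(results) if node.get("operator") == "AND" else any(results)

def host_compromised(ioc_xml, host):
    """Parse an OpenIOC file (ours or a third party's) and evaluate it."""
    root = ET.fromstring(ioc_xml)
    definition = next(c for c in root if _local(c.tag) == "definition")
    top = next(c for c in definition if _local(c.tag) == "Indicator")
    return _evaluate(top, host)

# Constructed sample: a hypothetical dropper MD5 and the autorun key it wrote.
MD5 = "0123456789abcdef0123456789abcdef"
RUN_KEY = (r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run", "sw_test",
           r"C:\Users\Public\sw_test.exe")

def demo():
    file_only = {"FileItem/Md5sum": {MD5}}
    both = {**file_only, "RegistryItem/Path": {RUN_KEY[0]},
            "RegistryItem/ValueName": {RUN_KEY[1]}, "RegistryItem/Value": {RUN_KEY[2]}}
    ioc_or = build_ioc("constructed: dropper OR autorun key", [MD5], [RUN_KEY], "OR")
    ioc_and = build_ioc("constructed: dropper AND autorun key", [MD5], [RUN_KEY], "AND")
    return (host_compromised(ioc_or, file_only),   # True: one object is enough
            host_compromised(ioc_and, file_only),  # False: the key is missing
            host_compromised(ioc_and, both))       # True: all objects present
```

The same file-only host is flagged by the OR indicator and cleared by the AND indicator, which is why the course recommends AND only when every selected object is genuinely required to prove compromise.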

When you create a task, you can choose which actions to perform when an IoC is detected:
— Isolate the device from the network—use this response action cautiously, since sudden isolation
may disrupt the user’s work and even the whole organization if an IoC is detected on a server.
— Scan critical areas.
— Quarantine the file.

IoC scan task

An IoC scan task created from an alert card is applied to the administration group of the host where the
threat was detected. The task’s name will start with IoC Scan from alert <threat name> <threat
detection time>.

You can create multiple tasks from a single alert card. For example, select a group of indicators that have
high validity and make a task that will quarantine the relevant files. For indicators with low validity, you
can create a task that will make the security solution scan the relevant computers for threats. All tasks
created from the same card get the same name by default: rename them to avoid confusion.

If an IoC scan task is created from an alert card, it scans only critical areas (temporary folders and
download folders of all device users) by default. You can redefine the scan area in the task properties and
select to scan specific folders on a drive, the system drive, or all drives of the device.

An IoC scan task created from an incident card is applied to the administration group of the computer
where Kaspersky Endpoint Security detected the threat.

IoC scan tasks created from an alert card are run once as soon as they are created.

View the IoC scan results

To check the task status and whether the indicators have been found on the computers, in the task
properties, switch to the Application Settings tab and open the IOC Scan Results section. There you
can find detailed results of IoC scans, i.e. the devices where indicators were detected.

Click the IOC detected link to open the list of results for the respective computer. It contains all the
indicators specified in the task. If an indicator was detected, the State column contains the matched link.
Click it to open a detailed detection card with the names of detected files (or other objects).

The detection card shows which objects on the computer matched the IoC conditions. If the IoC consists
of several groups of conditions combined with the logical OR operator, the group whose conditions match
the found files (or other objects) will be highlighted.


Creating an IoC scan task
As we discussed earlier, you can also use the incident card to create an IoC scan task for the
administration group of the computer where Kaspersky Endpoint Security detected the threat.

However, this may not always be convenient if you want to scan all computers on the network rather than
only computers in a specific group.


To configure an IoC scan task flexibly, create it manually.

To create an IoC scan task, in the Kaspersky Security Center task creation wizard, select Kaspersky
Endpoint Security for Windows in the Application drop-down list and select IoC Scan for the task type.

Configure an IoC scan task


You can import indicators of compromise in OpenIOC format into the task properties. It can be an IoC file
exported from an incident card or third-party indicators of compromise.

You can import multiple IoC files into a single task.


To add IoC files:


1. Click Redefine IOC files.
2. In the window that opens, click Add IoC files and specify the OpenIoC files.
An IoC scan task automatically recognizes what type of data to look for.

To modify the scan scope:
1. Switch to the Advanced section.
2. Click IoC documents under the FileItem type.
3. Select the Scan custom areas checkbox.
4. Click Add and specify the new scan areas.

With the default settings, the task scans critical areas on the device, meaning the temporary folders and
download folders of all users.

In this section, you can also specify a period when events were logged under the EventLogItem data
type. To do so, click the Logs and dates link and configure the relevant period. You can even select
specific Kaspersky EDR Optimum logs to be analyzed.

In the Advanced section, you can disable scanning for specific types of indicators of compromise.
However, this is not recommended because a task with this setting may fail to find certain malicious files
and the threat will remain in your network.
3.5 Eradication

The process of eradicating the effects of an infection and restoring operation of the device depends on
many factors, including the following:
— Destructive impact of the malicious activity
— Internal regulations of the company

Eradication and recovery may require a full reinstallation of the operating system and software, or a
specific set of actions, such as deleting malicious objects or cleaning the registry.

Consider the following scenario:
1. We’ve taken some actions to eliminate an infection without reinstalling the operating system.
2. We isolated the device from the enterprise network before we began conducting a detailed
analysis and subsequent response.
3. Now we are certain that the threat has been eliminated, so we want to restore the device's
connection to the network.



How to find an isolated device

A computer can be isolated from the network:
— Manually from an alert card or from the device properties
— Automatically by an IoC scan task

In both cases, the Isolated from network tag is assigned to the computer.

To find all isolated computers, open Devices | Tags | Device tags and select the Isolated from network
tag. Click the View devices link to see the list of devices isolated from the network.

Note that removing the tag from the device properties is not enough to release the device! You must
disable isolation in the alert card or in the properties of Kaspersky Endpoint Security installed on the
device.
Disable host isolation

To release a device, go to its properties, open Kaspersky Endpoint Security application settings, switch to
Application settings | Detection and Response, click Endpoint Detection and Response and then
click the Unblock computer isolated from the network button.

After an incident has been investigated, consider how to use the obtained information to improve network
security and streamline investigation and response processes.

For example, IoC scan tasks created when investigating various incidents might accumulate in the
Kaspersky Security Center console. Once an incident has been closed and indicators of compromise
have been removed from computers, it makes little sense to store a separate task for them. You can
export an IoC from a task to a file and add it to a general IoC scan task that runs once a week at a
relatively free time.