KL 002.12.1 KSC Kes Student Guide Unit4 en v0.6
KL 002.12.1
Kaspersky Endpoint Security and Management
Student Guide
KL 002.12.1: Kaspersky Endpoint Security and Management.
Unit IV. EDR Optimum
Table of contents
1. General 2
1.1 What EPP solutions lack 2
1.2 Expanding capabilities of Kaspersky Endpoint Security for Business 3
1.3 Licensing 5
2. Deployment 6
2.1 Deployment plan 6
2.2 Configure displaying EDR alerts in the Kaspersky Security Center Web Console 7
Configure report on threats 7
Enable displaying alerts 8
Add a widget 8
2.3 Modify the Kaspersky Endpoint Security components 9
2.4 Activate EDR Optimum 10
2.5 Enable Kaspersky Endpoint Detection and Response 11
Acronyms and conventions
Administration Server—Kaspersky Security Center Administration Server
EDR—Endpoint Detection and Response
EPP—Endpoint Protection Platform
IoC—Indicator of compromise
KES—Kaspersky Endpoint Security
Network Agent—Kaspersky Security Center Network Agent
OpenTIP—Kaspersky Open Threat Intelligence Portal
1. General
1.1 What EPP solutions lack
Since the early 2010s and up to the present day, we have seen exponential growth in the number of targeted attacks on various companies throughout the world and in all industries (https://securelist.com/apt-trends-report-q1-2023/109581/, https://securelist.com/apt-trends-report-q3-2022/107787/, https://securelist.com/tag/apt/).
A targeted attack is a cyberattack that adversaries carry out to compromise a particular system or object. Targeted attacks may have various vectors, be executed in several stages, and use legitimate software.
Although cybercriminals rarely view an endpoint PC as their primary target, these user computers serve as a great starting point for an attack. Cybercriminals who manage to compromise the computer of an ordinary user gain opportunities to expand the attack.
Kaspersky Endpoint Security for Windows effectively protects an endpoint against direct attacks, but it does not provide all of the necessary tools to counteract sophisticated multiphase attacks.
If endpoints are only protected with Kaspersky Endpoint Security, an administrator lacks:
— Visibility—events and reports only show that a malicious object was detected and what action Kaspersky Endpoint Security did or did not perform on that object. This information does not let you evaluate the attack vector or understand the stage at which the attack was stopped.
For example, suppose Kaspersky Endpoint Security detects and blocks an encryption attempt. The corresponding event indicates which program encrypted the file. It will be difficult for the administrator to figure out whether this action was legitimate or malicious. It will also be impossible for the administrator to track down the entire chain of events that preceded this action.
In this case, an attack vector is the sequence of actions and changes in the system that make up the attack.
— Analysis tools—to determine the priority of an incident and the response procedure, you have to figure out at which stage the attack was detected by Kaspersky Endpoint Security (infiltration, propagation, or target execution). A cybersecurity expert will usually have to acquire information from additional sources, such as logs from the attacked computer, third-party utilities, etc. This is not very convenient and complicates incident response measures.
— Response mechanisms—Kaspersky Endpoint Security does not enable specialists to scrutinize an incident and respond quickly.
As a result, even if a threat is detected and blocked, the administrator cannot be fully confident that all is well in the system, i.e. that the attack is completely neutralized, all its consequences have been eliminated, there are no unauthorized changes in operating systems or applications, and no data has leaked.
1.2 Expanding capabilities of Kaspersky Endpoint Security for Business
Kaspersky Endpoint Detection and Response Optimum is a Kaspersky product that requires a corresponding license.
Functionally, Kaspersky Endpoint Detection and Response Optimum extends the capabilities of the Kaspersky Endpoint Security for Business solution.
Kaspersky EDR Optimum enables specialists to:
— Analyze the causes of an incident.
— Contain threats:
— Isolate hosts.
— Block suspicious objects.
— Get a file from an endpoint device for additional analysis.
— Delete a file.
— Quarantine a file.
— Remotely terminate a process.
— Run a program to further clean up a computer.
— Create and search for indicators of compromise (IoC).
Kaspersky Security Center provides centralized management, while Kaspersky Endpoint Security installed on endpoints automatically detects and neutralizes threats.
detection event occurred, and whether additional response measures should be taken.
— Provides threat containment measures. The administrator can:
— Isolate the endpoint from the network.
— Quarantine detected objects for further analysis.
IoC Scan tasks let you configure automatic response actions that Kaspersky EDR Optimum will perform if it detects indicators of compromise:
— Run an additional scan of the computer using Kaspersky Endpoint Security for Windows.
— Quarantine a file.
— Isolate the computer from the network.
1.3 Licensing
Kaspersky EDR Optimum offers the same capabilities as Kaspersky Endpoint Security for Business
2. Deployment
2.1 Deployment plan
If Kaspersky Endpoint Security for Business has already been deployed on the company's network, but Kaspersky EDR Optimum 2.3 hasn't been added to the installation package, deploy as follows:
1. Configure the Kaspersky Security Center Web Console:
— Add the Component and Open Alert fields to the Report on threats to display the component that detected a threat and the button for proceeding to the incident card.
— Enable the display of EDR alerts in the Monitoring & Reporting section of the side menu.
If Kaspersky Endpoint Security for Business is not yet installed on the enterprise network, use this same deployment plan, but instead of creating the Change application components task at step 2, change the contents of the Kaspersky Endpoint Security installation package and add the Endpoint Detection and Response Optimum component. This procedure was discussed in the first part of this course.
To deploy Kaspersky EDR Optimum, you only need to install and configure the Endpoint Detection and Response Optimum component; no other actions are required. For example, you do not need to open additional ports on firewalls to ensure the solution is operational.
2.2 Configure displaying EDR alerts in the Kaspersky Security Center Web Console
Configure report on threats
You can find all detection events of Kaspersky Endpoint Security in the Report on threats. The administrator can view the report under Monitoring & Reporting | Reports.
After installation and activation of Kaspersky EDR Optimum, new detection events are enriched with additional information.
To be able to open event details from the Report on threats, add the Open alert field to the report:
7. Use the Move up button to move the added fields to the top of the list.
In the Open alert column, you will see the View alert link for enriched events. You can follow this link and view the detection event details.
In the Component column, you can see the component that detected the threat.
Old detection events—those that had been logged before Kaspersky EDR Optimum was activated or installed—will not be enriched.
Enable displaying alerts
All detection events are also displayed in Monitoring & Reporting | Alerts. However, this section is
1. Open KSC\<<User name under which you have connected to the administration server>> | Interface options.
2. Enable the Show EDR alerts option.
The list will contain all events, including enriched ones. In the Enrichment and response column, an enriched event will have a More details link. Click it to view the detection details.
Add a widget
You can also display the Alerts widget on the Kaspersky Security Center dashboard. The widget displays:
— Total event counter
— Number of enriched events
— Number of simple events
Unit IV of this course provides details on how to work with the dashboard and how to add widgets.
2.3 Modify the Kaspersky Endpoint Security components
To install Kaspersky EDR Optimum on computers where Kaspersky Endpoint Security for Business is
Then open its properties, go to Application settings, and select the Endpoint Detection and Response Optimum component. Then start the task and wait for it to complete successfully.
To install Kaspersky EDR Optimum on computers where Kaspersky Endpoint Security for Business is not yet deployed, modify the installation package. Open the installation package of Kaspersky Endpoint Security and select the Endpoint Detection and Response Optimum component.
2.4 Activate EDR Optimum
Kaspersky EDR Optimum requires a special license. You can activate it with a key or code. This is described in more detail in Unit I of this course.
2.5 Enable Kaspersky Endpoint Detection and Response
Kaspersky Endpoint Detection and Response is disabled in the Kaspersky Endpoint Security policy by default. Therefore, after installing the component on the managed devices, you need to:
1. Open the properties of the Kaspersky Endpoint Security policy.
2. Switch to the Application Settings tab and open Detection and Response.
3. Open the Endpoint Detection and Response settings and enable the component.
3. Incident response
What to do next
However, this only shows a general scenario of response actions. In practice, each organization must have its own plans and scenarios for handling security incidents. These plans must account for a multitude of details, including:
— Event type and classification
— Threat containment
— Scanning other computers on the network for indicators of compromise
— Threat eradication and network recovery
— Closing the incident
When analyzing detection details, you need to:
Determine the incident priority—depending on the incident priority, you must determine a plan of action and assign an expert or group of experts who will investigate and handle the incident.
Experts begin the investigation by studying the gathered detection details, and use the detected indicators of compromise to gather more information.
During their investigation, experts contain the threat by doing the following:
After the investigation, the workgroup decides whether they can close the incident or if they first need to eliminate threats and recover from the attack by doing the following:
— Kill malicious processes.
— Delete objects.
— Run certain commands on hosts.
— Restore the connectivity of isolated hosts.
— Restore legitimate files from quarantine.
— Take other recovery actions.
3.2 Alert details
You can find all Kaspersky Endpoint Security detection events in the Report on threats in Monitoring & Reporting | Reports. As soon as the Endpoint Detection and Response Optimum component is installed and enabled, new detection events will be enriched with additional information. The View alert link appears in the Open alert column. Click it to view the detection details.
Old detection events—those that had been logged before the Endpoint Detection and Response Optimum component was enabled or installed—will not be enriched.
All detection events are also displayed in Monitoring & Reporting | Alerts. In the Enrichment and response column, an enriched event will have a More details link. Click it to view the detection details.
Enriched events
The upper part of the card displays the threat status, i.e. whether it has been blocked.
Below the action, there is a graph that visualizes the chain of detected malicious processes. The graph shows the activity of these processes, such as creating files, establishing connections, or modifying the registry. The object originally detected by a protection technology is marked with a red icon.
The incident card located below provides various information about the detected object, such as:
— Name of the object and its location on the target device
— Category
— Detection time
— IP address
— MAC address
— Operating system
— Device location in the hierarchy of groups in Kaspersky Security Center
You can view details about the process responsible for the malicious object:
— Execution parameters
— Process identifier (ID)
— Privilege level and other information
The incident card displays concise information on the detected object from the Kaspersky Open Threat Intelligence portal. You can click the Look up on the portal link and proceed to the portal to view additional details.
At the bottom of the incident card, there is information indicating where the malicious file was downloaded from (if available).
Detection details are stored on the administration server for 30 days and then deleted.
You can view alert details regardless of whether the device for which the enriched event was generated is currently online.
If the size of the details of a detection event does not exceed 1 MB, they will be stored on the administration server. If it exceeds 1 MB, some of the information will be stored on the administration
The Endpoint Detection and Response Optimum component does not generate detection events. It enriches detection events of other Kaspersky Endpoint Security components with telemetry data and creates an alert card.
Kaspersky EDR Optimum creates an incident card for detection events generated by the following components:
— File Threat Protection
— Exploit Prevention
— Behavior Detection
— Host Intrusion Prevention
— Remediation Engine
Kaspersky EDR Optimum also creates an incident card if an object was detected by the Malware scan task.
Kaspersky EDR Optimum version 2.3 does not require any other Kaspersky Endpoint Security components to be installed. All the necessary drivers are installed on the system with the Endpoint Detection and Response Optimum component.
The first thing to pay attention to is the threat status. In our case, we can see that Kaspersky Endpoint Security successfully blocked the threat because the status is Success: Blocked.
Click an object in the threat formation chain to view detailed information about the file.
The following data is displayed:
— Execution date and time
— Used command line parameters. This part can be useful if a script was executed implicitly through PowerShell or other interpreters.
— Process identifier (PID)
— Process's integrity level, which reveals the privileges it was run with. The High integrity level means that the process was started with full administrator permissions.
To view information about a detected file in the OpenTIP portal, click its MD5 or SHA256 checksum or the
If the file has been detected for the first time or little information is available about it, it may mean that the file is either a source of a targeted attack or a new, previously unknown threat. Lack of information about a threat is always extremely dangerous. If your incident investigation results in the detection of files that were never previously encountered by Kaspersky experts, you are advised to elevate the incident's priority to the top level.
If a file is a known threat, the OpenTIP portal will show the following detailed information:
Information about created files
As you continue to explore details of the detected malicious activity, you can see what files it created. To do so, click the File drop icon. The list of created files will open. Each file can be examined individually.
You should analyze these files too, because they can spread the threat within the organization, facilitate data leaks, or start a malicious file when the system boots.
Information about injections typically shows executable files related to the attack. This information can be useful when checking if any of these files remain on the target device.
The network connections that were established during the attack are also important. To view them, click
— Local and remote address and connection port. You can analyze the network connection log on the proxy server to find out which other devices connected to the same address and the same port. This will give you a list of devices that may have been compromised.
The web address, referrer, user agent, and request type (GET/POST) will only be displayed if the request was made using HTTP.
You can find additional information about a detected address in the OpenTIP portal:
A bad reputation means that the address has already been involved in illegitimate activities. Detailed information about an address will help you understand the spectrum of threats that were implemented through this resource. This will help you promptly estimate the risks related to this malicious activity for your corporate assets and network.
Pay special attention to the time when the address first appeared on the internet. All newly created addresses should be treated with particular care, because they may indicate a targeted attack for which
Information about registry changes
Detection details also include information about the created keys and changes in the registry performed by malicious processes. To open a list of all changes, click the Registry icon. You can click each object to view detailed information.
A lot of places in the registry may contain instructions to run objects at all stages of the operating system start.
When analyzing changes in the registry, we recommend that you pay the utmost attention to keys that have the yes value in the Autorun point field. This key ensures that the file starts automatically. Malware often modifies the registry to launch its objects.
These objects may even be legitimate software with a good reputation. Cybercriminals exploit their good reputation to conduct a specific stage of an attack and make it as difficult as possible for protection tools to detect any malicious activity.
When investigating details of a detection event, you can also check whether parent processes are related
If the parent process is Windows Explorer, a web browser, or an email application, the user most likely carelessly executed a malicious file.
If the parent process is a file about which little is known, it may indicate a new unknown threat and be a reason to proceed to threat containment.
To prevent a threat from moving on to other corporate devices, we recommend that you perform the following actions:
— Isolate the compromised devices from the network.
In practice, some containment actions should be taken almost immediately, before detailed analysis is completed.
For example, if initial analysis of event details shows that the device is attempting to establish numerous network connections, or download or upload something, it makes sense to immediately isolate the device from the network and prevent the execution of objects. Endpoint Detection and Response Optimum lets you do this quickly and easily right from the alert card.
The administrator does not need to use third-party tools or switch between consoles to begin containing a threat, because the most important commands are available in the detection card.
The Isolate computer from the network button enables isolation of a device and maximally restricts its network activity. Isolation is performed by the tools available in Endpoint Detection and Response Optimum. On the isolated device, Kaspersky Endpoint Security will show the user a notification indicating that the computer has been isolated from the network.
Endpoint Detection and Response Optimum does not block all connections. The component contains a set of exclusions for the following:
— DNS requests
— DHCP protocol
You can create exclusions in several places in Kaspersky Security Center Web Console:
— In the Kaspersky Endpoint Security for Windows policy
— In the device tasks
Kaspersky EDR Optimum applies exclusions from the policy when the device is isolated during an automatic response action.
— For example, this can happen if you have started an IoC scan task and configured isolation as a response action. If Kaspersky EDR Optimum detects an indicator of compromise on a device, it isolates the device from the network and allows only the connections that are configured in the Kaspersky Endpoint Security policy.
— We will discuss how to work with IoC scan tasks later in this unit.
If you isolate a device from the network by clicking the Isolate computer from the network button in the incident card or in the device properties, Kaspersky EDR Optimum allows the device to establish the connections that are configured in the Network isolation task for this device.
The policy and the network isolation task provide the same user interface for configuring exclusion rules.
You can change or delete any rules that the exclusion list contains by default. You can also add new rules:
The set of exclusion rules preconfigured in a profile is based on Microsoft recommendations for various Microsoft services and solutions, such as Active Directory Domain Services, Microsoft SQL Server, Hyper-V, Remote Desktop Services, etc.
If you need to connect to an isolated device using RDP or run a program on it when investigating an incident, simply add Remote Desktop Services and Remote Procedure Call exclusions to the profile.
If the predefined rules are insufficient, you can create custom exclusions for connections over specific protocols and ports or for all connections established by the specified applications. To do so, click Add.
The Kaspersky Endpoint Security policy determines the duration of device isolation if the device is isolated during an automatic response action.
If the device is manually isolated, the duration of isolation is determined in the settings of the Network isolation task for the device.
By default, a device is isolated for 8 hours. We recommend that you do not decrease this time so that a device remains isolated until specialists complete their investigation and handle the threat.
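The following model ties together the isolation behaviour described above: everything is blocked except connections matched by an exclusion (the default DNS and DHCP exclusions, profile exclusions such as Remote Desktop Services, or custom protocol/port and application rules), and only while the isolation period (8 hours by default) is running. It is example code written for this guide, not Kaspersky EDR Optimum's own logic; the concrete ports behind the named exclusions and the scenario names are assumptions.

```python
"""Model of the network-isolation decision: blocked by default, except for
exclusion rules, and only while the isolation period is running.
Example code written for this guide, not Kaspersky EDR Optimum's own logic;
the ports behind the named exclusions are assumptions for the example.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class ExclusionRule:
    """An exclusion for a protocol/port pair, an application, or both.
    Criteria left as None match anything."""
    name: str
    protocol: Optional[str] = None      # "tcp" or "udp"
    port: Optional[int] = None
    application: Optional[str] = None   # process image name

    def matches(self, protocol: str, port: int, application: str) -> bool:
        if self.protocol is not None and self.protocol != protocol.lower():
            return False
        if self.port is not None and self.port != port:
            return False
        if self.application is not None and self.application.lower() != application.lower():
            return False
        return True


# Exclusions the page says are present by default (DNS requests, DHCP protocol);
# the port numbers are the usual ones and are an assumption of this example.
DEFAULT_EXCLUSIONS = (
    ExclusionRule("DNS requests", "udp", 53),
    ExclusionRule("DNS requests", "tcp", 53),
    ExclusionRule("DHCP protocol", "udp", 67),
    ExclusionRule("DHCP protocol", "udp", 68),
)

# Profiles an analyst adds to reach an isolated host; the port mapping is assumed.
PROFILE_RULES = {
    "Remote Desktop Services": (ExclusionRule("Remote Desktop Services", "tcp", 3389),),
    "Remote Procedure Call": (ExclusionRule("Remote Procedure Call", "tcp", 135),),
}


@dataclass
class IsolationState:
    started_at: datetime
    duration: timedelta = timedelta(hours=8)   # default isolation period from the page
    rules: List[ExclusionRule] = field(default_factory=lambda: list(DEFAULT_EXCLUSIONS))

    def add_profile(self, profile: str) -> None:
        self.rules.extend(PROFILE_RULES[profile])

    def add_rule(self, rule: ExclusionRule) -> None:
        self.rules.append(rule)

    def is_active(self, now: datetime) -> bool:
        return now < self.started_at + self.duration

    def decide(self, now: datetime, protocol: str, port: int, application: str) -> Tuple[bool, str]:
        """Return (allowed, reason) for one connection attempt on the isolated host."""
        if not self.is_active(now):
            return True, "isolation period expired"
        for rule in self.rules:
            if rule.matches(protocol, port, application):
                return True, rule.name
        return False, "no exclusion matched"


def simulate() -> dict:
    """Constructed scenario: host isolated at 09:00 with the default 8-hour period,
    then the RDP profile and one application exclusion are added."""
    state = IsolationState(started_at=datetime(2024, 1, 15, 9, 0))
    state.add_profile("Remote Desktop Services")
    state.add_rule(ExclusionRule("IR collector", application="ir_collector.exe"))  # constructed name
    at_10 = datetime(2024, 1, 15, 10, 0)
    at_18 = datetime(2024, 1, 15, 18, 0)   # nine hours later: isolation has expired
    return {
        "dns": state.decide(at_10, "udp", 53, "svchost.exe"),
        "rdp": state.decide(at_10, "tcp", 3389, "svchost.exe"),
        "collector": state.decide(at_10, "tcp", 8443, "IR_COLLECTOR.EXE"),
        "smb": state.decide(at_10, "tcp", 445, "explorer.exe"),
        "smb_after_expiry": state.decide(at_18, "tcp", 445, "explorer.exe"),
    }
```

The last entry shows why the page advises against shortening the period: once it expires, the same SMB connection that was blocked at 10:00 is allowed again whether or not the investigation has finished.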
Files that were detected during an attack can be prevented from running on endpoint devices. This is accomplished by clicking the Prevent execution button in the file details pane, which will create the relevant prevention rule in the Kaspersky Endpoint Security policy.
A rule created from an alert card has the prefix "[KillChain] md5" in its name. By default, a prevention rule uses the file's MD5 checksum.
In this example, the prevention rule makes sense even though the protection solution detected and killed the process.
The malicious activity detection details show that the executable file sw_test.exe (not detected) is the parent process that started the plzib.exe child process, which was detected.
This means that the protection application detects a malicious file only when it performs suspicious activities rather than every time it starts. Since this file can perform malicious actions, it is best not to let it run at all.
By default, execution prevention is disabled and the Log events only option is selected.
To create custom prevention rules, click Add in the Execution Prevention area.
A rule lets you block:
— Executable files
— Scripts
— Microsoft Office documents
You can block an object based on its checksum (MD5, SHA256) and/or path.
If a user attempts to run a file that matches a prevention rule, Kaspersky Endpoint Security shows a blocking message and the operating system shows a notification indicating that the file cannot be accessed.
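As an added illustration of how the prevention rules above behave (which object types are covered, matching by checksum and/or path, and the effect of Log events only), here is example code written for this guide rather than Kaspersky Endpoint Security's own engine; the extension lists, the text that follows the "[KillChain] md5" prefix, and the sample files are assumptions.

```python
"""Evaluation of execution-prevention rules: which object types are covered,
how a rule matches by checksum and/or path, and what 'Log events only' changes.
Example code written for this guide, not Kaspersky Endpoint Security's engine;
the extension lists and the text after the '[KillChain] md5' prefix are assumptions.
"""
import hashlib
from dataclasses import dataclass
from pathlib import PureWindowsPath
from typing import Iterable, Optional, Tuple

# Object types a rule can block (page: executables, scripts, Office documents).
COVERED_EXTENSIONS = {
    "executable": {".exe", ".dll", ".com", ".scr"},
    "script": {".ps1", ".vbs", ".js", ".bat", ".cmd"},
    "office document": {".doc", ".docx", ".xls", ".xlsx", ".ppt", ".pptx"},
}


@dataclass(frozen=True)
class PreventionRule:
    """Every criterion that is set must match; at least one must be set."""
    name: str
    md5: Optional[str] = None
    sha256: Optional[str] = None
    path: Optional[str] = None   # full Windows path, compared case-insensitively

    def matches(self, file_path: str, md5: str, sha256: str) -> bool:
        checks = []
        if self.md5 is not None:
            checks.append(self.md5.lower() == md5)
        if self.sha256 is not None:
            checks.append(self.sha256.lower() == sha256)
        if self.path is not None:
            checks.append(self.path.lower() == file_path.lower())
        return bool(checks) and all(checks)


def rule_from_alert(md5_from_alert: str) -> PreventionRule:
    """The rule the Prevent execution button creates: named with the
    '[KillChain] md5' prefix and keyed on the file's MD5 (suffix format assumed)."""
    return PreventionRule(name=f"[KillChain] md5 {md5_from_alert.lower()}",
                          md5=md5_from_alert.lower())


def object_type(file_path: str) -> Optional[str]:
    suffix = PureWindowsPath(file_path).suffix.lower()
    for kind, extensions in COVERED_EXTENSIONS.items():
        if suffix in extensions:
            return kind
    return None


def evaluate_launch(file_path: str, content: bytes, rules: Iterable[PreventionRule],
                    mode: str = "block") -> Tuple[str, Optional[str]]:
    """Decide what happens when a user starts file_path.
    mode is 'block' or 'log_only' (the page: Log events only is the default).
    Returns ('allow' | 'block' | 'log', matched rule name)."""
    if mode not in ("block", "log_only"):
        raise ValueError("mode must be 'block' or 'log_only'")
    if object_type(file_path) is None:
        return "allow", None          # not an object type that rules apply to
    md5 = hashlib.md5(content).hexdigest()
    sha256 = hashlib.sha256(content).hexdigest()
    for rule in rules:
        if rule.matches(file_path, md5, sha256):
            return ("block" if mode == "block" else "log"), rule.name
    return "allow", None


def demo() -> dict:
    """Constructed scenario around the page's sw_test.exe parent process."""
    sample = b"MZ constructed stand-in for sw_test.exe"      # constructed content
    alert_md5 = hashlib.md5(sample).hexdigest()
    rules = [
        rule_from_alert(alert_md5),
        PreventionRule("custom path rule", path=r"C:\Users\Public\dropper.vbs"),
    ]
    return {
        # Same bytes under a new name and path: the MD5 rule still fires.
        "renamed_copy": evaluate_launch(r"D:\tmp\renamed.exe", sample, rules),
        "renamed_copy_log_only": evaluate_launch(r"D:\tmp\renamed.exe", sample, rules, "log_only"),
        # Path rule matches regardless of content or letter case.
        "path_rule": evaluate_launch(r"c:\users\public\DROPPER.vbs", b"anything", rules),
        # Text file: not a covered object type, so rules are not consulted.
        "not_covered": evaluate_launch(r"C:\data\notes.txt", sample, rules),
        "clean_exe": evaluate_launch(r"C:\Windows\notepad.exe", b"other bytes", rules),
    }
```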
Quarantine a file
It makes sense to quarantine files that the security application does not consider to be dangerous but which appear to be neither a part of the operating system nor well-known software.
Typically, these files lack a digital signature and are unpopular according to the OpenTIP portal.
When you quarantine a file, it is moved from its original folder to a special encrypted local storage of Kaspersky Endpoint Security. This prevents the user and any process from running it again. However, if the investigation shows that the file is not dangerous, you can restore it from the quarantine to the original folder.
Kaspersky Endpoint Security calculates checksums only for executable files. To copy or move non-executable files to the quarantine, you can manually create and run the Get file and Move file to Quarantine tasks respectively.
The Get file and Move file to Quarantine tasks have similar settings, but they produce different results:
— Get file puts a copy of the file into quarantine, leaving the original file in place.
— Move file to Quarantine relocates the original file to quarantine, i.e. the task removes it from its original location.
Links to quarantined files are displayed on the Operations | Repositories | Quarantine page of the Kaspersky Security Center web console. You can download these files to examine them or send them to Kaspersky for analysis.
Once a suspicious file is quarantined and its execution is prevented, you no longer need to worry about
However, you do need to check whether this suspicious file is present on other networked machines and, if so, get rid of it.
— The Delete file, Kill process and Run program tasks allow you to deal with a dangerous object in a targeted manner. In particular, the Run program task lets you supplement the response tools with any third-party utilities.
— The Web Control component of Kaspersky Endpoint Security lets you block specific connections. You can use it to block access to addresses contacted by a dangerous file (after examining their reputation in the OpenTIP portal).
IoC scanning is a very powerful tool that can help you find signs of malicious activity on your network computers. You can create an IoC from an alert card, generate one from open-source data (securelist.com), or receive a ready file from a third-party IoC provider.
An Indicator of Compromise (IoC) is an object (file, registry key, etc.) that indicates that the system has been compromised. These indicators are used to detect malicious activity at its early stages and to
For example, an incident card can contain information about created files and registry keys (indicators of compromise). It is also important to understand whether these indicators of compromise are currently present on other computers. The presence of indicators of compromise could mean that a malicious file has already been run on other computers in the network. For instance, these computers may have lacked a correctly configured protection tool for recognizing and stopping such an attack.
You can easily create a description for an indicator of compromise in OpenIOC format right from the alert
card:
Not all of the files displayed on an alert card are indicators of compromise. Standard Windows files may
be displayed there as well.
Kaspersky EDR Optimum automatically generates indicators of compromise in OpenIOC format from the selected files and registry keys. A file is searched for by its MD5 checksum, while the search criteria for a registry key include its full path, name, and value in the registry. If the console does not let you select certain files on the All alert events list, that means that Kaspersky Security Center has no information about their MD5 checksums.
If you select multiple objects, a single indicator will be generated for them. It will consist of separate conditions for each object. You can combine the conditions with logical OR or AND:
— OR means that the computer will be considered compromised if it contains even one of the selected objects.
— AND means that the computer will be considered compromised only if all of the selected objects (files and registry keys) are found on it.
You can export the generated IoC to a file or immediately create an IoC scan task for the network computers.
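The following Python is an added example, not code from this guide or from Kaspersky. It builds an OpenIOC 1.1 indicator structured the way the page describes (a file is identified by its MD5 checksum; a registry key by its full path, value name and value, which are nested as an AND group so that all three must belong to the same key) under a top-level OR or AND, then evaluates it against a constructed inventory of three hosts to show how the operator changes the verdict. The per-host list of matched values is what a detection card would display. The OpenIOC term names (FileItem/Md5sum, RegistryItem/KeyPath, RegistryItem/ValueName, RegistryItem/Value) are from the OpenIOC 1.1 schema; which terms the product honours should be checked against the vendor's supported-terms list. The host names, hash and Run key are constructed sample data.

```python
import hashlib
import uuid
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

OPENIOC_NS = "http://openioc.org/schemas/OpenIOC_1.1"

def _local(tag):
    # Drop the XML namespace so the evaluator works on built and re-parsed trees alike.
    return tag.rsplit("}", 1)[-1]

def _add_item(group, document, term, content_type, value):
    item = ET.SubElement(group, "IndicatorItem", id=str(uuid.uuid4()), condition="is")
    ET.SubElement(item, "Context", document=document, search=f"{document}/{term}", type="mir")
    ET.SubElement(item, "Content", type=content_type).text = value

def build_openioc(md5s, registry_keys, operator="OR", description="IoC Scan from alert"):
    """Return OpenIOC 1.1 XML: one Md5sum condition per file and one nested AND group per
    registry key (path, value name and value must all match), joined by `operator`."""
    if operator not in ("OR", "AND"):
        raise ValueError("operator must be OR or AND")
    stamp = datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%S")
    root = ET.Element("OpenIOC", xmlns=OPENIOC_NS, id=str(uuid.uuid4()), **{"last-modified": stamp})
    meta = ET.SubElement(root, "metadata")
    ET.SubElement(meta, "short_description").text = description
    ET.SubElement(meta, "authored_by").text = "SOC"  # assumed author label
    ET.SubElement(meta, "authored_date").text = stamp
    top = ET.SubElement(ET.SubElement(root, "criteria"), "Indicator",
                        id=str(uuid.uuid4()), operator=operator)
    for md5 in md5s:
        _add_item(top, "FileItem", "Md5sum", "md5", md5.lower())
    for key_path, value_name, value in registry_keys:
        key = ET.SubElement(top, "Indicator", id=str(uuid.uuid4()), operator="AND")
        _add_item(key, "RegistryItem", "KeyPath", "string", key_path)
        _add_item(key, "RegistryItem", "ValueName", "string", value_name)
        _add_item(key, "RegistryItem", "Value", "string", value)
    return ET.tostring(root, encoding="unicode")

def _leaf(item):
    ctx = next(c for c in item if _local(c.tag) == "Context")
    content = next(c for c in item if _local(c.tag) == "Content")
    document, term = ctx.get("search").split("/", 1)
    return document, term, content.text

def evaluate(node, host, hits):
    """Evaluate an <Indicator> group against one host. `host` maps an OpenIOC document type
    to a list of records, e.g. {"FileItem": [{"Md5sum": ...}], "RegistryItem": [{...}]}.
    Values that matched are appended to `hits` (what the detection card would list)."""
    operator = node.get("operator", "OR").upper()
    leaves = [_leaf(c) for c in node if _local(c.tag) == "IndicatorItem"]
    groups = [c for c in node if _local(c.tag) == "Indicator"]
    # One object described by several distinct terms (a registry key's path, name and value)
    # must match a single record, not three unrelated ones; several files under AND must not.
    one_object = (operator == "AND" and bool(leaves) and not groups
                  and len({d for d, _, _ in leaves}) == 1
                  and len({t for _, t, _ in leaves}) == len(leaves))
    if one_object:
        matched = [r for r in host.get(leaves[0][0], [])
                   if all(r.get(t) == v for _, t, v in leaves)]
        if matched:
            hits.extend(v for _, _, v in leaves)
        return bool(matched)
    results = []
    for document, term, value in leaves:
        ok = any(r.get(term) == value for r in host.get(document, []))
        if ok:
            hits.append(value)
        results.append(ok)
    results += [evaluate(g, host, hits) for g in groups]
    return bool(results) and (all(results) if operator == "AND" else any(results))

def scan_hosts(openioc_xml, inventory):
    """Return {host: (compromised, matched values)} for every host inventory."""
    root = ET.fromstring(openioc_xml)
    criteria = next(c for c in root if _local(c.tag) == "criteria")
    top = next(c for c in criteria if _local(c.tag) == "Indicator")
    report = {}
    for name, host in inventory.items():
        hits = []
        report[name] = (evaluate(top, host, hits), hits)
    return report

# Constructed sample data: a fake dropper hash and a persistence Run key, not real malware.
SAMPLE_MD5 = hashlib.md5(b"constructed dropper sample").hexdigest()
RUN_KEY = (r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
           "Updater", r"C:\Users\Public\updater.exe")
INVENTORY = {
    "ws-01": {"FileItem": [{"Md5sum": SAMPLE_MD5}],
              "RegistryItem": [dict(zip(("KeyPath", "ValueName", "Value"), RUN_KEY))]},
    "ws-02": {"FileItem": [{"Md5sum": SAMPLE_MD5}], "RegistryItem": []},  # file only
    "ws-03": {"FileItem": [], "RegistryItem": [{"KeyPath": RUN_KEY[0], "ValueName": RUN_KEY[1],
                                                "Value": r"C:\Program Files\Vendor\updater.exe"}]},
}

def demo(operator):
    """Build the indicator with the given operator and scan the constructed inventory."""
    return scan_hosts(build_openioc([SAMPLE_MD5], [RUN_KEY], operator), INVENTORY)
```

With OR, ws-01 and ws-02 are reported as compromised (ws-02 has only the file); with AND, only ws-01 is. ws-03 has the same Run key name but a different value, so the nested registry group does not match in either mode, which is the reason the three registry terms are evaluated against a single record rather than independently.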
When you create a task, you can choose which actions to perform when an IoC is detected:
— Isolate the device from the network—use this response action cautiously, since sudden isolation may disrupt the user's work and even the whole organization if an IoC is detected on a server.
— Scan critical areas.
— Quarantine the file.
An IoC scan task created from an alert card is applied to the administration group of the host where the threat was detected. The task's name will start with IoC Scan from alert <threat name> <threat detection time>.
You can create multiple tasks from a single alert card. For example, select a group of indicators that have high validity and make a task that will quarantine the relevant files. For indicators with low validity, you can create a task that will make the security solution scan the relevant computers for threats. All tasks created from the same card get the same name by default: rename them to avoid confusion.
If an IoC scan task is created from an alert card, it scans only critical areas (temporary folders and download folders of all device users) by default. You can redefine the scan area in the task properties and select to scan specific folders on a drive, the system drive, or all drives of the device.
An IoC scan task created from an incident card is applied to the administration group of the computer where Kaspersky Endpoint Security detected the threat.
IoC scan tasks created from an alert card are run once as soon as they are created.
To check the task status and whether the indicators have been found on the computers, in the task properties, switch to the Application Settings tab and open the IOC Scan Results section. There you can find detailed results of IoC scans, i.e. the devices where indicators were detected.
Click the IOC detected link to open the list of results for the respective computer. It contains all the indicators specified in the task. If an indicator was detected, the State column contains the matched link. Click it to open a detailed detection card with the names of detected files (or other objects).
The detection card shows which objects on the computer matched the IoC conditions. If the IoC consists of several groups of conditions combined with the logical OR operator, the group whose conditions match
Creating an IoC scan task
As we discussed earlier, you can also use the incident card to create an IoC scan task for the administration group of the computer where Kaspersky Endpoint Security detected the threat.
However, this may not always be convenient if you want to scan all computers on the network rather than only computers in a specific group.
To create an IoC scan task, in the Kaspersky Security Center task creation wizard, select Kaspersky
Endpoint Security for Windows in the Application drop-down list and select IoC Scan for the task type.
Configure an IoC scan task
You can import indicators of compromise in OpenIOC format into the task properties. It can be an IoC file
exported from an incident card or third-party indicators of compromise.
An IoC scan task automatically recognizes what type of data to look for.
With the default settings, the task scans critical areas on the device, meaning the temporary folders and
download folders of all users.
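To make the default scope concrete, here is an added Python example (not the product's own collection logic) that enumerates the critical areas as the page defines them, the temporary and download folders of every user profile, hashes the files found there and compares the hashes with a list of MD5 indicators. A second run widens the scope with an extra folder, which is what the "specific folders" option in the task properties does, and finds a copy that the default scope misses. The Windows profile layout (AppData\Local\Temp and Downloads under each profile) and the constructed profile tree are assumptions.

```python
import hashlib
import tempfile
from pathlib import Path

# The two "critical areas" under each user profile. The default Windows layout is assumed:
# %LOCALAPPDATA%\Temp for temporary files and the profile's Downloads folder.
CRITICAL_SUBDIRS = (Path("AppData") / "Local" / "Temp", Path("Downloads"))

def md5_of_file(path, chunk=1 << 20):
    """Hash a file in chunks so large downloads do not have to fit in memory."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def critical_areas(profiles_root):
    """Yield the critical-area directories that exist for every profile under profiles_root
    (C:\\Users on a real device; a constructed temp tree in the demo)."""
    for profile in Path(profiles_root).iterdir():
        if profile.is_dir():
            for sub in CRITICAL_SUBDIRS:
                if (profile / sub).is_dir():
                    yield profile / sub

def collect_file_records(profiles_root, extra_dirs=()):
    """Return FileItem-style records {Md5sum, FullPath} for every file in the critical areas,
    plus any extra folders (the task's 'specific folders' option widens the scope)."""
    records = []
    for d in list(critical_areas(profiles_root)) + [Path(p) for p in extra_dirs]:
        for f in d.rglob("*"):
            if not f.is_file():
                continue
            try:
                records.append({"Md5sum": md5_of_file(f), "FullPath": str(f)})
            except OSError:
                continue  # locked or unreadable file: skip it rather than abort the scan
    return records

def find_ioc_hits(records, md5_list):
    """Return the records whose hash is in the indicator list (case-insensitive)."""
    wanted = {m.lower() for m in md5_list}
    return [r for r in records if r["Md5sum"] in wanted]

def build_demo_profiles():
    """Create a constructed profiles root with two users; returns (root, dropper md5)."""
    root = Path(tempfile.mkdtemp())
    sample = b"constructed dropper sample, not real malware"
    (root / "alice" / "Downloads").mkdir(parents=True)
    (root / "alice" / "Downloads" / "invoice.exe").write_bytes(sample)
    (root / "bob" / "AppData" / "Local" / "Temp").mkdir(parents=True)
    (root / "bob" / "AppData" / "Local" / "Temp" / "setup.tmp").write_bytes(b"benign")
    (root / "bob" / "Documents").mkdir(parents=True)
    (root / "bob" / "Documents" / "invoice.exe").write_bytes(sample)  # outside critical areas
    return root, hashlib.md5(sample).hexdigest()

if __name__ == "__main__":
    root, dropper = build_demo_profiles()
    print("default scope:", [h["FullPath"] for h in find_ioc_hits(collect_file_records(root), [dropper])])
    wider = collect_file_records(root, [root / "bob" / "Documents"])
    print("with Documents:", [h["FullPath"] for h in find_ioc_hits(wider, [dropper])])
```

The default scope reports one hit (alice's download); the copy in bob's Documents folder only appears once that folder is added to the scan area, which is the practical reason to widen the scope when an alert suggests the file was copied elsewhere.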
In this section, you can also specify a period when events were logged under the EventLogItem data type. To do so, click the Logs and dates link and configure the relevant period. You can even select specific Kaspersky EDR Optimum logs to be analyzed.
In the Advanced section, you can disable scanning for specific types of indicators of compromise. However, this is not recommended because a task with this setting may fail to find certain malicious files and the threat will remain in your network.
3.5 Eradication
The process of eradicating the effects of an infection and restoring operation of the device depends on
Eradication and recovery may require a full reinstallation of the operating system and software, or a specific set of actions, such as deleting malicious objects or cleaning the registry.
1. We’ve taken some actions to eliminate an infection without reinstalling the operating system.
2. We isolated the device from the enterprise network before we began conducting a detailed
analysis and subsequent response.
3. Now we are certain that the threat has been eliminated, so we want to restore the device's
In both cases, the Isolated from network tag is assigned to the computer.
To find all isolated computers, open Devices | Tags | Device tags and select the Isolated from network
tag. Click the View devices link to see the list of devices isolated from the network.
Note that removing the tag from the device properties is not enough to release the device! You must
disable isolation in the alert card or in the properties of Kaspersky Endpoint Security installed on the
device.
To release a device, go to its properties, open Kaspersky Endpoint Security application settings, switch to Application settings | Detection and Response, click Endpoint Detection and Response and then click the Unblock computer isolated from the network button.
After an incident has been investigated, consider how to use the obtained information to improve network security and streamline investigation and response processes.
For example, IoC scan tasks created when investigating various incidents might accumulate in the Kaspersky Security Center console. Once an incident has been closed and indicators of compromise have been removed from computers, it makes little sense to store a separate task for them. You can export an IoC from a task to a file and add it to a general IoC scan task that runs once a week at a relatively free time.