Kaspersky has released a new intelligent solution for discovering threats. It is aimed at helping SOC analysts and at matching the malware samples particular to an incident to previously identified APT groups. Using this solution, Kaspersky Threat Attribution Engine, a newly discovered piece of malicious code is matched against one of the biggest malware databases in the industry and, based on similarity in the code, linked to a specific APT group or campaign. This information helps security experts prioritize high-risk threats over less serious incidents.
Security teams can prepare a better customized incident response plan for an attack if its nature is known to them beforehand. Understanding and revealing the true nature of an attack is quite challenging because it requires not only a large amount of collected threat intelligence (TI) data but also the right knowledge and expertise to interpret it. Kaspersky provides automated classification and identification of sophisticated malware with its new Kaspersky Threat Attribution Engine.
The solution has been developed from an internal tool used by Kaspersky’s Global Research and Analysis Team (GReAT).
In order to determine whether a new threat is related to a known APT group or campaign, Kaspersky Threat Attribution Engine breaks a newly found malicious file into small binary pieces. Each of these pieces is compared with the ones present in Kaspersky’s database of malware data. For better accuracy, the solution also includes a large database of whitelisted files, so that code shared with clean software does not count as evidence. This makes it easier to track the malware’s quality and identify the attack, and therefore provides a better and faster incident response.
Based on the similarity, Kaspersky Threat Attribution Engine calculates a reputational score. It also highlights the possible origin, a description of the author, and links to both private and public resources outlining previous campaigns. Kaspersky APT Intelligence Reporting subscribers can also see a detailed report on the strategy used by the identified threat actor, as well as further response steps.
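The pieces-plus-whitelist comparison described above, reduced to a runnable sketch. This is an added illustration written for this page, not Kaspersky’s engine or its data; the 16-byte fixed-size pieces, the SHA-256 piece hashes, the Jaccard score and every sample byte string are constructed assumptions, since the page does not describe the real engine’s chunking or scoring.

```python
import hashlib
from typing import Dict, List, Set, Tuple

PIECE_SIZE = 16  # assumed piece size; the real engine's chunking is not public


def pieces(data: bytes, size: int = PIECE_SIZE) -> Set[str]:
    """Hash every fixed-size binary piece of a file; the set is its fingerprint."""
    return {hashlib.sha256(data[i:i + size]).hexdigest()
            for i in range(0, len(data), size)}


def build_whitelist(benign_files: List[bytes]) -> Set[str]:
    """Pieces seen in known-clean files (runtimes, compilers) carry no attribution signal."""
    out: Set[str] = set()
    for f in benign_files:
        out |= pieces(f)
    return out


def attribute(sample: bytes, known: Dict[str, List[bytes]],
              whitelist: Set[str]) -> List[Tuple[str, float]]:
    """Score the sample against each labelled group by Jaccard overlap of the
    pieces that survive whitelisting; returns (group, score) best-first."""
    sample_pieces = pieces(sample) - whitelist
    scores = []
    for group, files in known.items():
        group_pieces = set().union(*(pieces(f) for f in files)) - whitelist
        union = sample_pieces | group_pieces
        score = len(sample_pieces & group_pieces) / len(union) if union else 0.0
        scores.append((group, round(score, 3)))
    return sorted(scores, key=lambda kv: kv[1], reverse=True)


# Constructed stand-ins for binary code: every 16-byte piece below is distinct.
RUNTIME = b"".join(b"libc-piece-%05d" % i for i in range(4))       # shared clean code
GROUP_A = b"".join(b"groupA-payload%02d" % i for i in range(6))    # group A's own code
GROUP_B = b"".join(b"groupB-payload%02d" % i for i in range(6))    # group B's own code
BENIGN = RUNTIME + b"".join(b"benign-app-code%d" % i for i in range(3))
# New sample: reuses 4 of group A's 6 pieces plus 2 never-seen pieces.
SAMPLE = RUNTIME + GROUP_A[:4 * PIECE_SIZE] + \
    b"".join(b"variant-piece-%02d" % i for i in range(2))

KNOWN = {"GroupA": [RUNTIME + GROUP_A], "GroupB": [RUNTIME + GROUP_B]}
WHITELIST = build_whitelist([BENIGN])

if __name__ == "__main__":
    print("with whitelist:   ", attribute(SAMPLE, KNOWN, WHITELIST))
    print("without whitelist:", attribute(SAMPLE, KNOWN, set()))
```

Without the whitelist the shared runtime pieces inflate the score for both groups, including the unrelated one; with it, only the code the sample genuinely shares with group A counts.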
Kaspersky Threat Attribution Engine can be deployed on premise in a customer’s own network rather than in a third-party cloud environment, so customers have complete control over data sharing. Customers can also create their own database and fill it with malware samples using additional threat intelligence data they have obtained.
“There are several ways to understand who is behind an attack. The analysts can use various entities in the malware to determine attackers’ native language, or IP addresses. This information helps to track the location of the attacker. A professional attacker will always mask such information to mislead the analysts. The best way is to search for code similarities that the samples have in common with others identified in previous incidents or campaigns, but such manual investigation takes a long time. To speed up this process, Kaspersky has created Kaspersky Threat Attribution Engine, which is now available for the company’s customers,” comments Costin Raiu, Director Global Research & Analysis Team at Kaspersky.
Kaspersky Threat Attribution Engine is commercially available globally.