Credit to Author: Vladimir Kuskov | Date: Mon, 18 Oct 2021 19:35:52 +0000
Often, employees of security operation centers and information security departments turn to Kaspersky specialists for expert help. We analyzed the most common reasons for such requests and created a specialized service that helps customers to ask a question directly to an expert in the area they need.
Why you might need expert help
The threat of cyberattacks is growing all the time as cybercriminals find ever more ways to achieve their goals, discovering new hardware and software vulnerabilities in applications, servers, VPN gateways, and operating systems and immediately weaponizing them. Hundreds of thousands of new malware samples emerge every day, and a wide variety of organizations, including major corporations and even government agencies, fall prey to ransomware attacks. In addition, new sophisticated threat and APT campaigns are unearthed regularly.
In this setting, threat intelligence (TI) plays a vital role. Only with timely information about attackers’ tools and tactics is it possible to build an adequate protection system, and, in the event of an incident, to conduct an effective investigation, detect intruders in the network, send them packing, and determine the primary attack vector to prevent a repeat attack.
Applying TI in a given organization requires having a qualified in-house specialist who can use TI provider data in practice. That expert thus becomes the most valuable asset in any threat investigation. That said, hiring, training and keeping cybersecurity analysts is expensive, and not every company can afford to maintain a team of experts.
Frequently asked questions
Several departments at Kaspersky help clients deal with cyberincidents. Briefly, they are the Global Research & Analysis Team (GReAT), the Global Emergency Response Team (GERT), and the Kaspersky Threat Research Team. In all, we have brought together more than 250 world-class analysts and experts. The teams regularly receive lots of client requests regarding cyberthreats. Having analyzed the recent requests, we identified the following categories.
Analysis of malware or suspicious software
A scenario we encounter pretty frequently involves the triggering of detection logic in endpoint security or threat hunting rules. The company’s security service or SOC investigates the alert, finds a malicious or suspicious object but lacks the resources to conduct a detailed study. The company then asks our experts to determine the functionality of the detected object, how dangerous it is, and how to make sure the incident is resolved after its removal.
If our experts can quickly identify what the client sent (we have a gigantic knowledge base of typical attacker tools and more than a billion unique malware samples), they answer immediately. Otherwise, our analysts need to investigate, and in complex cases, that can take a while.
Additional information about indicators of compromise
Most companies use a variety of sources for indicators of compromise (IoCs). The value of IoCs lies largely in the availability of context — that is, additional information about the indicator and its significance. That context is not always available, however. So, having detected a certain IoC in, say, the SIEM system, SOC analysts might see the presence of a trigger and realize an incident is possible but lack the information to investigate further.
In such cases, they can send a request to us to provide information about the detected IoC, and in many cases such IoCs turn out to be interesting. For example, we once received an IP address that was found in a company’s traffic feed (i.e., accessed from the corporate network). Among the things hosted at the address was a Cobalt Strike server, a powerful remote administration tool (or, simply, a backdoor) that all sorts of cybercriminals use. Its detection almost certainly means the company is already under attack (a real one or a training exercise). Our experts provided additional information about the tool and recommended initiating incident response (IR) immediately to neutralize the threat and determine the root cause of the compromise.
Request for data on tactics, techniques, and procedures
IoCs are by no means all a company needs to stop an attack or investigate an incident. Once the cybercriminal group behind the attack has been determined, SOC analysts typically require data on the group’s tactics, techniques, and procedures (TTPs): detailed descriptions of the group’s modus operandi that help determine where and how the attackers could have penetrated the infrastructure, the methods the attackers typically use to entrench themselves in the network, and how they exfiltrate data. We provide this information as part of our Threat Intelligence Reporting service.
Cybercriminals’ methods, even within the same group, can be very diverse, and describing all possible details is not feasible, even in a highly detailed report. Therefore, TI clients who use our APT and crimeware threat reports sometimes request additional information from us about a particular aspect of an attack technique in a specific context of relevance to the client.
We have been providing those sorts of answers, and many others, through special services or within the limited framework of technical support. However, observing a rise in the number of requests and understanding the value of our research units’ expertise and knowledge, we decided to launch a dedicated service called Kaspersky Ask the Analyst, offering quick access to our expert advice through a single point of entry.
Kaspersky Ask the Analyst
Our new service enables clients’ representatives (primarily SOC analysts and infosec employees) to get advice from Kaspersky experts, thereby slashing their investigation costs. We understand the importance of timely threat information; therefore, we have an SLA in place for all types of requests. With Kaspersky Ask the Analyst, infosec specialists can:
- Receive additional data from Kaspersky Threat Intelligence reports, including extended IoC and analytics context from GReAT and the Kaspersky Threat Research Team. Depending on your precise situation, they will discuss any connections between the indicators detected at your company and the activity described in the reports;
- Get a detailed analysis of the behavior of the identified samples, determine their purpose, and get recommendations for mitigating the consequences of the attack. The Kaspersky Global Emergency Response Team’s incident response experts will help with the task;
- Obtain a description of a specific malware family (for example, a particular piece of ransomware) and advice on protecting against it, plus additional context for specific IoCs (hashes, URLs, IP addresses) to help prioritize alerts or incidents involving them. Kaspersky Threat Research experts provide this information;
- Receive a description of specific vulnerabilities and their severity levels, as well as information about how Kaspersky products guard against exploitation. Kaspersky Threat Research experts likewise provide this data;
- Request an individual investigation (search) of dark web data. This will provide valuable information about relevant threats, which in turn suggests effective measures for preventing or mitigating cyberattacks. Kaspersky Security Services experts carry out the investigation.
You’ll find more information about these services on our website.