Dans le cadre de la 8ème edition des Cyber Security Days 2018, organisée par l'agence nationale de la sécurité informatique, notre partenaire Kaspersky North Africa a présenté son module "Kaspersky Threat intelligence".

1. Khaled SANAA, CISSP
Sales Engineer, Kaspersky Lab
KASPERSKY THREAT INTELLIGENCE:
KNOW YOUR ENEMY !

2. Our Research

3. ADVANCED THREAT TAXONOMY: MULTISTAGE AND HIDDEN
Attack
preparation
Delivery C&C ExecutionLateral
movement
Damage &
silent leave
• gather data
• prepare strategy
• non-malware
• hidden
• encrypted
• new domain
• «gray domain»
• payload/command delivery
• hide inside normal activities
• steal credentials
• non violation of anything
• rapid
• silent
• no immediate damage
• hide the traces
• erase from logs
• leave a backdoor

4. Security
Solution Threat Hunting Investigation
External Threat Intelligence Additional Data to Analyze
Risk level?Incident Reaction Actionable
Intelligence
HIGH
LOW
Security Policies
Improvement
Fast Recovery
Full Incident
Response
RemediationForensics
THE MEANING BEHIND «DETECTION» IS YOUR ABILITY TO REACT

5. 7
Threat Intelligence Portal
HIGH LEVEL
INFORMATION ON
THE RISK
ATTACKER
METHODOLOGIES,
TOOLS AND
TACTICS
MACHINE-
READABLE
THREAT
INDICATORS
DETAILS OF THE
SPECIFIC
INCOMING ATTACK
LONG-TERMSHORT-TERM
HIGHER LEVEL LOWER LEVEL
• APT INTELLIGENCE REPORTS
• FINANCIAL THREAT INTELLIGENCE
REPORTS
TACTICAL
• THREAT DATA FEEDS
TECHNICAL
• TAILORED THREAT INTELLIGENCE
STRATEGIC
• THREAT LOOKUP
• CLOUD SANDBOX
OPERATIONAL

6. 8
Threat Intelligence Sources
Customer
Kaspersky
Global
Users
Web crawlers
BotFarm
Spam traps
Sensors
APT reseach team
Partners
OSINT
4 5
1
3
Kaspersky Lab
Statistics
Kaspersky Lab
Expert Systems
KL Analyst
Whitelisting
Threat
Intelligence
2

7. 9
Threat Data Feeds
EDR
SIEMs
Email
servers
Proxy
servers
Firewall
TIPs
DLP
Correlation
Service
THREAT
DATA
FEEDS
HASH FEED (WIN / *nix / MacOS / AndroidOS / iOS)
IP REPUTATION
APT IOC FEEDS
URL FEEDS (Malicious, Phishing and C&C))
RANSOMWARE URL FEED
HASH FEEDS FOR TELECOMS
WHITELISTING FEED

8. Kaspersky Lab | The Power of Protection10
Description of fields
RANSOMWARE URL FEED
Record Sample
{
"id": 17775479,
"mask": "disk-space.ru",
"type": 1,
"first_seen": "24.09.2017 14:48",
"last_seen": "03.11.2017 15:54",
"popularity": 5,
"geo": "ru, ua, kz, by, de, dz, us, in, am, md",
"IP": "104.25.107.35, 104.25.106.35, 185.182.81.34,
139.59.131.232, 184.164.147.24, 184.164.147.3, 5.254.65.25,
184.164.146.10, 107.155.66.37",
"files": [
{
"MD5": "",
"SHA1": "",
"SHA256": ""
},
"whois": {
"domain": "disk-space.ru",
"created": "26.10.2014",
"expires": "26.10.2018",
"registrar_name": "REGRU-RU",
"NS": "jamie.ns.cloudflare.com, micah.ns.cloudflare.com",
"NS_ips": "173.245.58.168, 173.245.59.206",
"MX": "mx1.beget.com, mx2.beget.com",
"MX_ips": "185.78.30.48, 185.78.30.71, 5.101.158.67, 5.101.158.68"
}
JSON format id – unique record identifier
mask – record covering links that host ransomware objects or that are
accessed by them.
type – record type. 1, 2 and 4 types of masks are only used to simplify
integration with
security controls or TIPlatforms.
first_seen – date when the record was created/detected (UTC)
last_seen – date when the record was last encountered by Kaspersky Lab’s
users (UTC)
popularity – index number defining the record popularity (how many users were
affected
by this record). 5 is the most popular, 1 the least popular
geo – Top 10 countries where KL users were most affected by this record
IP – Top 10 IPs of the URL/mask within the last 4 months
files - top 10 related ransomware files (hosted on or accessed to the URL/mask)
whois - domain whois and DNS data

9. Kaspersky Lab | The Power of Protection11
Description of fields
APT IOC FEEDS
Record Sample
APT Hash Data Feed
{
"MD5": "CFFFC5A0E5BDC87AB11B75EC8A6715A4",
"detection_date": "21.09.2017 00:00",
"publication_name": "The Silence - new trojan attacking
financial organizations"
}
APT URL Data Feed
{
"id": 17868336,
"mask": "oospoosp.com",
"type": 1,
"detection_date": "23.10.2017 00:00",
"publication_name": "GreenBug waterholes a Kurdish
Government website"
}
APT IP Data Feed
{
"IP": "191.101.251.200",
"detection_date": "12.10.2017 00:00",
"publication_name": "Adobe Flash Zero Day (CVE-2017-11292)
Deploying FinSpy Malware – early warning"
}
APT YARA Data Feed contains YARA rules as is
JSON format
detection date – date when the record was created/detected (UTC).
Records are sorted in descending order.
security controls or TIPlatforms.
publication name – a short description of the APT campaign

10. 12
Integration with Security Controls
SIEM
THREAT INTELLIGENCE PLATFORMS
DATA MINING TOOLS
NETWORK CONTROLS

11. 13
Threat Data Feeds Consumption
Log Sources
Security Officer
Dashboards Alerts
Corporate Network
Kaspersky
Infrastructure
SIEM aggregates logs from different network devices
and IT systems and send the events with URLs,
hashes, and IPs to correlation service for analysis
SIEM
Raw logs
Forwarded
events
Matching engine
Detection events
Data feeds
1
2
3
Correlation service matches incoming events
with feeds and send detection events to SIEM
5
Free downloader regularly
downloads up-to-date threat
intelligence feeds and loads
them into correlation service
Feed
Downloader
— Views events with
security context and
receives alerts
— Investigates security
incidents based on
context
4

12. 14
Incident Investigation Workflow
Threat Lookup
MD5, SHA1 or SHA256
URL or Domains
IP Addresses
Threat Names
RESTful API
Cloud Sandbox

13. 15
Incident Investigation Workflow
Cloud Sandbox
Advanced analysis of files in various
formats
CLOUD SANDBOX
Default settings and advanced settings
for optimized performance
Advanced anti-evasion
and human simulating techniques
Visualization and intuitive
reporting
Advanced detection of APT,
targeted and complex threats
A workflow allowing to run
highly effective and complex
incident investigations
Scalability without the need to
purchase costly appliances
Seamless integration and
automation of your security
operations
Web Interface
RESTful API
KEY CAPABILITIES

14. 16
Intelligence Reporting
APT INTELLIGENCE
REPORTING
TAILORED THREAT INTELLIGENCE
REPORTING
FINANCIAL THREAT INTELLIGENCE
REPORTING

15. Kaspersky Lab | The Power of Protection17
Financial Threat Intelligence Reporting
TARGETED ATTACKS
METHODS USED TO BYPASS SECUIRTY MECHANISMS
MONETIZATION METHODS
ATTACKS ON ATMs
ATTACKS ON POS SYSTEMS DEVICES
SPECIFIC TOOLS DEVELOPED OR SOLD
BY CYBERCRIMINALS

16. Kaspersky Lab | The Power of Protection18

17. Kaspersky Lab | The Power of Protection19
KASPERSKY Cloud Sandbox

18. Kaspersky Lab | The Power of Protection20
KASPERSKY Cloud Sandbox

19. Kaspersky Lab | The Power of Protection21

20. Kaspersky Lab | The Power of Protection22
KASPERSKY Cloud Sandbox

21. Kaspersky Lab | The Power of Protection23
KASPERSKY Cloud Sandbox

22. Kaspersky Lab | The Power of Protection24
KASPERSKY THREAT LOOKUP: demo

23. Kaspersky Lab | The Power of Protection25
KASPERSKY THREAT LOOKUP: demo

24. Kaspersky Lab | The Power of Protection26
KASPERSKY THREAT LOOKUP: demo

25. Kaspersky Lab | The Power of Protection27
KASPERSKY THREAT LOOKUP: demo

26. Kaspersky Lab | The Power of Protection28
KASPERSKY THREAT LOOKUP: demo

27. Kaspersky Lab | The Power of Protection29
KASPERSKY THREAT LOOKUP: demo

28. 30
Cybersecurity Services Map
THREAT INTELLIGENCE
— THREAT DATA FEEDS
— INTELLIGENCE REPORTING:
APT
FINANCIAL
TAILORED
— THREAT LOOKUP
— CLOUD SANDBOX
THREAT HUNTING AND
INCIDENT RESPONSE
— MANAGED PROTECTION
—TARGETED ATTACK DISCOVERY
— MALWARE ANALYSIS
— DIGITAL FORENSICS
— INCIDENT RESPONSE
PENETRATION TESTING
SECURITY ASSESSMENT
— APPLICATION
— PAYMENT SYSTEMS
— TRANSPORTATION SYSTEMS
— ICS
— IOT AND SMART TECHNOLOGIES
SECURITY TRAINING
— DIGITAL FORENSICS
— MALWARE ANALYSIS
— INCIDENT RESPONSE
— EFFICIENT DETECTION WITH YARA

29. Let’s Talk?
Kaspersky Lab
2, rue Joseph Monier
92500 Rueil-Malmaison , France
Tel: +33 1 41 39 80 96
www.kaspersky.com