Khaled SANAA, CISSP
Sales Engineer, Kaspersky Lab
KASPERSKY THREAT INTELLIGENCE:
KNOW YOUR ENEMY !
Our Research

ADVANCED THREAT TAXONOMY: MULTISTAGE AND HIDDEN

Attack preparation
• gather data
• prepare strategy

Delivery
• non-malware
• hidden
• encrypted

C&C
• new domain
• «gray domain»
• payload/command delivery

Execution
• hide inside normal activities
• steal credentials
• non violation of anything

Lateral movement
• rapid
• silent
• no immediate damage

Damage & silent leave
• hide the traces
• erase from logs
• leave a backdoor
THE MEANING BEHIND «DETECTION» IS YOUR ABILITY TO REACT

Security Solution → Threat Hunting → Investigation
External Threat Intelligence → Additional Data to Analyze
Risk level? → Incident Reaction (Actionable Intelligence)
• HIGH: Full Incident Response, Forensics, Remediation
• LOW: Security Policies Improvement, Fast Recovery
Threat Intelligence Portal

Levels of threat intelligence, from LONG-TERM / HIGHER LEVEL down to SHORT-TERM / LOWER LEVEL:

STRATEGIC – HIGH LEVEL INFORMATION ON THE RISK
• APT INTELLIGENCE REPORTS
• FINANCIAL THREAT INTELLIGENCE REPORTS

OPERATIONAL – ATTACKER METHODOLOGIES, TOOLS AND TACTICS
• TAILORED THREAT INTELLIGENCE

TACTICAL – MACHINE-READABLE THREAT INDICATORS
• THREAT DATA FEEDS

TECHNICAL – DETAILS OF THE SPECIFIC INCOMING ATTACK
• THREAT LOOKUP
• CLOUD SANDBOX
Threat Intelligence Sources

Sources:
• Customer
• Kaspersky Global Users
• Web crawlers
• BotFarm
• Spam traps
• Sensors
• APT research team
• Partners
• OSINT

Raw data from these sources is processed by Kaspersky Lab Statistics, Kaspersky Lab Expert Systems, KL Analysts and Whitelisting to produce Threat Intelligence.
Threat Data Feeds

Consumers of THREAT DATA FEEDS: EDR, SIEMs, Email servers, Proxy servers, Firewall, TIPs, DLP, Correlation Service

• HASH FEED (WIN / *nix / MacOS / AndroidOS / iOS)
• IP REPUTATION
• APT IOC FEEDS
• URL FEEDS (Malicious, Phishing and C&C)
• RANSOMWARE URL FEED
• HASH FEEDS FOR TELECOMS
• WHITELISTING FEED

Kaspersky Lab | The Power of Protection
Description of fields
RANSOMWARE URL FEED
Record Sample

{
  "id": 17775479,
  "mask": "disk-space.ru",
  "type": 1,
  "first_seen": "24.09.2017 14:48",
  "last_seen": "03.11.2017 15:54",
  "popularity": 5,
  "geo": "ru, ua, kz, by, de, dz, us, in, am, md",
  "IP": "104.25.107.35, 104.25.106.35, 185.182.81.34, 139.59.131.232, 184.164.147.24, 184.164.147.3, 5.254.65.25, 184.164.146.10, 107.155.66.37",
  "files": [
    {
      "MD5": "",
      "SHA1": "",
      "SHA256": ""
    }
  ],
  "whois": {
    "domain": "disk-space.ru",
    "created": "26.10.2014",
    "expires": "26.10.2018",
    "registrar_name": "REGRU-RU",
    "NS": "jamie.ns.cloudflare.com, micah.ns.cloudflare.com",
    "NS_ips": "173.245.58.168, 173.245.59.206",
    "MX": "mx1.beget.com, mx2.beget.com",
    "MX_ips": "185.78.30.48, 185.78.30.71, 5.101.158.67, 5.101.158.68"
  }
}

JSON format
id – unique record identifier
mask – record covering links that host ransomware objects or that are accessed by them.
type – record type. Mask types 1, 2 and 4 are only used to simplify integration with security controls or TI platforms.
first_seen – date when the record was created/detected (UTC)
last_seen – date when the record was last encountered by Kaspersky Lab's users (UTC)
popularity – index number defining the record popularity (how many users were affected by this record). 5 is the most popular, 1 the least popular
geo – Top 10 countries where KL users were most affected by this record
IP – Top 10 IPs of the URL/mask within the last 4 months
files – top 10 related ransomware files (hosted on or accessed from the URL/mask)
whois – domain whois and DNS data
Description of fields
APT IOC FEEDS
Record Sample

APT Hash Data Feed
{
  "MD5": "CFFFC5A0E5BDC87AB11B75EC8A6715A4",
  "detection_date": "21.09.2017 00:00",
  "publication_name": "The Silence - new trojan attacking financial organizations"
}

APT URL Data Feed
{
  "id": 17868336,
  "mask": "oospoosp.com",
  "type": 1,
  "detection_date": "23.10.2017 00:00",
  "publication_name": "GreenBug waterholes a Kurdish Government website"
}

APT IP Data Feed
{
  "IP": "191.101.251.200",
  "detection_date": "12.10.2017 00:00",
  "publication_name": "Adobe Flash Zero Day (CVE-2017-11292) Deploying FinSpy Malware – early warning"
}

The APT YARA Data Feed contains YARA rules as is.

JSON format
detection_date – date when the record was created/detected (UTC). Records are sorted in descending order.
publication_name – a short description of the APT campaign
Integration with Security Controls
• SIEM
• THREAT INTELLIGENCE PLATFORMS
• DATA MINING TOOLS
• NETWORK CONTROLS
Threat Data Feeds Consumption

Components: Log Sources and SIEM (Corporate Network); Feed Downloader and Correlation Service with its matching engine; Data feeds (Kaspersky Infrastructure); Security Officer (Dashboards, Alerts).

1. The SIEM aggregates raw logs from different network devices and IT systems and sends the events containing URLs, hashes and IPs (forwarded events) to the correlation service for analysis.
2. The free downloader regularly downloads up-to-date threat intelligence feeds and loads them into the correlation service.
3. The correlation service (matching engine) matches incoming events with the feeds and sends detection events back to the SIEM.
4. The Security Officer views events with security context and receives alerts.
5. The Security Officer investigates security incidents based on that context.
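The matching step in this workflow, and the feed record formats on the preceding slides, as an added example. This is not Kaspersky's correlation service and not code from the deck: it is a toy matcher that loads the slide's own sample records (Ransomware URL, APT hash, APT URL and APT IP feeds), indexes them by indicator, and correlates a few constructed SIEM events against them. Assumptions that the slides do not state: feed records arrive as JSON arrays in the slide's record format; a URL-feed "mask" such as "disk-space.ru" matches that host and any subdomain of it; SIEM events are dicts with "id", "url", "md5", "src_ip" and "dst_ip" keys; the feed names, function names and the detection-event layout are the example's own.

```python
"""Toy correlation service for the feed record formats shown on the slides.

Added example, not Kaspersky code. Assumptions not on the slides: feeds are JSON
arrays in the slide's record format; a URL-feed "mask" matches the host and its
subdomains; SIEM events are dicts with "id", "url", "md5", "src_ip", "dst_ip".
"""
import json
from urllib.parse import urlsplit

# Feed records: the sample records from the slides, wrapped in JSON arrays.
FEEDS = {
    "ransomware_url": json.loads("""[
      {"id": 17775479, "mask": "disk-space.ru", "type": 1,
       "first_seen": "24.09.2017 14:48", "last_seen": "03.11.2017 15:54",
       "popularity": 5, "geo": "ru, ua, kz, by, de, dz, us, in, am, md",
       "IP": "104.25.107.35, 104.25.106.35, 185.182.81.34"}]"""),
    "apt_hash": json.loads("""[
      {"MD5": "CFFFC5A0E5BDC87AB11B75EC8A6715A4",
       "detection_date": "21.09.2017 00:00",
       "publication_name": "The Silence - new trojan attacking financial organizations"}]"""),
    "apt_url": json.loads("""[
      {"id": 17868336, "mask": "oospoosp.com", "type": 1,
       "detection_date": "23.10.2017 00:00",
       "publication_name": "GreenBug waterholes a Kurdish Government website"}]"""),
    "apt_ip": json.loads("""[
      {"IP": "191.101.251.200", "detection_date": "12.10.2017 00:00",
       "publication_name": "Adobe Flash Zero Day (CVE-2017-11292) Deploying FinSpy Malware - early warning"}]"""),
}

# Constructed SIEM events (not real traffic); mixed case and subdomains on purpose.
SIEM_EVENTS = [
    {"id": 1, "src_ip": "10.0.0.15", "url": "http://WWW.disk-space.ru/get/setup.exe"},
    {"id": 2, "src_ip": "10.0.0.22", "md5": "cfffc5a0e5bdc87ab11b75ec8a6715a4"},
    {"id": 3, "src_ip": "10.0.0.31", "dst_ip": "191.101.251.200"},
    {"id": 4, "src_ip": "10.0.0.40", "url": "https://cdn.oospoosp.com/lib.js"},
    {"id": 5, "src_ip": "10.0.0.51", "url": "https://example.com/",
     "md5": "d41d8cd98f00b204e9800998ecf8427e", "dst_ip": "104.25.107.35"},
]


def build_index(feeds):
    """Turn feed records into exact-match lookup tables keyed by indicator."""
    index = {"hash": {}, "ip": {}, "mask": {}}
    for feed_name, records in feeds.items():
        for rec in records:
            ctx = {"feed": feed_name, "record": rec}
            if rec.get("MD5"):
                index["hash"][rec["MD5"].lower()] = ctx
            if rec.get("mask"):
                index["mask"][rec["mask"].lower()] = ctx
            # Only IP-feed records carry an IP *indicator*. The "IP" field of a
            # URL-feed record lists the hosts behind the mask (often a shared CDN),
            # which is context for the analyst, not something to alert on alone.
            if feed_name.endswith("_ip") and rec.get("IP"):
                for ip in rec["IP"].split(","):
                    index["ip"][ip.strip()] = ctx
    return index


def host_of(url):
    """Extract the lower-cased host from a URL (scheme optional)."""
    if "://" not in url:
        url = "http://" + url
    return (urlsplit(url).hostname or "").lower()


def match_mask(host, mask_index):
    """Match a host against masks: the host itself or any parent domain."""
    labels = host.split(".")
    for i in range(len(labels) - 1):
        ctx = mask_index.get(".".join(labels[i:]))
        if ctx:
            return ctx
    return None


def correlate(events, index):
    """Return one detection event per matched indicator, with feed context."""
    detections = []
    for ev in events:
        hits = []
        if ev.get("url"):
            ctx = match_mask(host_of(ev["url"]), index["mask"])
            if ctx:
                hits.append(("url", ev["url"], ctx))
        if ev.get("md5"):
            ctx = index["hash"].get(ev["md5"].lower())
            if ctx:
                hits.append(("md5", ev["md5"], ctx))
        for key in ("src_ip", "dst_ip"):
            ctx = index["ip"].get(ev.get(key, ""))
            if ctx:
                hits.append((key, ev[key], ctx))
        for field, value, ctx in hits:
            rec = ctx["record"]
            detections.append({
                "event_id": ev["id"],
                "matched_field": field,
                "indicator": value,
                "feed": ctx["feed"],
                # Security context the SIEM dashboard can show the analyst.
                "context": rec.get("publication_name")
                or "popularity=%s, last_seen=%s" % (rec["popularity"], rec["last_seen"]),
            })
    return detections


def run_demo():
    """Correlate the constructed events against the slide's sample feeds."""
    return correlate(SIEM_EVENTS, build_index(FEEDS))


if __name__ == "__main__":
    for d in run_demo():
        print(d)
```

Events 1 to 4 each produce one detection event carrying the feed name and the record's context (the APT publication name, or popularity and last_seen for the ransomware record); event 5 produces none, even though its destination IP appears in the ransomware record's "IP" field, because that field is hosting context rather than an indicator. In a real deployment the same context fields would be attached to the detection event sent back to the SIEM so the analyst sees them on the dashboard.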
Incident Investigation Workflow

Threat Lookup – query by:
• MD5, SHA1 or SHA256
• URL or Domains
• IP Addresses
• Threat Names
Access: RESTful API. Related service: Cloud Sandbox.
Incident Investigation Workflow
Cloud Sandbox

CLOUD SANDBOX – KEY CAPABILITIES
• Advanced analysis of files in various formats
• Default settings and advanced settings for optimized performance
• Advanced anti-evasion and human-simulating techniques
• Visualization and intuitive reporting
• Advanced detection of APT, targeted and complex threats
• A workflow that allows running highly effective and complex incident investigations
• Scalability without the need to purchase costly appliances
• Seamless integration and automation of your security operations
Access: Web Interface, RESTful API
Intelligence Reporting
• APT INTELLIGENCE REPORTING
• TAILORED THREAT INTELLIGENCE REPORTING
• FINANCIAL THREAT INTELLIGENCE REPORTING

Financial Threat Intelligence Reporting
• TARGETED ATTACKS
• METHODS USED TO BYPASS SECURITY MECHANISMS
• MONETIZATION METHODS
• ATTACKS ON ATMs
• ATTACKS ON POS SYSTEMS DEVICES
• SPECIFIC TOOLS DEVELOPED OR SOLD BY CYBERCRIMINALS
KASPERSKY Cloud Sandbox (screenshot slides)
KASPERSKY THREAT LOOKUP: demo (screenshot slides)
Cybersecurity Services Map

THREAT INTELLIGENCE
— THREAT DATA FEEDS
— INTELLIGENCE REPORTING: APT, FINANCIAL, TAILORED
— THREAT LOOKUP
— CLOUD SANDBOX

THREAT HUNTING AND INCIDENT RESPONSE
— MANAGED PROTECTION
— TARGETED ATTACK DISCOVERY
— MALWARE ANALYSIS
— DIGITAL FORENSICS
— INCIDENT RESPONSE

PENETRATION TESTING

SECURITY ASSESSMENT
— APPLICATION
— PAYMENT SYSTEMS
— TRANSPORTATION SYSTEMS
— ICS
— IOT AND SMART TECHNOLOGIES

SECURITY TRAINING
— DIGITAL FORENSICS
— MALWARE ANALYSIS
— INCIDENT RESPONSE
— EFFICIENT DETECTION WITH YARA
Let’s Talk?
Kaspersky Lab
2, rue Joseph Monier
92500 Rueil-Malmaison, France
Tel: +33 1 41 39 80 96
www.kaspersky.com

J-Spring 2024 - Going serverless with Quarkus, GraalVM native images and AWS ...J-Spring 2024 - Going serverless with Quarkus, GraalVM native images and AWS ...
J-Spring 2024 - Going serverless with Quarkus, GraalVM native images and AWS ...
Bert Jan Schrijver
 
Enhanced Screen Flows UI/UX using SLDS with Tom Kitt
Enhanced Screen Flows UI/UX using SLDS with Tom KittEnhanced Screen Flows UI/UX using SLDS with Tom Kitt
Enhanced Screen Flows UI/UX using SLDS with Tom Kitt
Peter Caitens
 
Computer Science & Engineering VI Sem- New Syllabus.pdf
Computer Science & Engineering VI Sem- New Syllabus.pdfComputer Science & Engineering VI Sem- New Syllabus.pdf
Computer Science & Engineering VI Sem- New Syllabus.pdf
chandangoswami40933
 
Streamlining End-to-End Testing Automation
Streamlining End-to-End Testing AutomationStreamlining End-to-End Testing Automation
Streamlining End-to-End Testing Automation
Anand Bagmar
 
WMF 2024 - Unlocking the Future of Data Powering Next-Gen AI with Vector Data...
WMF 2024 - Unlocking the Future of Data Powering Next-Gen AI with Vector Data...WMF 2024 - Unlocking the Future of Data Powering Next-Gen AI with Vector Data...
WMF 2024 - Unlocking the Future of Data Powering Next-Gen AI with Vector Data...
Luigi Fugaro
 
Microsoft-Power-Platform-Adoption-Planning.pptx
Microsoft-Power-Platform-Adoption-Planning.pptxMicrosoft-Power-Platform-Adoption-Planning.pptx
Microsoft-Power-Platform-Adoption-Planning.pptx
jrodriguezq3110
 
Cost-Effective Strategies For iOS App Development
Cost-Effective Strategies For iOS App DevelopmentCost-Effective Strategies For iOS App Development
Cost-Effective Strategies For iOS App Development
Softradix Technologies
 

Recently uploaded (20)

Flutter vs. React Native: A Detailed Comparison for App Development in 2024
Flutter vs. React Native: A Detailed Comparison for App Development in 2024Flutter vs. React Native: A Detailed Comparison for App Development in 2024
Flutter vs. React Native: A Detailed Comparison for App Development in 2024
 
Migration From CH 1.0 to CH 2.0 and Mule 4.6 & Java 17 Upgrade.pptx
Migration From CH 1.0 to CH 2.0 and  Mule 4.6 & Java 17 Upgrade.pptxMigration From CH 1.0 to CH 2.0 and  Mule 4.6 & Java 17 Upgrade.pptx
Migration From CH 1.0 to CH 2.0 and Mule 4.6 & Java 17 Upgrade.pptx
 
Penify - Let AI do the Documentation, you write the Code.
Penify - Let AI do the Documentation, you write the Code.Penify - Let AI do the Documentation, you write the Code.
Penify - Let AI do the Documentation, you write the Code.
 
A Comprehensive Guide on Implementing Real-World Mobile Testing Strategies fo...
A Comprehensive Guide on Implementing Real-World Mobile Testing Strategies fo...A Comprehensive Guide on Implementing Real-World Mobile Testing Strategies fo...
A Comprehensive Guide on Implementing Real-World Mobile Testing Strategies fo...
 
All you need to know about Spring Boot and GraalVM
All you need to know about Spring Boot and GraalVMAll you need to know about Spring Boot and GraalVM
All you need to know about Spring Boot and GraalVM
 
Superpower Your Apache Kafka Applications Development with Complementary Open...
Superpower Your Apache Kafka Applications Development with Complementary Open...Superpower Your Apache Kafka Applications Development with Complementary Open...
Superpower Your Apache Kafka Applications Development with Complementary Open...
 
The Power of Visual Regression Testing_ Why It Is Critical for Enterprise App...
The Power of Visual Regression Testing_ Why It Is Critical for Enterprise App...The Power of Visual Regression Testing_ Why It Is Critical for Enterprise App...
The Power of Visual Regression Testing_ Why It Is Critical for Enterprise App...
 
bgiolcb
bgiolcbbgiolcb
bgiolcb
 
Unlock the Secrets to Effortless Video Creation with Invideo: Your Ultimate G...
Unlock the Secrets to Effortless Video Creation with Invideo: Your Ultimate G...Unlock the Secrets to Effortless Video Creation with Invideo: Your Ultimate G...
Unlock the Secrets to Effortless Video Creation with Invideo: Your Ultimate G...
 
42 Ways to Generate Real Estate Leads - Sellxpert
42 Ways to Generate Real Estate Leads - Sellxpert42 Ways to Generate Real Estate Leads - Sellxpert
42 Ways to Generate Real Estate Leads - Sellxpert
 
一比一原版(sdsu毕业证书)圣地亚哥州立大学毕业证如何办理
一比一原版(sdsu毕业证书)圣地亚哥州立大学毕业证如何办理一比一原版(sdsu毕业证书)圣地亚哥州立大学毕业证如何办理
一比一原版(sdsu毕业证书)圣地亚哥州立大学毕业证如何办理
 
Assure Contact Center Experiences for Your Customers With ThousandEyes
Assure Contact Center Experiences for Your Customers With ThousandEyesAssure Contact Center Experiences for Your Customers With ThousandEyes
Assure Contact Center Experiences for Your Customers With ThousandEyes
 
How GenAI Can Improve Supplier Performance Management.pdf
How GenAI Can Improve Supplier Performance Management.pdfHow GenAI Can Improve Supplier Performance Management.pdf
How GenAI Can Improve Supplier Performance Management.pdf
 
J-Spring 2024 - Going serverless with Quarkus, GraalVM native images and AWS ...
J-Spring 2024 - Going serverless with Quarkus, GraalVM native images and AWS ...J-Spring 2024 - Going serverless with Quarkus, GraalVM native images and AWS ...
J-Spring 2024 - Going serverless with Quarkus, GraalVM native images and AWS ...
 
Enhanced Screen Flows UI/UX using SLDS with Tom Kitt
Enhanced Screen Flows UI/UX using SLDS with Tom KittEnhanced Screen Flows UI/UX using SLDS with Tom Kitt
Enhanced Screen Flows UI/UX using SLDS with Tom Kitt
 
Computer Science & Engineering VI Sem- New Syllabus.pdf
Computer Science & Engineering VI Sem- New Syllabus.pdfComputer Science & Engineering VI Sem- New Syllabus.pdf
Computer Science & Engineering VI Sem- New Syllabus.pdf
 
Streamlining End-to-End Testing Automation
Streamlining End-to-End Testing AutomationStreamlining End-to-End Testing Automation
Streamlining End-to-End Testing Automation
 
WMF 2024 - Unlocking the Future of Data Powering Next-Gen AI with Vector Data...
WMF 2024 - Unlocking the Future of Data Powering Next-Gen AI with Vector Data...WMF 2024 - Unlocking the Future of Data Powering Next-Gen AI with Vector Data...
WMF 2024 - Unlocking the Future of Data Powering Next-Gen AI with Vector Data...
 
Microsoft-Power-Platform-Adoption-Planning.pptx
Microsoft-Power-Platform-Adoption-Planning.pptxMicrosoft-Power-Platform-Adoption-Planning.pptx
Microsoft-Power-Platform-Adoption-Planning.pptx
 
Cost-Effective Strategies For iOS App Development
Cost-Effective Strategies For iOS App DevelopmentCost-Effective Strategies For iOS App Development
Cost-Effective Strategies For iOS App Development
 

Presentation: Kaspersky Threat Intelligence Services

  • 1. Khaled SANAA, CISSP, Sales Engineer, Kaspersky Lab. KASPERSKY THREAT INTELLIGENCE: KNOW YOUR ENEMY!
  • 3. ADVANCED THREAT TAXONOMY: MULTISTAGE AND HIDDEN
      Attack preparation: gather data; prepare strategy
      Delivery: non-malware; hidden; encrypted
      C&C: new domain; «gray domain»; payload/command delivery
      Execution: hide inside normal activities; steal credentials; non violation of anything
      Lateral movement: rapid; silent; no immediate damage
      Damage & silent leave: hide the traces; erase from logs; leave a backdoor
  • 4. THE MEANING BEHIND «DETECTION» IS YOUR ABILITY TO REACT. Diagram elements: Security Solution; Threat Hunting; Investigation; External Threat Intelligence; Additional Data to Analyze; Risk level? (HIGH / LOW); Incident Reaction; Actionable Intelligence; Security Policies Improvement; Fast Recovery; Full Incident Response; Remediation; Forensics.
  • 5. Threat Intelligence Portal (axes: LONG-TERM / SHORT-TERM, HIGHER LEVEL / LOWER LEVEL)
      STRATEGIC – high level information on the risk: Tailored Threat Intelligence
      TACTICAL – attacker methodologies, tools and tactics: APT Intelligence Reports; Financial Threat Intelligence Reports
      OPERATIONAL – details of the specific incoming attack: Threat Lookup; Cloud Sandbox
      TECHNICAL – machine-readable threat indicators: Threat Data Feeds
  • 6. Threat Intelligence Sources
      Sources: Customer; Kaspersky Global Users; Web crawlers; BotFarm; Spam traps; Sensors; APT research team; Partners; OSINT
      Processing (steps 1 to 5 in the diagram): Kaspersky Lab Statistics; Kaspersky Lab Expert Systems; KL Analyst; Whitelisting; Threat Intelligence
  • 7. Threat Data Feeds
      Consumers: EDR; SIEMs; Email servers; Proxy servers; Firewall; TIPs; DLP; Correlation Service
      Feeds: HASH FEED (WIN / *nix / MacOS / AndroidOS / iOS); IP REPUTATION; APT IOC FEEDS; URL FEEDS (Malicious, Phishing and C&C); RANSOMWARE URL FEED; HASH FEEDS FOR TELECOMS; WHITELISTING FEED
  • 8. Kaspersky Lab | The Power of Protection. RANSOMWARE URL FEED – Description of fields
      Record Sample (JSON format):
        {
          "id": 17775479,
          "mask": "disk-space.ru",
          "type": 1,
          "first_seen": "24.09.2017 14:48",
          "last_seen": "03.11.2017 15:54",
          "popularity": 5,
          "geo": "ru, ua, kz, by, de, dz, us, in, am, md",
          "IP": "104.25.107.35, 104.25.106.35, 185.182.81.34, 139.59.131.232, 184.164.147.24, 184.164.147.3, 5.254.65.25, 184.164.146.10, 107.155.66.37",
          "files": [ { "MD5": "", "SHA1": "", "SHA256": "" } ],
          "whois": {
            "domain": "disk-space.ru",
            "created": "26.10.2014",
            "expires": "26.10.2018",
            "registrar_name": "REGRU-RU",
            "NS": "jamie.ns.cloudflare.com, micah.ns.cloudflare.com",
            "NS_ips": "173.245.58.168, 173.245.59.206",
            "MX": "mx1.beget.com, mx2.beget.com",
            "MX_ips": "185.78.30.48, 185.78.30.71, 5.101.158.67, 5.101.158.68"
          }
        }
      id – unique record identifier
      mask – record covering links that host ransomware objects or that are accessed by them
      type – record type. Mask types 1, 2 and 4 are only used to simplify integration with security controls or TI platforms
      first_seen – date when the record was created/detected (UTC)
      last_seen – date when the record was last encountered by Kaspersky Lab's users (UTC)
      popularity – index number defining the record popularity (how many users were affected by this record): 5 is the most popular, 1 the least popular
      geo – top 10 countries where KL users were most affected by this record
      IP – top 10 IPs of the URL/mask within the last 4 months
      files – top 10 related ransomware files (hosted on or accessed from the URL/mask)
      whois – domain whois and DNS data
  • 9. Kaspersky Lab | The Power of Protection. APT IOC FEEDS – Description of fields (JSON format)
      APT Hash Data Feed record sample:
        { "MD5": "CFFFC5A0E5BDC87AB11B75EC8A6715A4", "detection_date": "21.09.2017 00:00", "publication_name": "The Silence - new trojan attacking financial organizations" }
      APT URL Data Feed record sample:
        { "id": 17868336, "mask": "oospoosp.com", "type": 1, "detection_date": "23.10.2017 00:00", "publication_name": "GreenBug waterholes a Kurdish Government website" }
      APT IP Data Feed record sample:
        { "IP": "191.101.251.200", "detection_date": "12.10.2017 00:00", "publication_name": "Adobe Flash Zero Day (CVE-2017-11292) Deploying FinSpy Malware – early warning" }
      APT YARA Data Feed contains YARA rules as is.
      detection_date – date when the record was created/detected (UTC). Records are sorted in descending order
      publication_name – a short description of the APT campaign
  • 10. Integration with Security Controls: SIEM; Threat Intelligence Platforms; Data Mining Tools; Network Controls
  • 11. Threat Data Feeds Consumption
      Components: Log Sources; SIEM (raw logs in, forwarded events out, detection events back); Correlation Service (matching engine plus data feeds); Feed Downloader; Security Officer (dashboards, alerts); Corporate Network; Kaspersky Infrastructure
      Workflow (steps 1 to 5 in the diagram):
      SIEM aggregates logs from different network devices and IT systems and sends the events with URLs, hashes and IPs to the correlation service for analysis
      Correlation service matches incoming events with feeds and sends detection events to the SIEM
      A free downloader (Feed Downloader) regularly downloads up-to-date threat intelligence feeds and loads them into the correlation service
      Security Officer views events with security context and receives alerts; investigates security incidents based on context
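An added example, not Kaspersky's code and not the real correlation service, that builds lookup tables from records in the shape of the slide 8 and slide 9 feeds and then runs the slide 11 matching step over constructed forwarded events. It assumes that a mask covers the host and its subdomains and that the record's "IP" string carries the top IPs comma-separated; all indicator values are constructed.

```python
import json
from urllib.parse import urlsplit

# Constructed feed records in the shape shown on slides 8 and 9; the indicator
# values below are made up for this example and are not real feed data.
RANSOMWARE_URL_FEED = json.loads("""[{
  "id": 1, "mask": "ransom-host.example", "type": 1,
  "first_seen": "24.09.2017 14:48", "last_seen": "03.11.2017 15:54",
  "popularity": 5, "geo": "ru, ua", "IP": "192.0.2.10, 192.0.2.11",
  "files": [{"MD5": "", "SHA1": "", "SHA256": ""}],
  "whois": {"domain": "ransom-host.example"}
}]""")
APT_HASH_FEED = [{"MD5": "0123456789ABCDEF0123456789ABCDEF",
                  "detection_date": "21.09.2017 00:00",
                  "publication_name": "Constructed APT report"}]

def build_index(url_feed, hash_feed):
    """Flatten feed records into lookup tables keyed by indicator type."""
    idx = {"domain": {}, "ip": {}, "md5": {}}
    for rec in url_feed:
        ctx = {"feed": "ransomware_url", "id": rec["id"],
               "popularity": rec["popularity"], "last_seen": rec["last_seen"]}
        idx["domain"][rec["mask"].lower()] = ctx
        for ip in rec["IP"].split(","):   # "IP" is a comma-separated string
            idx["ip"][ip.strip()] = ctx
    for rec in hash_feed:
        idx["md5"][rec["MD5"].lower()] = dict(rec, feed="apt_hash")
    return idx

def host_matches(host, mask):
    # Assumption: a mask covers the host itself and every subdomain of it.
    return host == mask or host.endswith("." + mask)

def match_event(event, idx):
    """Return feed context for one forwarded SIEM event, or None (step 3)."""
    if "url" in event:
        host = (urlsplit(event["url"]).hostname or "").lower()
        for mask, ctx in idx["domain"].items():
            if host_matches(host, mask):
                return ctx
    if event.get("dst_ip") in idx["ip"]:
        return idx["ip"][event["dst_ip"]]
    if event.get("md5", "").lower() in idx["md5"]:
        return idx["md5"][event["md5"].lower()]
    return None

def correlate(events, idx):
    """Forwarded events that hit a feed become detection events with context."""
    return [{"event": e, "context": ctx} for e in events
            if (ctx := match_event(e, idx)) is not None]
```

The detection events are what goes back to the SIEM; the attached context (popularity, last_seen, publication_name) is the "security context" the security officer sees on the dashboard.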
  • 12. Incident Investigation Workflow: Threat Lookup. Lookup inputs: MD5, SHA1 or SHA256; URL or Domains; IP Addresses; Threat Names. Access via RESTful API; hand-off to Cloud Sandbox.
  • 13. Incident Investigation Workflow: Cloud Sandbox. KEY CAPABILITIES: Advanced analysis of files in various formats; Default settings and advanced settings for optimized performance; Advanced anti-evasion and human simulating techniques; Visualization and intuitive reporting; Advanced detection of APT, targeted and complex threats; A workflow allowing to run highly effective and complex incident investigations; Scalability without the need to purchase costly appliances; Seamless integration and automation of your security operations. Access: Web Interface; RESTful API.
  • 14. Intelligence Reporting: APT INTELLIGENCE REPORTING; TAILORED THREAT INTELLIGENCE REPORTING; FINANCIAL THREAT INTELLIGENCE REPORTING
  • 15. Financial Threat Intelligence Reporting: TARGETED ATTACKS; METHODS USED TO BYPASS SECURITY MECHANISMS; MONETIZATION METHODS; ATTACKS ON ATMs; ATTACKS ON POS SYSTEMS DEVICES; SPECIFIC TOOLS DEVELOPED OR SOLD BY CYBERCRIMINALS
  • 16. (footer only, no slide text)
  • 17. KASPERSKY Cloud Sandbox
  • 18. KASPERSKY Cloud Sandbox
  • 19. (footer only, no slide text)
  • 20. KASPERSKY Cloud Sandbox
  • 21. KASPERSKY Cloud Sandbox
  • 22. KASPERSKY THREAT LOOKUP: demo
  • 23. KASPERSKY THREAT LOOKUP: demo
  • 24. KASPERSKY THREAT LOOKUP: demo
  • 25. KASPERSKY THREAT LOOKUP: demo
  • 26. KASPERSKY THREAT LOOKUP: demo
  • 27. KASPERSKY THREAT LOOKUP: demo
  • 28. Cybersecurity Services Map
      THREAT INTELLIGENCE: Threat Data Feeds; Intelligence Reporting (APT, Financial, Tailored); Threat Lookup; Cloud Sandbox
      THREAT HUNTING AND INCIDENT RESPONSE: Managed Protection; Targeted Attack Discovery; Malware Analysis; Digital Forensics; Incident Response
      PENETRATION TESTING, SECURITY ASSESSMENT: Application; Payment Systems; Transportation Systems; ICS; IoT and Smart Technologies
      SECURITY TRAINING: Digital Forensics; Malware Analysis; Incident Response; Efficient Detection with YARA
  • 29. Let's Talk? Kaspersky Lab, 2, rue Joseph Monier, 92500 Rueil-Malmaison, France. Tel: +33 1 41 39 80 96. www.kaspersky.com