Kaspersky tool connects new attacks to APT groups in seconds


Kaspersky has released its new threat intelligence solution aimed at helping SOC analysts and incident responders attribute malware samples to previously revealed Advanced Persistent Threat (APT) groups.

Using a proprietary method, Kaspersky Threat Attribution Engine matches discovered malicious code against one of the largest malware databases in the industry and, based on code similarities, links it to a specific APT group or campaign. This information helps security teams prioritise high-risk threats over less serious incidents.

By knowing who is attacking their company, and for what purpose, security teams can quickly come up with the most tailored incident response plan for the attack. However, unveiling the actor who is behind an attack is a challenging task, which requires not only a large amount of collected threat intelligence (TI) but also the right skills to interpret it.

To automate the classification and identification of sophisticated malware, Kaspersky presents its new Kaspersky Threat Attribution Engine. The solution has evolved from an internal tool used by a world-renowned team of experienced threat hunters.

In order to determine whether a threat is related to a known APT group or campaign, and which one, Kaspersky Threat Attribution Engine automatically decomposes a newly found malicious file into small binary pieces. It then compares these pieces against a collection of more than 60,000 APT-related files.

For more accurate attribution, the solution also incorporates a large database of whitelisted files. This significantly improves the quality of the malware triage and attack identification and facilitates incident response.

Depending on how similar the analysed file is to the samples in the database, the Threat Attribution Engine calculates its reputational score and highlights its possible origin and author with a short description and links to both private and public resources, outlining the previous campaigns. The Threat Attribution Engine is designed to be deployed on a customer’s network, “on premise”, rather than in a third-party cloud environment. This approach grants a customer control over data sharing.

In addition to the threat intelligence available “out of the box”, customers can create their own database and fill it with malware samples found by in-house analysts. That way, the Threat Attribution Engine will learn to attribute malware analogous with those in a customer’s database while keeping this information confidential.
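The article describes the general shape of the approach (split a file into small pieces, drop pieces that also occur in known-good files, score the remainder against labelled samples, and let customers add their own samples) without giving the algorithm. The block below is an added illustration of that shape, not Kaspersky's proprietary method or any code from the product. It assumes sliding 8-byte windows with hash-based subsampling as the "small binary pieces", a containment score (fraction of the unknown file's non-whitelisted pieces seen in an actor's samples) as the similarity measure, and the actor names, sample bytes and in-house cluster label are all constructed for the example.

```python
"""Added example: chunk-based malware similarity with a benign-file whitelist and a
per-actor corpus that customers can extend. Illustrates the approach described in
the article; it is NOT Kaspersky's algorithm, and every blob below is constructed."""
from __future__ import annotations

import hashlib
from collections import defaultdict

WINDOW = 8      # bytes per piece (sliding window)
KEEP_MOD = 4    # keep roughly one window in four, selected by hash value


def chunk_features(data: bytes, window: int = WINDOW, keep_mod: int = KEEP_MOD) -> set[int]:
    """Decompose a blob into a set of small-piece fingerprints.

    Every `window`-byte substring is hashed and only windows whose hash falls in
    a fixed residue class are kept, so the selection depends on content rather
    than file offset and survives byte insertions elsewhere in the file.
    Inputs shorter than `window` yield an empty set.
    """
    feats: set[int] = set()
    for i in range(len(data) - window + 1):
        digest = hashlib.blake2b(data[i:i + window], digest_size=8).digest()
        h = int.from_bytes(digest, "big")
        if h % keep_mod == 0:
            feats.add(h)
    return feats


class AttributionCorpus:
    """Labelled piece sets per actor plus a whitelist of pieces from known-good files."""

    def __init__(self, whitelist_blobs=()):
        self.by_actor: dict[str, set[int]] = defaultdict(set)
        self.whitelist: set[int] = set()
        for blob in whitelist_blobs:
            self.whitelist |= chunk_features(blob)

    def add_sample(self, actor: str, data: bytes) -> None:
        # Pieces that also occur in benign files carry no attribution signal.
        self.by_actor[actor] |= chunk_features(data) - self.whitelist

    def attribute(self, data: bytes) -> list[tuple[str, float, int]]:
        """Rank actors by the fraction of the unknown file's non-whitelisted
        pieces that also appear in that actor's samples (containment score)."""
        query = chunk_features(data) - self.whitelist
        ranked = []
        for actor, feats in self.by_actor.items():
            shared = len(query & feats)
            score = shared / len(query) if query else 0.0
            ranked.append((actor, round(score, 3), shared))
        ranked.sort(key=lambda r: (-r[1], r[0]))
        return ranked


# --- constructed sample data (not real malware, not real actor names) ---
RUNTIME = b"common runtime stub: " + bytes(range(256)) * 2   # benign code shared by every file
ALPHA_CODE = b"AlphaActor custom loader v3 " * 6
BRAVO_CODE = b"BravoGroup config parser blob " * 6
ALPHA_SAMPLE = RUNTIME + ALPHA_CODE
BRAVO_SAMPLE = RUNTIME + BRAVO_CODE
# Unknown file: the same runtime, most of Alpha's loader, and a short unseen tail.
UNKNOWN = RUNTIME + ALPHA_CODE[:100] + b"\x90\x90new-tail\x00"


def build_corpus(use_whitelist: bool = True) -> AttributionCorpus:
    corpus = AttributionCorpus(whitelist_blobs=[RUNTIME] if use_whitelist else [])
    corpus.add_sample("AlphaActor", ALPHA_SAMPLE)
    corpus.add_sample("BravoGroup", BRAVO_SAMPLE)
    return corpus


def top_match(data: bytes, use_whitelist: bool = True) -> tuple[str, float, int]:
    return build_corpus(use_whitelist).attribute(data)[0]


if __name__ == "__main__":
    print("with whitelist   :", build_corpus(True).attribute(UNKNOWN))
    # Without the whitelist the shared runtime makes BravoGroup look related too.
    print("without whitelist:", build_corpus(False).attribute(UNKNOWN))
    # Customer-side extension: an in-house cluster added to a local corpus only.
    corpus = build_corpus()
    corpus.add_sample("InHouse-Cluster-7", RUNTIME + b"\x90\x90new-tail\x00" * 5)
    print("after in-house add:", corpus.attribute(UNKNOWN))
```

The whitelist is what keeps the score honest: without it, every sample that embeds the same runtime or packer stub looks "similar" to every other, which is exactly the false signal the article says the whitelisted-file database exists to suppress. Containment rather than Jaccard is used so that a large actor corpus is not penalised for containing pieces the unknown file lacks.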
