Overview
The latest attacks are aware of the protection tools their victims have in place, and are developed accordingly, bypassing existing automatic security controls. If they remain undiscovered, these kinds of attacks can lurk within your organization for months. Running a compromise assessment is an effective way of understanding whether your existing detection and prevention systems are sufficient. It helps to uncover past and ongoing attacks, enabling the most effective response.
Kaspersky Targeted Attack Discovery will be useful if you are concerned about attacks directed at your industry, if you have noticed suspicious behavior in your own systems, or if your organization simply recognizes the benefits of regular preventative inspections.
The service provides:
- Comprehensive analysis: detects compromise attempts using a combination of approaches, including threat intelligence, vulnerability assessment and incident investigation.
- Proactive mitigation: timely identification of security incidents mitigates their impact before it becomes apparent and protects your resources from similar attacks in future.
How the service works
Kaspersky experts detect, identify and analyze ongoing incidents as well as those that occurred in the past, and compile a list of systems affected by those attacks. We help you uncover malicious activities, identify the possible sources of an incident and plan the most effective remedial actions.
Kaspersky does this by:
- Analyzing the specific threat landscape of your organization
- Conducting in-depth inspections of your IT infrastructure and data (such as log files) to identify possible signs of compromise
- Analyzing your outgoing network connections for suspicious activity
- Uncovering probable sources of an attack and other potentially compromised systems
The Risk
According to recent research, a high proportion of security incidents go undetected. Relying on automated detection and prevention mechanisms alone, you run the risk of failing to detect:
- Non-malware based attacks
- Cyber-espionage activity
- Advanced attacks already at work in your infrastructure
- Attacks involving previously unknown tools
- Attacks exploiting zero-day vulnerabilities
- Fileless attacks
Suitable for
This solution is particularly well suited to addressing the security requirements, concerns and constraints of these enterprise sectors.
- Enterprise
- Government
- Financial Services
- Managed Security Service Providers
- Critical Infrastructure
Features
Gathering and analyzing data on attacks from external sources
The aim at this stage is to obtain a snapshot of the attack surface of a company whose assets are, or were, being targeted by intruders. We tap into a variety of intelligence sources, including underground cybercriminal communities, as well as Kaspersky's internal monitoring systems. Analyzing this intelligence allows us to identify weaknesses in a company's infrastructure that are of interest to cybercriminals, compromised accounts, stolen data and much more.
Onsite or remote data collection and early incident response
This stage sees data collected from workstations, servers, SIEM systems and other equipment in the customer's infrastructure. Data can be collected onsite or remotely using software provided to the customer within the framework of the service. Where suspicious activity is found, Kaspersky experts collect any type of evidence related to the incident, which may include: log files of operating systems, applications and network equipment, web traffic logs (for example, from proxy servers), network traffic dumps, HDD images, memory dumps and any other types of information that could be useful for the investigation. Interviews with the customer's representatives and with any other entities involved in the incident can also be organized. At this stage Kaspersky provides interim recommendations for initial incident response.
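The outgoing-connection analysis listed under "How the service works", applied to the kind of proxy logs collected at this stage, commonly looks for beaconing: a host contacting the same destination at near-constant intervals with near-constant request sizes. The script below is an added illustration, not Kaspersky's own tooling; the log format, hosts and thresholds are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample proxy log (not real data): "timestamp src_ip dest_host bytes".
# 10.0.0.5 polls one host every 30 s with almost identical sizes; 10.0.0.7 is irregular.
SAMPLE_LOG = """\
2024-03-01T09:00:00 10.0.0.5 updates.example.net 1203
2024-03-01T09:00:30 10.0.0.5 updates.example.net 1198
2024-03-01T09:01:00 10.0.0.5 updates.example.net 1211
2024-03-01T09:01:30 10.0.0.5 updates.example.net 1204
2024-03-01T09:02:00 10.0.0.5 updates.example.net 1200
2024-03-01T09:02:30 10.0.0.5 updates.example.net 1207
2024-03-01T09:00:12 10.0.0.7 intranet.example.org 55020
2024-03-01T09:04:41 10.0.0.7 intranet.example.org 4800
2024-03-01T09:05:03 10.0.0.7 intranet.example.org 71234
2024-03-01T09:17:50 10.0.0.7 intranet.example.org 3300
"""

def parse_proxy_log(text):
    """Parse the assumed four-field format into (timestamp, src, dst, bytes) tuples."""
    events = []
    for line in text.splitlines():
        ts, src, dst, nbytes = line.split()
        events.append((datetime.fromisoformat(ts), src, dst, int(nbytes)))
    return events

def find_beacons(events, min_hits=5, max_gap_cv=0.2, max_size_cv=0.1):
    """Return (src, dst) pairs whose connections recur at near-constant intervals
    with near-constant sizes (low coefficient of variation), a beaconing pattern."""
    by_pair = defaultdict(list)
    for ts, src, dst, nbytes in events:
        by_pair[(src, dst)].append((ts, nbytes))
    suspicious = {}
    for pair, hits in by_pair.items():
        if len(hits) < min_hits:          # too few connections to judge regularity
            continue
        hits.sort()
        gaps = [(b[0] - a[0]).total_seconds() for a, b in zip(hits, hits[1:])]
        sizes = [n for _, n in hits]
        gap_cv = pstdev(gaps) / mean(gaps) if mean(gaps) > 0 else float("inf")
        size_cv = pstdev(sizes) / mean(sizes)
        if gap_cv <= max_gap_cv and size_cv <= max_size_cv:
            suspicious[pair] = {"hits": len(hits), "interval_s": round(mean(gaps), 1),
                                "gap_cv": round(gap_cv, 3)}
    return suspicious

if __name__ == "__main__":
    for pair, info in find_beacons(parse_proxy_log(SAMPLE_LOG)).items():
        print(pair, info)
```

Flagged pairs are leads for the evidence-analysis stage, not verdicts: legitimate software updaters also poll on a schedule, so each hit still needs destination reputation and host-side triage.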
Evidence analysis
Kaspersky performs analysis of all available information (including malware analysis if needed) in order to reconstruct the incident. The customer may be asked to provide additional data (via email or various network resources, depending on the type and amount of data requested).
Report preparation
The work carried out within the framework of the service culminates in a final report. It contains the results of data analysis from external sources, as well as descriptions of detected attacks based on analysis of the data collected in the customer’s infrastructure. The report also contains remediation recommendations for the detected attacks.
Additional services
If necessary, our experts will analyze the symptoms of an incident, perform in-depth digital analysis of specific systems, identify a malware binary (if any) and conduct malware analysis. These optional services are reported separately, with further remediation recommendations. We can also, on request, deploy the Kaspersky Anti Targeted Attack (KATA) platform onto your network. This platform combines the latest technologies and global analytics in order to detect and respond promptly to targeted attacks, counteracting them at all stages of their lifecycle in your system.