Kaspersky sandboxing technology is now available for use in customer networks. The on-premises Kaspersky Research Sandbox is designed for organizations with strict restrictions on data sharing, enabling them to build their internal security operations centers (SOCs) or computer emergency response teams (CERTs). The solution helps them detect and analyze targeted threats while ensuring that all examined files stay inside the organization.
Last year, about half (48%) of enterprises in the META region (Middle East, Turkey, Africa) experienced a targeted attack, a Kaspersky survey of IT decision makers revealed. These threats are often designed to work only in a specific context within the victim's organization: for example, a file may do nothing malicious until a particular application is opened, or unless a user scrolls through the document. In addition, some files can recognize that they are not in an end-user environment (for instance, if there is no sign that anybody is working on the endpoint) and will not run their malicious code. However, as a SOC usually receives numerous security alerts, analysts cannot manually investigate all of them to identify which one is the most dangerous.
To help companies analyze advanced threats more accurately and promptly, Kaspersky's sandboxing technologies can now be deployed inside a customer's organization. The Kaspersky Research Sandbox emulates the organization's systems with randomized parameters (such as user and computer names, IP addresses, etc.) and imitates an actively used environment, so that malware cannot tell that it is running on a virtual machine.
Kaspersky Research Sandbox has evolved from the internal sandboxing complex used by the company's own anti-malware researchers. These technologies are now available to customers as an isolated on-premises installation, so analyzed files never leave the company perimeter, making the solution suitable for organizations with tight data-sharing restrictions.
Kaspersky Research Sandbox has a dedicated API for integration with other security solutions, so that a suspicious file can be sent for analysis automatically. Analysis results can also be exported to a SOC's task management system. Automating these repetitive tasks cuts down the time required for incident investigation.
Because the solution is installed in the customer's network, it offers more capabilities to mirror the operating environment. Virtual machines from the Kaspersky Research Sandbox can now be connected to an organization's internal network. As a result, it can reveal malware designed to run only in a certain infrastructure and expose its intentions. In addition, analysts can set up their own Windows version with specific pre-installed software to fully emulate their enterprise environment. This simplifies an organization's detection of environment-aware threats, such as the recently discovered malware used in attacks against industrial companies. Kaspersky Research Sandbox also supports Android OS for detecting mobile malware.
Kaspersky Research Sandbox provides detailed reports on file execution. The reports contain execution maps and an extended list of events performed by the analyzed object, including its network and system activities with screenshots, as well as a list of downloaded and modified files. By knowing exactly what each piece of malware does, incident responders can determine the measures required to protect the organization from the threat. SOC and CERT analysts will also be able to create their own YARA rules and check analyzed files against them.
“Our Kaspersky Cloud Sandbox, launched in 2018, works perfectly for organizations who need to analyze complex threats without additional investment in hardware infrastructure. However, organizations with internal SOCs and CERTs, and strict restrictions on data sharing, require more control over the files they analyze. Now, with Kaspersky Research Sandbox, they can choose the deployment option that suits them the most, as well as being able to customize on-premises sandboxing images to any enterprise environment,” comments Veniamin Levtsov, VP, Corporate Business at Kaspersky.
Kaspersky Research Sandbox can be integrated with Kaspersky Private Security Network. This allows organizations not only to gain insights into an object's behavior, but also to receive reputation information on downloaded files or URLs the malware communicated with, drawn from the Kaspersky threat intelligence database installed within the customer's data center.
Kaspersky Research Sandbox is part of the Kaspersky product portfolio for security researchers, which includes Kaspersky Threat Attribution Engine, Kaspersky CyberTrace and Kaspersky Threat Data Feeds. This offering helps organizations validate and investigate advanced threats and facilitates incident response by providing relevant threat information.