Kaspersky Lab has launched a new threat intelligence service, dubbed Kaspersky CyberTrace, which aggregates threat intelligence data feeds from a range of open source intelligence, vendor and “custom” sources and lets users plug them into existing third-party Security Information and Event Management (SIEM) tools.
The release aims to provide machine-readable threat intelligence that lets Security Operations Centers automate the initial triage of alerts. Tier 1 specialists then get enough context to identify immediately which alerts need to be investigated or escalated to Incident Response teams.
Feeds are pulled from Kaspersky’s own web crawlers, Botnet Monitoring service [pdf], spam traps, research teams, partners and the deep web, among other sources, the privately held Russian cybersecurity company said. The tool – released freely for Kaspersky customers – is compatible with SIEM tools from other vendors, including IBM QRadar, Splunk, ArcSight ESM, LogRhythm, RSA NetWitness, and McAfee ESM.
It integrates with other threat intelligence feeds (e.g. from other vendors) in JSON, STIX, XML and CSV formats, supporting documentation shows.
“If IoC [Indicators of Compromise] from threat intelligence feeds are found in any log source within an organisation’s environment, Kaspersky CyberTrace automatically sends alerts to SIEMs, for ongoing monitoring and validation to reveal additional contextual evidence for the security incidents,” the company said.
Kaspersky CyberTrace: Feeds Include…
Kaspersky’s threat intelligence feeds include the following:
APT Hash Data Feed — a set of hashes that cover malicious artifacts used by APT actors to conduct APT campaigns.
APT IP Data Feed — a set of IP addresses that belong to the infrastructure used in APT campaigns.
APT URL Data Feed — a set of domains that belong to the infrastructure used in APT campaigns.
Malicious URL Data Feed — a set of URLs with context that cover malicious websites and web pages.
Phishing URL Data Feed — a set of URL masks with context covering phishing links and websites.
Botnet C&C URL Data Feed — a set of URLs and hashes with context that cover desktop botnet C&C servers and related malicious objects.
Malicious Hash Data Feed — a set of file hashes with context that cover the most dangerous, prevalent and emerging malware.
Mobile Malicious Hash Data Feed — a set of file hashes with context for detecting malicious objects that infect mobile Google Android and Apple iPhone devices.
P-SMS Trojan Data Feed — a set of Trojan hashes with context for detecting SMS Trojans that send premium-rate SMS messages to mobile users, as well as enable the attacker to steal, delete and respond to SMS messages.
Mobile Botnet Data Feed — a set of URLs with context that cover mobile botnet C&C servers.
IP Reputation Data Feed — a set of IP addresses with context that cover different categories of suspicious and malicious hosts.
Ransomware URL Data Feed — a set of URLs, domains, and hosts with context that cover ransomware links and websites.
IoT URL Data Feed — a set of URLs with context covering malware that infects IoT (Internet of Things) devices.
The company said that users of the new tool will get this (and other) aggregated data inspected in real time using preprocessing techniques (statistical criteria, sandboxes, heuristics engines, multi-scanners, similarity tools, behavior profiling, etc.), analyst validation and whitelisting verification. Every record in each data feed is also supplied with actionable context (threat scoring, geolocation, threat names, timestamps, resolved IP addresses of infected web resources, hashes, popularity, etc.).
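As an added illustration, not Kaspersky's code or feed schema, the Python below shows the kind of IoC-to-log matching the article describes: a constructed JSON feed holding a hash, an IP and a phishing URL mask is checked against constructed key=value log lines, and every hit becomes a SIEM-style alert carrying the feed record's context (threat name, score, geolocation). All field names, indicator values and log lines are constructed for the example.

```python
import fnmatch
import json

# Constructed sample feed in the JSON style the article mentions. Field names and
# values are assumptions, not Kaspersky's schema or data: an RFC 5737 test-net
# address, a .invalid domain, and the MD5 of an empty file.
FEED_JSON = """[
 {"type": "hash", "value": "D41D8CD98F00B204E9800998ECF8427E", "threat": "Trojan.Generic", "score": 90},
 {"type": "ip", "value": "203.0.113.45", "threat": "Botnet C&C", "score": 75, "geo": "ZZ"},
 {"type": "url_mask", "value": "*.example-login.invalid/*", "threat": "Phishing", "score": 80}
]"""

# Constructed key=value log lines standing in for proxy and endpoint events.
LOG_LINES = [
    "2019-02-20T10:01:02Z proxy src=10.0.0.7 dst=203.0.113.45 url=https://mail.example-login.invalid/verify?id=1",
    "2019-02-20T10:01:05Z edr host=ws-17 file=invoice.exe md5=d41d8cd98f00b204e9800998ecf8427e",
    "2019-02-20T10:02:00Z proxy src=10.0.0.8 dst=198.51.100.2 url=https://intranet.example.invalid/",
]


def load_feed(feed_json):
    """Parse the feed and lower-case indicator values for case-insensitive matching."""
    indicators = json.loads(feed_json)
    for ioc in indicators:
        ioc["value"] = ioc["value"].lower()
    return indicators


def fields(line):
    """Split a key=value log line into a dict, ignoring tokens without '='."""
    return dict(tok.split("=", 1) for tok in line.split() if "=" in tok)


def matches(ioc, field_value):
    """Exact match for hashes and IPs; wildcard match for URL masks (scheme dropped)."""
    value = field_value.lower()
    if ioc["type"] == "url_mask":
        return fnmatch.fnmatchcase(value.split("://", 1)[-1], ioc["value"])
    return value == ioc["value"]


def match_logs(lines, indicators):
    """Return one alert per (log line, indicator) hit, carrying the feed's context."""
    alerts = []
    for line in lines:
        for key, field_value in fields(line).items():
            for ioc in indicators:
                if matches(ioc, field_value):
                    context = {k: v for k, v in ioc.items() if k not in ("type", "value")}
                    alerts.append({"log": line, "field": key, "ioc": ioc["value"], **context})
    return alerts
```

Calling `match_logs(LOG_LINES, load_feed(FEED_JSON))` yields three alerts: the C&C IP and the phishing URL from the first proxy line, and the hash from the endpoint line; the benign third line produces none.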