
Kaspersky Configuration

Product Versions

  • Kaspersky EDR (ver. 3.6) with Kaspersky Endpoint Security agent (ver. 11.1)
  • Kaspersky Managed Protection (service)

Kaspersky EDR is designed to defend endpoints against evasive threats and complex attacks, and to provide IT security/SOC teams with a powerful tool for threat discovery, in-depth incident investigation, proactive threat hunting and a centralized response.

This solution provides the following capabilities:

✓ Endpoint threat protection technologies:

  • Behavior detection, including ransomware and fileless threat protection
  • Exploit protection
  • Adaptive Anomaly Control
  • Endpoint hardening (application, web and device controls)
  • Vulnerability assessment and patch management
  • Similarity hash detection
  • File threat protection
  • Mail threat protection
  • Web threat protection
  • Network threat protection
  • HIPS
  • Firewall
  • Remediation engine

✓ Anti-targeted attack components:

  • Enhanced anti-malware engine
  • Sandbox
  • IDS
  • URL reputation (IPs, domains, URLs)
  • Indicator of Compromise (IoC)-based detection engine
  • Targeted Attack Analyzer with Indicator of Attack (IoA) detection
  • MITRE ATT&CK mapping and techniques search capabilities
  • Yara rules
  • Threat intelligence (delivered automatically via Kaspersky Security Network)

✓ Deep investigation and threat hunting capabilities:

  • Supports centralized IoC loading from threat data sources and automatic scheduled IoC scanning, streamlining the analysts’ work. Retrospective database scans can be used to enrich the quality of previously flagged security events and incidents.
  • Retrospective analysis in support of multi-stage attack investigation, even where compromised endpoints are inaccessible or where data has been encrypted by cybercriminals.
  • Option to take arbitrary files from hosts for sandbox processing and scanning according to Yara rules, in addition to endpoint protection.
  • Automated real-time threat hunting – events are correlated with unique Indicators of Attack (IoAs) generated by Kaspersky threat hunters, and mapped to the MITRE ATT&CK knowledge base, to provide clear event descriptions and examples as well as response recommendations.
  • IT security specialists can create their own database of custom IoAs based on endpoint event attributes.
  • Access to the Kaspersky Threat Intelligence Portal to gain additional enhanced context about suspicious objects (such as reputation, related known global incidents, etc.).
  • A powerful, flexible query builder for proactive threat hunting, so that analysts can build complex queries when searching for atypical behavior, suspicious events and threats specific to the infrastructure. The query builder also enables hunting against individual MITRE ATT&CK techniques.

✓ Incident response and remediation:

  • Automated response and remediation by the endpoint agent
  • One-click response (for example, suspicious host isolation, file quarantine, preventing executable files/documents/scripts from executing, file deletion, process kill, etc.)
  • Guided response (lookup in the Kaspersky Threat Intelligence Portal, Sandbox report, related alerts search, IoA creation from alert indicators, etc.)

Read about these advanced cybersecurity technologies here: https://www.kaspersky.com/technowiki.

Managed Protection

For organizations lacking sufficient resources and/or expertise to pursue areas like threat hunting, or requiring external help in these areas, Kaspersky Managed Protection provides a complete managed service, deploying a unique range of advanced techniques to detect and respond to targeted attacks.

The service includes round-the-clock monitoring and the continuous analysis of cyberthreat data by Kaspersky experts, ensuring the real-time detection of targeted attacks. Kaspersky Managed Protection provides detailed and immediate reports on suspicious activities, together with guidance on effective response and mitigation, and can be complemented with full-scale remote or on-site incident response services.

Product Configuration

To meet the requirements for participation in the MITRE Round 2 assessment, the following changes to the default configuration were implemented:

  • To meet MITRE’s Azure deployment requirements, the on-premises sandbox and network sensors (web and mail) were not deployed.
  • To satisfy the evaluation requirement that discovered threats should not be blocked by solution components, a number of technologies in the endpoint agent were set either to ‘OFF’ mode (File Threat Protection, Mail Threat Protection, HIPS, Adaptive Anomaly Control, Remediation Engine, Firewall) or to ‘Notify’ mode (Behavior Detection, Exploit Prevention, Web Threat Protection, Network Threat Protection, AMSI Protection Provider). This configuration limited the product’s detection capabilities compared with its default settings.
  • In MITRE’s configuration, 2 out of the 5 hosts participating in the test were not joined to the domain, so a special product patch was applied to these two hosts. In standard use, the corporate domain policy is configured to prevent non-domain hosts from gaining access to the corporate network’s resources. Customers requiring similar configurations are currently provided with the necessary patch, and it is planned to include this in the next public release.
  • A list of Windows registry branches was configured in Kaspersky EDR, so that changes to them could be controlled and monitored.