Kaspersky sandboxing technology is now available for use in customer networks. The on-premises Kaspersky Research Sandbox is designed for organisations with strict restrictions on data sharing, to enable them to build their internal security operations centers (SOCs) or computer emergency response teams (CERTs).
The solution helps them to detect and analyse targeted threats while also being sure that all the examined files are kept inside the organisation.
Last year, about half (48%) of enterprises in the META region (Middle East, Turkey, Africa) experienced a targeted attack, a Kaspersky survey of IT decision makers revealed. These threats are often designed to only work in a specific context within the victim’s organisation: for example, a file may perform nothing malicious until an exact application is opened, or unless a user scrolls through the document.
In addition, some files can identify that they are not in the end-user environment – for instance, if there is no sign that anybody is working on the endpoint – and won’t run the malicious code.
However, as a SOC usually receives numerous security alerts, analysts cannot manually investigate all of them to identify which one is the most dangerous.
To help companies analyse advanced threats more accurately and timely, Kaspersky’s sandboxing technologies can now be implemented inside a customer’s organisation. The Kaspersky Research Sandbox emulates the organisation’s system with random parameters (such as user and computer name, IP address, etc) and imitates an actively-used environment, so that malware cannot distinguish that it is running on a virtual machine.
Kaspersky Research Sandbox has evolved from the internal sandboxing complex used by the company’s own anti-malware researchers. Now these technologies are available for customers as an isolated on-premises installation. Therefore, all the analysed files will not leave the company perimeter, making the solution suitable for organisations with tight data sharing restrictions.
Kaspersky Research Sandbox has a special API for integration with other security solutions, so that a suspicious file can be automatically sent for analysis. The results of analysis can also be exported to a SOC’s task management system. This automation of repetitive tasks cuts down the time required for incident investigation.
As the solution is installed in the customers’ network, it provides more capabilities to mirror its operating environment. Now, virtual machines from the Kaspersky Research Sandbox can be connected to an organisation’s internal network. As a result, it can reveal malware designed to run only in a certain infrastructure and get an understanding of its intentions. In addition, analysts can set up their Windows version with specific pre-installed software to completely emulate their enterprise environment.
It simplifies an organisation’s detection of environment-aware threats such as the recently discovered malware that was used in attacks against industrial companies. Kaspersky Research Sandbox also supports Android OS to detect mobile malware.
Kaspersky Research Sandbox provides detailed reports on file execution. The reports contain execution maps and an extended list of events performed by the analysed object, including its network and systems activities with screenshots, as well as a list of downloaded and modified files.
By knowing exactly what each malware does, incident responders can come up with the required measures to protect the organisation from the threat. SOC and CERT analysts will also be able to create their YARA rules to check analysed files against them.
“Our Kaspersky Cloud Sandbox, launched in 2018, works perfectly for organisations who need to analyse complex threats without additional investment in hardware infrastructure. However, organisations with internal SOCs and CERTs, and strict restrictions on data sharing require more control over files they analyse. Now, with Kaspersky Research Sandbox they can choose the deployment option that suits them the most as well as being able to customise on-premises sandboxing images to any enterprise environment,” comments Veniamin Levtsov, vice-president: corporate business at Kaspersky.
Kaspersky Research Sandbox can be integrated with Kaspersky Private Security Network. It allows organisations to not only gain insights on an object’s behaviour, but also receive information on the reputation of downloaded files or URLs the malware communicated with from the Kaspersky threat intelligence database installed within a customer’s data centre.
Kaspersky Research Sandbox is a part of the Kaspersky product portfolio for security researchers. It includes the Kaspersky Threat Attribution Engine, Kaspersky CyberTrace and Kaspersky Threat Data Feeds.