Categories
Apps Uncategorized

Corporate network protection: Kaspersky Endpoint Detection and Response (KEDR)

Unlike single endpoint solutions, the EDR-class solution provides multi-host event visibility and “heavy” methods of detection (sandbox, deep learning models, event correlation) as well as expert tools for incident investigation, proactive threat hunting and attack response.

Kaspersky EDR is a cybersecurity solution for the protection of corporate IT systems. It adds endpoint detection and response (EDR) capabilities to IT security:

Extract patterns of elaborate attacks, automatically and manually, from events on many hosts.
Respond to attacks by blocking their progress.
Prevent future attacks.

The need for EDR
Not long ago, a typical cyberattack would use mass malware. It would target separate endpoints and detonate within single computers. Mass malware attacks are automatic: they pick out random victims via mass e-mails, phishing websites, rogue Wi-Fi hotspots etc. The remedy was endpoint protection solutions (EPP), which protect hosts from mass malware.

Facing effective EPP-based detection, attackers switched to the more costly, but more effective, tactic of launching targeted attacks against particular victims. Because of their high cost, targeted attacks are usually aimed at companies, with profit as the goal. Targeted attacks involve reconnaissance and are designed to penetrate the victim’s IT system and evade its protection. The attack kill chain involves many hosts of the IT system.

Due to the high variety of methods and their human-led, interactive nature, targeted attacks can evade EPP-based security:

EPPs rely on what they see on a single endpoint. But advanced attacks act on many hosts, performing relatively unsuspicious actions on one endpoint after another. Even if host EPPs detect some of these actions, the attackers eventually build a multi-host kill chain, and the traces of such attacks are scattered across many hosts.
Because the EPP verdict is automatic, attackers can verify that their attack is not detected by the victim’s EPP or other automatic security solutions. Attackers keep whole farms of antimalware products just for this purpose.
Vendors cannot increase protection just by making EPP solutions more “paranoid”, due to the risk of false positives. So even when something ambiguous happens on a host that could be part of a kill chain as well as a legitimate action, the EPP is designed not to interfere.
To address targeted attacks, cybersecurity vendors extend EPP solutions with endpoint detection and response (EDR) features:

Providing centralized visibility of events on many hosts for their manual and automatic correlation
Providing security staff with sufficient data about events
Creating tools for response and remediation, thus countering human-led attacks with human-led cyberdefense
In essence, EDR adds new layers of endpoint protection against advanced attacks.

Kaspersky EDR’s input into security
Kaspersky EDR adds protection power to an existing EPP solution. EPP specializes in simpler mass attacks (viruses, Trojans etc.), while the EDR concentrates on advanced attacks. With this solution, analysts view malware activity as well as events involving legitimate software in the context of an attack, uncovering the whole kill chain.

Kaspersky EDR is fully integrated with Kaspersky Enterprise Security EPP, and it can work with EPP solutions of other vendors. The EDR adds the following:

Multi-host event visibility: aggregation of attack traces scattered around the IT system
Detection with “heavy” methods, which require computing power that regular user endpoints cannot spare without affecting the user’s workflow: advanced pre-processing, a sandbox, heavy machine learning models including deep learning, and others. Heavy methods provide better-quality detection.
Expert tools for incident investigation, proactive threat hunting and attack response

Kaspersky EDR design
Elements

Endpoint sensor: integrated with Kaspersky Endpoint Security as a single agent, or standalone (for deployment with other EPP solutions)
On-premise servers (event storage; analytic engine; management module; optionally, a sandbox). The on-premise location keeps the event data fully under the customer’s control.
The KSN cloud or KPSN private cloud for detection enrichment in real time and prompt reaction to new threats
EDR as part of Kaspersky Threat Management and Defense

Kaspersky EDR, the Kaspersky Anti Targeted Attack platform and Kaspersky Cybersecurity Service (KCS) make up a suite for advanced protection and threat intelligence:

Kaspersky Anti Targeted Attack Platform adds network-, web- and mail-based detection, extending the solution’s scope of targeted attack detection to “endpoint+network” level.
KCS adds expert support for the customer’s IT security team: training, threat intelligence data, security operations center (SOC) management by Kaspersky Lab and other options.
Integration with Security information and event management (SIEM) systems

You can integrate our EDR with third-party SIEM systems (detection data is exported in Common Event Format, CEF).

Features
Continuous centralized event aggregation and visibility. The EDR aggregates events from hosts in real time:

The EDR aggregates events continuously, regardless of their cause and suspiciousness. This makes the EDR more effective against unknown malware. We could have designed it to aggregate only suspicious or malware events and thus save disk space on the central node (as some other EDR solutions do). But then the legitimate-looking actions of attackers with stolen credentials would not be logged, and new unrecognized threats would not trigger logging either.
The EDR central node uploads the event feed from hosts to its own storage. Some other vendors’ EDRs store events on the hosts themselves; when the central node needs event data, it requests log information from the hosts. That design saves disk space on the central node, but makes search slower and connection-dependent, with host visibility depending on the host’s availability on the network.
Automatic detection. Threats visible in the scope of a single host are detected by Kaspersky Endpoint Security with heuristic, behavioral and cloud detection (or by another EPP host application). On top of this, the EDR adds layers of detection with a multi-host scope, based on correlation of the event feeds from multiple hosts.

Apart from event-based detection, EDR host agents automatically send suspicious objects or parts of memory to the central node for deeper analysis with algorithms beyond the computing power of a regular host, including heavy pre-processing, heuristics and machine learning algorithms, a sandbox, extended cloud detection, detection based on Kaspersky Lab’s threat data feed, and custom detection rules (Yara).

Manual detection, or threat hunting, is the proactive search by an operator for traces of attacks and threats. The EDR lets you “hunt” through the whole history of events from many hosts, aggregated in the storage:

You can search through the storage for traces of attacks and suspicious events and link them together to reconstruct the potential kill chain. Search queries in the database support compound filters (by hosts, detection technology, time, verdict, severity level etc).
You can upload new IOCs to the EDR and detect persistent threats that were previously missed.
You can manually send suspicious objects for deeper analysis by “heavy” detection methods.
If the company has enabled the KL TIP service (Kaspersky Lab Threat Intelligence Platform), you can request information about objects in the threat database.
Response comprises the actions an operator can take when they detect a threat. These actions include:

Incident investigation, reconstructing events in the kill chain.
Remote operations on the host, including process kill, deleting or quarantining files, running programs and other actions.
Containment of the detected threat by hash-based denial of object execution.
The rollback of changes on hosts caused by malware activity relies on the EPP solution. For example, Kaspersky Endpoint Security undoes such malware actions.
Prevention consists of policies that restrict object activities on endpoints:

Hash-based execution deny policies prevent particular files (PE, scripts, office documents, PDF) from running anywhere in the IT system, letting you block attacks currently spreading around the world.
Automatic detection of objects or URLs on hosts that have previously been detected in a sandbox as malware.
Application execution control (whitelisting, startup control, privilege control), policies of network access, USB drive access and others rely on the EPP solution. Kaspersky Endpoint Security EPP provides all these prevention features.
Management of Kaspersky EDR is role-based and provides workflow management: alert assignment, tracing alert status, logging alert processing. E-mail notifications are flexibly configured according to alert types and their combinations (detection type, severity etc.).

Use case: uncovering the kill chain
EDR host agents routinely send events to the in-house EDR server.

One of the events received on the server is associated with the execution of a file that occurs only once in the corporate IT system (judging by its hash). The file has other suspicious traits as well.
The server triggers a deeper investigation: it downloads the file itself for automated analysis by the EDR analytical engines, and the file is queued for the automatic analytic procedures.
The sandbox detects file behavior as malware and alerts the operator.
The operator initiates manual investigation and checks the events possibly associated with the infection:

a. Using standard administrator tools, the operator finds that the infected machines had been accessed from a corporate web server that is reachable from the Internet, finds suspicious files and processes being executed on the server and suspicious executables being created, and eventually finds a web shell that attackers uploaded via a vulnerability in the server’s website.

b. Identifies all command and control (C&C) servers for this attack.

The operator responds to the attack:
a. Blocks all detected C&Cs.
b. Kills malicious processes.
c. Blocks execution of malware files by their hashes.
d. Quarantines malware and suspicious files for later investigation.
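The correlation in the use case above, as an added example that is not Kaspersky’s code: a toy central node stores every execution event from every host, flags a hash seen on only one host that also carries a further suspicious trait (unsigned, or run from a user-writable folder), applies a hash-based execution deny, and formats the alert as one CEF line for SIEM export, both of which the page mentions. Hosts, paths, hashes and the vendor/product fields are constructed placeholders.

```python
from collections import defaultdict
from dataclasses import dataclass

@dataclass(frozen=True)
class ExecEvent:
    host: str
    path: str
    sha256: str
    signed: bool

# Constructed sample feed: hosts and hashes are placeholders, not real indicators.
H_SVCHOST, H_TOOL, H_UPDATE, H_INVOICE = "a" * 64, "b" * 64, "c" * 64, "d" * 64
EVENTS = [
    ExecEvent("ws-01", r"C:\Windows\System32\svchost.exe", H_SVCHOST, True),
    ExecEvent("ws-02", r"C:\Windows\System32\svchost.exe", H_SVCHOST, True),
    ExecEvent("ws-03", r"C:\Windows\System32\svchost.exe", H_SVCHOST, True),
    ExecEvent("ws-02", r"C:\Program Files\Vendor\tool.exe", H_TOOL, True),  # unique but signed
    ExecEvent("ws-05", r"C:\Users\j.doe\AppData\Local\Temp\update.exe", H_UPDATE, False),
    ExecEvent("ws-06", r"C:\Users\a.roe\Downloads\invoice.pdf.exe", H_INVOICE, False),
    ExecEvent("ws-07", r"C:\Users\a.roe\Downloads\invoice.pdf.exe", H_INVOICE, False),  # seen twice
]

def in_user_writable_dir(path):
    """A further suspicious trait: the file was launched from a temp or download folder."""
    p = path.lower()
    return "\\appdata\\local\\temp\\" in p or "\\downloads\\" in p

class CentralNode:
    """Stores every event from every host, not only suspicious ones, as the text describes."""

    def __init__(self):
        self.events = []
        self.deny_hashes = set()

    def ingest(self, event):
        self.events.append(event)

    def hosts_by_hash(self):
        index = defaultdict(set)
        for e in self.events:
            index[e.sha256].add(e.host)
        return index

    def unique_suspicious(self):
        """Events whose hash ran on exactly one host and that carry a further suspicious trait."""
        index = self.hosts_by_hash()
        return [e for e in self.events
                if len(index[e.sha256]) == 1 and (not e.signed or in_user_writable_dir(e.path))]

    def deny(self, sha256):
        """Hash-based execution deny: containment that applies to every host at once."""
        self.deny_hashes.add(sha256)

    def allowed(self, sha256):
        return sha256 not in self.deny_hashes

def cef_escape(value, header=False):
    """CEF escaping: '|' is special in the header, '=' in the extension; backslash always."""
    value = value.replace("\\", "\\\\")
    return value.replace("|", "\\|") if header else value.replace("=", "\\=").replace("\n", "\\n")

def to_cef(event, name="Unique unsigned executable", severity="7"):
    """One CEF line for SIEM export (vendor, product and signature id are placeholders)."""
    header = ["CEF:0", "ExampleVendor", "EDR", "1.0", "100", name, severity]
    ext = [("dvchost", event.host), ("fileHash", event.sha256), ("filePath", event.path)]
    line = "|".join(cef_escape(f, True) for f in header)
    return line + "|" + " ".join(f"{k}={cef_escape(v)}" for k, v in ext)
```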

Categories
Apps

Phishers have targeted your Instagram accounts


To hijack popular Instagram accounts, scammers are sending phishing e-mails with fake copyright infringement notifications.

Have you reached a few thousand followers on Instagram? More? Congratulations, you are insta-famous. Among other things, though, being an Instagram influencer means that it’s quite possible that account thieves are after you. A new phishing scheme targeting popular accounts on Instagram is gaining momentum. Here is how it works.

You’ve got copyright violation notification

“Your account will be permanently deleted for copyright infringement,” claims an e-mail notification that looks very official. It has the usual Instagram header and logo, and the e-mail address in the From field is extremely close to a legitimate one: In most cases it’s either mail@theinstagram.team or info@theinstagram.team.

The e-mail claims that you have just 24 hours (in some versions it’s 48 hours) to appeal and provides a “Review complaint” button. If you click it, you end up on a convincing phishing page, where fraudsters put an image saying they care very much about copyright protection and offer you a link to “Appeal.” To make the scam look even more legitimate, they offer a long list of language choices, although it doesn’t work — whatever you click, the phishing page always remains in English.

As soon as you click the “Appeal” link, you are invited to input your Instagram credentials. And that’s not the end. Immediately, another message appears: “We need to verify your feedback and check if your e-mail account matches the Instagram account,” it says. Click “Verify My E-mail Address,” and you’ll see a list of e-mail providers. If you choose yours, you’ll be invited to submit both your e-mail address and (surprise!) the password for your e-mail account.

Then, a “We will review your feedback” reply appears, but only for a few seconds. After that you’ll be redirected to the real Instagram website, another simple trick that lends additional credibility to the scam.

This is not the first time Instagram influencers have been targeted by scammers. The first wave of phishing tempted users to apply for a blue “Verified” account badge.

Categories
Apps

How the Cascade Virus Made Kaspersky Famous.


Cascade was the first virus that Eugene Kaspersky ever encountered. It was 30 years ago, in 1989, and it changed his life completely. He disassembled the virus and wrote a tool that helped remove it. The tool became popular among his friends and acquaintances, and that was when he decided to devote all of his time to developing an antivirus solution. That antivirus became commercially available in 1992, and in 1997, the company we now know as Kaspersky was founded.

A lot has happened since 1989 — from the founding of the EU and the breakup of the USSR to the cloning of a living being and the creation of the modern Internet. Here, in the graphic below, we take a look back at those 30 years: how things have changed, how the cyberthreat landscape has become more and more complicated, how tech has evolved, and how the world has reacted to such changes.

source: Kaspersky Blog

Categories
Apps

Chrome zero-day exploited in the wild


On Halloween, Google released Chrome 78.0.3904.87 to patch a Chrome zero-day, discovered by Kaspersky, that was being exploited in the wild.

Yesterday, on late Halloween night, Google engineers delivered the best scare of the evening and released an urgent update for the Chrome browser to patch an actively exploited zero-day.

The actively exploited zero-day was described as a use-after-free bug in Chrome’s audio component.

Use-after-free vulnerabilities are memory corruption bugs that occur when an application tries to reference memory that was previously assigned to it but has been freed or deleted in the meantime. This usually causes a program to crash, but can also sometimes lead to other, unintended consequences.

Chrome 78.0.3904.87 is available for Windows, Mac, and Linux. The release will slowly roll out to all Chrome users in the coming weeks, but users can trigger a manual update right now by visiting the browser’s Help > About Google Chrome section.

source: ZDNet

Categories
Apps

6 accounts you should never abandon


Can you recall every online service account you have? Maybe you signed up to access some content or because a friend asked you to, then lost interest. Many users simply stop logging in and don’t bother to delete their accounts. The accounts sit there, dormant, waiting to be hacked — but if they are, you won’t know about it anytime soon, if ever.

Abandoned account: What could go wrong

Does it really matter what happens to an unwanted profile, though? If it gets hacked, so what? You didn’t need it anyway. However, in some cases, an abandoned account can be exploited to gain access to resources and important information that you do need. Here’s what you need to know.

  1. Social network accounts

Few people regularly check their accounts in all of their social networks. Say, for example, a person creates a Facebook profile, uses it to log in to Instagram and other services (handy, right?), and then realizes he doesn’t actually need Facebook — not an uncommon scenario. Sure, the social network continues to send e-mail notifications if the user didn’t bother to disable them, but they get filtered into a separate folder that he quit checking long ago.

Again, a more-than-plausible scenario. When the user receives an e-mail warning that someone logged into his account from an unknown device, he doesn’t see it. The cybercriminals who logged in have a free shot at the accounts linked to Facebook. They will also probably have time to sting some of the victim’s friends or followers on Facebook.

What to do

Set up two-factor authentication. Lots of services offer it; here are our posts on setting up security, including 2FA, in Facebook and Twitter.
Enable notifications about account logins from unknown devices — and pay attention to them.
  2. Backup e-mail address

Many people set up a separate e-mail account for mailings and notifications so as not to clutter up their main mailbox, and use it to register for everything and anything, including profiles with important data. Because no e-mails from real people arrive there, they don’t check it very often. Therefore, they may not notice for a long time that their backup e-mail has been hacked, at least not until they lose access to a very important account.

What to do

Enable two-factor authentication for this account.
Set up forwarding of messages from this mailbox to a separate folder in your primary e-mail account.
  3. Password manager

What if you saved your account credentials in a password manager, and then decided to replace it with a different app? The profile in the old manager doesn’t go anywhere, and neither do the passwords in it (half of which you probably didn’t change). If someone gains access to this profile, they will be able to get into your accounts. And even if you do discover the theft of an account, it won’t be immediately obvious how the cybercriminal got hold of the password for it.

What to do

Delete accounts in password managers that you no longer use.

How to avoid problems with abandoned accounts

As you can see, even an unneeded account can cause a lot of problems if hijacked. Preventing a problem is much easier than dealing with its consequences. Therefore, we recommend that you keep track of your accounts. Here are some general handy tips:

Recall which online services you have registered for. Check which phone numbers and e-mails your accounts in social networks, online stores, banks, and other important services are linked to, and unlink all current profiles from inactive phone numbers and mailboxes.
If you log in somewhere through Facebook, Twitter, or Google, or keep an additional e-mail or phone number for newsletters, public Wi-Fi, etc., check those accounts from time to time.
If you decide to stop using a password manager, online store, or social media account, delete your accounts in these services.
Turn on account login notifications in services that have this option — and review those notifications promptly.
Use a security solution such as Kaspersky Security Cloud, which will notify you of leaks in services you use.
Categories
Apps Mobile Phones

10 FAQs About Android Application Security.


Today our cybersecurity team addresses 10 common questions bothering Android developers interested in securing their Android applications.


Q1: How can I protect my Android app from software pirates? I mean, how can I obfuscate my source code?
Ans: You can use DexGuard or DashO to make it difficult for software pirates, reverse engineers or intruders to pirate your source code.


Q2: I heard you can also use ProGuard to obfuscate source code?
Ans: Yes! But in practice it is not effective.


Q3: Do you think it is safer to save users’ data on their own devices?
Ans: Yes and no. Yes: it is safer to save non-sensitive data on users’ devices. No: it is not safe to save sensitive data on users’ devices, even if you intend to protect it with strong encryption.


Q4: I heard hackers can intercept data in transit using a proxy such as Burp Suite?
Ans: Yes. They can intercept data in transit.


Q5: So is there any defense mechanism against this form of attack?
Ans: Yes. Ensure that the same validation implemented on the client side is also implemented, exactly, on the server side.


Q6: Although I have implemented HTTPS to protect data in transit, I find it difficult to stop CSRF attacks.
Ans: Okay. You can create tokens for each registered or authenticated user. In addition, ensure that tokens are only valid temporarily and are re-created after a specific period.


Q7: Yes, I have done that, but hackers still bypass CSRF protection.
Ans: Ensure that CSRF tokens are validated on the server side. Also make the tokens random.


Q8: I want my Android app to share data with other apps but with some form of restriction. How can I achieve that?
Ans: Okay. You can use a content provider, which allows apps to share data with other apps. Moreover, with a content provider you can specify read and write permissions. Thus, some apps may have read and write permissions whilst others have read-only or write-only permissions.


Q9: Could I also save data in a shared_pref file? I heard it is not safe to do so.
Ans: It is safe to do so when the data is not sensitive, and unsafe when the data is sensitive. So move all users’ data such as passwords, user IDs and account numbers to your web server.


Q10: Is it advisable to hire Android security researchers or pentesters to audit my apps?
Ans: Yes. We recommend that you do so.
Although there are other common FAQs related to Android security, you can at least rely on our answers to help make your Android app secure.
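The server-side validation, token randomness and token expiry from Q5 to Q7, as an added example that is not ISA’s code: a small in-memory CSRF token store and a hypothetical transfer handler that re-checks the amount on the server regardless of what the client validated. `CsrfTokenStore`, `handle_transfer`, the 15-minute lifetime and the 10,000 limit are assumptions made for illustration.

```python
import hmac
import secrets
import time

TOKEN_TTL_SECONDS = 15 * 60  # assumed lifetime: tokens are temporary and re-issued after this period

class CsrfTokenStore:
    """Server-side store of one random CSRF token per authenticated session (illustrative).

    The clock is injectable (`now`) so that expiry can be exercised deterministically.
    """

    def __init__(self, ttl=TOKEN_TTL_SECONDS, now=time.time):
        self._ttl = ttl
        self._now = now
        self._tokens = {}  # session_id -> (token, issued_at)

    def issue(self, session_id):
        """Create a fresh, unpredictable token for this session (not derived from user data)."""
        token = secrets.token_urlsafe(32)
        self._tokens[session_id] = (token, self._now())
        return token

    def validate(self, session_id, presented):
        """Server-side check: the token must exist, belong to this session and not be expired."""
        entry = self._tokens.get(session_id)
        if entry is None or not isinstance(presented, str):
            return False
        token, issued_at = entry
        if self._now() - issued_at > self._ttl:
            del self._tokens[session_id]  # expired: the client must fetch a new one
            return False
        # Constant-time comparison so the check does not leak how many bytes matched.
        return hmac.compare_digest(token.encode(), presented.encode())

def valid_transfer_amount(amount):
    """The same rule the client enforces, repeated on the server: a proxy can rewrite the request."""
    return isinstance(amount, int) and not isinstance(amount, bool) and 0 < amount <= 10_000

def handle_transfer(store, session_id, form):
    """Hypothetical POST handler returning (status, message), as a minimal web framework would."""
    if not store.validate(session_id, form.get("csrf_token")):
        return 403, "invalid or expired CSRF token"
    if not valid_transfer_amount(form.get("amount")):
        return 400, "invalid amount"
    return 200, "ok"

if __name__ == "__main__":
    store = CsrfTokenStore()
    tok = store.issue("session-123")  # returned to the client together with the form
    print(handle_transfer(store, "session-123", {"csrf_token": tok, "amount": 50}))
    print(handle_transfer(store, "session-123", {"csrf_token": "guess", "amount": 50}))
```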

#ISA_informs  #ISA_ltd

Categories
Apps Internet Security Mobile Phones

Four Ways to Infect Your Android Devices with Malware.


Although we often blame exploit writers for developing malicious code for malicious purposes, such as reading one’s credentials, spying on a user’s communication and so on, we ought to blame ourselves periodically for allowing our Android devices to become infected with malware.

This article briefly exposes four ways in which users/employees unknowingly infect their Android devices with malware.

  • Sideloading apps:

Sideloading is a term referring to an Android user’s deliberate downloading of apps from third-party stores instead of “pulling” them from Google’s Play Store. Most of these third-party store apps are infected with malware because apps installed on these stores have no proper protection. Thus, we recommend that you download apps from Google’s Play Store.

  • Installing apps with numerous permissions:

Most users/employees often fail to observe the list of permissions an app requires in order to function on Android devices. Before an Android app is installed on your device, it declares a list of permissions that a user must accept if he/she wants the app. Malware takes advantage of loosely protected apps to send users’ data back to a remote server.

  • Accepting flashy update prompts from random websites:

“something-xxx antivirus is outdated. please download the current version” from xyz.com. We often see flashy updates on our mobile screens in the form of ‘Toast’ messages informing us about software expiration. Yes, software expires. But we advise users to download software directly from the software vendor’s website.

  • Clicking links on online forums:

This is one of the easiest ways for even script kiddies to embed malware into apps installed on your Android devices. If a link on a particular topic interests you, copy the link and paste it into the URL bar. That is safer than clicking the link directly.

Avoiding these user behaviors could save your Android devices from malware lurking in the cyber world.

#ISA_informs    #ISA_Ltd