New Kaspersky Cloud Sandbox boosts complex threat investigation and response
Kaspersky Lab has launched a new service called Kaspersky Cloud Sandbox designed to boost the efficiency of incident response and cybersecurity forensics without any risks to the company’s IT systems.
Kaspersky Cloud Sandbox makes advanced detection and forensic capabilities available as a service within the Kaspersky Threat Intelligence Portal, allowing cybersecurity teams to benefit from advanced technology while staying within their budget. The service enables cybersecurity teams and security operations center (SOC) specialists to obtain deep insights into malware behaviour and design, detecting targeted cyberthreats that have not yet been identified in the wild.
“With businesses today increasingly being threatened by cybercrime, the need for rapid incident response and digital forensics has never been greater. Kaspersky Cloud Sandbox is an important addition to Kaspersky Lab’s global threat intelligence ecosystem, which addresses these challenges,” comments Nikita Shvetsov, Chief Technology Officer, Kaspersky Lab.
Advanced anti-evasion techniques: revealing a hidden truth
To lure malware into revealing its harmful potential, a sandbox needs advanced anti-evasion techniques. A malicious program developed to run in a particular software environment will not detonate on a ‘clean’ virtual machine, and will most probably delete itself without a trace. To avoid this, Kaspersky Cloud Sandbox applies various user-emulation techniques, such as clicking Windows buttons, scrolling documents, running special routine processes that give the malware an opportunity to expose itself, randomising user environment parameters, and many others.
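To make the evasion problem concrete, here is an added example (written for this page; it is not Kaspersky's code and does not reflect how Kaspersky Cloud Sandbox is implemented). It models the host checks that evasive samples commonly run before detonating, evaluates them against a constructed snapshot of a freshly provisioned analysis VM, and then applies the countermeasures the paragraph lists: emulated mouse movement and randomised environment parameters. All field names, thresholds and values are this example's own assumptions.

```python
import random

# Constructed snapshot of what a sample can observe about its host (field names are this
# example's own, not Kaspersky's). A freshly provisioned analysis VM looks like this.
CLEAN_VM = {
    "cursor_samples": [(512, 384)] * 6,   # cursor position polled six times: never moves
    "recent_docs": 0,                      # nothing in the recent-documents list
    "uptime_seconds": 45,                  # booted moments ago
    "username": "sandbox",
    "ram_gb": 2,
    "screen": (1024, 768),
}

SUSPICIOUS_USERS = {"sandbox", "malware", "virus", "test", "user", "admin"}
COMMON_SCREENS = [(1366, 768), (1920, 1080), (1536, 864), (2560, 1440)]


def sandbox_indicators(env):
    """Checks of the kind evasive malware runs before detonating.

    Returns the reasons the sample would refuse to run; an empty list means it
    would proceed with its payload. Thresholds are illustrative assumptions.
    """
    reasons = []
    if len(set(env["cursor_samples"])) < 2:
        reasons.append("no mouse movement between polls")
    if env["recent_docs"] < 5:
        reasons.append("almost no recent documents")
    if env["uptime_seconds"] < 600:
        reasons.append("machine booted less than 10 minutes ago")
    if env["username"].lower() in SUSPICIOUS_USERS:
        reasons.append(f"username {env['username']!r} is a common analysis account")
    if env["ram_gb"] < 4:
        reasons.append("less RAM than a typical workstation")
    if env["screen"] not in COMMON_SCREENS:
        reasons.append("unusual screen resolution")
    return reasons


def emulate_user(env, seed=7):
    """Sandbox-side countermeasures applied to the snapshot: synthetic mouse
    movement (clicks, scrolling) and randomised environment parameters."""
    rng = random.Random(seed)
    out = dict(env)
    x, y = env["cursor_samples"][0]
    # Emulated clicks and document scrolling move the cursor between polls.
    out["cursor_samples"] = [(x + rng.randint(-300, 300), y + rng.randint(-200, 200))
                             for _ in range(len(env["cursor_samples"]))]
    # Randomised parameters so every detonation looks like a different, lived-in machine.
    out["recent_docs"] = rng.randint(8, 40)
    out["uptime_seconds"] = rng.randint(2 * 3600, 30 * 24 * 3600)
    out["username"] = rng.choice(["j.smith", "maria.k", "finance02", "dlopez"])
    out["ram_gb"] = rng.choice([8, 16, 32])
    out["screen"] = rng.choice(COMMON_SCREENS)
    return out


def would_detonate(env):
    """True when none of the evasion gates fire, i.e. the payload would run."""
    return not sandbox_indicators(env)


if __name__ == "__main__":
    print("clean VM:", sandbox_indicators(CLEAN_VM))
    print("emulated VM detonates:", would_detonate(emulate_user(CLEAN_VM)))
```

On a real Windows host a sample gathers these values through Win32 calls such as GetCursorPos, GetTickCount and GlobalMemoryStatusEx, and by listing the user's Recent folder; the point of the simulation is that a single static "clean" image fails every gate, while emulated activity plus per-run randomisation leaves the sample no stable fingerprint to key on.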
“Complementing the vast threat intelligence available to customers of the Kaspersky Threat Intelligence Portal, Kaspersky Cloud Sandbox becomes a unique service for the detailed analysis of files, which allows cybersecurity researchers and SOC teams to gain insights into file behaviors without any risks to IT infrastructure,” added Shvetsov.
Logging system: nothing gets missed in the noise
Once a piece of malware begins its destructive activity, another Kaspersky Cloud Sandbox technology comes into play: its logging subsystem intercepts malicious actions non-invasively. When a Word document starts to behave suspiciously – for example, building a string in memory, executing shell commands, or dropping payloads (all abnormal activities for a text document) – these events are registered in the Kaspersky Cloud Sandbox logging subsystem.
The subsystem records a broad spectrum of potentially malicious events, including DLL loading, registry key creation and modification, HTTP and DNS requests, and file creation, deletion and modification. The customer is then provided with a full report containing data visualisation graphs and screenshots, as well as a readable sandbox log.
Detection and incident response performance: second to none
Kaspersky Cloud Sandbox detection is backed by real-time threat intelligence from Kaspersky Security Network (KSN), giving customers an immediate status on both known threats and new ones discovered in the wild. Advanced behavioural analysis, based on more than 20 years of Kaspersky Lab experience in researching and fighting the most complex threats, allows customers to detect previously unseen malicious objects.
As well as getting advanced detection capabilities, SOC experts and researchers can amplify their incident response activities with other services available through the Kaspersky Threat Intelligence Portal.
When performing digital forensics or incident response, a cybersecurity officer can retrieve the latest detailed threat intelligence about URLs, domains, IP addresses, file hashes, threat names, statistical and behavioural data, and WHOIS/DNS data, and then link that knowledge to the IOCs generated by the sample analysed in the cloud sandbox. APIs are also available to automate integration into the customer's security operations, allowing cybersecurity teams to progress incident investigations in a matter of minutes.
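The two technical points on this page, behaviour logging of a document that "starts to behave suspiciously" and the pivot from a sandbox report to IOCs, are illustrated together by the following added example. It is not Kaspersky's code and does not use the Kaspersky Cloud Sandbox report format or API: the event list, field names, domain, IP address and hash are constructed for illustration. The rule logic flags activity that is abnormal for a document (an Office process spawning a shell host, network requests, dropped executables, autorun registry keys) and collects the indicators an analyst would then look up in a threat intelligence portal.

```python
import hashlib
import re
from dataclasses import dataclass

# Constructed sandbox behaviour log for a macro-enabled Word document (illustrative
# field names and values; not the Kaspersky Cloud Sandbox report format). Events are
# in chronological order, as a sandbox logger would record them.
DROPPED_SHA256 = hashlib.sha256(b"constructed dropped payload").hexdigest()

SAMPLE_EVENTS = [
    {"pid": 100, "image": "WINWORD.EXE", "type": "file_open",
     "path": r"C:\Users\u\Downloads\invoice.docm"},
    {"pid": 100, "image": "WINWORD.EXE", "type": "dll_load",
     "path": r"C:\Program Files\Common Files\Microsoft Shared\VBA\VBA7.1\VBE7.DLL"},
    {"pid": 100, "image": "WINWORD.EXE", "type": "process_create", "child_pid": 200,
     "child_image": "cmd.exe", "cmdline": "cmd.exe /c powershell -nop -w hidden -enc SQBFAFgA"},
    {"pid": 200, "image": "cmd.exe", "type": "process_create", "child_pid": 300,
     "child_image": "powershell.exe", "cmdline": "powershell -nop -w hidden -enc SQBFAFgA"},
    {"pid": 300, "image": "powershell.exe", "type": "dns_request", "query": "cdn-update.example.net"},
    {"pid": 300, "image": "powershell.exe", "type": "http_request",
     "url": "http://cdn-update.example.net/s.php", "ip": "198.51.100.23"},
    {"pid": 300, "image": "powershell.exe", "type": "file_create",
     "path": r"C:\Users\u\AppData\Roaming\svc.exe", "sha256": DROPPED_SHA256},
    {"pid": 300, "image": "powershell.exe", "type": "registry_set",
     "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\svc",
     "value": r"C:\Users\u\AppData\Roaming\svc.exe"},
    {"pid": 100, "image": "WINWORD.EXE", "type": "file_create",
     "path": r"C:\Users\u\AppData\Local\Temp\~WRD0001.tmp"},   # normal Word scratch file
]

# The same document opened and closed without a macro firing: nothing abnormal.
BENIGN_EVENTS = SAMPLE_EVENTS[:2] + SAMPLE_EVENTS[-1:]

OFFICE_IMAGES = {"winword.exe", "excel.exe", "powerpnt.exe"}
SHELL_IMAGES = {"cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe",
                "mshta.exe", "rundll32.exe", "regsvr32.exe", "certutil.exe"}
EXEC_EXT = (".exe", ".dll", ".scr", ".ps1", ".vbs", ".js", ".hta", ".bat")
RUN_KEY_RE = re.compile(r"\\CurrentVersion\\Run(Once)?\\", re.IGNORECASE)


@dataclass
class Verdict:
    malicious: bool
    findings: list   # human-readable reasons, one per flagged event
    iocs: dict       # category -> set of indicators to pivot on in a TI portal


def office_lineage(events):
    """PIDs of Office processes plus everything they spawned, transitively.

    A single forward pass suffices because the log is chronological: a child's
    process_create event is always recorded after its parent already exists.
    """
    lineage = {e["pid"] for e in events if e["image"].lower() in OFFICE_IMAGES}
    for e in events:
        if e["type"] == "process_create" and e["pid"] in lineage:
            lineage.add(e["child_pid"])
    return lineage


def analyse(events):
    """Flag behaviour that is abnormal for a document and collect IOCs from it."""
    lineage = office_lineage(events)
    findings = []
    iocs = {"domains": set(), "ips": set(), "urls": set(), "sha256": set(),
            "dropped_files": set(), "persistence": set()}
    for e in events:
        if e["pid"] not in lineage:
            continue  # activity outside the document's process tree is not attributed to it
        t = e["type"]
        who = f"{e['image']} (pid {e['pid']})"
        if t == "process_create" and e["child_image"].lower() in SHELL_IMAGES:
            findings.append(f"{who} spawned {e['child_image']}: {e['cmdline']}")
        elif t == "dns_request":
            iocs["domains"].add(e["query"])
            findings.append(f"{who} resolved {e['query']}")
        elif t == "http_request":
            iocs["urls"].add(e["url"])
            iocs["ips"].add(e["ip"])
            findings.append(f"{who} fetched {e['url']} from {e['ip']}")
        elif t == "file_create" and e["path"].lower().endswith(EXEC_EXT):
            iocs["dropped_files"].add(e["path"])
            if "sha256" in e:
                iocs["sha256"].add(e["sha256"])
            findings.append(f"{who} dropped executable {e['path']}")
        elif t == "registry_set" and RUN_KEY_RE.search(e["key"]):
            iocs["persistence"].add(e["key"])
            findings.append(f"{who} set autorun {e['key']} -> {e['value']}")
    return Verdict(bool(findings), findings, iocs)


if __name__ == "__main__":
    for label, log in (("macro document", SAMPLE_EVENTS), ("benign document", BENIGN_EVENTS)):
        v = analyse(log)
        print(f"{label}: {'MALICIOUS' if v.malicious else 'clean'}")
        for f in v.findings:
            print("  -", f)
        for cat, vals in v.iocs.items():
            if vals:
                print(f"  {cat}: {sorted(vals)}")
```

The process-tree attribution is what makes the rule useful: the `.tmp` scratch file Word writes is ignored, while the PowerShell activity is attributed to the document even though WINWORD.EXE never touched the network itself. In production the network checks would need an allow-list for legitimate Office endpoints, and the collected `iocs` sets are exactly the values (domains, IPs, URLs, hashes) that the portal lookups described above are keyed on.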