August 7, 2017

Impressive results on the anti-APT front

Business Technology

As we have mentioned before, we consider independent tests not as an indicator of our solutions’ effectiveness, but more as a tool to improve our technologies. Therefore, we rarely publish stories about test success, despite our products’ consistently high performance. However, the Advanced Threat Defense certification, conducted by ICSA Labs test lab is worth highlighting.

 

 

Our Kaspersky Anti-Targeted Attack platform participated in this certification for three consecutive quarters and showed an excellent result in the latest — 100% threat detection and 0 false positives. Why is that important for corporate clients, and what is behind these impressive figures?

Certification

According to ICSA Labs, the purpose of this certification is to determine how effective different protective solutions are against the latest cyberthreats. By the “latest,” ICSA means threats that are not detected by majority of traditional solutions. When choosing test scenarios, they relied on the Verizon Data Breach Investigation Report. Therefore, firstly, their test kit consists of the most trending threats, and secondly, every quarter the selection changes following the changes of the threat landscape.

 

 

This allows ICSA to analyze the dynamics of the solution’s performance. Strictly speaking, a good result in one test is not an indicator, but if a product shows good results, despite regular changes in threat patterns, it is a clear sign of effectiveness.

At the same time, the Verizon report contains data on cyberincidents that occurred in enterprise-class companies. Therefore, these are not just the most common and relevant attack vectors — these are threats used by cybercriminals against large businesses.

Latest results

The most recent study was conducted in the second quarter of this year, and its results were published in July. For each of the participants, ICSA Labs experts created a test infrastructure protected by a specialized solution. Then, within 37 days, they simulated various attacks on this infrastructure. In total, more than 1,100 tests were conducted using almost 600 samples of malware, and all of them were successfully detected by our specialized solution. Also, Kaspersky Anti-Targeted Attack platform scored perfectly with false positives: ICSA Labs experts launched more than 500 clean samples that were meant to look malicious, and our solution did not flag any of them as dangerous.

ICSA Labs does not perform comparative tests, and therefore it does not publish data summary tables. So we made our own tables, based on the open data, which you can find right here.

 

 

 

How did we achieve this?

Our products, and in particular the Kaspersky Anti-Targeted Attack platform, use a multilevel approach to threat detection. There are static analysis mechanisms, configurable YARA rules, unique SNORT rules for the IDS engine, certificate checking mechanisms, file and domain reputation checks via the global threat base (KSN), tools for advanced dynamic analysis in an isolated environment (sandbox), and a machine-learning engine — our Targeted Attacks Analyzer. Kaspersky Anti-Targeted Attack’s combination of those tools allows it to identify both known and as-yet-unknown malicious technologies.

The Targeted Attacks Analyzer, in fact, is the central analytical core. Based on machine learning, it allows Kaspersky Anti-Targeted Attack platform not only to compare information coming from different detection levels, but also to successfully detect anomalies in network and workstation behavior. Behavioral analysis can detect deviations that can indicate that an attack is in progress that is not using malicious software. For example, that might be an attack conducted with the use of legitimate software, stolen credentials, or through holes in IT infrastructure.

However, threat detection is not enough. Strictly speaking, if a product blocks everything, then it will also stop 100% of threats — but legitimate programs won’t work either. Therefore, it is important to work without false positives. Our technologies allow us to define safe processes, thanks to the HuMachine intelligence principle. The right balance between the detection level and the number of false positives consists of three elements:

  • Big data (we have a huge database of information on threats that has been collected for more than 20 years and is updated via the Kaspersky Security Network in real time with information from our solutions working on client computers around the world);
  • Advanced machine learning technologies that analyze this data;
  • Expertise of researchers, who, if necessary, correct and direct the machine-learning engine.

So we can say that the results of the ICSA certification in many respects is the result of the HuMachine principle.

To learn more about Kaspersky Anti-Targeted Attack platform, visit this web site.