Kaspersky Anti Targeted Attack Platform (KATA) is a complex solution for enterprises with multiple layers of detecting technologies to protect against targeted attacks. Real time monitoring of network traffic combined with object sandboxing and endpoint behavior analysis, delivers a detailed insight into what's happening across a business’ IT infrastructure. By correlating events from multiple layers including network, endpoints and the global threat landscape, KATA achieves “near realtime” detection of complex threats and helps to enable retrospective investigations. This solution exemplifies Kaspersky Lab’s multi-layered, next generation approach to advanced protection.
In past years, commodity malware remained hidden in the shadow of more sophisticated targeted long-term and better-prepared attack campaigns, so called APTs (Advanced Persistent Threats). Being targeted towards the victim, such attacks easily bypass single-layered protection. But with more detecting techniques involved, the probability of an attacker’s mistake raises.
The main purpose of the anti-targeted attack solution is to raise the cost of an attack to the level where the attack is not profitable. Therefore, ideal solutions should resemble a puff pie – layers of detecting technologies with a tasty filling in the very middle.
KATA incorporates the following detection techniques:
Targeted Attack Analyzer (TAA) – new technology developed specifically for KATA. It aggregates events from the endpoints and from other detecting engines to make decisions based on statistics and machine learning models.
The Sandbox – the basis of Kaspersky Lab’s award-winning detection rate, planted on a separate server. In addition, special post-processing was added to mark atomic suspicious activities of the files. On one hand, it is a generic approach to the detection of an attacker’s tools for their actions, on the other hand it gives more information about the malware to the security officer.
IDS scans of real-time traffic – very effective way to detect communication channels.
Traditional AV check working with specific (more paranoid) settings. All detections and semi-detections are going into TAA for further analysis.
Kaspersky Security Network (KSN) is widely used to get reputation, popularity and all possible information about objects processed by KATA (files, domains, URLs, IP addresses and more). Private cloud (KPSN) is also supported.
User can upload Yara rules to scan objects going through KATA. If the object is an archive, KATA opens it and passes single objects for Yara scan.
KATA gets data for analysis from different sources:
Network sensor receives copy of traffic, retrieves objects and network metadata for further analysis.
Integration with Kaspersky Security Mail Gateway allows it to send all messages to KATA. Alternatively, a customer can install special KATA Mail Sensor.
Kaspersky Endpoint Security can act as an endpoint sensor to gather all necessary data from the computers across the customer network. Alternatively, a standalone agent can be installed which is compatible with third-party endpoint protection.
The main purpose of KATA is to detect the targeted attack on every stage as it develops. Every layer of protection is responsible for detection of one or more stages of the attack: Sandbox, Yara and AV monitor infiltration, IDS is responsible for communication and exfiltration, TAA monitors almost all stages, and KSN helps all of the above with necessary data.
As a result, the Information Security Officer sees everything malicious, suspicious and abnormal that happens in the corporate network.
Kaspersky Anti Targeted Attack Platform
Proven advanced threat detection empowered by machine learning and HuMachine™ intelligence