This week, Kaspersky released a threat intelligence solution designed to help attribute malware samples to known advanced persistent threat (APT) groups.
The new Kaspersky Threat Attribution Engine, a commercial tool available globally, uses a proprietary method to match malicious code against a database of known malware and link it to groups or campaigns based on code similarities.
More often than not, identifying the actor behind an attack is a difficult, time-consuming task that requires both a large body of collected threat intelligence and a highly skilled, experienced team of researchers, Kaspersky argues.
The new tool is intended to automate sophisticated malware classification and identification processes. It is based on an internal tool used by the Global Research and Analysis Team of Kaspersky (GReAT) and has already been leveraged in the investigation of the campaigns TajMahal, ShadowHammer, ShadowPad and Dtrack, and the LightSpy iOS implant.
Kaspersky Threat Attribution Engine incorporates a database of APT malware samples (more than 60,000 APT-related files) and clean files collected over a period of 22 years, and can quickly link new attacks to known APT malware, targeted incidents and hacking groups.
Based on their similarity to samples in the database, the tool calculates a reputational score for new files, highlighting their possible origin and author. To relate a file to previous campaigns, a brief description and links to both private and public resources are provided alongside the score.
Kaspersky APT Intelligence Reporting subscribers get access to a dedicated report containing information about the identified threat actor’s tactics, techniques, and procedures, the company explains.
The Kaspersky Threat Attribution Engine is intended for on-premises deployment, rather than for use in a cloud environment operated by third parties, so that the customer stays in control of data sharing.
In addition, it allows customers to build their own database of malware samples detected by in-house researchers, so that the tool can label malware based on that information while keeping the data private.
“The product can be deployed in a secure, air-gapped environment that restricts any third party access to the information processed and the objects submitted. There is an API interface to connect the Engine to other tools and frameworks to implement assignment into existing infrastructure and automated processes,” explains Kaspersky.
In addition to identifying APT malware, the Threat Attribution Engine can determine whether the organization is the main target of an attack or a collateral victim, and can help build an efficient and timely mitigation of the threat, the security company says.
“Our experience shows that the best way [to reveal who’s behind an attack] is to search for shared code the samples have in common with others identified in previous incidents or campaigns. Unfortunately it can take days or even months for such manual investigation. In order to automate and speed up this task, we created Kaspersky Threat Attribution Engine, which is now available to customers of the company,” commented Costin Raiu, director of GReAT at Kaspersky.