EDR
When cyberthreats threatened only select departments inside a company, preventive measures and common sense could serve as reliable protection. But now the notorious digital transformation has radically changed business processes, introducing information technologies almost everywhere. As a result, more and more systems get connected to information networks; more and more people use them; and new services, technologies, and digital tools are introduced into them. All of those require new approaches to ensuring information security.
A purely protective solution is simply not enough anymore. Of course, that does not mean protective mechanisms are useless; they’re still perfectly able handle the overwhelming majority of mass threats. However, the larger your business is, the more interesting it looks to intruders who have the resources to prepare a complex, advanced attack. And against such attacks standard techniques are not always effective.
Where is the targeted attack’s complexity?
The key difference between targeted attacks and mass attacks lies in the thoroughness of the approach. Before making their move, attackers may invest a tremendous amount of work in collecting information and analyzing your infrastructure. They are patient. It may take several months to get ready to try to implant something in your network — and that something may not always be uniquely identified as a threat; it is not necessarily malware. It may be a kind of concealed communication module using common protocols, in which case the monitoring system will be unable to distinguish it from a legitimate user application.
Such modules become active at the last moment, when threat actors need to access the network, commit a malicious transaction, or sabotage a process. If you have a reliable protective solution, then it is likely to respond to the anomaly and prevent the incident. But even in that case, you will see only the tip of the iceberg. The main work of intruders will remain invisible (especially if they have thought out in advance how they will sweep the trails). And that is fundamentally wrong.
Why do you need to know how malefactors acted
One might wonder, what is the practical benefit of knowing how intruders infiltrated your infrastructure — especially if the incident was prevented? But there is a benefit, and every incident must be thoroughly investigated.
First, knowing the root of the problem will allow you not to run into the same trap twice. If you will leave everything as it is, relying only on protective measures, hackers will inevitably repeat the attack scenario, but having improving their methods, perhaps greatly.
Second, knowing how intruders got in will allow you to respond thoughtfully and, most important, promptly. The breach may not be due to software or hardware vulnerabilities. Attackers can gain access to your infrastructure through an employee, knowingly or not. Or the threat can came through networks of subcontractors or service providers that have access to your systems for business reasons.
Not to mention that the attackers could have other implants in your network, and the incident could be only one part of their plan, or a distracting maneuver.
What can be done?
To protect your infrastructure from targeted and advanced attacks, it is necessary to strengthen your security mechanisms with a system that will enable you to peer into the past. Attackers can delete information and mask their tracks as much as they like, but if you have an endpoint detection and response (EDR) system, then investigators can easily get to the root of an incident. And they can do so without further disrupting the continuity of business processes.
As a solution, we offer the Threat Management and Defense platform, a combined version of our time-proved Kaspersky Anti Targeted Attack and a brand new Kaspersky Endpoint Detection and Response solution with expert services. It lets you implement a strategic approach to managing cyberthreats.
Kaspersky Anti Targeted Attack, using proven effective technologies based on machine learning allows you to find anomalies in network traffic, isolate suspicious processes, and look for correlations between events. Kaspersky Endpoint Detection and Response serves to aggregate and visualize the collected data, which is critical in the investigation of incidents. And, thanks to the services, you can receive aid at any time in case of particularly difficult incidents, train your monitoring center staff, or raise awareness of the company’s employees overall.
To learn more about our Threat Management and Defense platform, please visit its dedicated Web page.
Tips