Cybersecurity vendor Kaspersky has revealed that its sandboxing technology is now available for use in customer networks.
The on-premises Kaspersky Research Sandbox is designed for organisations with strict restrictions on data sharing, to enable them to build their internal security operations centres (SOCs) or computer emergency response teams (CERTs).
The company said the solution helps them to detect and analyse targeted threats while also being sure that all the examined files are kept inside the organisation.
Last year, about half (48%) of enterprises in the Middle East, Turkey, Africa (META) region experienced a targeted attack, a Kaspersky survey of IT decision makers found. These threats are often designed to only work in a specific context within the victim’s organisation. For example, a file may perform nothing malicious until an exact application is opened or unless a user scrolls through the document.
According to Kaspersky, some files can identify that they are not in the end-user environment – for instance, if there is no sign that anybody is working on the endpoint – and won’t run the malicious code. However, as a SOC usually receives numerous security alerts, analysts cannot manually investigate all of them to identify which one is the most dangerous.
To help companies analyse advanced threats more accurately and timely, Kaspersky’s sandboxing technologies can now be implemented inside a customer’s organisation. The Kaspersky Research Sandbox emulates the organisation’s system with random parameters (such as user and computer name, IP address, etc) and imitates an actively-used environment, so that malware cannot distinguish that it is running on a virtual machine.
Kaspersky Research Sandbox has evolved from the internal sandboxing complex used by the company’s own anti-malware researchers. The vendor’s sandbox technology has a special API for integration with other security solutions, so that a suspicious file can be automatically sent for analysis. The results of analysis can also be exported to a SOC’s task management system. This automation of repetitive tasks cuts down the time required for incident investigation.
“Our Kaspersky Cloud Sandbox, launched in 2018, works perfectly for organisations who need to analyse complex threats without additional investment in hardware infrastructure,” remarked Veniamin Levtsov, Vice President, Corporate Business at Kaspersky.
However, Levtsov said organisations with internal SOCs and CERTs, and strict restrictions on data sharing require more control over files they analyse.
“Now, with Kaspersky Research Sandbox they can choose the deployment option that suits them the most as well as being able to customise on-premises sandboxing images to any enterprise environment.”
Kaspersky Research Sandbox provides detailed reports on file execution. The reports contain execution maps and an extended list of events performed by the analysed object, including its network and systems activities with screenshots, as well as a list of downloaded and modified files.
Kaspersky said by knowing exactly what each malware does, incident responders can come up with the required measures to protect the organisation from the threat. SOC and CERT analysts will also be able to create their YARA rules to check analysed files against them.
The company noted that as the solution is installed in the customers’ network, it provides more capabilities to mirror its operating environment. Virtual machines from the Kaspersky Research Sandbox can be connected to an organisation’s internal network. As a result, it can reveal malware designed to run only in a certain infrastructure and get an understanding of its intentions.
In addition, Kaspersky said analysts can set up their Windows version with specific pre-installed software to completely emulate their enterprise environment. It simplifies an organisation’s detection of environment-aware threats such as the recently discovered malware that was used in attacks against industrial companies. Kaspersky Research Sandbox also supports Android OS to detect mobile malware.
Click below to share this article