KL 038.4: Kaspersky Industrial CyberSecurity.

Part V. Kaspersky Endpoint Agent

KL 038.4

Kaspersky
Industrial
CyberSecurity

Part V.
Kaspersky Endpoint Agent

Student guide
Table of contents

1. How Kaspersky Endpoint Agent works .................................................................................. 3
1.1 What is Kaspersky Endpoint Agent? ................................................................................................4
1.2 Hardware and software requirements ..............................................................................................6

2. Incident response ........................................................................................................................... 7
2.1 How to respond to an alert ...............................................................................................................7
2.2 Configuring the display of detection events in Kaspersky Security Center ......................................9
Configure the report on threats ........................................................................................................9
Enable display of the list of alerts ...................................................................................................10
Which technologies and tasks create an incident card? ................................................................10
2.3 Alert details .....................................................................................................................................11
Information about the detected object ............................................................................................12
Information about the created files .................................................................................................13
Information about injections and network connections ..................................................................14
Information about the created keys and registry changes .............................................................15
Information about the parent process.............................................................................................16
2.4 Threat containment.........................................................................................................................17
Isolate the host ...............................................................................................................................17
How to disable host isolation ..........................................................................................................18
Prevent execution ...........................................................................................................................19
What Execution Prevention does ...................................................................................................21
Quarantine a file .............................................................................................................................21
Create an Indicator of Compromise (IoC) ......................................................................................23
2.5 Security audit ..................................................................................................................................28
What is a security audit? ................................................................................................................28
Perform security audit.....................................................................................................................29

1. How Kaspersky Endpoint Agent works

Kaspersky Industrial CyberSecurity for Nodes protects nodes against cybersecurity threats, but it only shows that a malicious object was detected and indicates the actions that were or were not taken on the malicious object.

An analyst cannot use this information to detect the specific attack vector and determine the point where the attack was blocked by the security application.

For example, the analyst might see that Kaspersky Industrial CyberSecurity for Nodes has detected and blocked an encryption attempt. The analyst can use the event to find out which application encrypted the data, but cannot find out whether or not the encryption was a legitimate operation, and cannot track the entire chain of events that preceded the encryption attempt.

As a result, even if a threat has been detected and blocked, the analyst cannot be fully confident that everything is all right in the system, i.e. that the attack is completely neutralized, all its consequences have been eliminated, there are no unauthorized changes in the operating systems or applications, and no data has leaked.

To analyze the cause of an incident, we need an application that will gather the event’s extended context. An event’s extended context refers to additional information surrounding the detection of the threat, such as:
— Process start events or process termination events
— Events involving the establishment of outbound connections
— Events involving the opening of ports
— Login events with different user accounts
— Command line used to run an object
— Object name

1.1 What is Kaspersky Endpoint Agent?

Kaspersky Endpoint Agent is an application that is installed on individual nodes and gathers telemetry from them. For example, the application observes the following:
— Processes running on a node
— Open network connections
— Files being modified

All telemetry gathered by Kaspersky Endpoint Agent can be forwarded to Kaspersky Industrial CyberSecurity for Networks and to Kaspersky Security Center.


When integrated with Kaspersky Industrial CyberSecurity for Nodes and managed by Kaspersky Security Center, Kaspersky Endpoint Agent provides EDR (Endpoint Detection & Response) functionality. Kaspersky Endpoint Agent, Kaspersky Industrial CyberSecurity for Nodes, and Kaspersky Security Center constitute the Kaspersky Industrial CyberSecurity Endpoint Detection and Response solution.

Kaspersky Industrial CyberSecurity Endpoint Detection and Response:
— Gathers additional information about the detection of a threat. The administrator and analyst can analyze this information, which is presented as an incident card, through the Kaspersky Security Center Web Console. This helps clarify what was happening on the endpoint device before the detection event occurred, and whether additional response measures should be taken.
— Provides threat containment measures. You can:
    — Isolate the endpoint from the network
    — Quarantine detected objects for further analysis
    — Prevent execution of executable files, scripts, or documents
— Creates IoC Scan tasks to find Indicators of Compromise on managed devices. The administrator can create IoCs based on data obtained from telemetry, or use external resources that publish information about IoCs (for example, securelist.com or other public sources).
— IoC Scan tasks let you configure automatic response actions that Kaspersky Endpoint Agent will perform if it detects indicators of compromise:
    — Run an additional scan of the computer using Kaspersky Industrial CyberSecurity for Nodes
    — Quarantine a file
    — Isolate the computer from the network
— Conducts a security audit of nodes based on OVAL rules.

The administrator can manage Kaspersky Endpoint Agent only using Kaspersky Security Center Web Console.

The following Kaspersky application versions support Kaspersky Industrial CyberSecurity Endpoint Detection and Response:
— Kaspersky Industrial CyberSecurity for Nodes 3.1
— Kaspersky Endpoint Agent 3.13 or later
— Kaspersky Security Center Windows 12.1 or later – full support of Kaspersky Industrial CyberSecurity Endpoint Detection and Response functionality

1.2 Hardware and software requirements

You can find the complete hardware and software requirements in the online product help at https://support.kaspersky.com/KEA/3.14/en-US/193103.htm.

2. Incident response

2.1 How to respond to an alert

This is a general plan. In practice, each organization must have its own plans and scenarios for handling security incidents.

Kaspersky Endpoint Agent forwards telemetry to Kaspersky Security Center. In Kaspersky Security Center, an extended context is provided as an incident card and as a description of all detected interactions between malware and the system. In Kaspersky Security Center, the extended context is referred to as alert details.

An analyst must use the alert details to do the following:
— Classify the incident—understand whether the detected activity is legitimate or not. If the activity is illegitimate, find the source of the attack and the stage at which it was detected; also, identify devices that have already been attacked and those that may be exposed to the attack.
— Determine the incident priority—depending on the collected information, assess the incident’s importance, prepare a plan of action, and assign a specialist or a team to investigate and respond to the incident.

Based on the alert details, a cybersecurity expert can do the following:
— Isolate a host where suspicious activity was detected.
— Prevent execution of a file, document, or script.
— Quarantine a suspicious file or files.
— Analyze artifacts.

Based on their investigation, the cybersecurity expert decides what to do next:
— Close the incident and take no further action.
— Eliminate the causes of the incident and restore the network.

To eliminate the causes of an incident, the analyst can do the following:
— Terminate malware processes.
— Delete malicious objects.
— Run specific commands that will help stop a malicious process.

For the purposes of this course, we will focus on the following:
— Analysis of alert details
— Containment tools
— Remediation and restoration tools

2.2 Configuring the display of detection events in Kaspersky Security Center

To use Kaspersky Industrial CyberSecurity Endpoint Detection and Response, the administrator must install Kaspersky Industrial CyberSecurity for Nodes and Kaspersky Endpoint Agent on the protected node.

We covered remote installation via Kaspersky Security Center in Part IV. Kaspersky Industrial CyberSecurity for Nodes.

To view incident cards in Kaspersky Security Center:
— Configure the report on threats
— Add the EDR detection widget
— Enable the list of displayed alerts

Configure the report on threats

All detection events of Kaspersky Industrial CyberSecurity for Nodes can be viewed in the Report on threats. The administrator can view the report under Monitoring & Reporting | Reports.

After installation and activation of Kaspersky Endpoint Agent, new detection events are enriched with additional information. In the Open incident column, the View incident card link appears, which lets you view the details of the detection event.

Old detection events—those logged before Kaspersky Endpoint Agent was activated or installed—will not be enriched.

Enable display of the list of alerts

All detection events are also displayed in Monitoring & Reporting | Alerts. In the Enrichment and response column, an enriched event has a More details link, which lets you view the detection details.

Enable display of the Alerts page in the web console interface options: KSC\<<User name under which you have connected to the administration server>> | Interface options | Show EDR alerts.

Which technologies and tasks create an incident card?

Kaspersky Endpoint Agent does not generate detection events. It uses telemetry data to enrich detection events from Kaspersky Industrial CyberSecurity for Nodes components.

Kaspersky Endpoint Agent gathers telemetry for the following:
— Detections by the Real-Time File Protection component
— Detections by the On-Demand Scan task

2.3 Alert details

Alert details in the Kaspersky Security Center Web Console consist of the following:

Threat status: whether it has been blocked.

Chain of processes that preceded the detection: the activity of each process is specified, such as creating files, establishing connections, or modifying the registry. The object originally detected by a protection technology is highlighted in blue.

Information about the incident: object name and location on the device, category, detection timestamp, etc. Endpoint data is also included: the computer’s domain name, IP address, MAC address, operating system, and location in the Kaspersky Security Center group hierarchy.

The bottom of the window contains details on the malicious object, such as the file hash, creation date and modification date, and the user account used to create the file.

Detection details are stored on the administration server for 30 days and then deleted. Alert details are displayed regardless of whether the device for which the enriched event was generated is currently online.

Information about the detected object

The first thing to pay attention to is the threat status.

In our case, we can see that Kaspersky Industrial CyberSecurity for Nodes successfully blocked the threat. This is confirmed by the status Success: Deleted.

Next, analyze which executable files were involved in the attack. To simplify incident analysis, the object that Kaspersky Industrial CyberSecurity for Nodes detected and blocked is highlighted in blue. Click an object in the threat formation chain to view detailed information about the file.

The following data is displayed:
— Execution date and time
— Command line parameters. This information can be useful if a script was executed implicitly through PowerShell or other interpreters.
— Process identifier (PID)
— Integrity level. A process’s integrity level reveals the privileges with which the process was run. “High integrity” means that the process was started with full administrator permissions.
— Information about the user who started the detected object
— MD5 and SHA256 checksums of the file
— The trust group of the file according to Kaspersky’s classification

Information about the created files

As you continue to explore details of the detected malicious activity, you can see what files it created. You should analyze these files too, because they may spread the threat within the organization, facilitate a data leak, or start a malicious file when the system boots.


Information about injections and network connections

Kaspersky Endpoint Agent registers code injections and network connections.

Information about injections shows executable files related to the attack. This information can be useful when checking if any of these files remain on the target device.

Information about network connections includes the following:
— Date and time when each connection was established
— Local and remote address and connection port. You can analyze the network connection log on the proxy server to find out which other devices connected to the same address and the same port. This will quickly give you the list of devices that may have been compromised.
— The web address, referrer, user agent, and HTTP method (GET/POST). These are only displayed if the request was made using HTTP.
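
The proxy-log pivot suggested in the second item above, as an added example that is not part of the course material: it parses constructed proxy log lines and lists the other clients that reached the same remote address and port as the alerting host. The log layout, the regular expression and every address are constructed assumptions; adapt the pattern to the format your proxy actually writes.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed proxy log in a generic "timestamp client dest:port method url" layout
# (assumption: real proxies use their own formats, so LINE_RE must be adapted).
# The third line is deliberately malformed to show that parse failures are counted.
PROXY_LOG = """\
2024-03-12T09:14:02Z 10.20.1.15 203.0.113.7:8443 CONNECT 203.0.113.7:8443
2024-03-12T09:14:09Z 10.20.1.22 203.0.113.7:8443 CONNECT 203.0.113.7:8443
proxy restarted
2024-03-12T09:15:41Z 10.20.1.15 198.51.100.4:443 GET https://updates.example.net/catalog
2024-03-12T09:16:03Z 10.20.1.31 203.0.113.7:80 GET http://203.0.113.7/index.html
2024-03-12T09:17:55Z 10.20.2.8 203.0.113.7:8443 CONNECT 203.0.113.7:8443
2024-03-12T09:18:10Z 10.20.1.22 198.51.100.4:443 GET https://updates.example.net/catalog
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<client>\S+) (?P<dest>[^:\s]+):(?P<port>\d+) (?P<method>\S+) (?P<url>\S+)$"
)


def parse_proxy_log(text):
    """Return (records, malformed_count); a malformed line is counted, never silently dropped."""
    records, malformed = [], 0
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m is None:
            malformed += 1
            continue
        rec = m.groupdict()
        rec["port"] = int(rec["port"])
        rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ")
        records.append(rec)
    return records, malformed


def pivot_on_destination(records, remote_addr, remote_port, alert_client):
    """Map every other client that reached the same remote address AND port to its
    connection times. The port matters: a host that only fetched a page on port 80
    from the same address is not listed."""
    hits = defaultdict(list)
    for r in records:
        if r["dest"] == remote_addr and r["port"] == remote_port and r["client"] != alert_client:
            hits[r["client"]].append(r["ts"])
    return dict(hits)


def candidates_from_alert(remote_addr, remote_port, alert_client, log_text=PROXY_LOG):
    """Sorted list of devices to check next, given the remote endpoint shown in the alert."""
    records, _ = parse_proxy_log(log_text)
    return sorted(pivot_on_destination(records, remote_addr, remote_port, alert_client))


if __name__ == "__main__":
    # Alert details: 10.20.1.15 connected to 203.0.113.7 on port 8443
    print(candidates_from_alert("203.0.113.7", 8443, "10.20.1.15"))
```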

Information about the created keys and registry changes

The analyst can study detection details that include information about the created keys and changes in the registry related to the attack. To open a menu containing detailed information about an object, click any object in the list.

Malware often modifies the registry to launch its objects. In some cases, malware may even do this using legitimate reputable software to aid in a certain stage of the attack and make it difficult for protection software to detect illegitimate activity.

When analyzing changes in the registry, pay the utmost attention to the keys that have the yes value in the Autorun point field. Such a key autostarts an object.


Information about the parent process

When investigating details of a detection event, you can also check whether parent processes are related to the attack and whether they are suspicious or malicious.

If the parent process is Windows Explorer, a web browser, or an email application, a user most likely carelessly executed the malicious file.

If the parent process is a little-known file, that may indicate a new unknown threat and may be a reason to proceed to threat containment.

2.4 Threat containment

Once threat analysis is completed, begin to contain the threat to prevent it from propagating to other corporate devices. At the threat containment stage, we recommend the following:
— Isolate compromised devices from the network.
— Prevent execution of the objects related to the attack.
— Quarantine suspicious files.
— If necessary, retrieve objects for further analysis.

We recommend that you take some containment actions before completing a detailed analysis. For example, if the alert details indicate that a node is attempting to establish a large number of network connections, the analyst is advised to immediately isolate the device from the network and prevent execution of objects. The analyst can do this directly from the detection card.

Isolate the host

A host can be isolated by using the response buttons directly from the incident card, or it can be done from the device card.

The administrator does not need to use third-party tools or switch between consoles to begin containing a threat, because the main commands are available in the detection card.

You can click the Isolate device from the network button to strictly limit a machine’s network activity. Isolation is performed by Kaspersky Endpoint Agent. On the isolated device, the user sees the corresponding notification.

Kaspersky Endpoint Agent does not block all connections. It does not block:
— Connections of Kaspersky Industrial CyberSecurity for Nodes services
— Connections of Kaspersky Security Center Network Agent

You can configure network isolation exclusions in the policy.

To view all isolated devices, open Tags | Device tags and select the Isolated from network tag. The Kaspersky Security Center Web Console will display the specific devices that have been isolated from the network.

How to disable host isolation

Note that removing the tag from the device properties is not enough to release the device!

The isolation period is defined in the Kaspersky Endpoint Agent policy. By default, a device will be isolated for 30 minutes.

We recommend that you do not decrease this time, so that a device remains isolated until specialists complete their investigation and cope with the threat.

To release a device, go to its properties, open Kaspersky Endpoint Agent application settings, switch to Application settings | Network Isolation | General, and then clear the Isolate this device from the network check box.

Prevent execution

The administrator can prevent execution of suspicious files on endpoint devices. To do so, click the Prevent execution button in the file details pane.

After clicking this button, the Kaspersky Security Center Administration Server creates a prevention rule in the Kaspersky Endpoint Agent policy for the computer group. The name of this rule type takes the prefix "[KillChain] md5". By default, a prevention rule uses the file’s MD5 hash sum.

To ensure that the prevention rule will work, enable execution prevention in the Kaspersky Endpoint Agent policy. To do so, open Application Settings | Execution Prevention and select the Enable the prevention of untrusted objects execution check box.

Execution Prevention has the following modes:
— Active – Kaspersky Endpoint Agent blocks untrusted objects and registers a security event.
— Statistics only – Kaspersky Endpoint Agent only registers a security event.

The administrator can configure an execution prevention message to be displayed to the user. To do so, enable the Notify device user about prevention option.

The administrator will not always be able to block an untrusted object directly from the object details pane.

For example, if an adversary used a PowerShell script during an attack, the administrator will see only the powershell.exe process in the incident card and will be able to block only this process.

Blocking powershell.exe would be an excessive response, because this could block legitimate scripts that ICS engineers use to automate system maintenance.

The details pane for the executed process contains the command line parameters that were used during the attack. For example, the administrator can find the name of an executed script, calculate its hash, and create a prevention rule for this script in the Kaspersky Endpoint Agent policy.

To independently create a prevention rule, go to Application Settings | Execution Prevention in the Kaspersky Endpoint Agent policy and click Add in the Prevention rules section.

You can block executables, scripts, and Microsoft Office documents using an MD5 or SHA256 checksum and/or object path.

Existing rules can be deleted, disabled, enabled, and modified.
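
The rule logic described in this section (MD5 or SHA256 and/or path, Active versus Statistics only), as an added example that is not Kaspersky's code: it evaluates constructed prevention rules against constructed execution attempts and shows why a rule on the script's own hash, rather than on powershell.exe, is the proportionate fix for the case above. The rule fields, the exact "[KillChain] md5" name format, the sample script and the sample paths are all assumptions.

```python
import hashlib
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass
class PreventionRule:
    """Constructed model of a prevention rule (field names are ours, not the product's):
    any combination of MD5, SHA256 and object path; every criterion that is set must match."""
    name: str
    md5: Optional[str] = None
    sha256: Optional[str] = None
    path: Optional[str] = None
    enabled: bool = True


@dataclass
class ExecutionAttempt:
    path: str        # full path the object is started from
    content: bytes   # the object's bytes, used to compute its checksums


def matches(rule: PreventionRule, attempt: ExecutionAttempt) -> bool:
    if not rule.enabled:
        return False
    checks = []
    if rule.md5:
        checks.append(hashlib.md5(attempt.content).hexdigest() == rule.md5.lower())
    if rule.sha256:
        checks.append(hashlib.sha256(attempt.content).hexdigest() == rule.sha256.lower())
    if rule.path:
        checks.append(attempt.path.lower() == rule.path.lower())  # Windows paths are case-insensitive
    return bool(checks) and all(checks)


def evaluate(rules, attempt: ExecutionAttempt, mode: str = "Active") -> Tuple[bool, Optional[str]]:
    """Return (blocked, security_event). 'Active' blocks and logs; 'Statistics only' logs only."""
    hit = next((r for r in rules if matches(r, attempt)), None)
    if hit is None:
        return False, None
    event = f"Execution prevention: {attempt.path} matched rule '{hit.name}'"
    return mode == "Active", event


def killchain_rule(content: bytes) -> PreventionRule:
    """What the Prevent execution button produces by default: a rule on the MD5 only,
    named with the "[KillChain] md5" prefix (exact name format is an assumption)."""
    digest = hashlib.md5(content).hexdigest()
    return PreventionRule(name=f"[KillChain] md5 {digest}", md5=digest)


# Constructed stand-ins; neither is a real script from an incident nor a real binary
SCRIPT = b"Write-Output 'constructed sample script'\r\n"
INTERPRETER = b"<constructed stand-in for the bytes of powershell.exe>"
PS_PATH = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"


def demo():
    """Block the script named in the command line rather than powershell.exe itself."""
    rules = [killchain_rule(SCRIPT)]

    def run(path, data, mode="Active"):
        return evaluate(rules, ExecutionAttempt(path, data), mode)

    return {
        "script_original": run(r"C:\Users\Public\run.ps1", SCRIPT)[0],          # blocked
        "script_copied": run(r"D:\tmp\x.ps1", SCRIPT)[0],                        # hash rule follows the file
        "interpreter": run(PS_PATH, INTERPRETER)[0],                             # legitimate scripts keep running
        "script_modified": run(r"C:\Users\Public\run.ps1", SCRIPT + b"#")[0],    # new hash, hash-only rule misses
        "statistics_only": run(r"C:\Users\Public\run.ps1", SCRIPT, "Statistics only"),  # event, no block
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```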


What Execution Prevention does

If the user attempts to run a prohibited object, Kaspersky Endpoint Agent blocks execution of the object and registers a security event. Windows shows the user a message containing the corresponding error.

Quarantine a file

It makes sense to quarantine files that the security application does not consider to be dangerous but that do not appear to be a part of the operating system or well-known software. Such files are typically characterized by their lack of a digital signature.

When you quarantine a file, it is moved from its original folder to a special encrypted local storage of Kaspersky Endpoint Agent. Neither the user nor any processes will be able to run it again. However, if cybersecurity experts conduct an investigation that determines that the file is not dangerous, they can restore it from Quarantine to its original folder.

To quarantine a file from an alert card, open the file details pane and click Quarantine.

You can quarantine only files that have a checksum in the incident card. Kaspersky Endpoint Security calculates checksums only for executable files. Non-executable files can be quarantined using a Quarantine file task. Specify the target devices and the full path to the file (or its full path and checksum) in the task parameters.

To create and run a Quarantine task, select the criteria for quarantining a file:
— Specify the file full path – the complete path to the file must be indicated.
— Specify the file by folder path and checksum – the path to the file folder and the checksum of the file must be indicated.

You can enable the Delete the file from the device option, in which case Kaspersky Endpoint Agent will place an encrypted copy of the file in the local repository and then delete the original. If you do not want to delete the original file, disable this option.

You can also exclude critical system files from the task scope by enabling the Do not perform actions on critical system files option.

The administrator can view quarantined files of a specific node by running the following command in the Windows command prompt:

agent.exe --quarantine show

Or the administrator can examine the quarantined files under Operations | Repositories | Quarantine in the Kaspersky Security Center Web Console.

Create an Indicator of Compromise (IoC)

When a suspicious file is put into Quarantine after it has been blocked from running, you should check for similar suspicious files on other network nodes and eliminate any that you find.

To do so, the administrator can create and run an IoC Scan task, which searches for Indicators of Compromise. The task searches computers for such files and can automatically quarantine them.

An IoC Scan is a tool that searches for traces of malicious activity on network computers. You can create an IoC from an alert card, generate one from open-source data, or receive a ready file from a third-party IoC provider.

For example, an incident card contains information about created files and registry keys. It is critical for the administrator to find out if such files and registry keys are present on other computers, because this could mean that a malicious file has already been run on other computers in the network.

You can easily create a standard description for an indicator of compromise right from the alert card. To do so, open the All incident events tab, select the objects related to malicious activity, and click the Create IoC button.

Not all of the files displayed on an alert card are indicators of compromise. Standard Windows files may be shown as well.

Kaspersky Endpoint Agent automatically generates indicators of compromise in the OpenIOC format from the selected files and registry keys. Files are searched for by their MD5 checksum, while registry keys are searched for by their full path, name, and value of the variable in the registry.

If the web console does not let you select certain files on the All incident events list, that means there is no information about their MD5 checksums in Kaspersky Security Center.

If multiple objects are selected, Kaspersky Security Center generates a consolidated indicator. This indicator consists of separate conditions for each object. You can combine the conditions with logical OR or AND:
— OR means that the computer will be considered compromised if it contains even one of the selected objects.
— AND means that the computer will be considered compromised only if all of the selected objects (files and registry keys) are found on it.

You can immediately save the generated IoC as a file or create an IoC scan task for the network computers.

When you create a task, choose which actions it should perform when an IoC is detected:
— Isolate the device from the network—use this response action cautiously, since sudden isolation may disrupt the user’s work and even the operation of the whole organization if an IoC is detected on a server.
— Scan critical areas.
— Quarantine the file.

An IoC can be exported from the incident card or scan task in OpenIoC format. To do so, click Export IOC Collection…
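
An added example (not Kaspersky's code) of what a consolidated indicator of the kind described above looks like in OpenIOC and how its OR/AND logic decides whether a host is compromised: it builds an OpenIOC 1.0 document from constructed file MD5s and one registry key, then evaluates it against constructed host inventories. FileItem/Md5sum and the RegistryItem terms are standard OpenIOC 1.0 vocabulary; the exact terms and structure that Kaspersky Endpoint Agent emits are an assumption, as are all hashes, paths and the host inventories.

```python
import uuid
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = "http://schemas.mandiant.com/2010/ioc"   # OpenIOC 1.0 namespace
ET.register_namespace("", NS)


def _q(tag):
    return f"{{{NS}}}{tag}"


def _item(parent, search, content_type, value):
    """Append <IndicatorItem condition="is"> with a Context (what to inspect) and Content (the value)."""
    item = ET.SubElement(parent, _q("IndicatorItem"), id=str(uuid.uuid4()), condition="is")
    ET.SubElement(item, _q("Context"), document=search.split("/")[0], search=search, type="mir")
    ET.SubElement(item, _q("Content"), type=content_type).text = value


def build_ioc(description, file_md5s, registry_keys, operator="OR"):
    """Build an OpenIOC document. `operator` ("OR"/"AND") joins the per-object conditions the way
    the console's consolidated indicator does. Each registry object is a nested AND of key path,
    value name and value, so all three must hold together (assumed layout, see lead-in)."""
    ioc = ET.Element(_q("ioc"), {"id": str(uuid.uuid4()),
                                 "last-modified": datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%S")})
    ET.SubElement(ioc, _q("short_description")).text = description
    top = ET.SubElement(ET.SubElement(ioc, _q("definition")), _q("Indicator"),
                        operator=operator, id=str(uuid.uuid4()))
    for md5 in file_md5s:
        _item(top, "FileItem/Md5sum", "md5", md5.lower())
    for key_path, value_name, value in registry_keys:
        reg = ET.SubElement(top, _q("Indicator"), operator="AND", id=str(uuid.uuid4()))
        _item(reg, "RegistryItem/KeyPath", "string", key_path)
        _item(reg, "RegistryItem/ValueName", "string", value_name)
        _item(reg, "RegistryItem/Value", "string", value)
    return ET.tostring(ioc, encoding="unicode")


REG_FIELDS = ("RegistryItem/KeyPath", "RegistryItem/ValueName", "RegistryItem/Value")


def _eval_indicator(node, host):
    """Evaluate one <Indicator> against a host inventory
    {"files": {md5, ...}, "registry": {(key_path, value_name, value), ...}}."""
    items = [(i.find(_q("Context")).get("search"), i.find(_q("Content")).text)
             for i in node.findall(_q("IndicatorItem"))]
    results = []
    if items and all(s.startswith("RegistryItem/") for s, _ in items):
        # A registry object is matched as one triple, not as three independent lookups
        by_field = dict(items)
        results.append(tuple(by_field.get(f) for f in REG_FIELDS) in host["registry"])
    else:
        results.extend(v in host["files"] for s, v in items if s == "FileItem/Md5sum")
    results.extend(_eval_indicator(sub, host) for sub in node.findall(_q("Indicator")))
    return any(results) if node.get("operator") == "OR" else all(results)


def host_matches(ioc_xml, host):
    root = ET.fromstring(ioc_xml)
    return _eval_indicator(root.find(f"{_q('definition')}/{_q('Indicator')}"), host)


# Constructed sample objects: placeholder hashes and an autorun key, not real indicators
SAMPLE_MD5S = ["0123456789abcdef0123456789abcdef", "fedcba9876543210fedcba9876543210"]
SAMPLE_KEY = (r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run", "updater",
              r"C:\Users\Public\stage2.exe")


def demo():
    """Evaluate the OR and AND variants against three constructed host inventories."""
    or_ioc = build_ioc("Example incident (OR)", SAMPLE_MD5S, [SAMPLE_KEY], "OR")
    and_ioc = build_ioc("Example incident (AND)", SAMPLE_MD5S, [SAMPLE_KEY], "AND")
    partial = {"files": {SAMPLE_MD5S[1]}, "registry": set()}         # only one of the files
    full = {"files": set(SAMPLE_MD5S), "registry": {SAMPLE_KEY}}    # every selected object
    lookalike = {"files": set(),                                    # same key path and name,
                 "registry": {(SAMPLE_KEY[0], SAMPLE_KEY[1], r"C:\Program Files\Vendor\updater.exe")}}
    hosts = (partial, full, lookalike)
    return {"or": [host_matches(or_ioc, h) for h in hosts],
            "and": [host_matches(and_ioc, h) for h in hosts],
            "xml": or_ioc}


if __name__ == "__main__":
    out = demo()
    print("OR :", out["or"], " AND:", out["and"])
    print(out["xml"])
```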

A group IoC Scan task is created from the alert card. The task’s name will start with IoC Scan from incident <threat name> <threat detection time>.

You can create multiple tasks from a single alert card. For example, select a group of highly reliable indicators and make a task that will quarantine the respective files. For less reliable indicators, you can create a task that will make the security solution scan the respective computers for threats. All tasks created from the same card get the same names by default, so rename them to avoid confusion.

If an IoC Scan task is created from an alert card, it scans only critical areas (temporary folders and download folders of all the device users) by default. You can redefine the scan area in the task properties and select to scan specific folders on a drive, the system drive, or all drives of the device.

IoC Scan tasks created from an alert card are run once as soon as they are created.

You can create an IoC Scan task manually. In the task settings, you can add files in OpenIoC format from external sources.

To add IoC files in the OpenIoC format, click the Redefine IoC files button; then, in the window that opens, click Add IoC files and specify the OpenIoC files. A single scan task can search for multiple indicators.

An IoC Scan task automatically recognizes OpenIoC files that specify what types of data to look for.

On the Advanced tab, the administrator can configure the scan settings for data types represented in OpenIoC files.

If you plan to search for files by their hashes, you can modify the scan scope. With the default settings, the task scans critical areas on the device, meaning temporary folders and download folders of all users. You can customize the scan area and disable/enable searching the Windows registry.
co
be
t to
No


To check the task status and whether the indicators have been found on the computers, switch to the
Application Settings tab of the task and open the IOC Scan Results section. You can find detailed IoC
scan results here, namely, the devices where indicators were detected.

Click the Indicator(s) of compromise detected link to open the list of results for the respective
computer. It contains all indicators specified in the task. If an indicator was detected, the State column
contains the matched link that opens a detailed detection card with the names of detected files (or other
objects).
The detection card shows which objects on the computer matched the IoC conditions. If the IoC consists
of several groups of conditions combined with the logical OR operator, the group whose conditions match
the found files (or other objects) will be highlighted.


2.5 Security audit

What is a security audit?

The Kaspersky Endpoint Agent Security Audit task scans target nodes to check their compliance with
rules, generates a report, and sends it to the Kaspersky Security Center Administration Server.

Rules can check, for example, for the following:

— Vulnerabilities
— Installed applications
— Running processes
— Users' group membership
— Files

Open Vulnerability and Assessment Language (OVAL) is an international cybersecurity standard that
includes a language for describing and assessing vulnerabilities.

OVAL rules consist of an XML file that contains a set of OVAL definitions.

A definition can describe, for example, the following:

— Vulnerability
— Application installed with certain settings (version later than the defined version, set of
components, etc.)
— Running process
— System status

Each definition contains triggering criteria. Criteria may include the following:
— Installed software
— Software version
— Files in a specific folder
When conducting an audit based on OVAL rules, Kaspersky Endpoint Agent gathers the necessary
information from the system and checks it against the criteria in OVAL definitions.


Each OVAL definition is associated with a specific class. These classes are described by the OVAL
specification:
— A Compliance definition checks whether the system configuration settings comply with the
security policy.
— An Inventory definition checks whether the software or hardware specified in OVAL rules is
installed in the system.
— A Miscellaneous definition refers to custom scans.
— A Patch definition checks whether the patch specified in OVAL rules is installed on the system.
— A Vulnerability definition checks whether the vulnerabilities specified in OVAL rules are present
in the system.

The Agent then generates a report that indicates whether each individual OVAL rule was triggered (the
system matches the criteria).

Perform security audit


Analysts can use built-in rules from Kaspersky ICS CERT, write their own rules, or use rules from the
OVAL repository (https://github.com/CISecurity/OVALRepo).

OVAL rules from ICS CERT cover the vulnerabilities of the most popular software used in industrial
networks running Windows.

On the Scope tab, the administrator can configure which OVAL definitions Kaspersky Endpoint Agent will
use when scanning a node.

The following modes are available:

— Scan all definitions – all OVAL definitions will be used for the scan.
— Scan the definitions, except for the exclusions listed below – all definitions except the
definitions added to the list will be used for the scan.
— Scan only definitions included in list below – only the definitions added to the list will be used
for the scan.

To add a definition to the list, click Add and select the definition from the list.
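As an added illustration (not Kaspersky's code and not an ICS CERT rule set), the following Python resolves a constructed OVAL collection the way the audit described above does: each definition's criteria tree (AND/OR operators, negate, extend_definition) is evaluated against test outcomes and the three Scope tab modes select which definitions are reported. The same recursive AND/OR evaluation is what determines which group of conditions matched in the IoC scan detection card; the ids, the XML and the test outcomes here are all constructed.

```python
import xml.etree.ElementTree as ET
NS = {"oval": "http://oval.mitre.org/XMLSchema/oval-definitions-5"}

# Constructed OVAL collection with hypothetical ids (not an ICS CERT rule set):
# def:2 extends def:1 and nests an OR group; def:3 negates a single criterion.
OVAL_XML = """<oval_definitions xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5">
<definitions>
 <definition id="oval:ex:def:1" class="inventory" version="1">
  <criteria><criterion test_ref="oval:ex:tst:1" comment="ExampleApp installed"/></criteria>
 </definition>
 <definition id="oval:ex:def:2" class="vulnerability" version="1">
  <criteria operator="AND">
   <extend_definition definition_ref="oval:ex:def:1"/>
   <criteria operator="OR"><criterion test_ref="oval:ex:tst:2" comment="version 1.0"/>
    <criterion test_ref="oval:ex:tst:3" comment="version 1.1"/></criteria>
  </criteria>
 </definition>
 <definition id="oval:ex:def:3" class="patch" version="1">
  <criteria><criterion test_ref="oval:ex:tst:4" negate="true" comment="hotfix installed"/></criteria>
 </definition>
</definitions>
</oval_definitions>"""

# Constructed outcomes of the individual OVAL tests, standing in for the facts
# the Agent gathers on the node (installed software, versions, files, ...).
TEST_RESULTS = {"oval:ex:tst:1": True, "oval:ex:tst:2": False,
                "oval:ex:tst:3": True, "oval:ex:tst:4": True}

def evaluate(node, defs, results):
    """Evaluate a <criteria>, <criterion> or <extend_definition> element; True = matched."""
    tag = node.tag.split("}")[-1]
    if tag == "criterion":
        value = results.get(node.get("test_ref"), False)
    elif tag == "extend_definition":  # reuse another definition's whole criteria tree
        value = evaluate(defs[node.get("definition_ref")].find("oval:criteria", NS), defs, results)
    else:  # <criteria>: combine children with the AND (default) or OR operator
        values = [evaluate(child, defs, results) for child in node]
        value = all(values) if node.get("operator", "AND") == "AND" else any(values)
    return (not value) if node.get("negate") == "true" else value

def audit(xml_text, results, mode="all", listed=()):
    """Return {definition id: (class, triggered)} for the definitions in scope;
    mode mirrors the Scope tab: "all", "except" (all but listed), "only" (listed)."""
    root = ET.fromstring(xml_text)
    defs = {d.get("id"): d for d in root.iterfind(".//oval:definition", NS)}
    scope = {"all": list(defs), "except": [i for i in defs if i not in listed],
             "only": [i for i in defs if i in listed]}[mode]
    return {i: (defs[i].get("class"), evaluate(defs[i].find("oval:criteria", NS), defs, results))
            for i in scope}
```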


Kaspersky Security Center loads the list of definitions from the added source of OVAL rules.

To add OVAL rules from a file, select the Custom database from file … option and click Import OVAL
collection from file.

You can upload only one archive containing XML files with OVAL rules.

The administrator can find the results of the Security Audit task on the Application settings tab of the
task in the Report section.

The results are provided in a report where you can find the OVAL definitions that were used to conduct
the audit. The scan result will be indicated for each definition in the Security audit result type column.
