Kaspersky CyberTrace
What's new
Kaspersky CyberTrace offers the following new features and improvements:
What's new in version 4.0
- An indicator database with full-text search and support for advanced search queries was added, enabling complex searches across all indicator fields, including the context fields. Results can be filtered by intelligence supplier, which simplifies the analysis of threat intelligence data.
- Pages with detailed information about each indicator were added for deeper analysis. Each page presents all information about an indicator from all threat intelligence suppliers (deduplication) and allows analysts to discuss threats in comments, as well as add internal threat intelligence about the indicator. If the indicator was detected, information about detection dates and links to the detections list will be available.
- Storage for detections was added to simplify security monitoring and alert triage. The raw event from the source and full information about the detection are saved to the database for future analysis. The detection list supports searching the saved data to find all detections by threat, source IP address, user name, or any other field.
- An indicator export feature was added to support exporting indicator sets to security controls such as policy lists (block lists) and to support sharing threat data between Kaspersky CyberTrace instances or with other TI platforms.
- A historical correlation feature (retroscan) was added to allow analyzing observables from previously checked events by using the latest feeds to find previously uncovered threats. All historical detections will be included in the report, for future investigations.
- A filter for sending detection events to SIEM solutions was added to reduce the load on those solutions and on the analyst (reducing alert fatigue). It allows sending SIEM solutions only the most dangerous and confident detections, which must be treated as incidents. All other detections are saved to the internal database and can be used during root cause analysis or threat hunting.
- A multitenancy feature was added to support MSSP or large enterprise use cases in which a service provider (central office) needs to handle events from different branches (tenants) separately. The feature allows connecting a single Kaspersky CyberTrace instance to different SIEM solutions belonging to different tenants and configuring which feeds are used for each tenant.
- An HTTP REST API for looking up and managing threat intelligence was added. By using the REST API, Kaspersky CyberTrace can be easily integrated into complex environments for automation and orchestration. The API supports observable lookups as well as management scenarios for TI indicators and TI suppliers.
- Integration with Kaspersky Unified Monitoring and Analysis Platform (KUMA) was added, including Web UI integration (single UI).
- New components were added to the Dashboard:
  - A table with the last feed update statuses was added to inform the user about the update status of each feed.
  - A graph of the checked events count was added to inform the user about the current and historical load on the system (in events per second, EPS).
  - A feed intersection matrix was added to help with choosing the most valuable threat intelligence suppliers.
  - A scenario for an auto-updating dashboard was added to allow displaying key metrics on a TV screen in the user's office.
- Authentication with LDAP (MS Active Directory) was added.
- Ability to load feeds from Kaspersky as custom feeds was added, to simplify the process of adding new Kaspersky feeds to Kaspersky CyberTrace.
- UI style was updated in accordance with the Kaspersky rebranding guidelines.
- The process of creating format strings for events that are sent to SIEM solutions was simplified. A wizard that automatically composes event format strings based on the selected set of event fields was added.
- Installers for Windows and Linux were updated:
  - Kaspersky CyberTrace is delivered as a single package for all SIEM solutions. The LogRhythm SIEM solution is supported out of the box.
  - Initial configuration was moved from the installers to CyberTrace Web and must be performed in the Web UI after the first launch.
  - In Linux packages, init.d management scripts were replaced with systemd unit files.
- URL normalization for third-party intelligence sources was added to simplify the process of integrating third-party intelligence into Kaspersky CyberTrace.
- A new X-KF-SaveStatistic flag was added to support saving detection statistics when X-KF-ReplyBack mode is used.
- Integration with RSA was updated (the ":rfc3164" mode for forwarding from SIEM solutions is recommended instead of using EventDelimiter on the Kaspersky CyberTrace side).
- Windows Server 2019 is now supported, and support for Windows Server 2008 and desktop versions of Windows was limited.
- Feed Service can send alerts to a specific IP address or hostname separately from detection events. The connection settings for alert events can be specified in Kaspersky CyberTrace Web.
- If an error occurs while sending a detection event, Feed Service tries to resend it after a specific period of time. The number of attempts and the time interval between them are specified in the Feed Service configuration file.
- When adding a custom or third-party feed, the level of confidence is specified. This information is then included in detection events.
- When adding a custom or third-party feed, the vendor name must be specified. Such feeds and suppliers are listed separately from OSINT feeds.
- Kaspersky Threat Data Feeds now include ICS Hash Data Feed for protection against malicious applications that are aimed at Industrial Control Systems.
- Adding custom feeds in the MISP format is supported. Such feeds can be loaded from a local folder or via HTTP(S).
- The basic authentication scheme is available for each custom feed that is loaded via HTTP(S) or FTP(S).
- Information about the running and finished tasks is now available on the Tasks tab.
- The following OSINT feeds are no longer supported:
  - Abuse.ch_Ransomware_Common
  - Abuse.ch_Ransomware_BlockUrl
  - Abuse.ch_Ransomware_BlockDomain
  - Abuse.ch_Ransomware_BlockIP
  - Abuse.ch_Feodo_MalwareHash
Article ID: 192225, Last review: Apr 14, 2021