Kaspersky Anti Targeted Attack Platform 3.6 release notes


24 May 2019
Product news

Kaspersky Anti Targeted Attack Platform 3.6 was released on May 24, 2019.

What we’ve added

  • Classification of Sandbox alerts according to the MITRE ATT&CK matrix. The Sandbox component maps detected suspicious activity to the attack phases, techniques and methods of the MITRE ATT&CK matrix.
  • The option to create a custom database of indicators of attack (IOA) for classifying and analyzing events.
  • An application deployment scenario which lets multiple Central Node servers connect to the same Sandbox servers.
  • Case sensitivity support when searching for, editing, and deleting files, folders, and other objects in accordance with NTFS file system standards.
  • Monitoring of additional registry keys: analysis of changes to registry branches under HKEY_USERS and HKEY_CURRENT_USER.
  • Forwarding of additional Windows event log types (Windows event logging) with the following IDs:
    • EventId 4776 — the computer attempted to validate the credentials for an account.
    • EventId 4648 — a logon was attempted using explicit credentials.
    • EventId 4768 — a Kerberos authentication ticket (TGT) was requested.
    • EventId 4769 — a Kerberos service ticket was requested.
    These events allow the following attack techniques to be detected:
    • Pass-the-hash (4776, 4624)
    • Kerberoast (4769)
    • Mimikatz (4624, 4648, 4768)
  • API support for sending information about Kaspersky Anti Targeted Attack Platform alerts to third-party solutions on request. The transmitted alert data can also include the technologies that triggered, the object type, and the alert importance.
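The event IDs listed above are the raw material for correlating these attack techniques in a SIEM or EDR. The Python below is an added example, not Kaspersky's code or a description of the platform's own rules: it runs simplified correlation heuristics over constructed Security-log records, and the RC4 ticket encryption type (0x17), the time windows and the service-count threshold are assumptions chosen for illustration.

```python
# Constructed sample Security-log records (not real telemetry). "t" is seconds
# since an arbitrary epoch; field names are shortened from the Windows event XML.
EVENTS = [
    {"id": 4776, "t": 100, "user": "svc_backup", "host": "WS-17"},
    {"id": 4624, "t": 101, "user": "svc_backup", "host": "WS-17", "logon_type": 3, "auth_pkg": "NTLM"},
    {"id": 4769, "t": 400, "user": "jdoe", "host": "WS-02", "service": "MSSQLSvc/db01", "etype": "0x17"},
    {"id": 4769, "t": 405, "user": "jdoe", "host": "WS-02", "service": "HTTP/web01", "etype": "0x17"},
    {"id": 4769, "t": 410, "user": "jdoe", "host": "WS-02", "service": "CIFS/fs01", "etype": "0x17"},
    {"id": 4769, "t": 900, "user": "alice", "host": "WS-05", "service": "CIFS/fs01", "etype": "0x12"},  # AES: benign
    {"id": 4648, "t": 500, "user": "jdoe", "target": "da_admin", "host": "WS-02"},
    {"id": 4768, "t": 502, "user": "da_admin", "host": "WS-02"},
    {"id": 4624, "t": 503, "user": "da_admin", "host": "WS-02", "logon_type": 3, "auth_pkg": "Kerberos"},
]

def _near(events, eid, t, window, **match):
    """Events with id `eid` in the `window` seconds after `t` whose fields all equal `match`."""
    return [e for e in events if e["id"] == eid and t <= e["t"] <= t + window
            and all(e.get(k) == v for k, v in match.items())]

def detect_pass_the_hash(events, window=5):
    """Heuristic: NTLM credential validation (4776) followed by a network NTLM logon (4624)."""
    hits = set()
    for e in events:
        if e["id"] == 4776 and _near(events, 4624, e["t"], window, user=e["user"],
                                     host=e["host"], logon_type=3, auth_pkg="NTLM"):
            hits.add((e["user"], e["host"]))
    return sorted(hits)

def detect_kerberoast(events, window=60, min_services=3):
    """Heuristic: one account requests RC4 (0x17) service tickets for many SPNs in a short window."""
    hits = set()
    for e in events:
        if e["id"] == 4769 and e.get("etype") == "0x17":
            spns = {x["service"] for x in _near(events, 4769, e["t"], window, user=e["user"], etype="0x17")}
            if len(spns) >= min_services:
                hits.add(e["user"])
    return sorted(hits)

def detect_explicit_cred_misuse(events, window=10):
    """Heuristic: 4648 naming another account, then a TGT (4768) and a logon (4624) for that account."""
    hits = set()
    for e in events:
        if e["id"] == 4648 and e["target"] != e["user"]:
            tgt = _near(events, 4768, e["t"], window, user=e["target"], host=e["host"])
            logon = _near(events, 4624, e["t"], window, user=e["target"], host=e["host"])
            if tgt and logon:
                hits.add((e["user"], e["target"], e["host"]))
    return sorted(hits)
```

Each detector returns the accounts (and hosts) it flags, so the same functions can be fed records parsed from a real event forwarder once the field names are mapped.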

What we’ve implemented

  • Multitenancy mode, in which Kaspersky Anti Targeted Attack Platform is installed as a distributed solution and can be used to protect the infrastructure of multiple organizations.
    • One or more Central Node servers can be used for the same organization.
    • Each organization can manage the program independently of other organizations.
    • The provider can manage the data of several organizations.
  • A new method for analyzing APK files of the Android operating system based on machine learning.

Other improvements

  • The Targeted Attack Analyzer technology now provides automatic analysis and classification of alerts and events from Endpoint Sensors. It checks whether the collected events match indicators of attack (IOA) and the MITRE ATT&CK matrix. The IOA rule database is created by experts at Kaspersky Lab and is continuously updated. Events that have triggered IOA rules are marked in the program interface. IOA rules contain descriptions of signs of attacks, examples and recommended countermeasures, as well as links to the information on each sign of attack in the MITRE ATT&CK knowledge base.
  • Improved password recovery for protected Microsoft Office documents and email attachments. Passwords for email attachments can be recovered for the following file formats: ArchiveRAR (RAR v5) and Archive7z (7Z). Passwords for documents in PDF, Word, Excel, and PowerPoint formats can also be recovered. Passwords are looked up in an existing password database or derived by analyzing the text of the email message body.
  • We have optimized the application’s performance. Central Node and Sandbox servers now have 30% lower hardware requirements.

For more information about the release, see this article.
