Cyberattack analysis and quick response

Blocking a threat isn’t enough; you have to understand and reconstruct the whole infection chain.

Most security solutions for small and medium-size businesses exist simply to prevent malware from running on a workstation or server — and for years, that was enough. As long as an organization could detect cyberthreats on end devices, it could arrest the spread of infection over its network and thus protect the corporate infrastructure.

Times change. A typical modern cyberattack is not an isolated incident on one employee’s computer but a complex operation affecting a sizable portion of the infrastructure. Therefore, minimizing the damage of a modern cyberattack requires not just blocking malware, but also quickly understanding what happened, how it happened, and where it could happen again.

What’s changed

Modern cybercrime has evolved such that even a small company might reasonably fall prey to a full-featured, targeted attack. To some extent, that’s a result of the increasing availability of the tools needed for a complex, multistage attack. Also, however, criminals always try to maximize their profit-to-effort ratio, and ransomware operators really stand out in that regard. Lately, we’ve seen true research and lengthy preparation for ransomware operations. Sometimes, operators lurk in a target network for weeks, exploring the infrastructure and stealing vital data before striking with encryption and ransom demands.

A small business may instead serve as an intermediate target in a supply-chain attack — attackers sometimes use the infrastructure of a contractor, an online service provider, or a small partner to assault a larger organization. In such cases, they may even exploit zero-day vulnerabilities, which is normally a costly option.

Understanding what happened

Ending a complex, multilevel attack requires a clear picture of how an attacker penetrated the infrastructure, how much time they spent inside, which data they may have accessed, and so forth. Simply deleting malware would be akin to treating a disease’s symptoms without addressing its causes.

In enterprise-level companies, the SOC, the information security (IS) department, or an outside party performs such investigations, and big companies use EDR-class solutions for that. Limited budgets and staff tend to place those options out of reach of a small business. Small businesses still need specialized tools, though, to help them respond promptly to complex threats.

Kaspersky Endpoint Security Cloud with EDR

Setting up our SMB solution with EDR functionality doesn’t take a security expert — the updated Kaspersky Endpoint Security Cloud Plus offers improved visibility of the infrastructure. The administrator can quickly identify the paths a threat uses to spread, view detailed information on affected machines, inspect the details of malicious files, and see where else those files are currently present. That helps admins promptly detect all threat hot spots, block the execution of dangerous files, and isolate affected machines, thus minimizing potential damage.

While we monitor the tool’s usage to determine its relevance in the field, we’ve made EDR functionality available through 2021 to users of Kaspersky Endpoint Security Cloud Plus in test mode. You can learn more and order a trial version here.