Threat Validation Made Easy with Kaspersky TIP

Threat hunting for security teams has always been like finding a needle in a haystack. With the Kaspersky Threat Intelligence Portal (TIP) plugin, DNIF users can now populate and validate threats based on surfaced threat intel data for IP addresses, domains, URLs and file hashes observed in DNIF events.


Complete visibility of your organization's security threat landscape and risk exposure.

Need For Context-Driven Threat Hunting

Modern cyberthreats require an in-depth view of the tactics and tools used by threat actors. Generating this intelligence and identifying the most effective countermeasures require constant dedication and a high level of expertise. Threat intelligence feeds integrated directly into a next-gen SIEM platform empower security teams to stay up to date with recently discovered Indicators of Compromise (IOCs), which results in quicker detection and mitigation of emerging attacks.

Kaspersky TIP + DNIF

DNIF’s integration with Kaspersky’s TIP ensures users have an end-to-end solution when it comes to detecting malicious activities and possible threats within a network environment. DNIF analyses terabytes of data in real time and uses its features and functionalities to detect outliers, has them validated against Kaspersky’s 100% vetted Threat Intelligence, and lets them be acted upon in the shortest possible time frame.

Key Features:

  • Ingest and analyse structured as well as unstructured data in real time.
  • Threat intelligence generated, monitored and delivered by Kaspersky’s highly fault-tolerant infrastructure.
  • Detect known as well as unknown threats across the organization with the help of profilers that detect outliers and perform trend analysis.
  • Orchestrate and respond across the technology stack with scenario-based automation playbooks.
  • Perform advanced security analytics by correlating threat intel feeds with UEBA and SOAR.

Get Started With Simple Validation Queries

Get IP Report

Validate and monitor traffic sources across the organization by checking IP addresses in real time for known bad reputation.

Sample Query

Get URL Report

Identify malicious or flagged websites accessed across the organization in real time.

Sample Query

Get Domain Report

Identify domains and sub-domains that were accessed within the organization and have been flagged for known malicious activity.

Sample Query

Get File Hash Report

Validate file hashes to identify malicious or infected files and enforce file integrity monitoring across the organization.

Sample Query

Detecting Malicious IP Addresses

Attackers can misconfigure IP options to evade detection mechanisms and/or perform reconnaissance on a network. They can also craft malicious packets (and packet fragments) that contain anomalies designed to bypass detection mechanisms and gain targeted information about a network. Because different operating systems respond differently to anomalous packets, attackers can determine the OS running on a target by examining the target’s response to the packet.

DNIF has a repository containing multiple device-specific packages; each package contains widgets, dashboards, reports, modules, workbooks and alerts for that device. The Apache Webserver: Base Package contains a workbook named “Malicious IP Detection”; this workbook contains a query that detects a malicious IP and raises a module/alert when one is found. For a complete walkthrough of the use case, please refer to the presentation shared below:

Detect malicious IP addresses - A complete use case walkthrough
