What's new

Kaspersky Threat Intelligence Portal offers the following features and enhancements.

RELEASE 12.2023

Threat Lookup has been enhanced to showcase indicator availability across our Data Feeds, thus helping to identify and prioritize the most dangerous, prevalent and emerging threats.

Threat Lookup API now allows users to search the Dark and Surface webs.

URL Sandbox. Phishing content analysis for web addresses has been significantly enhanced, improving accuracy when identifying phishing threats.

File Sandbox. Now allows automatic type detection for file names featuring multiple dots, thus optimizing the analysis process by improving accuracy and efficiency.

Reporting. User interface (UI) has been enhanced by consolidating various report types into a single section, streamlining the user experience for easier access and navigation (including Home page).

Data Feeds API. Introducing a new set of prevention-oriented feeds that can be seamlessly integrated with network security appliances and accessed through an API.

Data feeds tab updated to provide up-to-date information about our Data Feeds (introducing new Feeds).

General improvements:

RELEASE 10.2023

Similarity technology. New Similarity technology is available both for Threat Lookup and Threat Analysis. Users can now submit a file (in Threat Analysis) or its hash (in Threat Lookup) and receive a list of hashes for similar malicious files known to Kaspersky. Furthermore, users can also get additional useful context to identify samples with similar functionality and understand their characteristics and properties to better detect evolving cyberthreats. Making an intelligent decision based on comprehensive file analysis is the optimal approach to understanding current sophisticated, targeted, and tailored threats. Individual anti-virus or behavior analysis tools working in silos may yield only limited information about recently modified malware. However, the combination of threat intelligence, dynamic analysis, threat attribution and similarity technologies provides users with a powerful tool for the detection of malicious objects that were not previously seen. To help security researchers stay informed about existing and emerging threats, the technology has a customizable interface that allows users to filter search parameters to quickly prioritize and address critical threats and thus remediate them more effectively.

The Threat Analysis user interface (UI), including the History section, has been enhanced to support file analysis scenarios covering the Similarity technology and to display results faster.

Data Feeds tab updated. Data Feeds tab now highlights proper use cases for available Data Feeds. It allows users to make a conscious decision when selecting Data Feeds for their purposes.

Analysis of password-protected archives now supported. Kaspersky Threat Attribution Engine technology has been updated to improve Threat Analysis by supporting the option to analyze password-protected archives. After uploading, such archives are then extracted and all objects are fully processed, like any other files that are not password protected.

New API specifications for Threat Lookup and Threat Analysis. The new specifications adhere to industry OpenAPI standards and provide clear and standardized endpoints, parameters, and responses for seamless integration. This allows developers to access comprehensive insights, thus streamlining API consumption and integration.

API specification files are easy to navigate and are available from Kaspersky Threat Intelligence Portal Help.

General improvements:

RELEASE 05.2023

New timeline of IoC changes. Kaspersky Threat Intelligence Portal now displays how and when zone and category changes were made for an IP address, web address or domain over the last two months or two years. This significantly accelerates incident investigations and threat hunting when identified IoCs are clean or not categorized at the moment of investigation.

Asset Management of Digital Footprint Intelligence improvements. Service now supports new asset types:

This extension of attack surface monitoring capabilities increases cyber underground visibility and transparency, allowing you to identify a new class of previously hidden threats.

The user can also remove unnecessary assets to stop monitoring them.

New "Like" button for Threat Intelligence reports. Users can now "Like" reports to provide anonymized feedback, helping experts to focus on developing reports with the most popular formats or themes.

Data Feeds tab content updated. Users can now access up-to-date information about our Data Feeds (introducing new Data Feeds) and tools designed for their seamless integration with your security controls.

General improvements:

RELEASE 02.2023

Improved UI/UX Research Graph. New nodes such as Actor and Report names are now also supported. The user can now place a Report name or an Actor on the Graph to see their relations with IoCs and vice versa. This accelerates incident investigations and threat hunting activities by highlighting IoCs from high-profile attacks described in our APT, Crimeware or Industrial reports, as well as Actor profiles.

Introduction of dark mode or theme. Users can now switch between the current bright mode and a dark alternative, either to improve visibility in dim light or for purely aesthetic reasons.

Improved Threat Lookup. More details are now available about attachments in spam messages. The information is provided for a hash in the new File was attached to email section and includes the following:

Categories for spam messages are also provided, such as phishing or spoofing.

Saved searches with filters are now supported. Users can now specify different filters and criteria for automated scheduled searches to monitor and receive alerts about new information for a particular IoC, keyword, phrase or intelligence report. This significantly improves proactive uncovering of the following previously unknown or inactive threats:

Users can manage (edit, delete) the list of created saved searches by specifying their names, periods to check new data, and notifications about new data (via UI or email). Notifications about new findings are also displayed on the Home page for a quick check. When opening the notification, users obtain new data compared to the previous state.

Monthly subscriptions are now supported. This change was made to meet MSSP license requirements.

The customer registration process to get user credentials for the Portal has also been simplified.

RELEASE 07.2022

Threat Lookup now supports new categories for IP addresses:

Threat Lookup now provides more classifications for APT- and Crimeware-related objects (IP addresses, domains, web addresses, and hashes):

Full context for found objects is available via a link to the corresponding report or service, which is next to the tag.

We updated Surface web and Dark Web search syntax in Threat Lookup. See the Help for more information on syntax and working with search operators.

Improved Kaspersky Sandbox. Now you can download files generated while the analyzed file is executed:

General improvements:

RELEASE 06.2022

Improved Digital Footprint Intelligence. Context for phishing, typosquatting, and combo-squatting real-time notifications is now extended. Our phishing tracking service actively tracks and alerts you in real time to the appearance of phishing websites targeting your brand, company name, online services or trademarks, and provides you with relevant, accurate and detailed context about phishing or fraudulent activity directly relevant to your business, including injected malware and phishing URLs that steal credentials, sensitive information, financial information, and personal data from your users.

Every notification provides deep coverage, high accuracy, and reliable information about phishing attacks, enabling you to react fast to dynamically generated phishing domains and URLs as well as to phishing outbreaks. The provided intelligence enables you to act swiftly and with precision to mitigate the impact of phishing activity on your organization and your users, taking a proactive stance against fraud. A takedown service is also available.

Phishing notifications now include the following context:

RELEASE 04.2022

Improved Cloud Threat Attribution Engine. Now clicking on an Actor (on the analysis report page) initiates a search request to show available related threat intelligence reports and actors.

Improved user experience for the search functionality. When using the search functionality, the user stays on the tab where the search was initiated (previously the user was always redirected to the Lookup tab).

Improved Kaspersky Sandbox:

RELEASE 12.2021

Introduction of Dark web search. This is a source of invaluable threat and brand intelligence that offers insights from a comprehensive range of deep and dark web sources for threats to your organization, whether a planned attack, discussions around vulnerabilities, or a successful data breach. This tailored information provides visibility over risks to your organization, enabling security teams to reduce the attack surface, secure online brand value, and take actions on threats before, or even after, they become incidents (to minimize impact).

With the service you can:

Benefits include Dark web monitoring, Digital Footprint tailored reports, real-time notification about threats to your assets, and takedown services. The service also provides actionable and trusted threat and brand intelligence, with human contextualized analysis, to ensure security teams move as swiftly as possible to prevent, detect, respond to and mitigate external threats that pose the greatest danger to your assets, brand, organization, region or industry.

Introduction of Surface web search. The Surface web offers security practitioners a vast and potentially hugely valuable source of intelligence about threats. By introducing this service, we inform you about how global security events can potentially impact or are already threatening your assets, brand or organization. The service condenses and validates a comprehensive range of security-related surface/open web sources (such as security news portals, blogs or forums) to provide access to information that helps you identify critical events, assess risks, anticipate disruptions to reduce security risks, keep employees safe and boost security resilience.

Benefits include Surface web monitoring, Dark web monitoring, Digital Footprint tailored reports, real-time notification about threats to your assets, and takedown services. You also receive actionable and trusted threat and brand intelligence, with human contextualized analysis, to ensure security teams move as swiftly as possible to prevent, detect, respond to and mitigate external threats that pose the greatest danger to your assets, brand, organization, region or industry.

Threat Lookup is extended with Indicators of Compromise from a wide range of high-confidence OSINT sources. The results are displayed via the OSINT IoCs tab. This presents the OSINT sources where looked-up IoCs are mentioned, even if Kaspersky Threat Lookup does not provide any context. The Hash IoC type is supported now, while URL, Domain and IP address IoC types will be available during 2022.

Introduction of Research Graph. The Graph (also known as Link Analysis) is designed to explore data stored in TI Portal (Threat Lookup) visually, discover threat commonalities and generate new related IoCs. It allows you to graphically visualize the relationship between URLs, domains, IPs, files, and other context encountered during investigations, pivot to find additional relationships and view in-depth information without the investigation losing context (no need to manually cross reference dozens of indicators provided in tables). The graph includes the following features: transformations, mini graph, grouping nodes, manual addition of links, addition of indicators and node searching.

Digital Footprint Intelligence service now allows the management of an organization’s assets to be monitored. The user can specify or import a list of assets grouped by their type (such as IP addresses or ranges, domains, brand names, employee names, emails, and so on) to be automatically monitored by the service. Kaspersky experts can also contribute to the list of assets, for example, by discovering your servers or services which are publicly exposed on the internet, intentionally or unintentionally (shadow IT). An ignore list is also supported, allowing users to specify assets that should be disregarded for monitoring. In the case that a specified asset is discovered across the surface, deep, or dark web, the user receives a real-time notification with useful context, such as priority, timestamps and source. Digital Footprint tailored reports also include analysis of all assets specified by the user.

Cloud Threat Attribution Engine (TAE) is now provided as Software-as-a-Service (SaaS), which runs completely on cloud TI Portal infrastructure (previously, only the on-premise deployment option was available). TAE is an unrivaled malware analysis tool that provides insights into the origin of high-profile malware and possible perpetrators and is now also integrated with Cloud Sandbox within the TI portal under the Threat Analysis tab. The tab allows you to access the results of Dynamic, Static, Anti-Virus and Attribution analysis for objects considered as suspicious enriched with Threat Intelligence within one single place, thus providing a powerful tool for the detection of previously unseen malicious objects. It saves the time of security analysts by preventing the need for files considered as suspicious to be run under the platforms of different vendors — a requirement that yields disparate results that are difficult to consolidate. Without accurate consolidation, it is hard to make correct decisions. As a result, the Threat Analysis tab helps SOC teams, security researchers, and malware analysts stay informed about existing and emerging malware-related threats, thus allowing them to quickly prioritize and address critical threats and remediate them more effectively.

The Threat Lookup service has been significantly improved by extending coverage to support searches within the following services:

The service unifies all of our best-in-market Threat Intelligence services and sources, and cyber reconnaissance capabilities within one single window. This allows you to leverage the synergy of these resources to extend overall threat visibility and coverage, without the need to switch between services delivering different results.

Improvement of Digital Footprint Intelligence by supporting real-time notifications of typosquatting attacks. This allows organizations to be notified not only about phishing websites, but also typosquatting. The current list of real-time notification types is the following:

The web interface has been significantly enhanced (new color scheme, layout) to ensure a smooth user experience as new features are introduced. In addition, Kaspersky’s new corporate user interface style is also supported.

General improvements:

RELEASE 10.2021

RELEASE 08.2021

RELEASE 06.2021

HOTFIX 08.2020

RELEASE 04.2020

HOTFIX 06.2019

RELEASE 04.2019

RELEASE 08.2018

RELEASE 05.2018

RELEASE 04.2018

Kaspersky Sandbox is now available for our customers. Kaspersky Sandbox is an advanced, automated malware analysis system that has been developed out of Kaspersky sandboxing technology and was previously used only in Kaspersky internal infrastructure. The technology has been evolving through more than 20 years of continuous threat research and the release of industry-leading security solutions. It offers a hybrid approach combining threat intelligence gleaned from petabytes of statistical data (thanks to Kaspersky Security Network), behavioral analysis, and rock-solid anti-evasion and human-simulating technologies such as auto clicker, document scrolling, and stub processes.

As a result, Kaspersky Sandbox provides a high detection rate—thousands of new malicious files are detected every day. This advantage allows customers to detect advanced persistent threats (thanks to the Kaspersky Anti-APT team) and targeted and complex threats that bypass traditional anti-virus tools.

Kaspersky Sandbox is designed to boost incident response and forensic activities, or can be used as a cloud system for processing files automatically. Also available are capabilities such as data visualization graphs, export to JSON / STIX / CSV formats, and REST API for automated integration into customer workflow.

A user-friendly interface allows customers to easily understand the actions and behaviors of executed files, such as the following:

RELEASE 12.2017

RELEASE 11.2017

RELEASE 09.2017

HOTFIX 06.2017

RELEASE 04.2017

RELEASE (GA) 10.2016
