Kaspersky Threat Intelligence Portal offers the following features and enhancements.
RELEASE 12.2023
Threat Lookup has been enhanced to showcase indicator availability across our Data Feeds, thus helping to identify and prioritize the most dangerous, prevalent and emerging threats.
Threat Lookup API now allows users to search the Dark and Surface webs.
URL Sandbox. Phishing content analysis for web addresses has been significantly enhanced, improving accuracy when identifying phishing threats.
File Sandbox. Now allows automatic type detection for file names featuring multiple dots, thus optimizing the analysis process by improving accuracy and efficiency.
Reporting. The user interface (UI) has been enhanced by consolidating the various report types into a single section (also reflected on the Home page), streamlining access and navigation.
Data Feeds API. Introducing a new set of prevention-oriented feeds that can be seamlessly integrated with network security appliances and accessed through an API.
Data Feeds tab updated to provide up-to-date information about our Data Feeds (introducing new Feeds).
General improvements:
RELEASE 10.2023
Similarity technology. New Similarity technology is available both for Threat Lookup and Threat Analysis. Users can now submit a file (in Threat Analysis) or its hash (in Threat Lookup) and receive a list of hashes for similar malicious files known to Kaspersky. Furthermore, users can also get additional useful context to identify samples with similar functionality and understand their characteristics and properties to better detect evolving cyberthreats. Making an intelligent decision based on comprehensive file analysis is the optimal approach to understanding current sophisticated, targeted, and tailored threats. Individual anti-virus or behavior analysis tools working in silos may yield only limited information about recently modified malware. However, the combination of threat intelligence, dynamic analysis, threat attribution and similarity technologies provides users with a powerful tool for the detection of malicious objects that were not previously seen. To help security researchers stay informed about existing and emerging threats, the technology has a customizable interface that allows users to filter search parameters to quickly prioritize and address critical threats and thus remediate them more effectively.
The Threat Analysis user interface (UI), including the History section, has been enhanced to support file analysis scenarios covering the Similarity technology and to improve the speed at which results are displayed.
Data Feeds tab updated. Data Feeds tab now highlights proper use cases for available Data Feeds. It allows users to make a conscious decision when selecting Data Feeds for their purposes.
Analysis of password-protected archives now supported. Kaspersky Threat Attribution Engine technology has been updated to improve Threat Analysis by supporting the option to analyze password-protected archives. After uploading, such archives are then extracted and all objects are fully processed, like any other files that are not password protected.
New API specifications for Threat Lookup and Threat Analysis. The new specifications adhere to industry OpenAPI standards and provide clear and standardized endpoints, parameters, and responses for seamless integration. This allows developers to access comprehensive insights, thus streamlining API consumption and integration.
API specification files are easy to navigate and are available from Kaspersky Threat Intelligence Portal Help.
General improvements:
RELEASE 05.2023
New timeline of IoCs changes. Kaspersky Threat Intelligence Portal now displays how and when zone and category changes were made for an IP address, web addresses or domain over the last two months or two years. This significantly accelerates incident investigations and threat hunting when identified IoCs are clean or not categorized at the moment of investigation.
Asset Management of Digital Footprint Intelligence improvements. Service now supports new asset types:
This extension of attack surface monitoring capabilities increases cyber underground visibility and transparency, allowing you to identify a new class of previously hidden threats.
The user can also remove unnecessary assets to stop monitoring them.
New "Like" button for Threat Intelligence reports. Users can now "Like" reports to provide anonymized feedback, helping experts to focus on developing reports with the most popular formats or themes.
Data Feeds tab content updated. Users can now access up-to-date information about our Data Feeds (introducing new Data Feeds) and tools designed for their seamless integration with your security controls.
General improvements:
RELEASE 02.2023
Improved UI/UX Research Graph. New nodes such as Actor and Report names are now also supported. The user can now place a Report name or an Actor on the Graph to see their relations with IoCs and vice versa. This accelerates incident investigations and threat hunting activities by highlighting IoCs from high-profile attacks described in our APT, Crimeware or Industrial reports, as well as Actor profiles.
Introduction of dark mode or theme. Users can now switch between the current bright mode and a dark alternative, either to improve visibility in dim light or for purely aesthetic reasons.
Improved Threat Lookup. More details are now available about attachments in spam messages. The information is provided for a hash in the new File was attached to email section and includes the following:
Categories for spam messages are also provided, such as phishing or spoofing.
Saved searches with filters are now supported. Users can now specify different filters and criteria for automated scheduled searches to monitor and receive alerts about new information for a particular IoC, keyword, phrase or intelligence report. This significantly improves proactive uncovering of the following previously unknown or inactive threats:
Users can manage (edit, delete) the list of created saved searches by specifying their names, periods to check new data, and notifications about new data (via UI or email). Notifications about new findings are also displayed on the Home page for a quick check. When opening the notification, users obtain new data compared to the previous state.
Monthly subscriptions are now supported. This change was made to meet MSSP license requirements.
The customer registration process to get user credentials for the Portal has also been simplified.
RELEASE 07.2022
Threat Lookup now supports new categories for IP addresses:
Threat Lookup now provides more classifications for APT- and Crimeware-related objects (IP addresses, domains, web addresses, and hashes):
Full context for found objects is available via a link to the corresponding report or service, which is next to the tag.
We updated Surface web and Dark Web search syntax in Threat Lookup. See the Help for more information on syntax and working with search operators.
Improved Kaspersky Sandbox. Now you can download files generated while the analyzed file is executed:
General improvements:
RELEASE 06.2022
Improved Digital Footprint Intelligence. The context for phishing, typosquatting, and combo-squatting real-time notifications has been extended. Our phishing tracking service actively tracks and alerts you in real time to the appearance of phishing websites targeting your brand, company name, online services or trademarks, and provides you with relevant, accurate and detailed context about phishing or fraudulent activity directly relevant to your business, including injected malware and phishing URLs that steal credentials, sensitive information, financial information, and personal data from your users.
Every notification provides deep coverage, high accuracy, and reliable information about phishing attacks, enabling you to react fast to dynamically generated phishing domains and URLs as well as to phishing outbreaks. The provided intelligence enables you to act swiftly and with precision to mitigate the impact of phishing activity on your organization and your users, taking a proactive stance against fraud. A takedown service is also available.
Phishing notifications now include the following context:
RELEASE 04.2022
Improved Cloud Threat Attribution Engine. Now clicking on an Actor (on the analysis report page) initiates a search request to show available related threat intelligence reports and actors.
Improved user experience for the search functionality. When using the search functionality, the user stays on the tab where the search was initiated (previously the user was always redirected to the Lookup tab).
Improved Kaspersky Sandbox:
New section values are added to differentiate results for specific Android and Windows sections with the same section names. Certain values are still available for backward compatibility with previous API versions.
RELEASE 12.2021
Introduction of Dark web search. This is a source of invaluable threat and brand intelligence that offers insights from a comprehensive range of deep and dark web sources for threats to your organization, whether a planned attack, discussions around vulnerabilities, or a successful data breach. This tailored information provides visibility over risks to your organization, enabling security teams to reduce the attack surface, secure online brand value, and take actions on threats before, or even after, they become incidents (to minimize impact).
With the service you can:
Benefits include Dark web monitoring, Digital Footprint tailored reports, real-time notification about threats to your assets, and takedown services. The service also provides actionable and trusted threat and brand intelligence, with human contextualized analysis, to ensure security teams move as swiftly as possible to prevent, detect, respond to and mitigate external threats that pose the greatest danger to your assets, brand organization, region or industry.
Introduction of Surface web search. The Surface web offers security practitioners a vast and potentially hugely valuable source of intelligence about threats. By introducing this service, we inform you about how global security events can potentially impact or are already threatening your assets, brand or organization. The service condenses and validates a comprehensive range of security-related surface/open web sources (such as security news portals, blogs or forums) to provide access to information that helps you identify critical events, assess risks, anticipate disruptions to reduce security risks, keep employees safe and boost security resilience.
Benefits include Surface web monitoring, Dark web monitoring, Digital Footprint tailored reports, real-time notification about threats to your assets, and takedown services. You also receive actionable and trusted threat and brand intelligence, with human contextualized analysis, to ensure security teams move as swiftly as possible to prevent, detect, respond to and mitigate external threats that pose the greatest danger to your assets, brand, organization, region or industry.
Threat Lookup is extended with Indicators of Compromise from a wide range of high-confidence OSINT sources. The results are displayed via the OSINT IoCs tab. This presents the OSINT sources where looked-up IoCs are mentioned, even if Kaspersky Threat Lookup does not provide any context. The Hash IoC type is supported now, while URL, Domain and IP address IoC types will be available during 2022.
Introduction of Research Graph. The Graph (also known as Link Analysis) is designed to explore data stored in TI Portal (Threat Lookup) visually, discover threat commonalities and generate new related IoCs. It allows you to graphically visualize the relationship between URLs, domains, IPs, files, and other context encountered during investigations, pivot to find additional relationships and view in-depth information without the investigation losing context (no need to manually cross-reference dozens of indicators provided in tables). The graph includes the following features: transformations, mini graph, grouping nodes, manual addition of links, addition of indicators and node searching.
Digital Footprint Intelligence service now allows the management of an organization’s assets to be monitored. The user can specify or import a list of assets grouped by their type (such as IP addresses or ranges, domains, brand names, employee names, emails, and so on) to be automatically monitored by the service. Kaspersky experts can also contribute to the list of assets, for example, by discovering your servers or services which are publicly exposed on the internet, intentionally or unintentionally (shadow IT). An ignore list is also supported, allowing users to specify assets that should be disregarded for monitoring. In the case that a specified asset is discovered across the surface, deep, or dark web, the user receives a real-time notification with useful context, such as priority, timestamps and source. Digital Footprint tailored reports also include analysis of all assets specified by the user.
Cloud Threat Attribution Engine (TAE) is now provided as Software-as-a-Service (SaaS), which runs completely on cloud TI Portal infrastructure (previously, only the on-premise deployment option was available). TAE is an unrivaled malware analysis tool that provides insights into the origin of high-profile malware and possible perpetrators and is now also integrated with Cloud Sandbox within the TI portal under the Threat Analysis tab. The tab allows you to access the results of Dynamic, Static, Anti-Virus and Attribution analysis for objects considered as suspicious enriched with Threat Intelligence within one single place, thus providing a powerful tool for the detection of previously unseen malicious objects. It saves the time of security analysts by preventing the need for files considered as suspicious to be run under the platforms of different vendors — a requirement that yields disparate results that are difficult to consolidate. Without accurate consolidation, it is hard to make correct decisions. As a result, the Threat Analysis tab helps SOC teams, security researchers, and malware analysts stay informed about existing and emerging malware-related threats, thus allowing them to quickly prioritize and address critical threats and remediate them more effectively.
The Threat Lookup service has been significantly improved by extending coverage to support searches within the following services:
The service unifies all of our best-in-market Threat Intelligence services and sources, and cyber reconnaissance capabilities within one single window. This allows you to leverage the synergy of these resources to extend overall threat visibility and coverage, without the need to switch between services delivering different results.
Improvement of Digital Footprint Intelligence by supporting real-time notifications of typosquatting attacks. This allows organizations to be notified not only about phishing websites, but also typosquatting. The current list of real-time notification types is the following:
The web interface has been significantly enhanced (new color scheme, layout) to ensure a smooth user experience as new features are introduced. In addition, Kaspersky’s new corporate user interface style is also supported.
General improvements:
RELEASE 10.2021
Suricata rules have been introduced to accompany our APT, Crimeware and ICS (now Industrial) Threat Intelligence reports. Threat Intelligence reports are provided with complementary files that include related Indicators of Compromise (IOCs) and YARA rules. Additionally, Suricata rules are now supported as well (see Download section for particular Threat Intelligence report).
Cyberattacks have become so sophisticated that they can thwart even the best security systems, especially those that still assume networks can be secured via firewall encryption. Kaspersky security experts provide Suricata rules to detect network threats related to those in Threat Intelligence reports. The rules can be used by Threat Intelligence report customers for network security appliances such as network intrusion detection and prevention systems (IDS/IPS), next generation firewalls (NGFW), and other network security or PCAP processing tools.
Services available through the Kaspersky Threat Intelligence Portal web interface can now also be accessed using time-based one-time passwords (TOTP) as an alternative two-factor verification method (instead of providing a Certificate). Previously, users had to have both a Login/Password and a Certificate (pfx) to access the Portal web interface. The TOTP token service offers users the flexibility to choose from a range of authentication applications such as Google Authenticator or Microsoft Authenticator.
RELEASE 08.2021
The public roadmap for Kaspersky Threat Intelligence services and features is now available for Kaspersky Threat Intelligence Portal users. It provides users with information about recent developments and what features and functionality can be expected over the coming quarters. With more transparency on the future "roadmap", users can better adjust their work activities and existing plans. The public roadmap page also offers the opportunity to submit new feedback or feature requests to influence future plans.
Given the continuously evolving cyber threat landscape, businesses need to be more proactive regarding ever more sophisticated and blended security attacks. In response, we decided to extend the scope of our Financial Threat Intelligence Reporting service to provide all clients with a unified source of information on cybercrime (not only specific to financial industries). Given the breadth of information provided, we changed the name of the existing service to Kaspersky Crimeware Intelligence Reporting.
The service will cover the following types of reports:
Reports are usually provided with complementary files that include related Indicators of Compromise (IOCs) and YARA rules (similar to APT and ICS (now Industrial) reports). Suricata rules will be added as well soon.
Crimeware Intelligence Reporting users can now gain full access to crimeware actor profiles. Similar to APT actor profiles, the new technical descriptions section for crimeware actors allows security professionals to track actors and their networks, understand their own visibility and gaps, as well as overlap TTPs against the MITRE ATT&CK matrix. Consequently, this helps companies understand what to focus on to improve their defenses proactively.
Accurate information about a malevolent actor and their preferred tools and tactics is essential, as it provides an understanding of the potential goal of an attack and what techniques may be used. For each actor, we provide a general overview, different aliases used, victimology and previous targets, descriptions of past operations, toolsets, and external references. We also provide all available reports on the actor, as well as specific IOCs and YARA rules to detect and track their activity.
RELEASE 06.2021
HasRedZone: indicates whether the requested object has potentially dangerous relations. This provides valuable context for prioritization purposes, even if the requested object is not categorized.
HOTFIX 08.2020
RELEASE 04.2020
HOTFIX 06.2019
RELEASE 04.2019
Kaspersky Sandbox now supports dynamic analysis not only for files, but for web addresses and the files accessed by web addresses as well. Web addresses are deeply analyzed in a secure environment to provide their web category, threat and suspicious activities, network and operating system activities, screenshots, downloaded files and scripts, and any other security threats hidden within legitimate content or located on the web address. A comprehensive and detailed analysis report is generated for every detonated web address to enable security professionals to accelerate incident response (IR) activities, or implement appropriate defense strategies and protection measures.
Kaspersky’s APT Intelligence Reporting Service is the result of Kaspersky Global Research and Analysis Team (GReAT) investigations. GReAT is a worldwide group of Kaspersky’s top-notch cyber-security experts who have tracked the most sophisticated APT actors and their activity for the last 10 years.
Accurate information about the actor behind a campaign is essential, as it provides an understanding of what the real goal of the attack might be and the techniques available to the adversary. Knowledge of an actor's origin, capabilities, past campaigns, techniques used in their operations, and technical details is now one click away thanks to the new actor profiles provided in our APT Intelligence Reporting Service.
For each actor, we provide a general overview, its suspected country of origin, different aliases used, victimology and previous targets, descriptions of past campaigns, toolset, and external references. We also provide all of the reports related to the actor, as well as specific IoCs and YARA rules to detect their activity.
Additionally, we map all the actor's tactics, techniques and procedures (TTPs) to the MITRE threat model, showing the ATT&CK Enterprise and PRE-ATT&CK matrix techniques that the actor used in previous campaigns. As we always do in our reports, we also map TTPs with our own descriptive methodology, dividing them into Infection Vector, Implants, and Infrastructure for a quick and high-level understanding of the threat.
Our technical description of threat actors provides the means for security professionals to track actors in their networks, understand their own visibility and gaps, and overlap TTPs against the MITRE ATT&CK matrix to know what to focus on to improve their defenses proactively.
We are introducing a feedback form to receive customer feedback regarding our Kaspersky Threat Intelligence Portal, accessible by an easy-to-use tray icon. All feedback will be considered to improve the Portal.
The Data Feeds tab content is updated to provide up-to-date information about our Data Feeds (introducing new Feeds) and tools designed for seamless integration of Data Feeds with your security controls (such as SIEMs, ELK, MISP, and so on).
The Chrome™ Plugin enables users to look up web addresses, IPs, hashes (MD5, SHA1, and SHA256), and domains straight from the viewed web pages, by using the Kaspersky Threat Intelligence Portal lookup functionality.
The goal of the plugin is to immediately provide your security teams with as much data about IoCs as possible, from any web page (without even opening Kaspersky Threat Intelligence Portal), allowing you to speed up your threat investigation activities. IoCs are highlighted automatically.
A pop-up window (with the opt-out option) for the plug-in is shown when visiting the Threat Lookup tab, for users who do not have this plug-in installed yet.
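The plugin described above has to recognize IoCs in arbitrary page text before it can look them up. As an added example (not part of these release notes and not the plugin's own code), the following Python script shows one way to do that step: it classifies hashes by length (MD5, SHA1, SHA256), extracts URLs, validates IPv4 candidates with the standard library so malformed octets are rejected, and collects remaining domains. It goes slightly beyond the text by first "refanging" defanged notation such as hxxp:// and [.] that threat reports commonly use. The sample text, hashes (the well-known digests of the empty string), hostnames and addresses are constructed; the addresses come from the documentation ranges, and no real infrastructure is referenced.

```python
"""Extract and classify indicators of compromise from free text (illustrative example)."""
import ipaddress
import re

# Hex runs of exactly 32, 40 or 64 characters, not embedded in a longer hex run.
HASH_RE = re.compile(r"(?<![a-fA-F0-9])([a-fA-F0-9]{64}|[a-fA-F0-9]{40}|[a-fA-F0-9]{32})(?![a-fA-F0-9])")
URL_RE = re.compile(r"https?://[^\s\"'<>()\[\]]+", re.IGNORECASE)
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
DOMAIN_RE = re.compile(r"\b(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}\b", re.IGNORECASE)
HASH_NAMES = {32: "md5", 40: "sha1", 64: "sha256"}


def refang(text: str) -> str:
    """Undo common defanging so that defanged and plain indicators are handled alike."""
    text = re.sub(r"hxxp", "http", text, flags=re.IGNORECASE)
    return re.sub(r"\[\.\]|\(\.\)|\[dot\]", ".", text, flags=re.IGNORECASE)


def extract_iocs(text: str) -> dict:
    """Return sorted, de-duplicated indicators grouped by type."""
    text = refang(text)
    found = {name: set() for name in ("md5", "sha1", "sha256", "url", "ipv4", "domain")}

    for m in HASH_RE.finditer(text):
        digest = m.group(1).lower()
        found[HASH_NAMES[len(digest)]].add(digest)

    for m in URL_RE.finditer(text):
        found["url"].add(m.group(0).rstrip(".,;"))

    # Hostnames inside URLs are reported as part of the URL, not again as domains.
    remaining = URL_RE.sub(" ", text)

    for m in IPV4_RE.finditer(remaining):
        try:
            found["ipv4"].add(str(ipaddress.IPv4Address(m.group(0))))
        except ValueError:
            continue                             # e.g. an octet above 255

    for m in DOMAIN_RE.finditer(remaining):
        found["domain"].add(m.group(0).lower())

    return {name: sorted(values) for name, values in found.items()}


# Constructed sample text; digests are those of the empty input, hosts are example names.
SAMPLE_TEXT = """Constructed sample report: the dropper hash d41d8cd98f00b204e9800998ecf8427e (MD5)
was fetched from hxxp://malware-example[.]test/payload.bin and then beaconed to 203.0.113.45
and c2.example.net; SHA-256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
and SHA-1 da39a3ee5e6b4b0d3255bfef95601890afd80709 were also observed, and 999.1.1.1 is not an IP"""

if __name__ == "__main__":
    for kind, values in extract_iocs(SAMPLE_TEXT).items():
        print(f"{kind:7s} {values}")
```

A real extractor would additionally check each domain's final label against the public suffix list and drop common false positives such as file names with known extensions; the script above stays with the types the plugin description lists.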
RELEASE 08.2018
The id parameter in the get_list endpoint is now a string value.
RELEASE 05.2018
RELEASE 04.2018
Kaspersky Sandbox is now available for our customers. Kaspersky Sandbox is an advanced, automated malware analysis system that has been developed out of Kaspersky sandboxing technology and previously used only in Kaspersky internal infrastructure. The technology has been evolving for more than 20 years of continuous threat research and release of the most industry-leading security solutions. It offers a hybrid approach combining threat intelligence gleaned from petabytes of statistical data (thanks to Kaspersky Security Network), behavioral analysis, and rock-solid anti-evasion and human-simulating technologies such as auto clicker, document scrolling, and stub processes.
As a result, Kaspersky Sandbox provides a high detection rate—thousands of new malicious files are detected every day. This advantage allows customers to detect advanced persistent threats (thanks to the Kaspersky Anti-APT team) and targeted and complex threats that bypass traditional anti-virus tools.
Kaspersky Sandbox is designed to boost incident response and forensic activities, or can be used as a cloud system for processing files automatically. Also available are capabilities such as data visualization graphs, export to JSON / STIX / CSV formats, and REST API for automated integration into customer workflow.
A user-friendly interface allows customers to easily understand the actions and behaviors of executed files, such as the following:
RELEASE 12.2017
RELEASE 11.2017
An executive summary, technical analysis of an attack, and indicators of compromise (IOCs) in CSV and YARA Rules formats are available for every report. RESTful API and comprehensive full-text search are also supported.
Two types of accounts are supported:
RELEASE 09.2017
The Home page displays a worldwide cyber-map with data visualization of global cyber-attacks, and provides information about the top 10 threats for each country. The Home page contains a tagged events list to notify users about new articles on the Securelist website and new APT Intelligence reports. WHOIS Tracking notifications are also available.
This section includes links to the tools developed by Kaspersky to help users to detect and remove malware during incident response activities. An Incident Response Guide from Kaspersky in PDF is also available. This guide provides basic explanations and recommendations for responding to information security incidents. This guide aims to do the following:
This utility is a multifunction high-performance tool that allows downloading, converting, and filtering of Threat Data Feeds from Kaspersky according to a specified set of rules.
HOTFIX 06.2017
Executive summaries provide an easy-to-understand overview of an attack and are C-level oriented.
Demo mode provides full access (including IOCs and executive summaries) to some selected APT Intelligence reports. All other reports (in the Demo mode) are shown but not available (names of these reports are substituted with the following phrase—Available for commercial license only).
The Licenses page can also provide license information about licensed Threat Data Feeds. You can contact Business Development Managers (BDMs) to activate this feature.
RELEASE 04.2017
Be the first to know and get exclusive, in-depth actionable intelligence reporting on advanced persistent threats (APTs). APT Intelligence Reporting Service provides customers with exclusive, proactive access to the descriptions of high-profile cyber-espionage campaigns, including associated indicators of compromise (IOCs) available in CSV and YARA Rules formats. APT Intelligence reports and associated IOCs can now be automatically requested using a RESTful API. Comprehensive full-text search and search by tags are also implemented.
Purchase access to new services, renew existing licenses, get information about remaining quotas, set notifications about expiring licenses, and much more.
Change your Kaspersky Threat Intelligence Portal password and configure email notifications for new or updated APT Intelligence reports and WHOIS tracking rules.
Now you can look up several objects in a single request using RESTful API, and see the result of each lookup in the web interface as well.
RELEASE (GA) 10.2016