Kaspersky Anti Targeted Attack Platform (hereinafter also referred to as "the program") is a solution designed for the protection of a corporate IT infrastructure and timely detection of threats such as zero-day attacks, targeted attacks, and complex targeted attacks known as advanced persistent threats (hereinafter also referred to as "APT"). The program is developed for corporate users.
Kaspersky Anti Targeted Attack Platform includes two functional blocks:
Kaspersky Anti Targeted Attack (hereinafter also referred to as "KATA"), which provides perimeter security for the enterprise IT infrastructure.
Kaspersky Endpoint Detection and Response (hereinafter also referred to as "KEDR"), which provides protection for the local area network of the organization.
The program can receive and process data in the following ways:
Integrate into the local area network, receive and process mirrored SPAN, ERSPAN and RSPAN traffic, and extract objects and metadata from the HTTP, FTP, SMTP, and DNS protocols.
Mirrored traffic is a copy of traffic redirected from one switch port to another port of the same switch (local mirroring) or to a remote switch (remote mirroring). The network administrator can configure which part of the traffic should be mirrored for transmission to Kaspersky Anti Targeted Attack Platform.
Connect to the proxy server via the ICAP protocol, receive and process data of HTTP and FTP traffic, as well as HTTPS traffic if the administrator has configured SSL certificate replacement on the proxy server.
Connect to the mail server via the POP3(S) and SMTP protocols, receive and process copies of e-mail messages.
Integrate with Kaspersky Secure Mail Gateway and Kaspersky Security for Linux Mail Server, receive and process copies of email messages.
For detailed information on Kaspersky Secure Mail Gateway and Kaspersky Security for Linux Mail Server, please refer to the documentation on these programs.
Integrate with Kaspersky Endpoint Agent and receive data from individual computers running Microsoft® Windows® and Linux® operating systems in the corporate IT infrastructure. Kaspersky Endpoint Agent continuously monitors processes running, active network connections, and files that are being modified on those computers.
Integrate with external systems using the REST API and scan files on these systems.
The program uses the following means of Threat Intelligence:
Infrastructure of Kaspersky Security Network (also referred to as "KSN") cloud services that provides access to the online Knowledge Base of Kaspersky, which contains information about the reputation of files, web resources, and software. The use of data from Kaspersky Security Network ensures faster responses by Kaspersky programs to threats, improves the performance of some protection components, and reduces the likelihood of false alarms.
Integration with Kaspersky Private Security Network (KPSN) to access the reputation databases of Kaspersky Security Network and other statistical data without sending data from user computers to Kaspersky Security Network.
Integration with the Kaspersky information system known as Kaspersky Threat Intelligence Portal, which contains and displays information about the reputation of files and URLs.
The Kaspersky Threats database.
The program can provide the user with the results of its performance and Threat Intelligence in the following ways:
Display the results of work done in the web interface of the Central Node, Primary Central Node (hereinafter also PCN) or Secondary Central Node (hereinafter also SCN) servers.
Publish alerts to a SIEM system already being used in your organization via the Syslog protocol.
Integrate with external systems via the REST API and send information on detects to external systems on demand.
A local reputation database is a database of the reputations of objects (files or URLs) that is stored on the Kaspersky Private Security Network server but not on Kaspersky Security Network servers. Local reputation databases are managed by the KPSN administrator.
Users with the Senior security officer or Security officer role can perform the following actions in the program:
Monitor program performance.
View the table of detected signs of targeted attacks and intrusions into the corporate IT infrastructure, filter and search alerts, view and manage each alert, and follow recommendations for evaluating and investigating incidents.
Look through the table of events occurring on computers and servers of the corporate IT infrastructure, search for threats, filter, view and manage each event, follow recommendations for evaluating and investigating incidents.
Run tasks on hosts with Kaspersky Endpoint Agent: run programs and stop processes, download and delete files, quarantine objects on Kaspersky Endpoint Agent workstations, place copies of files in Storage, and restore files from quarantine.
Set up policies that prevent files they consider unsafe from running on selected hosts with Kaspersky Endpoint Agent.
Isolate separate hosts with Kaspersky Endpoint Agent from the network.
Work with TAA (IOA) rules to classify and analyze events.
Manage user-defined Targeted Attack Analyzer TAA (IOA), Intrusion Detection System (IDS), and YARA rules — upload rules to be used for scanning events and creating alerts.
Work with OpenIOC compliant files (IOC files) to search for signs of targeted attacks, infected and probably infected objects on hosts with the Endpoint Agent component and in the Alerts database.
Exclude TAA (IOA) rules and IDS rules defined by Kaspersky from scanning.
Manage objects in quarantine and copies of objects in Storage.
Manage reports on the program performance and on detects.
Configure forwarding of notifications about alerts and about program operation problems to one or multiple email addresses.
Manage the list of VIP alerts and the list of data excluded from the scan, and populate the local reputation database of KPSN.
Users with the Security auditor role can perform the following actions in the program:
Monitor program performance.
View the table of detected signs of targeted attacks and intrusions into the enterprise IT infrastructure, filter and search alerts, and view the data of each alert.
Look through the table of events occurring on the computers and servers of the enterprise IT infrastructure, search for threats, filter and view each event.
View the list of hosts with the Endpoint Agent component and information about selected hosts.
View the custom rules for Targeted Attack Analyzer TAA (IOA), Intrusion Detection System (IDS), and YARA.
View the scan-excluded TAA (IOA) rules and IDS rules defined by Kaspersky experts.
View reports on program performance and reports on alerts.
View the list of VIP alerts and the list of data excluded from the scan.
View all settings made in the program web interface.
Users with the Local administrator or Administrator role can perform the following actions in the program:
Administer integration of the program with other programs and systems.
Manage TLS certificates and set up trusted connections between Central Node and Sandbox servers and between Kaspersky Anti Targeted Attack Platform servers and Kaspersky Endpoint Agent as well as external systems.
Manage accounts of program users.
Monitor program performance.
The program detects the following events occurring within the corporate IT infrastructure and notifies the user accordingly:
A file has been downloaded or an attempt was made to download a file to a corporate LAN computer.
A file has been sent to the email address of a user on the corporate LAN.
A website link was opened on a corporate LAN computer.
Network activity has occurred in which the IP address or domain name of a corporate LAN computer was detected.
Processes have been started on a corporate LAN computer.
Kaspersky Anti Targeted Attack Platform evaluates events and, based on Kaspersky experience, advises the user how much attention each detected event (alert) warrants according to the impact that the alert may have on the security of the computer or the corporate LAN.
The Kaspersky Anti Targeted Attack Platform user independently decides on further actions in response to alerts.