A sophisticated targeted attack against the corporate IT infrastructure that simultaneously uses different methods to infiltrate the network, hide on the network, and gain unobstructed access to confidential data.
Data streams of the NTFS file system (alternate data streams) are intended for storing additional attributes or information about a file.
Each file in the NTFS file system consists of a set of streams. The main (unnamed) stream contains the file contents; the other, alternate streams are intended for metadata. Streams can be created, deleted, saved individually, and renamed, and an executable stored in an alternate stream can even be run as a process.
Alternate streams can be used by hackers to conceal data on a computer or to covertly transfer data to or from it, because ordinary directory listings and file-size figures do not show them.
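Because a normal `dir` listing hides alternate streams, a common hunt is to collect `dir /r` output (which does show them) from hosts and flag streams that Windows itself would not have written. The Python below is an added example, not code from the product or the original page: it parses a constructed `dir /r` listing (the sample text, the allowlist of benign stream names, and the executable-extension list are all assumptions chosen for the example) and reports streams that look like hidden payloads.

```python
import re
from dataclasses import dataclass

# Constructed sample of "dir /r" output (not data from a real host). Lines that
# describe alternate streams carry no date/time column and end in ":<stream>:$DATA".
SAMPLE_DIR_R = """\
 Directory of C:\\Users\\alice\\Downloads

03/15/2024  10:20 AM              1024 report.docx
                                    26 report.docx:Zone.Identifier:$DATA
03/15/2024  10:21 AM               512 notes.txt
                                 73216 notes.txt:payload.exe:$DATA
03/15/2024  10:22 AM              8100 invoice.pdf
                                   120 invoice.pdf:config:$DATA
               3 File(s)           9712 bytes
"""

# Streams Windows itself writes for downloaded files (assumed allowlist); anything else deserves a look.
BENIGN_STREAMS = {"Zone.Identifier", "SmartScreen"}
EXECUTABLE_EXT = (".exe", ".dll", ".ps1", ".bat", ".cmd", ".vbs", ".js", ".scr")

# size, then "<file>:<stream>:$DATA"; a stream name cannot contain ':' or '\'.
STREAM_LINE = re.compile(r"^\s+(?P<size>[\d,]+)\s+(?P<file>.+?):(?P<stream>[^:\\]+):\$DATA\s*$")


@dataclass
class AdsFinding:
    file: str
    stream: str
    size: int
    reason: str


def find_suspicious_ads(listing: str) -> list[AdsFinding]:
    """Return every non-standard alternate data stream found in a dir /r listing."""
    findings = []
    for line in listing.splitlines():
        m = STREAM_LINE.match(line)
        if not m:
            continue  # header, ordinary file entry, or summary line
        stream = m.group("stream")
        if stream in BENIGN_STREAMS:
            continue
        size = int(m.group("size").replace(",", ""))
        if stream.lower().endswith(EXECUTABLE_EXT):
            reason = "executable stored in an alternate stream"
        elif size > 64 * 1024:
            reason = "unusually large alternate stream"
        else:
            reason = "non-standard alternate stream"
        findings.append(AdsFinding(m.group("file"), stream, size, reason))
    return findings


if __name__ == "__main__":
    for f in find_suspicious_ads(SAMPLE_DIR_R):
        print(f"{f.file}:{f.stream} ({f.size} bytes): {f.reason}")
```

On the host itself the same stream can be read by opening the path with the stream name appended (`open(r"notes.txt:payload.exe", "rb")` on Windows) or listed with PowerShell's `Get-Item -Stream *`; the listing-based approach above is useful when you only have collected text output rather than access to the disk.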
Program engine. Scans files and objects for viruses and other threats to the corporate IT infrastructure using anti-virus databases.
A program planted by hackers on a compromised computer in order to be able to access this computer in the future.
Program component. Scans data, analyzes the behavior of objects, and publishes analysis results in the web interface of the program.
The highest possible speed of information transfer in the specific communication channel.
Cross-Site Request Forgery (also referred to as an "XSRF attack"). An attack on the users of a website that abuses the way browsers automatically attach credentials (such as session cookies) to requests sent to a site, regardless of which page initiated them. The attack enables actions to be performed under the guise of an authorized user of the vulnerable website. For example, while the user is logged in to a vulnerable payment system, a malicious page can covertly make the user's browser send a request to the payment system's server to transfer money to the hacker's account.
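The following Python is an added example, not code from the original page: it models the transfer endpoint from the definition above twice, once trusting the session cookie alone and once requiring proof that the request originated from the site's own pages (POST only, an exact Origin match, and a per-session token that a foreign page cannot read). The origins `bank.example` and `evil.example`, the in-memory session and balance tables, and the request shape are assumptions made for the example.

```python
import hmac
import secrets
from dataclasses import dataclass, field
from urllib.parse import urlsplit

SITE_ORIGIN = "https://bank.example"  # assumed origin of the protected site

# Constructed in-memory stand-ins for the site's session store and account table.
SESSIONS = {"sess-alice": {"user": "alice", "csrf_token": secrets.token_urlsafe(32)}}
BALANCES = {"alice": 1000, "mallory": 0}


@dataclass
class Request:
    method: str
    cookies: dict = field(default_factory=dict)
    headers: dict = field(default_factory=dict)
    form: dict = field(default_factory=dict)


def _session(req: Request):
    return SESSIONS.get(req.cookies.get("session"))


def _do_transfer(user: str, to: str, amount: int) -> None:
    BALANCES[user] -= amount
    BALANCES[to] = BALANCES.get(to, 0) + amount


def transfer_vulnerable(req: Request) -> str:
    """Trusts the session cookie alone. The browser attaches that cookie to any
    request aimed at the site, including one a malicious page made it send."""
    sess = _session(req)
    if sess is None:
        return "401 not logged in"
    _do_transfer(sess["user"], req.form["to"], int(req.form["amount"]))
    return "200 transferred"


def _request_origin(req: Request) -> str:
    """Origin header if present, otherwise scheme://host derived from Referer."""
    if "Origin" in req.headers:
        return req.headers["Origin"]
    p = urlsplit(req.headers.get("Referer", ""))
    return f"{p.scheme}://{p.netloc}" if p.scheme and p.netloc else ""


def transfer_hardened(req: Request) -> str:
    """Same action, but the request must prove it came from our own pages:
    POST only, our exact Origin, and the per-session token a foreign site cannot read."""
    sess = _session(req)
    if sess is None:
        return "401 not logged in"
    if req.method != "POST":
        return "405 state change requires POST"
    if _request_origin(req) != SITE_ORIGIN:  # exact match, not a prefix check
        return "403 cross-site origin"
    supplied = req.form.get("csrf_token", "").encode()
    if not hmac.compare_digest(supplied, sess["csrf_token"].encode()):
        return "403 missing or invalid CSRF token"
    _do_transfer(sess["user"], req.form["to"], int(req.form["amount"]))
    return "200 transferred"


def forged_request() -> Request:
    """What the victim's browser sends when a page on evil.example auto-submits a
    form to the bank: the bank cookie rides along, the token does not."""
    return Request("POST", cookies={"session": "sess-alice"},
                   headers={"Origin": "https://evil.example"},
                   form={"to": "mallory", "amount": "500"})


def legitimate_request() -> Request:
    """A submission of the bank's own form, which embeds the session's token."""
    return Request("POST", cookies={"session": "sess-alice"},
                   headers={"Origin": SITE_ORIGIN},
                   form={"to": "mallory", "amount": "100",
                         "csrf_token": SESSIONS["sess-alice"]["csrf_token"]})


if __name__ == "__main__":
    print("hardened, forged:    ", transfer_hardened(forged_request()))
    print("hardened, legitimate:", transfer_hardened(legitimate_request()))
    print("vulnerable, forged:  ", transfer_vulnerable(forged_request()))
    print("balances:", BALANCES)
```

The token check is the primary defense; the Origin check and the POST-only rule are cheap extra layers, and in a real deployment the session cookie should also carry the `SameSite` attribute so that most browsers refuse to attach it to cross-site form submissions in the first place.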
Two-level hierarchy of servers with Central Node components installed. This hierarchy allocates a primary control server (Primary Central Node (PCN)) and secondary servers (Secondary Central Nodes (SCN)).
Contents of the working memory of a process or the entire RAM of the system at a specified moment of time.
Binding agreement between you and AO Kaspersky Lab, stipulating the terms on which you may use the program.
Data received over the ICAP protocol (Internet Content Adaptation Protocol). This protocol allows an intermediary to filter and modify the data of HTTP requests and HTTP responses: for example, to scan content for viruses, block spam, or deny access to specific resources. The ICAP client is normally a proxy server that forwards HTTP data to an ICAP server over the ICAP protocol. Kaspersky Anti Targeted Attack Platform receives data from the proxy server of your organization after the ICAP server has processed it.
Program module. Scans the Internet traffic for signs of intrusions into the corporate IT infrastructure.
Indicator of Attack. Description of suspicious behavior of objects within a corporate IT infrastructure that may indicate a targeted attack on that organization.
Indicator of Compromise. A set of data about a malicious object or malicious activity.
IOC files contain a set of indicators that are compared to the indicators of an event. If the compared indicators match, the program considers the event to be an alert. The likelihood of an alert may increase if a scan detects exact matches between the data of an object and several IOC files.
Solution designed for the protection of a corporate IT infrastructure and timely detection of threats such as zero-day attacks, targeted attacks, and complex targeted attacks known as advanced persistent threats (hereinafter also referred to as "APT").
Program component. Installed on workstations and servers of the corporate IT infrastructure that run Microsoft Windows and Linux operating systems. Continuously monitors processes running on those computers, active network connections, and files that are modified.
A solution that allows users of Kaspersky anti-virus applications to access Kaspersky Security Network databases without sending data from their computers to Kaspersky Security Network servers.
A solution designed for protection of incoming and outgoing email against malicious objects and spam, and for content filtering of messages. The solution lets you deploy a virtual mail gateway and integrate it into the existing corporate mail infrastructure. An operating system, mail server, and Kaspersky anti-virus application are preinstalled on the virtual mail gateway.
An infrastructure of cloud services that provides access to the online Knowledge Base of Kaspersky which contains information about the reputation of files, web resources, and software. The use of data from Kaspersky Security Network ensures faster responses by Kaspersky programs to threats, improves the performance of some protection components, and reduces the likelihood of false alarms.
Kaspersky information system that contains and displays reputation information for files and URL addresses.
Kaspersky Anti Targeted Attack. Functional block of the Kaspersky Anti Targeted Attack Platform program, which detects threats on the perimeter of the enterprise IT infrastructure.
Kaspersky Endpoint Detection and Response. Functional block of the Kaspersky Anti Targeted Attack Platform program, which provides protection for the local area network of the organization.
A network authentication protocol that mutually authenticates a client and a server before a connection is established between them and is designed to work over untrusted networks. The mechanism is based on tickets issued to the user by a trusted authentication server (the Key Distribution Center).
A file containing one or more principal names (unique names of users or services) together with their long-term Kerberos keys. For a user principal the key is derived from the password; for a service principal it is usually random. Systems that support Kerberos use keytab files to authenticate non-interactively, without a password being entered. The keys in a keytab are stored in the clear, so the file must be protected as carefully as a password.
Database of the reputations of objects (files or URLs) that is stored on the Kaspersky Private Security Network server but not on Kaspersky Security Network servers. Local reputation databases are managed by the KPSN administrator.
URLs of resources distributing malicious software.
A structured description of the objects that can be read or managed over the SNMP protocol, each identified by a numeric object identifier (OID).
A copy of traffic redirected from one switch port to another port of the same switch (local mirroring) or to a remote switch (remote mirroring). The network administrator can configure which part of traffic should be mirrored for transmission to Kaspersky Anti Targeted Attack Platform.
Man in The Middle. An attack on the IT infrastructure of an organization in which a hacker inserts themselves into the communication path between two parties, relaying their traffic and modifying it if necessary, while both parties believe they are communicating directly with each other.
The MITRE ATT&CK (Adversarial Tactics, Techniques & Common Knowledge) knowledge base describes adversary behavior based on the analysis of real-world attacks. It is a structured catalog of known tactics and techniques, usually presented as a matrix in which each column is a tactic (the attacker's goal) and the cells beneath it are the techniques used to achieve that goal.
Operation mode in which Kaspersky Anti Targeted Attack Platform is used to protect the infrastructure of multiple organizations or branch offices of the same organization simultaneously.
Corporate IT infrastructure threats capable of overwriting, altering, encrypting, or distorting their own code to the point where a security system can no longer match them against signatures.
Precision time server using the Network Time Protocol.
An open, XML-based standard for describing indicators of compromise. Its schema defines over 500 indicator terms (for example, file hashes, process names, and registry keys) that can be combined with logical AND/OR operators into a single indicator.
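To make both the IOC-file matching described earlier (an event is an alert when its indicators match an IOC file, with more weight when several files match) and the OpenIOC format concrete, here is an added Python example that is not code from the product or the original page. It parses two constructed IOC files written in the OpenIOC 1.0 layout (the exact layout, the indicator ids, the event field names, and the events themselves are assumptions made for the example), evaluates the nested AND/OR indicator tree against an event, and reports which IOC files matched.

```python
import xml.etree.ElementTree as ET
from dataclasses import dataclass

NS = {"ioc": "http://schemas.mandiant.com/2010/ioc"}

# Two constructed IOC files written in the OpenIOC 1.0 layout (an assumption about the
# format; they are not Kaspersky samples). Each "search" names the event field it tests.
IOC_DROPPER = """<ioc xmlns="http://schemas.mandiant.com/2010/ioc" id="constructed-ioc-1">
  <short_description>Constructed dropper IOC</short_description>
  <definition>
    <Indicator operator="OR">
      <IndicatorItem condition="is">
        <Context document="FileItem" search="FileItem/Md5sum" type="mir"/><Content type="md5">d41d8cd98f00b204e9800998ecf8427e</Content>
      </IndicatorItem>
      <Indicator operator="AND">
        <IndicatorItem condition="contains">
          <Context document="ProcessItem" search="ProcessItem/name" type="mir"/><Content type="string">svchost</Content>
        </IndicatorItem>
        <IndicatorItem condition="contains">
          <Context document="ProcessItem" search="ProcessItem/path" type="mir"/><Content type="string">\\AppData\\Local\\Temp\\</Content>
        </IndicatorItem>
      </Indicator>
    </Indicator>
  </definition>
</ioc>"""

IOC_UPDATER = """<ioc xmlns="http://schemas.mandiant.com/2010/ioc" id="constructed-ioc-2">
  <short_description>Constructed fake-updater IOC</short_description>
  <definition>
    <Indicator operator="AND">
      <IndicatorItem condition="contains">
        <Context document="FileItem" search="FileItem/FileName" type="mir"/><Content type="string">update</Content>
      </IndicatorItem>
      <IndicatorItem condition="is">
        <Context document="FileItem" search="FileItem/Md5sum" type="mir"/><Content type="md5">d41d8cd98f00b204e9800998ecf8427e</Content>
      </IndicatorItem>
    </Indicator>
  </definition>
</ioc>"""


@dataclass
class IocFile:
    ioc_id: str
    description: str
    root: ET.Element  # top-level <Indicator> of the definition

def load_ioc(xml_text: str) -> IocFile:
    ioc = ET.fromstring(xml_text)
    desc = ioc.findtext("ioc:short_description", default="", namespaces=NS)
    return IocFile(ioc.get("id"), desc, ioc.find("ioc:definition/ioc:Indicator", NS))

def _item_matches(item: ET.Element, event: dict) -> bool:
    key = item.find("ioc:Context", NS).get("search")
    expected = item.findtext("ioc:Content", default="", namespaces=NS).strip().lower()
    actual = event.get(key)
    if actual is None:          # the event has no such field, so it cannot match
        return False
    actual = actual.lower()     # OpenIOC comparisons are case-insensitive by default
    cond = item.get("condition", "is")
    if cond == "is":
        return actual == expected
    if cond == "contains":
        return expected in actual
    raise ValueError(f"unsupported condition {cond!r}")

def _indicator_matches(ind: ET.Element, event: dict) -> bool:
    """Evaluate an <Indicator> group: AND requires every child, OR any child."""
    results = []
    for child in ind:
        tag = child.tag.rsplit("}", 1)[-1]  # strip the namespace
        if tag == "IndicatorItem":
            results.append(_item_matches(child, event))
        elif tag == "Indicator":            # nested group
            results.append(_indicator_matches(child, event))
    if not results:
        return False
    return all(results) if ind.get("operator", "OR").upper() == "AND" else any(results)

def match_event(event: dict, iocs: list) -> list:
    """IDs of every IOC file whose indicator tree the event satisfies."""
    return [i.ioc_id for i in iocs if _indicator_matches(i.root, event)]

def classify(matched_ids: list) -> str:
    if not matched_ids:
        return "no alert"
    return "alert" if len(matched_ids) == 1 else "alert (multiple IOC files matched)"

IOCS = [load_ioc(IOC_DROPPER), load_ioc(IOC_UPDATER)]

# Constructed events, keyed by the same terms the IOC files search on.
EVENT_BENIGN = {"ProcessItem/name": "svchost.exe", "ProcessItem/path": "C:\\Windows\\System32\\svchost.exe",
                "FileItem/Md5sum": "0f343b0931126a20f133d67c2b018a3b"}
EVENT_TEMP_SVCHOST = {"ProcessItem/name": "svchost.exe",
                      "ProcessItem/path": "C:\\Users\\alice\\AppData\\Local\\Temp\\svchost.exe"}
EVENT_DROPPER = {"FileItem/FileName": "WindowsUpdate.exe", "FileItem/Md5sum": "D41D8CD98F00B204E9800998ECF8427E"}
```

Only the `is` and `contains` conditions are implemented here; a production matcher also has to handle the other OpenIOC conditions, empty groups, and the case-preservation flags that later revisions of the schema add.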
URL addresses of resources designed to obtain unauthorized access to confidential data of users. Phishing is usually aimed at stealing various financial data.
Program component. Starts virtual images of operating systems. Starts files in these operating systems and tracks the behavior of files in each operating system to detect malicious activity and signs of targeted attacks to the corporate IT infrastructure.
Program component. Receives data.
Unique identifier of a service instance on the network; Kerberos clients use it to request a ticket for that specific service.
Security Information and Event Management System. Solution that collects, correlates, and manages security information and events from an organization's systems.
Code in information protection databases that contains a description of known threats.
Switch Port Analyzer. Technology for mirroring traffic from one port to another.
A standard for generating, forwarding, and recording messages about events occurring in the system, used on UNIX™ and GNU/Linux platforms.
One sign of suspicious behavior of an object in the corporate IT infrastructure that causes Kaspersky Anti Targeted Attack Platform to consider an event to be an alert. A TAA (IOA) rule contains a description of a sign of an attack and recommended countermeasures.
Attack that targets a specific person or organization. Unlike mass attacks by computer viruses designed to infect as many computers as possible, targeted attacks can be aimed at infecting the network of a specific organization or even a separate server within the corporate IT infrastructure. A dedicated Trojan program can be written to stage each targeted attack.
Program module. Analyzes and monitors the network activity of software installed on computers of the corporate LAN using TAA (IOA) rules. Searches for signs of network activity to which the Kaspersky Anti Targeted Attack Platform user should pay attention, as well as for signs of targeted attacks on the corporate IT infrastructure.
An individual organization or branch office of an organization to which the Kaspersky Anti Targeted Attack Platform solution is being provided.
A protocol that encrypts the connection between two hosts (for example, two servers) and authenticates at least one of them, ensuring confidential and tamper-evident transmission of data between them over the Internet.
A mode in which the program is run for debugging: after each command is executed, the program pauses and the result of that step is recorded.
Status of alerts with special access permissions. For example, alerts with the VIP status cannot be viewed by users with the Security officer role.
Program module. Scans files and objects for signs of targeted attacks on the corporate IT infrastructure using YARA Rules databases created by users of Kaspersky Anti Targeted Attack Platform.
An open-source tool and rule language for identifying and classifying malware by describing the textual and binary patterns it contains. Kaspersky Anti Targeted Attack Platform uses YARA rules to scan files and objects for signs of targeted attacks and intrusions into the corporate IT infrastructure.
An attack targeting the corporate IT infrastructure by exploiting zero-day vulnerabilities in software. These are software vulnerabilities that hackers find and exploit before the software vendor has a chance to release a patch.
A software vulnerability that hackers find and exploit before the software vendor has a chance to release a patch with fixed program code.