Kaspersky Anti Targeted Attack Platform (hereinafter also referred to as "the application") is a solution designed for the protection of a corporate IT infrastructure and timely detection of threats such as zero-day attacks, targeted attacks, and complex targeted attacks known as advanced persistent threats (hereinafter also referred to as "APT"). The solution is developed for corporate users.
The Kaspersky Anti Targeted Attack Platform solution includes three functional blocks:
Kaspersky Anti Targeted Attack (hereinafter also referred to as "KATA"), which provides perimeter security for the enterprise IT infrastructure.
Kaspersky Endpoint Detection and Response (hereinafter also referred to as "KEDR"), which provides protection for the local area network of the organization.
Network Detection and Response (hereinafter also referred to as "NDR"), which provides protection of the corporate LAN.
The solution can receive and process data in the following ways:
Integrate into the local area network, receive and process mirrored SPAN, ERSPAN and RSPAN traffic, and extract objects and metadata from the HTTP, HTTP2, FTP, SMTP, DNS, SMB, and NFS protocols.
Mirrored traffic is a copy of traffic redirected from one switch port to another port of the same switch (local mirroring) or to a remote switch (remote mirroring). The network administrator can configure which part of the traffic is mirrored to Kaspersky Anti Targeted Attack Platform.
Connect to the proxy server via the ICAP protocol, receive and process data of HTTP, HTTP2, and FTP traffic, as well as HTTPS traffic if the administrator has configured SSL certificate replacement on the proxy server.
Connect to the mail server via the POP3(S) and SMTP protocols, and receive and process copies of email messages.
Integrate with Kaspersky Secure Mail Gateway and Kaspersky Security for Linux Mail Server, and receive and process copies of email messages.
For detailed information on Kaspersky Secure Mail Gateway and Kaspersky Security for Linux Mail Server, please refer to the documentation of these applications.
Integrate with Kaspersky Endpoint Agent and Kaspersky Endpoint Security and receive data (events) from individual computers running Microsoft® Windows® and Linux® operating systems in the corporate IT infrastructure. These applications continuously monitor processes running on those computers, active network connections, and files that are modified.
Integrate with external systems via the REST API and scan files from those systems.
The solution uses the following means of Threat Intelligence:
Infrastructure of Kaspersky Security Network (also referred to as "KSN") cloud services that provides access to the online Knowledge Base of Kaspersky, which contains information about the reputation of files, web resources, and software. The use of data from Kaspersky Security Network ensures faster responses by Kaspersky applications to threats, improves the performance of some protection components, and reduces the likelihood of false alarms.
Integration with Kaspersky Private Security Network (KPSN) to access the reputation databases of Kaspersky Security Network and other statistical data without sending data from user computers to Kaspersky Security Network.
Integration with the Kaspersky information system known as Kaspersky Threat Intelligence Portal, which contains and displays information about the reputation of files and URLs.
The Kaspersky Threats database.
The solution can detect the following events that occur within the corporate IT infrastructure:
A file has been downloaded, or an attempt was made to download a file, to a corporate LAN computer.
A file has been sent to the email address of a user on the corporate LAN.
A website link was opened on a corporate LAN computer.
Network activity has occurred in which the IP address or domain name of a corporate LAN computer was detected.
Processes have been started on a corporate LAN computer.
The application can provide the results of its operation and Threat Intelligence to the user in the following ways:
Display the results in the web interface of the Central Node, Primary Central Node (hereinafter also referred to as "PCN"), or Secondary Central Node (hereinafter also referred to as "SCN") server.
Publish alerts to a SIEM system already being used in your organization via the Syslog protocol.
Integrate with external systems via the REST API and send information on alerts generated by the solution to external systems on demand.
View the table of detected signs of targeted attacks and intrusions into the corporate IT infrastructure, filter and search alerts, view and manage each alert, and follow recommendations for evaluating and investigating incidents.
Look through the table of events occurring on computers and servers of the corporate IT infrastructure, search for threats, filter, view, and manage each event, and follow recommendations for evaluating and investigating incidents.
Run tasks on computers with Kaspersky Endpoint Agent and Kaspersky Endpoint Security: run applications and stop processes, download and delete files, quarantine objects, place copies of files in the Storage of Kaspersky Anti Targeted Attack Platform, and restore files from quarantine.
Set up policies on selected computers with Kaspersky Endpoint Agent and Kaspersky Endpoint Security that prevent files and processes considered unsafe from running.
Isolate individual computers with Kaspersky Endpoint Agent and Kaspersky Endpoint Security from the network.
Work with TAA (IOA) rules to classify and analyze events.
Manage user-defined Targeted Attack Analyzer TAA (IOA), Intrusion Detection System (IDS), and YARA rules: upload rules to be used for scanning events and creating alerts.
Work with OpenIOC-compliant files (IOC files) to search for signs of targeted attacks and for infected and probably infected objects on hosts with the Endpoint Agent component and in the Alerts database.
Exclude TAA (IOA) rules and IDS rules defined by Kaspersky from scanning.
Manage objects in quarantine and copies of objects in Storage.
Manage reports about application performance and alerts.
Configure the sending of notifications about alerts and problems encountered by the application to email addresses of users.
Manage the list of VIP alerts and the list of data excluded from the scan, and populate the local reputation database of KPSN.
Store and download copies of raw network traffic for analysis in external systems.
Users with the Security auditor role can perform the following actions in the application:
Monitor the components of the solution.
View the table of detected signs of targeted attacks and intrusions into the enterprise IT infrastructure, filter and search alerts, and view the data of each alert.
Look through the table of events occurring on the computers and servers of the enterprise IT infrastructure, search for threats, and filter and view each event.
View the list of hosts with the Endpoint Agent component and information about selected hosts.
View user-defined rules for Targeted Attack Analyzer TAA (IOA), Intrusion Detection System (IDS), and YARA.
View the scan-excluded TAA (IOA) rules and IDS rules defined by Kaspersky experts.
View reports about application performance and alerts.
View the list of VIP alerts and the list of data excluded from the scan.
View all settings made in the application web interface.
Store and download copies of raw network traffic for analysis in external systems.
Users with the Local administrator or Administrator role can perform the following actions in the application:
Edit application settings.
Configure servers for the distributed solution and multitenancy mode.
Set up the integration of the application with other applications and systems.
Manage TLS certificates and set up trusted connections between the Central Node server and the Sandbox server, between Kaspersky Anti Targeted Attack Platform servers and the Endpoint Agent component, and with external systems.