Glossary
Advanced persistent threat (APT)
A sophisticated targeted attack against the corporate IT infrastructure that simultaneously uses different methods to infiltrate the network, hide on the network, and gain unobstructed access to confidential data.
Alternate data stream
Alternate data streams are a feature of the NTFS file system for storing additional attributes or information attached to a file.
Each file in the NTFS file system consists of a set of streams. The main (unnamed) stream contains the file contents; the other, named (alternate) streams hold metadata. Streams can be created, deleted, saved individually, renamed, and even executed as a process. Standard directory listings and file-size displays show only the main stream.
Attackers use alternate streams to hide tools, payloads, or collected data on a computer and for the concealed transmission or receipt of data, because the hidden stream is not visible to casual inspection of the file.
Anti-Malware Engine
Program engine. Scans files and objects for viruses and other threats to the corporate IT infrastructure using anti-virus databases.
Backdoor program
A program planted by hackers on a compromised computer in order to be able to access this computer in the future.
Central Node
Program component. Scans data, analyzes the behavior of objects, and publishes analysis results in the web interface of the program.
Communication channel bandwidth
The highest possible speed of information transfer in the specific communication channel.
CSRF attack
Cross-Site Request Forgery (also referred to as an "XSRF attack"). An attack on the users of a website that abuses the fact that a browser automatically attaches cookies and other ambient credentials to requests it sends to a site, even when the request is triggered by a page from a different site. If the vulnerable website does not verify that a state-changing request was intentionally submitted by the user (for example, with an anti-CSRF token or an Origin check), the attacker can have actions performed under the guise of an authorized user. For example, a page controlled by the attacker can covertly submit a request to a vulnerable payment system that transfers money to the attacker's account using the victim's active session.
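Worked example (added here; not part of the original glossary or the product's code): a state-changing "transfer" handler written twice, once as the vulnerable form that trusts the session cookie alone and once hardened with a per-session token and an Origin check. The site origin, secret, session store, and the request dictionaries are constructed for the example.

```python
import hashlib
import hmac

# Constructed server-side secret and origin for a hypothetical banking site;
# a real deployment loads the secret from a secret store.
SERVER_SECRET = b"constructed-example-secret-do-not-reuse"
SITE_ORIGIN = "https://bank.example"


def csrf_token(session_id: str) -> str:
    """Per-session synchronizer token: an HMAC over the session ID, so the server
    can verify it without storing anything and a page from another site cannot
    compute or read it."""
    return hmac.new(SERVER_SECRET, session_id.encode(), hashlib.sha256).hexdigest()


def transfer_vulnerable(request: dict, sessions: dict) -> str:
    """Vulnerable handler: accepts any request carrying a valid session cookie.
    Browsers attach that cookie to requests triggered by other sites as well, so a
    hidden form on the attacker's page can move the victim's money."""
    user = sessions.get(request["cookies"].get("session"))
    if user is None:
        return "401 not logged in"
    return f"200 {user} transferred {request['form']['amount']} to {request['form']['to']}"


def transfer_hardened(request: dict, sessions: dict) -> str:
    """Same handler with two independent checks:
    1. if the browser sent an Origin header it must be our own origin;
    2. the form must carry the session's CSRF token, compared in constant time."""
    session_id = request["cookies"].get("session")
    user = sessions.get(session_id)
    if user is None:
        return "401 not logged in"
    origin = request["headers"].get("Origin")
    if origin is not None and origin != SITE_ORIGIN:
        return "403 cross-origin request refused"
    submitted = request["form"].get("csrf_token", "")
    if not hmac.compare_digest(submitted.encode(), csrf_token(session_id).encode()):
        return "403 missing or invalid CSRF token"
    return f"200 {user} transferred {request['form']['amount']} to {request['form']['to']}"


# Constructed sample traffic: one logged-in victim, one genuine and one forged request.
SESSIONS = {"s3ss10n": "alice"}

LEGIT_REQUEST = {
    "cookies": {"session": "s3ss10n"},
    "headers": {"Origin": SITE_ORIGIN},
    "form": {"to": "bob", "amount": "10", "csrf_token": csrf_token("s3ss10n")},
}

# Submitted by a form on https://evil.example while alice is logged in: the browser
# adds her cookie automatically, but the attacker can neither read her token nor
# make the browser send a false Origin.
FORGED_REQUEST = {
    "cookies": {"session": "s3ss10n"},
    "headers": {"Origin": "https://evil.example"},
    "form": {"to": "mallory", "amount": "1000"},
}

if __name__ == "__main__":
    for name, handler in [("vulnerable", transfer_vulnerable), ("hardened", transfer_hardened)]:
        print(name, "legit: ", handler(LEGIT_REQUEST, SESSIONS))
        print(name, "forged:", handler(FORGED_REQUEST, SESSIONS))
```

The token is carried in the form body, never in a cookie, because the whole point is that cookies are sent automatically. Marking the session cookie SameSite=Lax or Strict is a complementary browser-side defense, not a replacement for the server-side check.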
Distributed solution
Two-level hierarchy of servers with Central Node components installed. This hierarchy allocates a primary control server (Primary Central Node (PCN)) and secondary servers (Secondary Central Nodes (SCN)).
Dump
Contents of the working memory of a process or the entire RAM of the system at a specified moment of time.
End User License Agreement
Binding agreement between you and AO Kaspersky Lab, stipulating the terms on which you may use the program.
ICAP data
Data received over the ICAP protocol (Internet Content Adaptation Protocol, RFC 3507). The protocol lets a proxy hand HTTP requests and HTTP responses to a separate server for inspection and modification, for example to scan them for viruses, block spam, or block access to certain web resources. The ICAP client is normally a proxy server, which interacts with the ICAP server over the ICAP protocol. Kaspersky Anti Targeted Attack Platform receives from your organization's proxy server the HTTP data that the proxy passes through ICAP.
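Worked example (added here; not from the original glossary or the product): both sides of an ICAP REQMOD exchange. The proxy wraps an intercepted HTTP request in an ICAP request whose Encapsulated header records the byte offset of each section; the ICAP server replies with a 200 response that replaces the request with a block page. The parser slices the sections by those offsets and de-chunks the body. Host names, the block page, and the ISTag value are constructed.

```python
from typing import Dict, Tuple

CRLF = b"\r\n"


def chunked(body: bytes) -> bytes:
    """Apply HTTP/1.1 chunked coding; ICAP requires it for encapsulated bodies."""
    if not body:
        return b"0" + CRLF + CRLF
    return b"%x" % len(body) + CRLF + body + CRLF + b"0" + CRLF + CRLF


def dechunk(data: bytes) -> bytes:
    """Decode a chunked body (chunk extensions ignored, no trailers expected)."""
    out, pos = bytearray(), 0
    while True:
        end = data.index(CRLF, pos)
        size = int(data[pos:end].split(b";")[0], 16)
        if size == 0:
            return bytes(out)
        start = end + 2
        out += data[start:start + size]
        pos = start + size + 2                  # skip the chunk's trailing CRLF


def build_reqmod(icap_host: str, service: str, http_headers: bytes, body: bytes) -> bytes:
    """The proxy's side: wrap an intercepted HTTP request in an ICAP REQMOD request.
    'Encapsulated' gives the byte offset of each section within the encapsulated
    data; 'Allow: 204' tells the server it may answer 204 (leave request unchanged)."""
    if body:
        encapsulated = b"req-hdr=0, req-body=%d" % len(http_headers)
        payload = http_headers + chunked(body)
    else:
        encapsulated = b"req-hdr=0, null-body=%d" % len(http_headers)
        payload = http_headers
    icap_headers = CRLF.join([
        b"REQMOD icap://%s/%s ICAP/1.0" % (icap_host.encode(), service.encode()),
        b"Host: " + icap_host.encode(),
        b"Allow: 204",
        b"Encapsulated: " + encapsulated,
    ]) + CRLF + CRLF
    return icap_headers + payload


def parse_icap(message: bytes) -> Tuple[bytes, Dict[bytes, bytes], Dict[bytes, bytes]]:
    """Split an ICAP request or response into (start line, ICAP headers, sections).
    Sections are sliced using the Encapsulated offsets; *-body sections are
    de-chunked so the caller gets the raw HTTP body to scan."""
    head, _, encapsulated_data = message.partition(CRLF + CRLF)
    start_line, *header_lines = head.split(CRLF)
    headers: Dict[bytes, bytes] = {}
    for line in header_lines:
        name, _, value = line.partition(b":")
        headers[name.strip().lower()] = value.strip()
    if b"encapsulated" not in headers:
        raise ValueError("ICAP message without Encapsulated header")
    parts = []
    for item in headers[b"encapsulated"].split(b","):
        name, _, offset = item.strip().partition(b"=")
        parts.append((int(offset), name))
    parts.sort()
    sections: Dict[bytes, bytes] = {}
    for i, (offset, name) in enumerate(parts):
        if name == b"null-body":                # marks the end; carries no data
            continue
        end = parts[i + 1][0] if i + 1 < len(parts) else len(encapsulated_data)
        chunk = encapsulated_data[offset:end]
        sections[name] = dechunk(chunk) if name.endswith(b"-body") else chunk
    return start_line, headers, sections


# Constructed sample exchange (hypothetical hosts). The proxy intercepts an upload
# and asks the ICAP server; the server replaces the request with a 403 block page.
HTTP_REQ_HEADERS = CRLF.join([b"POST /upload HTTP/1.1", b"Host: files.example",
                              b"Content-Length: 11"]) + CRLF + CRLF
HTTP_REQ_BODY = b"hello world"

HTTP_403_HEADERS = CRLF.join([b"HTTP/1.1 403 Forbidden", b"Content-Type: text/html"]) + CRLF + CRLF
BLOCK_PAGE = b"<html>Blocked by policy</html>"
ICAP_BLOCK_RESPONSE = CRLF.join([
    b"ICAP/1.0 200 OK",
    b'ISTag: "constructed-tag-1"',
    b"Encapsulated: res-hdr=0, res-body=%d" % len(HTTP_403_HEADERS),
]) + CRLF + CRLF + HTTP_403_HEADERS + chunked(BLOCK_PAGE)

if __name__ == "__main__":
    request = build_reqmod("icap.example", "reqmod", HTTP_REQ_HEADERS, HTTP_REQ_BODY)
    print(request.decode())
    status, _, sections = parse_icap(ICAP_BLOCK_RESPONSE)
    print(status.decode(), sections[b"res-body"].decode())
```

The offsets in Encapsulated are what make the protocol work: the HTTP headers and the chunked body are concatenated with no delimiter between them, so a receiver that ignores the offsets and scans for a blank line will misparse any body that itself contains one.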
Intrusion Detection System
Program module. Scans network traffic for signs of intrusions into the corporate IT infrastructure.
IOA
Indicator of Attack. Description of suspicious behavior of objects within a corporate IT infrastructure that may indicate a targeted attack on that organization.
IOC
Indicator of Compromise. An artifact (for example, a file hash, IP address, domain name, or registry key) whose presence indicates that a malicious object is present or that malicious activity has taken place on a system.
IOC file
An IOC file contains a set of indicators that the program compares with the attributes of an event. If the indicators match, the program registers the event as an alert. Confidence in the detection increases when a scan finds exact matches between the data of an object and several IOC files.
Kaspersky Anti Targeted Attack Platform
Solution designed for the protection of a corporate IT infrastructure and timely detection of threats such as zero-day attacks, targeted attacks, and complex targeted attacks known as advanced persistent threats (hereinafter also referred to as "APT").
Kaspersky Endpoint Agent
Program component. Installed on workstations and servers of the corporate IT infrastructure that run Microsoft Windows and Linux operating systems. Continuously monitors processes running on those computers, active network connections, and files that are modified.
Kaspersky Private Security Network
A solution that allows users of Kaspersky anti-virus applications to access Kaspersky Security Network databases without sending data from their computers to Kaspersky Security Network servers.
Kaspersky Secure Mail Gateway
A solution designed for protection of incoming and outgoing email against malicious objects and spam, and for content filtering of messages. The solution lets you deploy a virtual mail gateway and integrate it into the existing corporate mail infrastructure. An operating system, mail server, and Kaspersky anti-virus application are preinstalled on the virtual mail gateway.
Kaspersky Security Network (KSN)
An infrastructure of cloud services that provides access to the online Knowledge Base of Kaspersky which contains information about the reputation of files, web resources, and software. The use of data from Kaspersky Security Network ensures faster responses by Kaspersky programs to threats, improves the performance of some protection components, and reduces the likelihood of false alarms.
Kaspersky Threat Intelligence Portal
Kaspersky information system that contains and displays reputation information for files and URL addresses.
KATA
Kaspersky Anti Targeted Attack. Functional block of the Kaspersky Anti Targeted Attack Platform program, which detects threats on the perimeter of the enterprise IT infrastructure.
KEDR
Kaspersky Endpoint Detection and Response. Functional block of the Kaspersky Anti Targeted Attack Platform program, which provides protection for computers within the organization's local area network.
Kerberos authentication
A mechanism for mutual authentication of client and server before a connection is established between them, which allows secure communication over unprotected networks. The mechanism is based on tickets issued to the user by a trusted third party, the authentication server of the Key Distribution Center (KDC).
Keytab file
A file containing pairs of principal names (the unique names of clients or services allowed to use Kerberos authentication) and their long-term secret keys, which are derived from the account password or generated randomly. Systems that support Kerberos use keytab files to authenticate without an interactively entered password. The keys in a keytab are stored in clear, so the file is equivalent to the password and must be protected with strict file permissions.
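Worked example (added here; not from the original glossary or the product): a writer and reader for the MIT keytab file format (version 0x0502), followed by the check an operator should run before deploying one. Reading the file back shows that the key material is in clear and that the format happily carries keys in weak encryption types. The principal, timestamp, and key bytes are constructed filler.

```python
import struct
from dataclasses import dataclass
from typing import List, Tuple

KEYTAB_VERSION = 0x0502      # MIT keytab "version 2": big-endian integers, name_type field present
WEAK_ENCTYPES = {1: "des-cbc-crc", 3: "des-cbc-md5", 23: "arcfour-hmac (RC4)"}


@dataclass
class KeytabEntry:
    principal: str           # "service/host@REALM"
    name_type: int           # 1 = KRB5_NT_PRINCIPAL
    timestamp: int           # when the key was written
    kvno: int                # key version number
    enctype: int             # RFC 3961 encryption type; 18 = aes256-cts-hmac-sha1-96
    key: bytes               # the long-term key itself, stored in clear


def _counted(data: bytes) -> bytes:
    """counted_octet_string: 16-bit length followed by the bytes."""
    return struct.pack(">H", len(data)) + data


def _read_counted(buf: bytes, pos: int) -> Tuple[bytes, int]:
    (n,) = struct.unpack_from(">H", buf, pos)
    return buf[pos + 2:pos + 2 + n], pos + 2 + n


def build_keytab(entries: List[KeytabEntry]) -> bytes:
    out = struct.pack(">H", KEYTAB_VERSION)
    for e in entries:
        name, realm = e.principal.rsplit("@", 1)
        components = name.split("/")
        body = struct.pack(">H", len(components)) + _counted(realm.encode())
        for component in components:
            body += _counted(component.encode())
        body += struct.pack(">IIB", e.name_type, e.timestamp, e.kvno & 0xFF)
        body += struct.pack(">H", e.enctype) + _counted(e.key)
        body += struct.pack(">I", e.kvno)            # 32-bit kvno, appended when there is room
        out += struct.pack(">i", len(body)) + body    # size excludes the size field itself
    return out


def parse_keytab(data: bytes) -> List[KeytabEntry]:
    (version,) = struct.unpack_from(">H", data, 0)
    if version != KEYTAB_VERSION:
        raise ValueError(f"unsupported keytab version {version:#06x}")
    pos, entries = 2, []
    while pos < len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size < 0:                                  # negative size: deleted entry, skip the hole
            pos += -size
            continue
        entry, pos = data[pos:pos + size], pos + size
        (ncomp,) = struct.unpack_from(">H", entry, 0)
        realm, p = _read_counted(entry, 2)
        components = []
        for _ in range(ncomp):
            component, p = _read_counted(entry, p)
            components.append(component.decode())
        name_type, timestamp, kvno = struct.unpack_from(">IIB", entry, p)
        p += 9
        (enctype,) = struct.unpack_from(">H", entry, p)
        key, p = _read_counted(entry, p + 2)
        if size - p >= 4:                             # optional 32-bit kvno overrides vno8 if non-zero
            (kvno32,) = struct.unpack_from(">I", entry, p)
            kvno = kvno32 or kvno
        entries.append(KeytabEntry("/".join(components) + "@" + realm.decode(),
                                   name_type, timestamp, kvno, enctype, key))
    return entries


def audit_keytab(entries: List[KeytabEntry]) -> List[str]:
    """The check to run before deploying a keytab: flag keys in weak encryption types,
    which let anyone who captures Kerberos traffic brute-force the service key."""
    return [f"{e.principal} kvno {e.kvno}: weak enctype {WEAK_ENCTYPES[e.enctype]}"
            for e in entries if e.enctype in WEAK_ENCTYPES]


# Constructed keytab for a hypothetical service principal; the key bytes are filler.
SAMPLE_ENTRIES = [
    KeytabEntry("HTTP/kata.example.com@EXAMPLE.COM", 1, 1700000000, 3, 18, bytes(range(32))),
    KeytabEntry("HTTP/kata.example.com@EXAMPLE.COM", 1, 1700000000, 3, 23, bytes(16)),
]
SAMPLE_KEYTAB = build_keytab(SAMPLE_ENTRIES)

if __name__ == "__main__":
    for entry in parse_keytab(SAMPLE_KEYTAB):
        print(entry.principal, "kvno", entry.kvno, "enctype", entry.enctype, entry.key.hex())
    print(audit_keytab(parse_keytab(SAMPLE_KEYTAB)))
```

Anyone who can read this file can impersonate the service, so the usual operational rules follow: owner-only permissions, no copies in backups or repositories, and a key rotation (new kvno) whenever the file may have been exposed.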
Local reputation database of KPSN
Database of the reputations of objects (files or URLs) that is stored on the Kaspersky Private Security Network server but not on Kaspersky Security Network servers. Local reputation databases are managed by the KPSN administrator.
Malicious web addresses
URLs of resources distributing malicious software.
MIB (Management Information Base)
A hierarchical, virtual database of the objects (identified by OIDs) that a device or program exposes for monitoring over the SNMP protocol. A MIB file lets a monitoring system interpret the program's SNMP counters and traps.
Mirrored traffic
A copy of traffic redirected from one switch port to another port of the same switch (local mirroring) or to a remote switch (remote mirroring). The network administrator can configure which part of traffic should be mirrored for transmission to Kaspersky Anti Targeted Attack Platform.
MITM attack
Man in the Middle. An attack on the IT infrastructure of an organization in which the attacker secretly inserts themselves into the communication path between two parties, relays their traffic, and can read or modify it, while both parties believe they are communicating directly with each other.
MITRE technique
The MITRE ATT&CK (Adversarial Tactics, Techniques & Common Knowledge) knowledge base contains descriptions of adversary behavior based on the analysis of real attacks. It is a structured catalogue of known techniques, represented as a matrix in which the columns are tactics (the adversary's goals) and the cells are the techniques used to achieve them.
Multitenancy
Operation mode in which Kaspersky Anti Targeted Attack Platform is used to protect the infrastructure of multiple organizations or branch offices of the same organization simultaneously.
New generation threats
Corporate IT infrastructure threats capable of overwriting, altering, encrypting, or distorting their code to a point where matches against signatures can no longer be detected by a security system.
NTP server
A server that distributes accurate time using the Network Time Protocol. Consistent time across sensors, servers, and endpoints is required to correlate events from different sources.
OpenIOC
An open, XML-based standard for describing indicators of compromise. Its schema defines over 500 indicator terms (file hashes, process names, registry keys, network addresses, and so on) that can be combined with AND/OR logic into one indicator.
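Worked example (added here; not from the original glossary or the product) serving both the IOC file and OpenIOC entries: a constructed OpenIOC 1.0 document with nested AND/OR indicators, evaluated against events represented as flat dictionaries keyed by the OpenIOC search term. The hash, process name, and IP address are constructed; only the namespace and element names are the real OpenIOC ones.

```python
import xml.etree.ElementTree as ET   # use defusedxml for IOC files from untrusted sources
from typing import Any, Dict

NS = {"ioc": "http://schemas.mandiant.com/2010/ioc"}

# Constructed OpenIOC 1.0 document (not a published indicator): match either a known
# dropper hash, OR a process with a look-alike name AND a connection to a C2 address.
SAMPLE_IOC = """<ioc xmlns="http://schemas.mandiant.com/2010/ioc" id="constructed-0001">
  <short_description>Constructed example: dropper or beacon</short_description>
  <definition>
    <Indicator operator="OR">
      <IndicatorItem condition="is">
        <Context document="FileItem" search="FileItem/Md5sum" type="mir"/>
        <Content type="md5">0123456789abcdef0123456789abcdef</Content>
      </IndicatorItem>
      <Indicator operator="AND">
        <IndicatorItem condition="contains">
          <Context document="ProcessItem" search="ProcessItem/name" type="mir"/>
          <Content type="string">svch0st</Content>
        </IndicatorItem>
        <IndicatorItem condition="is">
          <Context document="PortItem" search="PortItem/remoteIP" type="mir"/>
          <Content type="IP">198.51.100.23</Content>
        </IndicatorItem>
      </Indicator>
    </Indicator>
  </definition>
</ioc>
"""


def _item_matches(item: ET.Element, event: Dict[str, Any]) -> bool:
    """One IndicatorItem against one event. The event is a flat dict keyed by the
    OpenIOC 'search' term; an attribute the event lacks never matches.
    Comparison here is case-insensitive (hashes and names are reported in mixed case)."""
    term = item.find("ioc:Context", NS).get("search")
    expected = (item.find("ioc:Content", NS).text or "").strip().lower()
    actual = event.get(term)
    if actual is None:
        return False
    actual = str(actual).lower()
    condition = item.get("condition", "is")
    if condition == "is":
        return actual == expected
    if condition == "contains":
        return expected in actual
    raise ValueError(f"unsupported condition {condition!r}")


def _indicator_matches(node: ET.Element, event: Dict[str, Any]) -> bool:
    """An Indicator node combines its children with AND or OR; nesting gives the tree."""
    results = []
    for child in node:
        tag = child.tag.rsplit("}", 1)[-1]
        if tag == "IndicatorItem":
            results.append(_item_matches(child, event))
        elif tag == "Indicator":
            results.append(_indicator_matches(child, event))
    if not results:
        return False
    return all(results) if node.get("operator", "OR").upper() == "AND" else any(results)


def ioc_matches(ioc_xml: str, event: Dict[str, Any]) -> bool:
    """True if the event satisfies any top-level Indicator of the IOC file."""
    definition = ET.fromstring(ioc_xml).find("ioc:definition", NS)
    return any(_indicator_matches(ind, event) for ind in definition.findall("ioc:Indicator", NS))


# Constructed events in the shape an endpoint agent might report.
EVENT_DROPPER = {"FileItem/Md5sum": "0123456789ABCDEF0123456789ABCDEF"}
EVENT_BEACON = {"ProcessItem/name": "svch0st.exe", "PortItem/remoteIP": "198.51.100.23"}
EVENT_BENIGN = {"ProcessItem/name": "svchost.exe", "PortItem/remoteIP": "198.51.100.23"}

if __name__ == "__main__":
    for label, event in [("dropper", EVENT_DROPPER), ("beacon", EVENT_BEACON), ("benign", EVENT_BENIGN)]:
        print(label, "->", "ALERT" if ioc_matches(SAMPLE_IOC, event) else "no match")
```

The AND branch is what keeps the benign event quiet: the legitimate svchost.exe talks to the same address, but only the combination of the look-alike name and the address is treated as an indicator.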
Phishing URL addresses
URL addresses of resources designed to trick users into disclosing confidential data, such as account credentials and payment card details. Phishing is usually aimed at stealing financial data or the credentials that give access to it.
Sandbox
Program component. Starts virtual images of operating systems. Starts files in these operating systems and tracks the behavior of files in each operating system to detect malicious activity and signs of targeted attacks to the corporate IT infrastructure.
Sensor
Program component. Receives data.
Service principal name (SPN)
Unique identifier of a service instance on the network for Kerberos authentication, in the form service class/host name (optionally with a port), for example HTTP/server.example.com. The client requests a ticket for this SPN when connecting to the service.
SIEM system
Security Information and Event Management system. A solution that collects, normalizes, stores, and correlates security events from many sources in an organization's infrastructure and alerts on suspicious patterns.
Signature
An entry in information protection databases that describes a known threat (for example, a characteristic sequence of bytes or a hash) so that the security program can recognize it.
SPAN
Switch Port Analyzer. Technology for mirroring traffic from one port to another.
Syslog
The standard for sending and recording messages about events occurring in a system. It originated on UNIX and GNU/Linux platforms; the current message format is defined in RFC 5424, with the legacy BSD format in RFC 3164. Syslog is commonly used to forward events from security products to a SIEM system.
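Worked example (added here; not from the original glossary or the product): a parser for RFC 5424 syslog messages of the kind a security product forwards to a SIEM. It decodes the PRI value into facility and severity, parses the header fields, and handles structured-data elements including escaped quotes. The sample message is constructed; its host, application name, and parameter names are hypothetical, and 32473 is the enterprise number reserved for documentation.

```python
import re
from dataclasses import dataclass
from typing import Dict, Tuple

FACILITIES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news", "uucp",
              "cron", "authpriv", "ftp", "ntp", "audit", "alert", "clock",
              "local0", "local1", "local2", "local3", "local4", "local5", "local6", "local7"]
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

# HEADER = PRI VERSION SP TIMESTAMP SP HOSTNAME SP APP-NAME SP PROCID SP MSGID SP, then SD [SP MSG]
_HEADER = re.compile(r"^<(\d{1,3})>(\d) (\S+) (\S+) (\S+) (\S+) (\S+) ")


@dataclass
class SyslogMessage:
    facility: str
    severity: str
    timestamp: str
    hostname: str
    app_name: str
    procid: str
    msgid: str
    structured_data: Dict[str, Dict[str, str]]
    msg: str


def _parse_structured_data(text: str) -> Tuple[Dict[str, Dict[str, str]], str]:
    """STRUCTURED-DATA is '-' or one or more [SD-ID PARAM="value" ...] elements.
    Inside values, the quote, backslash and ']' characters are escaped with a backslash."""
    sd: Dict[str, Dict[str, str]] = {}
    pos = 0
    if text.startswith("-"):
        pos = 1
    while pos < len(text) and text[pos] == "[":
        pos += 1
        end = pos
        while text[end] not in " ]":
            end += 1
        sd_id, params, pos = text[pos:end], {}, end
        while text[pos] != "]":
            pos += 1                                  # SP before each PARAM-NAME
            eq = text.index("=", pos)
            name, pos = text[pos:eq], eq + 2          # skip '="'
            value = []
            while text[pos] != '"':
                if text[pos] == "\\" and text[pos + 1] in '"\\]':
                    pos += 1                          # drop the escape character
                value.append(text[pos])
                pos += 1
            params[name] = "".join(value)
            pos += 1                                  # closing quote
        sd[sd_id] = params
        pos += 1                                      # closing bracket
    rest = text[pos:]
    return sd, rest[1:] if rest.startswith(" ") else rest


def parse_syslog(line: str) -> SyslogMessage:
    """Parse an RFC 5424 message; raises ValueError for anything else (e.g. RFC 3164)."""
    m = _HEADER.match(line)
    if not m or m.group(2) != "1":
        raise ValueError("not an RFC 5424 syslog message")
    pri = int(m.group(1))
    if pri > 191:
        raise ValueError(f"PRI {pri} out of range")
    sd, msg = _parse_structured_data(line[m.end():])
    timestamp, hostname, app_name, procid, msgid = m.groups()[2:]
    return SyslogMessage(FACILITIES[pri // 8], SEVERITIES[pri % 8],
                         timestamp, hostname, app_name, procid, msgid, sd, msg)


def is_rfc5424(line: str) -> bool:
    try:
        parse_syslog(line)
        return True
    except ValueError:
        return False


# Constructed sample: an alert forwarded to a SIEM (hypothetical host, app and field names).
SAMPLE_5424 = ('<134>1 2024-03-01T12:00:00.000Z kata-cn.example.com kata 4242 alert '
               '[exampleSDID@32473 alert_id="17" rule="TAA: suspicious \\"lsass\\" access" sev="high"] '
               'Alert on host WS-042')
# Legacy BSD-format message for contrast; it has no version field or structured data.
SAMPLE_3164 = "<34>Oct 11 22:14:15 mymachine su: 'su root' failed for lonvick on /dev/pts/8"

if __name__ == "__main__":
    print(parse_syslog(SAMPLE_5424))
    print("legacy message parses as RFC 5424:", is_rfc5424(SAMPLE_3164))
```

PRI is facility * 8 + severity, so 134 decodes to local0/info; a collector that only keys on severity would file this alert among routine informational messages, which is why the structured-data fields matter more than the priority when a product forwards alerts.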
TAA (IOA) rule
One sign of suspicious behavior of an object in the corporate IT infrastructure that causes Kaspersky Anti Targeted Attack Platform to consider an event to be an alert. A TAA (IOA) rule contains a description of a sign of an attack and recommended countermeasures.
Targeted attack
Attack that targets a specific person or organization. Unlike mass attacks by computer viruses designed to infect as many computers as possible, targeted attacks can be aimed at infecting the network of a specific organization or even a separate server within the corporate IT infrastructure. A dedicated Trojan program can be written to stage each targeted attack.
Targeted Attack Analyzer
Program module. Analyzes and monitors the network activity of software installed on computers of the corporate LAN using TAA (IOA) rules. It searches for signs of network activity that merit the attention of the Kaspersky Anti Targeted Attack Platform user, as well as for signs of targeted attacks on the corporate IT infrastructure.
Tenant
An individual organization or branch office of an organization to which the Kaspersky Anti Targeted Attack Platform solution is being provided.
TLS encryption
Transport Layer Security. A protocol that encrypts the connection between a client and a server (or between two servers) and ensures the confidentiality and integrity of data transmitted over the Internet. The server, and optionally the client, is authenticated with a certificate; the protection against man-in-the-middle attacks holds only if that certificate is validated.
Tracing
Running the program in a debugging mode in which, after each operation is executed, the result of that step is recorded or displayed so that it can be examined.
VIP status
Status of alerts with special access permissions. For example, alerts with the VIP status cannot be viewed by users with the Security officer role.
YARA
Program module. Scans files and objects for signs of targeted attacks on the corporate IT infrastructure using YARA Rules databases created by users of Kaspersky Anti Targeted Attack Platform.
YARA rules
A publicly available rule language and format for describing malware and signs of targeted attacks and intrusions into the corporate IT infrastructure. Each rule specifies textual or binary patterns (strings, hexadecimal sequences, regular expressions) and a condition under which a file matches. Kaspersky Anti Targeted Attack Platform uses YARA rules to scan files and objects.
Zero-day attack
An attack targeting the corporate IT infrastructure by exploiting zero-day vulnerabilities in software. These are software vulnerabilities that hackers find and exploit before the software vendor has a chance to release a patch.
Zero-day vulnerability
A software vulnerability that hackers find and exploit before the software vendor has a chance to release a patch with fixed program code.