Monitoring risks
Kaspersky Anti Targeted Attack Platform can detect risks to which the information system resources are exposed. The application identifies the risks based on traffic analysis results and the received device information.
Detected risks can belong to the following categories:
- Vulnerability. Detected device vulnerabilities belong to this category.
- Configuration problems. This category includes security risks caused by incorrect configuration and risks of compromising data when writing and reading device configurations.
- Insecure network architecture. This category includes risks associated with detected insecure network interactions, devices, protocols, and software; risks due to authorized devices becoming inactive; and risks due to the EPP applications being absent from devices or not fully functional.
Each risk is scored from 0.0 to 10.0. When calculating the risk score, the application takes into account the available information about the device with which the detected risk is associated. When calculating the score, the application takes into account the importance level of the device, as well as other risks associated with that device. The base score is used as the initial value for the calculation. The base scores of risks in the Vulnerability category follow the Common Vulnerability Scoring System (CVSS). For the rest of the risk categories, the base scores are taken from the table of risk types.
Risk information is uploaded to the database of detected risks on the Central Node. The total amount of stored records in the database cannot exceed the specified limit. If the amount exceeds the limit, the application automatically deletes 10% of the oldest records. You can set the maximum size of detected risk information when configuring the storage settings.
The contents of the detected risk database are displayed in the Risks section of the application web interface. You can also view an overview of device risks in the Assets section on the Devices tab.
About risks of the Vulnerability category
Vulnerability risks are registered when the application detects vulnerabilities in monitored devices on the corporate LAN. A vulnerability is a flaw in the software or hardware of a device, which an attacker can exploit to compromise the information system or gain unauthorized access to information.
The application detects vulnerabilities by analyzing the available device information. Information that can help identify a known vulnerability for a device is compared against certain fields in the database of known vulnerabilities. The database of known vulnerabilities is built into the application. This database, maintained by Kaspersky experts, contains information about the most relevant or the most frequently encountered device vulnerabilities.
The database of known vulnerabilities contains descriptions of vulnerabilities and of devices that are affected by these vulnerabilities. In addition, the database contains recommendations for protecting the system in the form of texts or links to public resources. The database of known vulnerabilities contains descriptions and recommendations from various sources, which may include vendors of devices and software, as well as various security organizations. The descriptions and recommendations in the database are in English.
After the application is installed, the original database of known vulnerabilities is used. You can keep your database up to date by installing updates.
Kaspersky Anti Targeted Attack Platform compares the available information about devices with fields in the database of known vulnerabilities that describe the devices that are affected by the vulnerabilities. The application uses the following device information to detect vulnerabilities:
- Hardware vendor.
- Hardware model.
- Hardware version.
- Software vendor. If no software vendor information can be found in the device information, Kaspersky Anti Targeted Attack Platform reuses the Hardware vendor value.
- Software name. If the software name cannot be found in the device information, Kaspersky Anti Targeted Attack Platform reuses the Hardware model value.
- Software version.
In the database of known vulnerabilities, device descriptions are stored in the CPE (Common Platform Enumeration) format. The application compares the available device information with these descriptions, automatically converting the information to the CPE format. For each vulnerability, the content of the matching descriptions is listed in the risk details area in the Matched CPE section.
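The matching described above, as an added example that is not Kaspersky's code: device fields are converted to a CPE 2.3 string with the documented fallbacks (hardware vendor for a missing software vendor, hardware model for a missing software name) and compared component by component against a small constructed vulnerability database. The normalisation rules and the CPE strings in the database are assumptions for illustration.

```python
import re

# Constructed device record using the fields the documentation lists for matching.
# Software vendor and software name are empty, so the fallbacks apply.
DEVICE = {
    "hardware_vendor": "Siemens", "hardware_model": "SIMATIC S7-1200",
    "hardware_version": "4.2", "software_vendor": "", "software_name": "",
    "software_version": "4.2.1",
}

# Constructed database entries; the IDs and CPE strings are placeholders, not real advisories.
KNOWN_VULNS = [
    {"id": "CVE-0000-0001", "cpe": "cpe:2.3:a:siemens:simatic_s7-1200:4.2.1:*:*:*:*:*:*:*"},
    {"id": "CVE-0000-0002", "cpe": "cpe:2.3:a:siemens:simatic_s7-1200:*:*:*:*:*:*:*:*"},
    {"id": "CVE-0000-0003", "cpe": "cpe:2.3:a:siemens:simatic_s7-1500:*:*:*:*:*:*:*:*"},
]


def cpe_component(value: str) -> str:
    """Assumed normalisation: lower-case, spaces to underscores, other
    punctuation backslash-escaped as in CPE 2.3 formatted strings."""
    value = value.strip().lower().replace(" ", "_")
    return re.sub(r"([^a-z0-9_.\-])", r"\\\1", value)


def device_to_cpe(dev: dict) -> str:
    """Build the device's software CPE, reusing hardware vendor/model when the
    software vendor/name are absent (the fallbacks the documentation describes)."""
    vendor = dev.get("software_vendor") or dev["hardware_vendor"]
    product = dev.get("software_name") or dev["hardware_model"]
    version = cpe_component(dev["software_version"]) if dev.get("software_version") else "*"
    return "cpe:2.3:a:%s:%s:%s:*:*:*:*:*:*:*" % (
        cpe_component(vendor), cpe_component(product), version)


def cpe_matches(db_cpe: str, device_cpe: str) -> bool:
    """Component-wise comparison: '*' in the database entry matches any value."""
    a, b = db_cpe.split(":"), device_cpe.split(":")
    return len(a) == len(b) and all(x == "*" or x == y for x, y in zip(a, b))


def matched_vulnerabilities(dev: dict, db: list) -> list:
    """Return (vulnerability id, matched CPE) pairs, i.e. the Matched CPE content."""
    device_cpe = device_to_cpe(dev)
    return [(v["id"], v["cpe"]) for v in db if cpe_matches(v["cpe"], device_cpe)]


if __name__ == "__main__":
    print(device_to_cpe(DEVICE))
    for vid, cpe in matched_vulnerabilities(DEVICE, KNOWN_VULNS):
        print(vid, "matched", cpe)
```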
The main parameter that identifies a vulnerability is its ID in the Common Vulnerabilities and Exposures (CVE) list. This identification number is called the CVE ID. If a vulnerability does not yet have a CVE ID, an ID obtained from other public resources with descriptions of vulnerabilities is specified.
The Kaspersky Anti Targeted Attack Platform supports getting IDs and links to descriptions of vulnerabilities provided by the Federal Service for Technical and Export Control (FSTEC) of Russia in the Information Security Threats Databank (hereinafter also referred to as the "BDU"). If the downloaded vulnerability information contains such information from FSTEC's BDU, the application displays this information in the form of corresponding IDs in the "BDU:<year>-<number>" format.
Implementation scenario for a continuous risk management process
The risk detection functionality allows implementing continuous (cyclical) risk management in your information system. To help you manage risks, Kaspersky Anti Targeted Attack Platform provides information about detected risks, which you can use to take the necessary remediation or mitigation measures.
The implementation scenario for the continuous risk management process involves the following steps:
- Taking a device inventory
This step is performed using the Device Activity Detection and Device Information Detection methods (the methods must be enabled). At this step, the application automatically detects new devices and updates the device information. If some devices on the network were not detected automatically, you need to add them manually or import them from external projects.
You must enable automatic update in the device settings for all information that determines the classification and operational characteristics of devices (for example, model and software version). If automatic update of such information is for some reason impossible, this information must be kept up to date manually.
- Risk detection while scanning passively or actively
The application passively scans devices for risks using the available information about the devices. The application also analyzes network interactions in corporate LAN traffic to detect risks. Risk detection is implemented by the Risk Detection method (the method must be enabled).
You can also actively poll devices to quickly get their information. When performing active polling of devices, you can also detect specific types of risks if the corresponding risk analysis methods are selected. To actively poll devices, you need to add one or more Active poll connectors to the application.
Risks of the Vulnerability category are automatically detected after updating the database of known vulnerabilities in the application or after adding or updating the device information that is used for matching (for example, after saving software model and version information).
- Scoring and classifying detected risks
For each detected risk, the application calculates a score. The score reflects the severity of the risk. Depending on the score, the severity of the risk can be Low (score 0.0–3.9), Medium (score 4.0–7.9), or High (score 8.0–10.0).
Based on the severity levels and scores, and factoring in the special ways in which devices are used in your information system, you can classify detected risks in accordance with their importance. If you assess the risk as insignificant, you can manually change its status from the Active status (assigned by default after detection) to the Accepted status, for example, if the prerequisites for exploiting the vulnerability cannot be reproduced. When changing the status of a risk, we recommend adding or editing a comment.
All risks that need something to be done about them should be left with the Active status.
- Remediation
At this step, you must undertake remediation or mitigation of the detected risks. To do this, check all Active detected risks, starting with the risks with the highest scores. Do what is necessary in your information system (for example, to remedy the vulnerability of a device, install the software update that fixes it, and if this is not possible, isolate this device from external networks). For some risks (for example, vulnerabilities), information on recommended actions is provided.
Kaspersky Anti Targeted Attack Platform is not involved in the remediation of detected risks.
- Verifying remediation
This step is similar to risk detection while scanning. As a result of this step, no Active risks should remain in the risk table.
For most risks that the application detects during passive scanning (for example, vulnerabilities), the application automatically assigns the Remediated status if the conditions for detecting these risks are no longer satisfied. For example, after the software version is changed for a device, the application assigns the Remediated status to the Vulnerability risk that was registered because of a vulnerable software version that had been specified previously. The Remediated status is also assigned to risks that no longer have a description in the database of known vulnerabilities (if the description is removed from the database after downloading updates).
When devices are removed, the application also removes the risks associated with these devices.
If, after remediation, the conditions for detecting the risk have not changed (for example, the vulnerable device is isolated from external networks, but the information about this device has not changed), you can manually assign the Accepted status to this risk. When changing the status of a risk, we recommend adding or editing a comment.
Some risks cannot be automatically assigned a status of Remediated (for example, Remediated cannot be automatically assigned to risks that are detected during active polling of devices). For such risks, you must also manually assign the Accepted status after the risk remediation is complete.
If a risk is associated with an event, you can assign the Accepted status to this risk at the same time when you change the event status to Resolved.
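The scoring and status lifecycle of the scenario above (severity thresholds, automatic Remediated on rescan, return to Active on repeated detection, manual Active/Accepted changes) as an added example that is not Kaspersky's code. The RiskStore class and its rescan logic are a model of the documented rules, not the product's implementation.

```python
ACTIVE, REMEDIATED, ACCEPTED = "Active", "Remediated", "Accepted"


def severity(score: float) -> str:
    """Low 0.0-3.9, Medium 4.0-7.9, High 8.0-10.0 (thresholds from the documentation)."""
    if not 0.0 <= score <= 10.0:
        raise ValueError("score must be within 0.0..10.0")
    if score >= 8.0:
        return "High"
    return "Medium" if score >= 4.0 else "Low"


class RiskStore:
    """Risks keyed by (device, risk name); statuses follow the documented rules."""

    def __init__(self):
        self.risks = {}

    def scan(self, detected: dict) -> None:
        """detected maps (device, name) -> score for every risk whose detection
        conditions are currently satisfied. New risks become Active, a
        re-detected Remediated risk returns to Active, and a risk that is no
        longer detected is automatically set to Remediated. A detected risk
        that was Accepted keeps that status (modelling assumption)."""
        for key, score in detected.items():
            entry = self.risks.setdefault(key, {"status": ACTIVE, "comment": ""})
            entry["score"] = score
            if entry["status"] == REMEDIATED:
                entry["status"] = ACTIVE
        for key, entry in self.risks.items():
            if key not in detected:
                entry["status"] = REMEDIATED

    def set_status(self, key, status: str, comment: str = "") -> bool:
        """Manual change; only Active <-> Accepted is permitted, as in the web interface.
        Returns False and changes nothing for any other transition."""
        current = self.risks[key]["status"]
        if {current, status} != {ACTIVE, ACCEPTED}:
            return False
        self.risks[key]["status"] = status
        self.risks[key]["comment"] = comment   # the documentation recommends a comment
        return True

    def active_by_score(self) -> list:
        """Active risks, highest score first: the order to work through at remediation."""
        items = [(k, v["score"]) for k, v in self.risks.items() if v["status"] == ACTIVE]
        return sorted(items, key=lambda kv: -kv[1])
```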
Viewing the risk table
The risk table is displayed in the Risks and anomalies section of the application web interface window.
Risk settings are displayed in the following columns of the table:
- Category.
The name of the risk category.
- Name.
Risk name. For a risk of the Vulnerability category, the CVE ID of the detected vulnerability is used (if there is no CVE ID, an ID obtained from other public resources with vulnerability descriptions is displayed).
- CVE.
For risks of the Vulnerability category: CVE ID of the detected vulnerability.
- BDU.
For risks of the Vulnerability category: ID of the vulnerability in the BDU database. If multiple vulnerabilities with different BDU IDs correspond to one vulnerability with a CVE ID, the column lists all such IDs.
- Risk ID.
Unique ID of the risk.
- Score.
The calculated risk score. This numerical value determines the severity level of the risk. Depending on the severity level, the score can be displayed in one of the following colors:
- Red for a High severity risk.
- Yellow for a Medium severity risk.
- Blue for a Low severity risk.
For Active risks, the color of the score is bright. For Remediated or Accepted risks, the color of the score is faint.
In the details area, this setting is called Base score.
- Side 1.
Address information of one of the sides of the network interaction (indicated for some types of risks). The display of MAC and IP addresses can be turned on and off separately. If extra address spaces are added in the application, when configuring the risk table, you can enable or disable the display of address space names using the Show address spaces setting.
- Side 2.
Address information of the other side of the network interaction (indicated for some types of risks). The display of address information can be configured the same way as the Side 1 column.
- Device group.
Name of the group in which the device with the detected risk is placed (contains the name of the group itself and the names of all its parent groups).
- Device.
Name and address of the device.
- Source.
For risks of the Vulnerability category: the name of the source from which the information was uploaded into the database of known vulnerabilities. In the details area, this setting is called Source of vulnerability.
- Status.
Current risk status. The following statuses are possible:
- The Active status is assigned by default when the risk is first detected (as well as upon repeated detection if the risk had been assigned the Remediated status). You can also manually assign the Active status to a risk if its current status is Accepted.
- The Remediated status is automatically assigned if the conditions for detecting the risk are no longer satisfied.
- The Accepted status is assigned to a risk manually if the risk is assessed as insignificant or if the undertaken remediation actions did not result in the automatic assignment of the Remediated status.
- Detected at.
Date and time when the risk was detected.
- Last status change.
Date and time of the last risk status change.
- Matched CPE.
For risks of the Vulnerability category: device descriptions stored in the database of known vulnerabilities. Descriptions that match the device information from the table of devices are listed here.
When viewing the risk table, you can configure, filter, search, and sort the risks, as well as navigate to related items.
Viewing risk information
Risk information includes information from the risk table and the following fields:
- Risk type is the code of the risk type.
- Description is the description specified for the risk type or for the vulnerability.
- Base score is the initial value for calculating the risk score.
For risks of the Vulnerability category, additional information is displayed in the following fields and field groups:
- CVSS vector is a record of metrics for calculating the CVSS vulnerability score.
- Attack conditions is a description of the conditions that must be satisfied for the vulnerability to be exploited.
- Impact is a description of the possible consequences of exploiting the vulnerability.
- Mitigations lists recommendations for the remediation of the vulnerability (for example, information about which software version is recommended to be installed on the device).
- Links lists links to public resources that can provide additional information about the vulnerability.
- CVE history lists dates when the vulnerability was identified, confirmed, and published in public sources.
To view risk information:
- Select the Assets section in the application web interface window.
- Go to the Devices tab.
- Click the name of the vulnerability (as a CVE ID or other vulnerability ID) in the Risks column.
This opens a window containing information about the vulnerability.
Manually changing risk status
When managing the Risks and anomalies section, you can manually change the statuses of any risks from Active to Accepted and vice versa. When managing the Assets section, you can only change the status of Vulnerability category risks, and only from Active to Accepted.
You can also assign the Accepted status to a risk when assigning the Resolved status to events that are associated with this risk.
To manually change the risk status:
- Open the risk details area or the risk details window.
- Open the Change status drop-down list.
- Depending on the status you want to assign to the risk, select one of the following from the drop-down list:
- Accepted if you want to change the status of the risk from Active to Accepted.
- Active if you want to reassign the Active status to the risk.
This opens a confirmation prompt window.
- If the selected risk has related events and you want to assign the Resolved status to all these events at the same time, select the Assign the Resolved status to all related events check box.
Risks may become associated with events when registering certain types of events using the Asset Management technology.
- In the prompt window, click OK.
Viewing risk information while managing the table of devices
When managing the table of devices, you can view information for risks that have been detected on devices. For each device that has risks of the Vulnerability category, the names of the detected vulnerabilities are displayed (as CVE IDs or other vulnerability IDs). If risks of other categories are detected on the device, names of those risk categories are displayed for that device. Vulnerability names and risk categories are displayed in the Risks column and in the details area when a device is selected.
By default, the table of devices displays information only about Active risks. If necessary, you can enable the display of information for all risks by selecting the Show remediated and accepted risks check box when configuring the device table.
To indicate the severity levels of risks, the names of vulnerabilities and categories are colored as follows:
- Red for High severity risks.
- Yellow for Medium severity risks.
- Blue for Low severity risks.
For Active risks, the color of the names is bright. For Remediated or Accepted risks, the color of the names is faint.
If a device has risks of the same category, the name of this category is displayed in the highest-severity color of all these risks.
If you want to view risk details, you can click the vulnerability and category names. Clicking a vulnerability name (as a CVE ID or other vulnerability ID) opens the vulnerability details window. Clicking a risk category name takes you to the risk table filtered to display the risks of the selected category for the device.
When viewing the table of devices, you can filter devices by their risks. You can also search for devices by vulnerability names (as CVE IDs or other vulnerability IDs).