Kaspersky Anti Targeted Attack Platform

Managing account credentials secrets for remote connections

Kaspersky Anti Targeted Attack Platform implements a secret storage. Secrets allow securely storing and using identification and authentication information that the application needs for automatic remote connections to devices. Secrets are used in active polling jobs.

The application supports various types of secrets. Depending on the purpose of the secret, you can select a relevant type and enter the appropriate data when adding or editing the secret settings.

Store in secrets the credentials that are required for remote connections to devices over remote connection protocols. Active polling jobs can use various protocols for remote connections, depending on the selected polling methods.

To ensure that identification and authentication details stored in secrets are used securely, the application implements protection against compromise of secrets when connecting to remote devices. After public keys received from devices are saved in the application, it monitors all subsequent remote connections to these devices and does not send information from secrets if devices on the network are spoofed.

Critical information of the secret (password or private key of the certificate) is accessible to you in plain text only once, when you enter this information while creating the secret. After a secret is saved, its critical information can no longer be viewed. You can only replace the critical information of a secret with new critical information while editing the secret (for example, you can enter a different password).

You can manage secrets in the Settings section, Secrets subsection. No more than 500 secrets can be added to the application.

Only users with the Administrator role can manage secrets.

In this section

Adding a secret

Viewing table of secrets

Protecting against compromise of secrets when connected to remote devices

Editing the settings of a secret

Deleting secrets


Adding a secret

You can add secrets to the application secrets storage.

To add a secret:

  1. Log in to the web interface with the application administrator account.
  2. Select the Settings section, Secrets subsection.
  3. Click Add secret.

    This opens the details area.

  4. Enter a name for the secret.

    The secret name must be unique (must not match the names of other secrets) and can contain up to 256 characters. You can use letters, numerals, spaces, and the following special characters: ! @ # № $ % ^ & ( ) [ ] { } / \ : ; , . - _. The name of the secret must begin and end with any valid character other than a space.

  5. Select the type of secret and configure its settings.

    You can select the following types of secrets:

    • Password only: this type of secret is used if only the password of a user with the relevant permissions is required for access to device configuration data.
    • User name and password: this type of secret is used if a user name and password are required to receive data from the device.
    • User name and password, root password: this type of secret is used if a user name and password are required to receive data from the device, and the root password or the password for an account that processes requests with administrator privileges is additionally required for a connection with administrator (root) privileges.
    • User name and password, encryption password: this type of secret is used if a user name and password are required to receive data from the device, and an encryption password is additionally required to establish encrypted connections.
    • Mixed: this type of secret is used for the Remote connection method of device polling. You can specify the following settings for this type of secret:
      • User name to be used for remote connections to devices.

        The user name can contain Latin letters, numerals, periods, as well as special characters: _ and -. The name must begin with a letter and end with any supported character other than a period.

      • User password: if the user password will be used for authentication.

        The password may contain up to 256 ASCII characters.

      • Private key: if the private key of the certificate will be used for authentication.

        You can manually enter the sequence of characters comprising the key or upload the key from the certificate file by clicking Copy from file. You can upload private keys in CRT, PEM, and CER formats. If the private key file is protected by a passphrase, enter the passphrase in the Passphrase field before uploading the key.

        To use the private key of the certificate, you need to copy the public key of this certificate to all devices to which remote connections will be made using the secret. The steps for copying the public key to devices are performed without the involvement of Kaspersky Anti Targeted Attack Platform.

      • Root user password: if an additional password is required for connections to network equipment with administrator (root) privileges. In such cases, access is requested as root or as the user that is configured on network equipment for processing requests with administrator privileges.
  6. Click Save.

See also

Active device polling jobs


Viewing table of secrets

The table of remote connection secrets is displayed in the Settings → Secrets section of the application web interface.

Information about secrets is displayed in the following columns of the table:

  • Name of secret.

    The name that the application uses for the secret.

  • Created.

    Date and time when the secret was added to the application.

  • Changed.

    Date and time of the last modification of the secret in the application.

When viewing the table of secrets, you can use the configuration, filtering, searching, and sorting functionality.


Protecting against compromise of secrets when connected to remote devices

Identification and authentication details from secrets should be used only for remote connections to devices that are selected for active polling jobs. To protect this information against possible compromise in cases of device spoofing, the application verifies the public key received from the device before sending the information. The device uses the public key to establish SSH connections. A public key helps the application to verify that the SSH connection is being established with the correct device. Identification and authentication details are sent to the device after verifying that the received public key matches the public key saved in the application.

The saved public key of the device is displayed in the details area of the selected device on the General tab.

Receiving and saving public keys of devices in the application

By default, no public keys of devices are configured in Kaspersky Anti Targeted Attack Platform. A device's public key is received and saved the first time an SSH connection is established with this device for scanning as part of an active polling job that uses a connector of the Active poll type. During this first connection, identification and authentication details from the selected secret are sent to the device without checking the received public key. Therefore, before starting the active polling job for the selected device for the first time and establishing an SSH connection to it, make sure that there is no spoofed device on the network. To do this, you can run ifconfig to check that the IP addresses of the device configured in the application match the IP addresses on the network interfaces of the actual device.

Resetting saved device public keys

SSH connection keys on devices may change over time. Device users may generate new keys when their current private keys are at risk of compromise.

When the private key is changed on the device, the public key is changed as well. After changing the public key, the application stops sending information from the secrets to this device because the new public key no longer matches the one saved in the application. Therefore, any subsequent device scans as part of active polling jobs finish with an error.

After changing the public key on the device, you must reset the currently saved public key for this device stored in the application. This will allow the secrets to be used again when connecting to the device remotely.

After resetting the saved public key, the application saves the newly received public key the next time an SSH connection is established with this device. As when initially receiving and saving a public key, check that there is no spoofed device on the network.
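The save, compare, and reset behavior described in this section can be modeled in a few lines. This is an added example, not Kaspersky code: `SavedKeys`, `make_key`, the device name `plc-01`, and the key lines are constructed for illustration, and `expected_fp` is an operator-side precaution (a fingerprint read from the device console beforehand), not a product setting.

```python
import base64
import hashlib
import struct

def fingerprint(pubkey_line):
    """SHA256 fingerprint of an OpenSSH 'type base64 [comment]' line,
    in the SHA256:... form printed by ssh-keygen -l."""
    blob = base64.b64decode(pubkey_line.split()[1])
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

def make_key(seed):
    """Constructed ssh-ed25519-shaped key line for the demo, not a real device key."""
    name, raw = b"ssh-ed25519", hashlib.sha256(seed).digest()
    blob = struct.pack(">I", len(name)) + name + struct.pack(">I", len(raw)) + raw
    return "ssh-ed25519 " + base64.b64encode(blob).decode() + " constructed"

class SavedKeys:
    """Hypothetical model of the per-device saved public keys."""
    def __init__(self):
        self.saved = {}  # device name -> fingerprint of the saved key

    def connect(self, device, offered_key, expected_fp=None):
        """Return (secret_sent, reason) for one SSH connection attempt."""
        fp = fingerprint(offered_key)
        if device not in self.saved:
            # First connection: nothing to compare against. expected_fp is an
            # operator-side check (assumption), read from the device console.
            if expected_fp is not None and fp != expected_fp:
                return False, "offered key differs from out-of-band fingerprint"
            self.saved[device] = fp
            return True, "first connection, key saved"
        if fp == self.saved[device]:
            return True, "offered key matches saved key"
        return False, "offered key differs from saved key, polling fails"

    def reset(self, device):
        """Equivalent of 'Reset public key': the next connection saves a new key."""
        self.saved.pop(device, None)

def demo():
    """Walk one device through first use, a key mismatch, key rotation and reset."""
    real, other, rotated = make_key(b"plc-01"), make_key(b"other"), make_key(b"plc-01-new")
    keys = SavedKeys()
    steps = [keys.connect("plc-01", real, fingerprint(real)),  # verified first use
             keys.connect("plc-01", real),                     # normal polling
             keys.connect("plc-01", other),                    # different device answers
             keys.connect("plc-01", rotated)]                  # key regenerated on device
    keys.reset("plc-01")
    steps.append(keys.connect("plc-01", rotated, fingerprint(rotated)))
    return [sent for sent, _ in steps]
```

Calling `connect` on an empty `SavedKeys` without `expected_fp` returns `True` for any offered key, which is why the first connection and the first connection after a reset are the points that need the manual check.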

Only users with the Senior security officer role can reset saved public keys of devices.

To reset saved device public keys:

  1. Use the web interface to connect to the Central Node with the Senior security officer role.
  2. Select the Assets section.
  3. On the Devices tab, select the devices for which you want to reset saved public keys.
  4. Right-click one of the selected devices to open the context menu.
  5. In the context menu, select Reset public key.

    This opens a confirmation prompt window.

  6. In the prompt window, click OK.

Editing the settings of a secret

When editing the settings of a secret, you can change its type or set different credentials.

After secret settings, including the secret name, are modified, the new settings are applied in the active polling jobs in which the secret has been specified before. If you change the type of the secret, errors may occur the next time these jobs are started if the new type of the secret does not match connector settings.

To edit the settings of a secret:

  1. Log in to the web interface with the application administrator account.
  2. Select the Settings section, Secrets subsection.
  3. Select the secret that you want to edit.

    The details area is displayed in the right part of the web interface window.

  4. Click Edit.
  5. Edit the settings as needed. You can edit the settings in the same way as when adding a secret.

    Critical information of the secret (passwords and the private key of the certificate) is not openly displayed. You can only replace the critical information of the secret with new critical information using the links above the fields with credentials.


Deleting secrets

You can delete secrets from the Kaspersky Anti Targeted Attack Platform secret storage.

Before deleting a secret, we recommend specifying a different secret or a different polling method in the active polling jobs that use this secret. If the deleted secret is specified in an active polling job, errors will occur the next time the job is run.

To delete secrets:

  1. Log in to the web interface with the application administrator account.
  2. Select the Settings section, Secrets subsection.
  3. Select the secrets that you want to delete.
  4. Click Delete.

    This opens a confirmation prompt window.

  5. In the confirmation prompt window, confirm the deletion of the secrets.