Case 1:23-cv-00758-JLH-SRF Document 166-11 Filed 10/09/24 Page 1 of 7 PageID #: 4309

EXHIBIT 10

Case 1:23-cv-00758-JLH-SRF Document 166-11 Filed 10/09/24 Page 2 of 7 PageID #: 4310

Table of Contents

Orca Knowledge Base: Article for Review

Page: 1

HIGHLY CONFIDENTIAL - ATTORNEYS' EYES ONLY

ORCA_0001854

Case 1:23-cv-00758-JLH-SRF Document 166-11 Filed 10/09/24 Page 3 of 7 PageID #: 4311

Attack Paths View

Attack Paths display the timeline of events showing how an adversary can exploit a found vulnerability, from
start to finish.

To navigate to the Attack Paths view, from the left-side menu click Security Views > Attack Paths.

Risk Score

Attack Paths are assessed by Orca to generate a Risk Score, which ranks the potential harm an
attacker could cause.

Ranging between 1-10, the Risk Score is the average of two variables calculated by
Orca:

• Probability Score: Accounting for the simplicity of the initial access point, Orca estimates the
probability of an adversary executing the given Attack Path and reaching the Crown Jewels.
• Impact Score: Orca estimates the damage that could be caused if an adversary reaches the
Crown Jewels.

Risk Scores are categorized according to the potential business impact the Attack Path could have on
an organization and follow the same score range as Alerts:

• Critical: Scores 9.0-10.0
• High: Scores 7.0-8.9
• Medium: Scores 5.0-6.9
• Low: Scores 3.0-4.9
• Informational: Scores 1.0-2.9

Page: 101

ORCA_0001955

Case 1:23-cv-00758-JLH-SRF Document 166-11 Filed 10/09/24 Page 4 of 7 PageID #: 4312

The Flow of an Attack Path

Below is an example of an Attack Flow:

[Figure: Attack Flow diagram with the stages Internet-Facing Port → Adversary's Initial Access → Lateral Movement → Crown Jewels]

1. An adversary enters the targeted entity via an internet-facing port.
Non-internet-facing Attack Paths are also shown, with a lower score. This is to prevent the
possibility of an attack in case the entry point gets connected to the internet, either
intentionally or unintentionally.
2. The adversary's initial network access is typically an endpoint vulnerability that they were
able to leverage.
3. The adversary most often moves laterally through the targeted network. They maintain
persistence as they move closer to your most critical business assets.
4. Now that the adversary has located the Crown Jewels, the targeted entity is at its most
vulnerable. The adversary will likely stop here, typically asking for ransom, performing denial
of service, or significantly damaging the organization's reputation.

What are Crown Jewels?

Crown Jewels are the most business-critical assets of your organization.

Assets are given the status Crown Jewel when they have one or more of the following features:

• IAM roles/users with administrative rights.
• VMs containing PII alerts and sensitive keys on the system.
• Data resources, such as S3 buckets and databases, containing PII alerts and sensitive keys
on the system.
• Serverless functions with administrative rights or sensitive keys in the function itself.

Alternatively, to manually enable and define Crown Jewels, navigate to Alerts > Select an Alert >
Quick View > Asset Info > Mark as Crown Jewel.
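The Risk Score calculation and banding from the Risk Score section, together with the Crown Jewel criteria and the manual Mark as Crown Jewel override described here, carried through in Python as an added example (this is not Orca's code, and the article documents none of the data model below). Assumptions for illustration: scores are rounded to one decimal before banding because the article's bands are contiguous at that resolution (8.9 | 9.0); an asset is described by the flat record below; and for VMs and data resources either a PII alert or sensitive keys is enough to qualify, reading the article's "PII alerts and sensitive keys" as a list of features. The inventory and paths are constructed sample data.

```python
"""Attack Path triage: Risk Score banding plus Crown Jewel classification.

Added example, not Orca's code. Assumptions not stated in the article: scores
are rounded to one decimal before banding; an asset is the flat record below;
for VMs and data resources either a PII alert or sensitive keys qualifies.
"""
from dataclasses import dataclass
from typing import Dict, List

# Band lower bounds from the article, highest first. The bands are contiguous
# at one-decimal resolution (8.9 | 9.0), which is why scores are rounded first.
RISK_BANDS = [
    (9.0, "Critical"),
    (7.0, "High"),
    (5.0, "Medium"),
    (3.0, "Low"),
    (1.0, "Informational"),
]


def risk_score(probability: float, impact: float) -> float:
    """Risk Score = average of the Probability and Impact scores (each 1-10)."""
    for name, value in (("probability", probability), ("impact", impact)):
        if not 1.0 <= value <= 10.0:
            raise ValueError(f"{name} score must be within 1-10, got {value}")
    return round((probability + impact) / 2, 1)


def risk_band(score: float) -> str:
    """Map a Risk Score to the Critical/High/Medium/Low/Informational band."""
    s = round(score, 1)
    if not 1.0 <= s <= 10.0:
        raise ValueError(f"risk score out of range: {score}")
    for lower_bound, label in RISK_BANDS:
        if s >= lower_bound:
            return label
    raise AssertionError("unreachable: the range check guarantees a band")


@dataclass
class Asset:
    asset_id: str
    kind: str                      # "iam_role", "iam_user", "vm", "data", "serverless"
    admin_rights: bool = False
    pii_alert: bool = False
    sensitive_keys: bool = False
    manually_marked: bool = False  # Alerts > Quick View > Asset Info > Mark as Crown Jewel


def is_crown_jewel(asset: Asset) -> bool:
    """The article's automatic criteria, or the manual Mark as Crown Jewel flag."""
    if asset.manually_marked:
        return True
    if asset.kind in ("iam_role", "iam_user"):
        return asset.admin_rights
    if asset.kind in ("vm", "data"):
        return asset.pii_alert or asset.sensitive_keys
    if asset.kind == "serverless":
        return asset.admin_rights or asset.sensitive_keys
    return False


@dataclass
class AttackPath:
    path_id: str
    internet_facing: bool   # non-internet-facing paths are shown with a lower score
    probability: float      # Probability Score, 1-10
    impact: float           # Impact Score, 1-10
    hops: List[str]         # asset ids from initial access to the final asset


def triage(path: AttackPath, inventory: Dict[str, Asset]) -> dict:
    """Score one path and record whether its final hop is a Crown Jewel."""
    score = risk_score(path.probability, path.impact)
    final_asset = inventory[path.hops[-1]]
    return {
        "path_id": path.path_id,
        "internet_facing": path.internet_facing,
        "risk_score": score,
        "band": risk_band(score),
        "reaches_crown_jewel": is_crown_jewel(final_asset),
        "final_asset": final_asset.asset_id,
    }


# Constructed inventory and paths for the demonstration.
INVENTORY = {
    "web-vm": Asset("web-vm", "vm"),
    "admin-role": Asset("admin-role", "iam_role", admin_rights=True),
    "customer-db": Asset("customer-db", "data", pii_alert=True),
    "build-fn": Asset("build-fn", "serverless"),
}
PATHS = [
    AttackPath("ap-1", True, 9.0, 10.0, ["web-vm", "admin-role", "customer-db"]),
    AttackPath("ap-2", False, 3.0, 6.8, ["web-vm", "build-fn"]),
]


def triage_all() -> List[dict]:
    return [triage(p, INVENTORY) for p in PATHS]


if __name__ == "__main__":
    for row in triage_all():
        print(row)
```

The article says non-internet-facing paths receive a lower score but does not say how much lower, so the example only carries the flag through; `triage_all()` shows the two constructed paths landing in the Critical and Low bands, with only the first ending at a Crown Jewel.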

[Screenshot: Asset Info panel showing the Crown Jewel toggle]

Page: 102

ORCA_0001956

Case 1:23-cv-00758-JLH-SRF Document 166-11 Filed 10/09/24 Page 5 of 7 PageID #: 4313

Alerts

Alerts draw your attention to risks detected on your cloud assets. The alerts provide information about
the risk and allow you to take the appropriate actions: automatically or manually resolve an issue,
perform maintenance, or other actions.

All alerts that are detected in your cloud environment are displayed on the Alerts page. You can
configure different views to filter the alerts requiring more attention, or to group alerts by their
properties.

You can also perform different actions on alerts, for example, change their status according to your
workflow, or create tickets for the alerts in different ticketing systems. Orca provides alert remediation
tools: you can configure auto remediation for some alerts, or perform Orca-recommended or your own
steps to remediate the alert manually.

Page: 129

ORCA_0001983

Case 1:23-cv-00758-JLH-SRF Document 166-11 Filed 10/09/24 Page 6 of 7 PageID #: 4314

Auto Remediation

With auto remediation, you can automatically respond to and fix security risks directly in Orca. Auto
remediation is supported for a wide range of alerts.

The remediation solution infrastructure resides in your environment, so you have full control and
ownership of the compute asset that executes the remediation actions.

Based on the principle of least privilege, the remediation role deployed in your account only includes
the permissions to perform the required auto-remediation actions.

To use auto remediation:

1. Enable it for your account(s).
2. Start remediating alerts automatically.

How Does Auto Remediation Work?

Auto remediation processes vary across the different cloud service providers.

AWS

Orca's auto remediation is a separate AWS CloudFormation stack deployed in your environment. The
remediation role allows a local Lambda Function to make changes in your environment.

1. Orca sends remediation instructions to an AWS SQS Queue, which triggers a Lambda
Function.
2. The Lambda Function then calls the appropriate action to remediate the alert(s).

[Figure: Auto remediation flow. Orca sends a remediation message to the Remediation SQS queue in the customer organization's main account; the queue triggers the Remediation Lambda Function, which assumes the Remediation IAM Role to perform the remediation.]

Multiple-Account Connection Privileges

With multiple-account connection, the full auto remediation deployment is generated in the
management account only. Child accounts only include a role that allows the Lambda function to
perform the remediation actions on them.
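The AWS flow described above (SQS message triggers a Lambda Function, which performs the remediation; in a multiple-account connection the function assumes a role in the child account), written out as a Lambda handler in Python as an added example. This is not Orca's code: the message fields, the action names, the child-account role name `OrcaRemediationRole`, and the fake STS client are all assumptions for illustration, and the article documents none of them. boto3 is deliberately not imported so the file runs offline; the SQS batch is constructed sample data.

```python
"""SQS-triggered remediation Lambda handler, in the shape the article describes.

Added example, not Orca's code. The message fields, action names, role name and
the fake clients below are assumptions for illustration; the page documents none
of them. boto3 is deliberately not imported so the file runs offline.
"""
import json
import re
from typing import Any, Callable, Dict, List, Optional

# Application-level allow list. Pairs with a remediation role that carries only
# the permissions these actions need (the article's least-privilege statement).
ALLOWED_ACTIONS = {"enable_s3_block_public_access", "revoke_open_security_group_rule"}
REMEDIATION_ROLE_NAME = "OrcaRemediationRole"   # hypothetical child-account role
_ACCOUNT_ID = re.compile(r"^\d{12}$")
_SESSION_NAME_BAD = re.compile(r"[^\w+=,.@-]")  # STS RoleSessionName character set


def parse_instruction(body: Dict[str, Any]) -> Dict[str, str]:
    """Validate one remediation instruction before anything is executed."""
    for key in ("alert_id", "account_id", "action", "resource"):
        if not isinstance(body.get(key), str) or not body[key]:
            raise ValueError(f"missing or invalid field: {key}")
    if not _ACCOUNT_ID.match(body["account_id"]):
        raise ValueError("account_id must be a 12-digit AWS account id")
    if body["action"] not in ALLOWED_ACTIONS:
        raise ValueError(f"action is not allow-listed: {body['action']}")
    return {k: body[k] for k in ("alert_id", "account_id", "action", "resource")}


def target_credentials(sts, instr: Dict[str, str], main_account_id: str) -> Optional[dict]:
    """Main account: run under the Lambda's own remediation role (None = ambient
    credentials). Child account: assume that account's remediation-only role."""
    if instr["account_id"] == main_account_id:
        return None
    role_arn = f"arn:aws:iam::{instr['account_id']}:role/{REMEDIATION_ROLE_NAME}"
    session = _SESSION_NAME_BAD.sub("-", f"orca-remediation-{instr['alert_id']}")[:64]
    return sts.assume_role(RoleArn=role_arn, RoleSessionName=session)["Credentials"]


def handler(event: dict, actions: Dict[str, Callable], sts, main_account_id: str) -> dict:
    """Process an SQS batch; report per-message failures so only those are retried."""
    results: List[dict] = []
    failures: List[dict] = []
    for record in event.get("Records", []):
        try:
            instr = parse_instruction(json.loads(record["body"]))
            creds = target_credentials(sts, instr, main_account_id)
            outcome = actions[instr["action"]](instr["resource"], creds)
            results.append({"alert_id": instr["alert_id"],
                            "account_id": instr["account_id"], "outcome": outcome})
        except (ValueError, KeyError):
            # Lambda partial batch response (ReportBatchItemFailures): the bad
            # message returns to the queue, the rest of the batch is consumed.
            failures.append({"itemIdentifier": record["messageId"]})
    return {"batchItemFailures": failures, "results": results}


class FakeSTS:
    """Offline stand-in for a boto3 STS client; records the roles requested."""
    def __init__(self) -> None:
        self.assumed: List[str] = []

    def assume_role(self, RoleArn: str, RoleSessionName: str) -> dict:
        self.assumed.append(RoleArn)
        return {"Credentials": {"AccessKeyId": "ASIA-CONSTRUCTED",
                                "SecretAccessKey": "x", "SessionToken": "y"}}


def _block_public_access(resource: str, creds: Optional[dict]) -> str:
    # A real action would build an S3 client from creds and call put_public_access_block.
    return f"public access blocked on {resource} via {'assumed' if creds else 'lambda'} role"


ACTIONS: Dict[str, Callable] = {
    "enable_s3_block_public_access": _block_public_access,
    "revoke_open_security_group_rule": lambda resource, creds: f"rule revoked on {resource}",
}

SAMPLE_EVENT = {  # constructed SQS batch: one valid child-account job, one rejected job
    "Records": [
        {"messageId": "m1", "body": json.dumps({
            "alert_id": "alert-0001", "account_id": "222222222222",
            "action": "enable_s3_block_public_access",
            "resource": "arn:aws:s3:::constructed-bucket"})},
        {"messageId": "m2", "body": json.dumps({
            "alert_id": "alert-0002", "account_id": "111111111111",
            "action": "delete_all_buckets", "resource": "*"})},
    ]
}


def run_sample():
    sts = FakeSTS()
    return handler(SAMPLE_EVENT, ACTIONS, sts, main_account_id="111111111111"), sts.assumed


if __name__ == "__main__":
    print(json.dumps(run_sample()[0], indent=2))
```

Two design points worth noting: the action allow list in the handler mirrors the least-privilege remediation role at the IAM layer, so a malformed or unexpected instruction is rejected before any credentials are used, and the partial batch response returns only the failed message to the queue instead of replaying remediations that already succeeded.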

Page: 203

ORCA_0002057

Case 1:23-cv-00758-JLH-SRF Document 166-11 Filed 10/09/24 Page 7 of 7 PageID #: 4315

Discovery

Overview

Discovery is a tool intended to query your security data within the Orca Platform. It provides a
user-friendly graph-based approach to creating queries, not requiring a deep understanding of the
database structure or knowledge of any query language.

Discovery provides an easy and effective way for cloud security engineers, compliance auditors, or
DevOps engineers to query their entire cloud environment and gain broad visibility. Using Discovery,
you can select assets, infrastructure, applications, and other objects and further filter them by means
of an intelligent filtering component.

Discovery also provides the capability of saving the most valuable and frequent of your queries,
exporting results to a variety of formats, and sharing them with your team members.

Features

Discovery has the following features:

• Graph-based query builder. Visual representation of your query as a graph allows you to
easily understand which objects are searched, which filters are applied, and what the
relations between the objects are.
• Improved data modeling. For a clear and easy search, the query objects are grouped by
categories and subcategories. To enhance convenience, each category is marked by its own
color.
• Easy visual navigation through query objects and filtering conditions.
• Reusability. Discovery allows you to save the created queries and configurations as views,
share them within the organization, and edit and reuse them whenever you want.
• Consumability. Discovery query results can be exported to different formats, such as CSV,
JSON, and API Request, and used in scheduled reports.
• Customizability. You can configure the set of columns displayed in the query results and sort
the resulting view in any order you want.

Discovery 0.0 (Sonar)

Sonar is an advanced search tool that assumes knowledge and understanding of the Orca database
structure and the query language. Sonar allows you to retrieve any information from your database.
Orca custom alerts and automations are based on Sonar queries.

Limitations

• Discovery: Alerts can't be generated and tickets can't be created based on the Discovery
query results.
• Compatibility: There is no compatibility between queries created using Sonar and those created using
Discovery. This means that a query created and saved in Sonar can't be opened and executed
in Discovery, and vice versa.

Page: 1478

ORCA_0003332