The Attivo Solution
The ThreatDefend Deception and Response Platform is designed to make the entire network a trap and to force the attacker to have to be right 100% of the time or risk being discovered. The solution combines distributed, high interaction deception lures and decoys designed to provide early visibility into in-network threats, efficient continuous threat management, and accelerated incident response. The solution is based on six pillars, which include visibility, real-time detection, malware and phishing analysis, forensic reporting, incident handling, and response.
Attivo Deception & Response Platform
The Attivo BOTsink® deception solution provides the foundation of the ThreatDefend™ Deception and Response Platform. Using dynamic deception techniques and a matrix of distributed decoy systems, the entire network becomes a trap designed to deceive in-network attackers and their automated tools. As an early warning system for in-network threats, the solution efficiently detects attacker reconnaissance and their lateral movement. Not reliant on known attack patterns or signatures, the BOTsink solution accurately detects threats that have by passed prevention security controls. The BOTsink deception works by projecting decoys that appear indistinguishable from production assets with the intent to engage and misdirect an attacker. For authenticity, decoys run real operating systems and services and can be customized with production “golden images” to better blend in with other network assets. These decoys are then deployed across all network segments to detect lateral movement. The platform also utilizes dynamic deception at the endpoints, luring and guiding the attacker into the deception “hall of mirrors” environment. Once the attacker engages, the Attack Threat Analysis (ATA) engine analyzes their movement, methods, and actions, generating high-fidelity alerts and visual maps containing attack time-lapsed replay.
These engagement-based alerts include the substantiated attack detail required for incident andling and response and can be used for attack information sharing and forensic reporting. Attack details can be viewed within a threat intelligence dashboard with actionable drill-downs or through a variety of forensic reports, while 3rd party integrations provide automated blocking, quarantine, and threat hunting to accelerate incident response.
The Attivo ThreatStrike Endpoint solution, part of the modular ThreatDefend Platform, provides early and accurate detection of targeted attacks on endpoints and servers. Customizable and non-intrusive, this agentless deception technology places bait and breadcrumbsthat lead to an engagement server, where an alert is raised, attacks are analyzed, and actions to quarantine the infected system are activated. To reach sensitive network data, attackers will compromise computers to steal passwords and hashes that can then be used to move laterally within the network and escalate privileges to advance their attack. The ThreatStrike solution is an agentlesstechnology that dynamically plants deception credentials, lures, and deception network drives for ransomware detection.
ThreatPath™ Attack Path Vulnerability Assessment
The Attivo ThreatPath™ solution, part of the modular ThreatDefend™ Platform, provides continuousattack path vulnerability assessment of likely lateral movement avenues that an attacker would taketo compromise a network. The solution exposes and provides visual graphs to the paths an attackerwould traverse through the internal network based on misconfigured systems and misused or orphaned credentials. Integrations with workflow and incident management systems like Service Now and JIRA can be activated inside the dashboard and used for automating remediation notifications and processes.
The ThreatOps™ solution accelerates incident response by adding repeatable playbook functionality to the ThreatDefend™ platform. The ThreatOps solution is an add-on license to the BOTsink® or ACM appliances and is designed to combine and automate technology and processes to streamline and improve incident handling and attack investigation. The solution works by gathering attacker engagement information from the BOTsink deception server, memory forensics, and other sources, empowering security staff with the ability to create and define playbooks based on their security policies.
Building on the BOTsink solution’s 3rd party integrations with prevention systems (Firewall, NAC, End-point, SIEM) that automatically block and quarantine attacks, the ThreatOps playbooks streamline incident response by applying an organization’s security policies in the form of a customized playbook. The playbook automates incident response instructions, saving organizations hours of time in responding to and remediating attacks. Adding the ThreatOps solution to the ThreatDefend platform helps companies better address the dramatic increase in security incidents and corresponding attack information. In a time when security teams are understaffed, this can increase the number of incidents they can address and reduces the chance that an unaddressed incident becomes the path to a breach.
Additionally, through BOTsink integrations with companies like Carbon Black®, ForeScout®, and McAfee®, the sharing of attack information enables customers to threat hunt for forensic artifacts in other parts of the network and confirm they have eradicated the attack. ThreatOps Playbooks are applied to the threat hunting process for repeatable automation.