BOTsink® Deception Decoy Technology for Threat Detection
The BOTsink® Solution Offers Network-Based Threat Deception for Post-Compromise Threat Detection.
BOTsink Deception Platform
The following are components of the BOTsink distributed deception platform:
- Incident Response Playbook Automation
- Attivo Central Manager
BOTsink® for Network-Based Threat Detection
The Attivo BOTsink® solution stands guard inside your network, using high-interaction deception and decoy technology to lure attackers into engaging and revealing themselves. Through misdirection of the attack, organizations gain the advantage of time to detect, analyze, and stop an attacker.
Why Customers Choose the BOTsink® Solution
Recon & Lateral Movement Detection
Authentic & Attractive Decoys
Easy To Deploy & Operate
Automations For Incident Response
BOTsink® for MITRE ATT&CK Analysis
Built-in alert classifications following industry-standard MITRE ATT&CK categories.
- Maps detected events to the MITRE ATT&CK matrix
- Identifies categories and subcategories to aid in analysis
- Exports alerts with MITRE category tagging to the SIEM to integrate with existing analysis workflows
- Outputs data per system, per attack, and per event for faster analysis and response
- Identifies evasion techniques that are effective against the current security posture for gap analysis
- Uses MITRE analysis to measure control effectiveness against specific techniques
Substantiated And Actionable Alerting
Alerts generated by the Attivo BOTsink solution come from attacker engagement with a decoy. This results in high-fidelity alerts of confirmed attacker activities, substantiated with details and forensically captured evidence to support investigations for an actionable response.
- Actionable alerts are created from attacker engagement or credential reuse.
- High-fidelity alerts are substantiated with details from attacker engagement.
- Full forensics make for actionable response.
BOTsink® for Comprehensive Attack Surface Coverage
Quickly detect in-network threat activity across all attack surfaces as an attacker seeks target assets, moves laterally, and maintains presence.
Decoys for Early Detection of Reconnaissance & Lateral Movement Activity
Deception Authenticity to Match Production Environments.
Windows, Linux, Mac
IoT, ICS, POS…
SWIFT, Web, 25+ services
Data, Database, DecoyDocs
BOTSINK® USE CASES
— Decoy engagement-based detection
— Not reliant on signatures to detect attacks
— No pattern matching or database look up
— In-network threat detection
— Detect early reconnaissance
— Detect lateral movement
— Detect activities used to maintain presence
— Decoys to address all attack surfaces
— User Network
— Data Center
— Cloud (AWS, Azure, Google, OpenStack)
— Specialized: IoT, ICS, POS, SWIFT, Router
— Early detection of MitM attacks
— Attack replay to better understand movement
— Data deceptions to misdirect attack
— DecoyDocs for counterintelligence on attacker intent
— Geolocation tracking of opened documents
— Demonstrate in-network detection
— Forensics to demonstrate resolution
— Trust-but-verify visibility into acquired networks during M&A
— Blue Team's control of choice during penetration testing
— Automate manual IR tasks for efficiency
— Basic and advanced user interface
— Reduce time to respond, increase consistency
— Automate analysis and threat hunting
— Record all response activities for post-incident report
Detect In-Network Malicious Actors & Insiders with BOTsink®
Deceive external and internal threats (employees, suppliers, contractors) into revealing themselves.
- Server, endpoint, application, data, and database deceptions provide the most comprehensive threat deception across all networks.
- Early detection of network reconnaissance and lateral movement.
- Catch attacks like Man-in-the-Middle.
- Real Windows and Linux operating systems and services appear as authentic production assets and create attractive targets for attackers.
- Golden-image customization for the utmost authenticity.
- Threat deception for evolving attack surfaces.
- Scalability for data centers, cloud, user networks, remote office, and specialty networks.
- Detection is driven by engagement with network decoys, deception documents, deceptive credentials, and applications.
- Alerts are substantiated, high-fidelity, and actionable, reducing false-positive fatigue.
- Does not need tuning to be effective, providing immediate detection value.
“I've had the opportunity to see the BOTsink through several versions and it just keeps getting better and better. There is no doubt that it is a true next generation security tool.”
— Dr. Peter Stephenson, PhD – Cybersecurity Analyst and Researcher
Engage the Adversary with BOTsink®
Unlike other deception solutions, the Attivo BOTsink solution projects fully customizable OS decoys that adversaries can interact with fully. The decoys create a sandbox environment that records all attacker activity while deceiving them into engaging for far longer than with typical emulated honeypots. This results in the most detailed information and evidence for supporting investigations and developing adversary intelligence.
Attack Details, Maps & Replay
Attack & Forensic Reporting
BOTsink® for Attack Analysis Automation
Capture Threat, Adversary, and Counterintelligence to strengthen overall defenses.
- Built-in sandbox automates attack correlation and analysis, improving time to remediation.
- Gain threat intelligence by identifying indicators of compromise (IOCs) and tactics, techniques, and procedures (TTPs).
- Automate analysis of malware and phishing emails.
- Sandboxed attacker engagement with full interactivity.
- Record all attack activity on decoy disk, memory, and network layers.
- Watch lateral movement & record C&C communications.
- Data loss tracking and geolocation beaconing.
- Gain understanding of attacker intent.
- Standard and advanced dashboard settings for simple operation.
- Optional Central Manager provides consolidated on-premises or cloud central management.
- Extensive integrations for information sharing.
Early Detection with Actionable Threat Intelligence
Centrally manage the deception environment and quickly act on detected threats. Easily drill down into attack detail and streamline operations with automations for attack analysis and response.
BOTsink® for Vulnerability Assessment & Attack Visualization
Reduce risk and mean time to respond with credential vulnerability and attack visualization tools.
- Topographical maps show attacker movement.
- Time-lapsed attack replay tracks changes over periods of time.
- Valuable for Man-in-the-Middle and other attacks that are difficult to understand.
- Network visualization maps show adds and changes to devices on the network.
- See where deception is deployed for risk profiling.
- Full interaction decoys collect and develop IOCs to quickly identify other compromised systems.
- Native integrations accelerate automated or manual threat hunting.
Quickly visualize attacks on the network and improve your understanding of cross-VLAN attacks. Watch how attacks play out over time and apply these learnings to strengthening defenses.
Quickly discover adds and changes of devices on the network. Watch how your network changes over time, easily understand where deception is operating, and identify opportunities to strengthen defenses.
MITRE ATT&CK EVENT CLASSIFICATION
Accurately tag and display events with the appropriate MITRE ATT&CK technique categories. View summary information and quickly filter on specific phases for faster analysis and response.
Active Defense Partners
Native integrations improve workflow management and information sharing, and simplify incident response with automated blocking, quarantine, and threat hunting.
- Extensive integrations accelerate incident response with automated blocking, isolation, and threat hunting.
- Incident response can be manually activated within dashboard or fully automated.
- Automate workflow process from response to trouble ticket remediation.
- Faster, predictable response actions.
- Query SIEMs for deception credential failed logins.
- Share attack info for more efficient threat hunting.
- Reduce SIEM processing cycles through shared detection alerts.
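The two detection ideas above, using planted decoy credentials as bait and tagging the resulting alerts with MITRE ATT&CK technique IDs before exporting them to a SIEM, can be shown end to end in a few dozen lines. The following is an added example written for this page; it is not BOTsink or Attivo code and does not reflect how the product represents events. The normalized event field names, the decoy account names, the hypothetical vendor strings in the CEF header, and the technique mapping (T1078 Valid Accounts for any use of a stolen decoy credential, plus T1021 Remote Services when the logon is a network logon) are all assumptions made for illustration. The sample events are constructed Windows Security logon records (4624 success, 4625 failure) as a SIEM might hold them.

```python
"""Decoy-credential detection with MITRE ATT&CK tagging and CEF output.

Added example, not Attivo BOTsink code. Assumptions (not from the page):
the normalized event field names, the decoy account names, the vendor
strings in the CEF header, and the technique mapping in tag_techniques().
"""
from collections import Counter
from dataclasses import dataclass, field

# Constructed sample: normalized Windows Security auth events as a SIEM might
# hold them (4624 = logon success, 4625 = logon failure). Hypothetical names.
EVENTS = [
    {"ts": "2024-01-10T09:14:02Z", "host": "WS-0417", "event_id": 4624,
     "account": "j.doe", "src_ip": "10.20.4.17", "logon_type": 2},
    {"ts": "2024-01-10T09:20:31Z", "host": "FS-01", "event_id": 4625,
     "account": "svc_backup_admin", "src_ip": "10.20.4.17", "logon_type": 3},
    {"ts": "2024-01-10T09:20:33Z", "host": "FS-02", "event_id": 4625,
     "account": "svc_backup_admin", "src_ip": "10.20.4.17", "logon_type": 3},
    {"ts": "2024-01-10T09:21:05Z", "host": "DECOY-FS", "event_id": 4624,
     "account": "svc_backup_admin", "src_ip": "10.20.4.17", "logon_type": 3},
    {"ts": "2024-01-10T09:30:00Z", "host": "WS-0901", "event_id": 4625,
     "account": "m.smith", "src_ip": "10.20.9.1", "logon_type": 2},
]

# Credentials planted only as bait (hypothetical names); no legitimate
# process should ever authenticate with them.
DECOY_ACCOUNTS = {"svc_backup_admin", "finance_share"}


@dataclass
class Alert:
    ts: str
    host: str
    src_ip: str
    account: str
    outcome: str                      # "success" or "failure"
    techniques: list = field(default_factory=list)


def tag_techniques(event):
    """Assumed ATT&CK mapping for a decoy-credential event (illustrative)."""
    techs = ["T1078"]                 # Valid Accounts: a harvested credential is in use
    if event["logon_type"] == 3:
        techs.append("T1021")         # Remote Services: network logon, i.e. lateral movement
    return techs


def detect_decoy_credential_use(events, decoy_accounts=DECOY_ACCOUNTS):
    """Return one Alert per auth event that used a decoy account.

    Success and failure are both reportable: the credential exists only to
    be stolen, so any appearance of it means an attacker or a misconfigured tool.
    """
    alerts = []
    for ev in events:
        if ev["account"].lower() not in decoy_accounts:
            continue
        alerts.append(Alert(
            ts=ev["ts"], host=ev["host"], src_ip=ev["src_ip"],
            account=ev["account"],
            outcome="success" if ev["event_id"] == 4624 else "failure",
            techniques=tag_techniques(ev),
        ))
    return alerts


def attacker_sources(alerts):
    """Count alerts per source IP so the SOC can pivot to the compromised host."""
    return Counter(a.src_ip for a in alerts)


def to_cef(alert, vendor="ExampleVendor", product="DecoyDetect", version="1.0"):
    """Render an alert as a CEF line for syslog export; ATT&CK IDs go in cs1."""
    def esc(v):                       # CEF extension escaping for '\' and '='
        return str(v).replace("\\", "\\\\").replace("=", "\\=")
    severity = 9 if alert.outcome == "success" else 7
    ext = (f"rt={esc(alert.ts)} dhost={esc(alert.host)} src={esc(alert.src_ip)} "
           f"suser={esc(alert.account)} outcome={alert.outcome} "
           f"cs1Label=attack_techniques cs1={esc(','.join(alert.techniques))}")
    return f"CEF:0|{vendor}|{product}|{version}|100|Decoy credential used|{severity}|{ext}"


if __name__ == "__main__":
    found = detect_decoy_credential_use(EVENTS)
    for a in found:
        print(to_cef(a))
    print("sources:", dict(attacker_sources(found)))
```

Run stand-alone, the script flags the three events that touch `svc_backup_admin` (two failures against production file servers followed by a success against the decoy), attributes all of them to 10.20.4.17, and leaves the two ordinary user logons alone. Because the decoy account set is the only detection input, no signature tuning is involved; the cost of the approach is keeping that set in sync with what is actually planted on endpoints.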
Attivo Networks: Native Partner Integrations
Integrations and Playbooks for Automated Incident Response
ThreatOps® Incident Response Automation
A component of the BOTsink®, the ThreatOps® solution empowers organizations to build and automate threat defense playbooks. These playbooks are based on integrations with existing security infrastructure and create repeatable incident response workflows to automate manual tasks, increasing productivity while reducing errors and operational overhead. With integrated solutions that enable information sharing, network blocking, endpoint isolation, or threat hunting, the playbooks can automate a policy-based incident response to reduce the time to respond to a fast-moving or repeat attack.
Why Customers Choose ThreatOps® Playbooks
Playbook Incident Response Automation
Accelerate mean-time-to-remediation with native integrations that automate response actions and can be turned into repeatable processes and playbooks.
Automated response to common incidents
Defined playbooks for common attacks
Addresses skill gaps with consistent processes
Shares attack data for automated remediation
Create repeatable playbooks using a simple visual interface that shows all currently configured integrations. Drag and drop the tiles into the workspace and identify the information to send. Define the parameters that will automatically trigger the playbook or initiate it manually from within the dashboard.
BOTsink® PRODUCT OFFERINGS
Solutions are available as a virtual machine, appliance, or service.
BOTsink 3000 Series
— MID-MARKET NETWORK DECEPTION
Designed for smaller networks and the mid-market, this solution provides quick and easy network deception.
BOTsink 5000 Series
— ENTERPRISE-CLASS NETWORK DECEPTION
BOTsink 7000 Series
— HIGH-PERFORMANCE NETWORK DECEPTION
With twice the resources of the 5000 series, the 7000 series can easily accommodate more demanding decoy environments.
Attivo Central Manager
— ENTERPRISE-WIDE MANAGEMENT
Centralized management and operations for all deception fabric assets, whether on-premises, in the cloud, or at remote sites.
Simple, Scalable Deployment for Evolving Threats & Attack Surface
Flexible deployment options backed by network self-learning, simplified deployment, and ongoing operations.
- Flexible deployment options and machine learning for ongoing campaign authenticity and refresh.
- Designed to non-disruptively deploy & scale across all attack surfaces.
- Simplified deployment model.
- Intelligent self-learning to automate deployment.
- Self-learning campaign proposals to automate refresh.
- Centralized threat intelligence dashboard.
- Attack visualization tools.
- Integrations for actionable incident response.
- Central Manager for central global deployment management.
- Integration with EDR Tools.
- Output to any SIEM via syslog.
- Integrates with specific SIEMs, with an available Splunk ES App.
- Integrates with existing SOC tools and processes.
BOTsink for Cloud
For Private, Public, Hybrid Clouds
Easily deploy the BOTsink in AWS, Azure, Google, OpenStack and other cloud environments.
BOTsink for Data Centers
For In-house, Hosted, And Microsegmented Datacenters
Deploy BOTsink decoy deception to quickly detect lateral movement within your data centers.
BOTsink for User Networks
For Wired And Wireless User Networks
Add BOTsink decoy deception to user networks with configurations for Windows, Linux, Mac.
BOTsink for IoT
For a Variety of IoT Devices
Customize your BOTsink to appear as medical IoT devices, printers, video cameras, or other IoT devices.
BOTsink for ICS-SCADA
For Industrial Control
Customize your BOTsink to appear as HMI and supervisory control servers within industrial control environments.
BOTsink for Infrastructure
For Networked Devices
Customize your BOTsink to appear as routers within your user networks and data centers.
ThreatDirect – VM
Extend Network Deception
Extends network threat deception to remote and branch offices, the cloud, and for distributed and micro-segmented networks without the need for a local appliance.
Attivo Central Manager (ACM)
Central Intelligence & Management
Manages and centralizes threat intelligence and configurations of geographically distributed physical, virtual, and cloud deployments.
Google Cloud Platform
Managed Service for Active Directory on Google Cloud Platform
Secure Hosted AD on Google Cloud using ADSecure
Microsoft Azure IoT Edge
Microsoft Azure Security Center for IoT Edge
Deploy Azure IoT modules as decoys for early and accurate threat detection.