Attivo BOTsink® Deception Decoy Technology for Threat Detection

The BOTsink® Solution Offers Network-Based Threat Deception for Post-Compromise Threat Detection.

BOTsink® for Network-Based Threat Detection

The Attivo BOTsink® solution stands guard inside your network, using high-interaction deception and decoy technology to lure attackers into engaging and revealing themselves. Through misdirection of the attack, organizations gain the advantage of time to detect, analyze, and stop an attacker.

Why Customers Choose the BOTsink® Solution

  • Recon & Lateral Movement Detection

  • Authentic & Attractive Decoys

  • Easy To Deploy & Operate

  • High-fidelity Alerts

  • Automations For Incident Response

BOTsink® for MITRE ATT&CK Analysis

Built-in alert classifications following industry-standard MITRE ATT&CK categories.

  • Maps detected events to the MITRE ATT&CK matrix
  • Identifies categories and subcategories to aid in analysis
  • Exports alerts with MITRE category tagging to the SIEM, integrating with existing analysis workflows
  • Outputs data per system, per attack, and per event for faster analysis and response
  • Identifies evasion techniques that are effective against the current security posture for gap analysis
  • Uses MITRE analysis to measure control effectiveness against specific techniques

Substantiated And Actionable Alerting

Alerts generated by the Attivo BOTsink solution come from attacker engagement with a decoy. This results in high-fidelity alerts of confirmed attacker activities, substantiated with details and forensically captured evidence to support investigations for an actionable response.

  • Actionable alerts are created from attacker engagement or credential reuse.
  • High-fidelity alerts are substantiated with details from attacker engagement.
  • Full forensics make for an actionable response.

BOTsink® for Comprehensive Attack Surface Coverage

Quickly detect in-network threat activity across all attack surfaces as an attacker seeks target assets, moves laterally, and maintains presence.

Decoys for Early Detection of Reconnaissance & Lateral Movement Activity

  • Servers
  • Endpoints
  • Active Directory
  • Application
  • Data
  • Specialized Devices: IoT, Medical IoT, ICS/SCADA, POS
  • Network Infrastructure

BOTsink Deceptions

Deception Authenticity to Match Production Environments.

  • Server Decoy: Windows, Linux
  • Endpoint Decoy: Windows, Linux, Mac
  • Specialized Decoy: IOT, ICS, POS…
  • Application: SWIFT, Web, 25+ Services
  • Data: Data, Database, DecoyDocs
  • Active Directory: Directory Services

BOTSINK® USE CASES

— Decoy engagement-based detection
— Not reliant on signatures to detect attacks
— No pattern matching or database look up

— In-network threat detection
— Detect early reconnaissance
— Detect lateral movement
— Detect activities used to maintain presence

— Decoys to address all attack surfaces
— User Network
— Data Center
— Cloud (AWS, Azure, Google, OpenStack)
— Specialized: IOT, ICS, POS, SWIFT, Router

— Early detection of MitM attacks
— Attack replay to better understand movement

— Data deceptions to misdirect attack
— DecoyDocs for counterintelligence on attacker intent
— Geolocation tracking of opened documents

— Demonstrate in-network detection
— Forensics to demonstrate resolution
— Trust but verify M&A visibility
— Blue Team’s choice control during Pen Testing

— Automate manual IR tasks for efficiency
— Basic and advanced user interface
— Reduce time to respond, increase consistency
— Automate analysis and threat hunting
— Record all response activities for post-incident report

Detect In-Network Malicious Actors & Insiders with BOTsink®

Deceive external and internal threats (employees, suppliers, contractors) into revealing themselves.

  • Server, endpoint, application, data, and database deceptions provide the most comprehensive threat deception across all networks.
  • Early detection of network reconnaissance and lateral movement.
  • Catch attacks like Man-in-the-Middle.
  • Real Windows and Linux operating systems and services appear as authentic production assets and create attractive targets for attackers.
  • Golden-image customization for the utmost authenticity.
  • Threat deception for evolving attack surfaces.
  • Scalability for data centers, cloud, user networks, remote office, and specialty networks.
  • Detection is driven by engagement with network decoys, deception documents, deceptive credentials, and applications.
  • Alerts are substantiated, high-fidelity, and actionable, removing false positive fatigue.
  • Does not need tuning to be effective, providing immediate detection value.

“I’VE HAD THE OPPORTUNITY TO SEE THE BOTSINK THROUGH SEVERAL VERSIONS AND IT JUST KEEPS GETTING BETTER AND BETTER. THERE IS NO DOUBT THAT IT IS A TRUE NEXT GENERATION SECURITY TOOL.”

Dr. Peter Stephenson, PhD – Cybersecurity Analyst And Researcher

Engage the Adversary with BOTsink®

Unlike other deception solutions, the Attivo BOTsink solution projects fully customizable OS decoys that adversaries can interact with fully. The decoys create a sandbox environment that records all attacker activity while deceiving them into engaging for far longer than with typical emulated honeypots. This results in the most detailed information and evidence for supporting investigations and developing adversary intelligence.

  • Centralize: Threat Intelligence
  • View: Attack Details, Maps & Replay
  • Activate: Incident Response
  • Access: Attack & Forensic Reporting

BOTsink® for Attack Analysis Automation

Capture Threat, Adversary, and Counterintelligence to strengthen overall defenses.

  • Built-in sandbox automates attack correlation & analysis, improving time to remediation.
  • Gain threat intelligence by identifying indicators of compromise (IOCs) and tactics, techniques, and procedures (TTPs).
  • Automate malware and phishing email analysis.
  • Sandboxed attacker engagement with full interactivity.
  • Record all attack activity at the decoy disk, memory, and network layers.
  • Watch lateral movement & record C&C communications.
  • Data loss tracking and geolocation beaconing.
  • Gain understanding of attacker intent.
  • Standard and advanced dashboard settings for simple operation.
  • Optional Central Manager provides consolidated on-premises or cloud central management.
  • Extensive integrations for information sharing.

Early Detection with Actionable Threat Intelligence

Centrally manage the deception environment and quickly take action on detected threats. Easily drill down into attack detail and streamline operations with automations for attack analysis and response.

  • Optimized for Fast Response
  • Views by Severity, Time, Type
  • Central Management
  • Leverage integrations for automated incident response
  • Initiate responses directly from the dashboard

BOTsink® for Vulnerability Assessment & Attack Visualization

Reduce risk and mean time to response with credential vulnerability and attack visualization tools.

  • Topographical maps show attacker movement.
  • Time-lapsed attack replay tracks changes over periods of time.
  • Valuable for Man-in-the-Middle and other attacks that are difficult to understand.
  • Network visualization maps show adds and changes to devices on the network.
  • See where deception is deployed for risk profiling.
  • Full interaction decoys collect and develop IOCs to quickly identify other compromised systems.
  • Native integrations accelerate automated or manual threat hunting.

Attack Visualization

Quickly visualize attacks on the network and improve your understanding of cross-VLAN attacks. Watch how attacks play out over time and apply these learnings to strengthen defenses.

  • Visualize Attacks
  • Understand Cross-VLAN Attacks
  • Time-lapsed Playback
  • Deploy Deception
  • Strengthen Defenses

Network Visualization

Quickly discover adds and changes of devices on the network. Watch how your network changes over time, easily understand where deception is operating, and identify opportunities to strengthen defenses.

  • Notification of Device Changes
  • Watch Network Adjustments
  • Time-Lapsed Playback
  • Understand Deception Deployed
  • Strengthen Defenses

MITRE ATT&CK EVENT CLASSIFICATION

Accurately tag and display events with the appropriate MITRE ATT&CK technique categories. View summary information and quickly filter on specific phases for faster analysis and response.

  • Categorize alerts by technique
  • Speeds and aids analysis
  • Assists in remediation
  • Helps identify defensive gaps
  • Integrates with SOC workflows

Active Defense Partners

Native integrations for improved workflow management, information sharing and simplifying incident response with automated blocking, quarantine, and threat hunting.

  • Extensive integrations accelerate incident response with automated blocking, isolation, and threat hunting.
  • Incident response can be manually activated within the dashboard or fully automated.
  • Automate workflow process from response to trouble ticket remediation.
  • Faster, predictable response actions.
  • Query SIEMs for deception credential failed logins.
  • Share attack info for more efficient threat hunting.
  • Reduce SIEM processing cycles through shared detection alerts.
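The alerting described above (credential-reuse alerts substantiated with engagement details, MITRE ATT&CK tagging, and the SIEM query for deception-credential failed logins) can be illustrated with a small detector. This is an added example and not Attivo code: it assumes a constructed set of decoy account names that exist only as lures, a constructed key=value authentication log format, and an assumed mapping of logon outcome to ATT&CK technique IDs (the IDs are real ATT&CK identifiers; the choice of mapping is ours).

```python
"""Added example: flag any use of deception (honeytoken) credentials in auth logs
and emit SIEM-ready, MITRE ATT&CK-tagged alerts. Not Attivo code."""
import json
import re
from dataclasses import dataclass, asdict

# Assumed set of deception credentials planted in the environment (constructed names).
# These accounts have no legitimate use, so any logon attempt with them is a signal.
DECOY_ACCOUNTS = {"svc_backup_old", "adm_fileshare", "hr_archive"}

# Assumed mapping from logon outcome to ATT&CK technique (real technique IDs,
# mapping chosen for this example).
MITRE_MAP = {
    "success": ("T1078", "Valid Accounts"),
    "failure": ("T1110", "Brute Force"),
}

# Constructed sample log lines, one flattened Windows logon event per line
# (4624 = successful logon, 4625 = failed logon) as a syslog forwarder might emit.
SAMPLE_LOGS = [
    "2024-03-01T10:02:11Z host=fs01 event=4625 user=jsmith src=10.1.4.22 status=failure",
    "2024-03-01T10:02:19Z host=fs01 event=4625 user=svc_backup_old src=10.1.4.22 status=failure",
    "2024-03-01T10:02:24Z host=fs01 event=4624 user=svc_backup_old src=10.1.4.22 status=success",
    "2024-03-01T10:03:00Z host=dc01 event=4624 user=mlee src=10.1.9.5 status=success",
    "garbage line that does not parse",
]

LINE_RE = re.compile(
    r"^(?P<ts>\S+) host=(?P<host>\S+) event=(?P<event>\d+) "
    r"user=(?P<user>\S+) src=(?P<src>\S+) status=(?P<status>success|failure)$"
)


@dataclass
class Alert:
    ts: str
    host: str
    user: str
    src: str
    outcome: str
    technique_id: str
    technique_name: str
    severity: str


def parse_line(line):
    """Return the event fields as a dict, or None if the line is not in the expected form."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def detect(lines, decoy_accounts=DECOY_ACCOUNTS):
    """Return one Alert per logon attempt (failed or successful) that used a decoy account."""
    alerts = []
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue  # unparseable input is skipped, never turned into an alert
        if ev["user"] not in decoy_accounts:
            continue  # real users' failed logons are ordinary noise for this detector
        tid, tname = MITRE_MAP[ev["status"]]
        # A failed attempt shows the lure was touched; a successful logon means the
        # attacker now holds a session on that host, so it is rated higher.
        severity = "high" if ev["status"] == "success" else "medium"
        alerts.append(Alert(ev["ts"], ev["host"], ev["user"], ev["src"],
                            ev["status"], tid, tname, severity))
    return alerts


def to_syslog_json(alert):
    """Serialize an alert as one JSON line, suitable for forwarding to a SIEM over syslog."""
    return json.dumps(asdict(alert), sort_keys=True)


if __name__ == "__main__":
    for a in detect(SAMPLE_LOGS):
        print(to_syslog_json(a))
```

Run stand-alone it prints two JSON lines, both for `svc_backup_old` from `10.1.4.22`: the failed attempt tagged T1110 at medium severity, then the successful logon tagged T1078 at high severity. The same `detect()` logic expresses the SIEM query mentioned above: filter logon events to the decoy account list, and every hit is worth an analyst's attention because the accounts have no legitimate users.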

Attivo Networks: Native Partner Integrations

Integrations and Playbooks for Automated Incident Response

ThreatOps® Incident Response Automation

A component of the BOTsink®, the ThreatOps® solution empowers organizations to build and automate threat defense playbooks. These playbooks are based on integrations with existing security infrastructure and create repeatable incident response workflows to automate manual tasks, increasing productivity while reducing errors and operational overhead. With integrated solutions that enable information sharing, network blocking, endpoint isolation, or threat hunting, the playbooks can automate a policy-based incident response to reduce the time to respond to a fast-moving or repeat attack.

Why Customers Choose ThreatOps® Playbooks

  • Reduced Time-to-Respond

  • Consistent Processes

  • Automated Response

  • Simplified Operations

  • Faster Remediation

Playbook Incident Response Automation

Accelerate mean-time-to-remediation with native integrations that automate response actions and can be turned into repeatable processes and playbooks.

  • Workflow: Automated response to common incidents
  • Repeatable: Defined playbooks for common attacks
  • Standardized: Addresses skill gaps with consistent processes
  • Defend: Shares attack data for automated remediation

THREATOPS INTEGRATIONS

  • Block
  • Quarantine
  • Access Control
  • Isolate
  • Threat Hunt
  • Remediate

Playbook Configuration

Create repeatable playbooks using a simple visual interface that shows all currently configured integrations. Drag and drop the tiles into the workspace and identify the information to send. Define the parameters that will automatically trigger the playbook or initiate it manually from within the dashboard.

  • Automate Incident Response
  • Consistent, Accurate Processes
  • Workbooks for Common Attacks
  • Simplify IR Operations
  • Share Attack Data with Partners

BOTsink® PRODUCT OFFERINGS

Solutions are available as a virtual machine, appliance, or service.

BOTsink 3000 Series

— MIDMARKET NETWORK DECEPTION

Designed for smaller networks and the mid-market, this solution provides quick and easy network deception.

BOTsink 5000 Series

— ENTERPRISE-CLASS NETWORK DECEPTION

Designed for enterprise and telecommunications networks, this solution provides scalable network deception for large and global organizations.

BOTsink 7000 Series

— HIGH-PERFORMANCE NETWORK DECEPTION

With twice the resources of the 5000 series, the 7000 series can easily accommodate more demanding decoy environments.

Attivo Central Manager

— ENTERPRISE-WIDE MANAGEMENT

Centralized management and operations for all deception fabric assets, whether on-premises, in the cloud, or at remote sites.

Simple, Scalable Deployment for Evolving Threats & Attack Surface

Flexible deployment options backed by network self-learning, simplified deployment, and ongoing operations.

  • Flexible deployment options and machine learning for ongoing campaign authenticity & refresh.
  • Designed to non-disruptively deploy & scale across all attack surfaces.
  • Simplified deployment model.
  • Intelligent self-learning to automate deployment.
  • Self-learning campaign proposals to automate refresh.
  • Centralized threat intelligence dashboard.
  • Attack visualization tools.
  • Integrations for actionable incident response.
  • Central Manager for central global deployment management.
  • Integration with EDR Tools.
  • Output to any SIEM via syslog.
  • Integrates with specific SIEMs, with an available Splunk ES App.
  • Integrates with existing SOC tools and processes.

Deployment Options

BOTsink for Cloud

For Private, Public, Hybrid Clouds

Easily deploy the BOTsink in AWS, Azure, Google, OpenStack and other cloud environments.

BOTsink for Data Centers

For In-house, Hosted, And Microsegmented Datacenters

Deploy BOTsink decoy deception to quickly detect lateral movement within your data centers.

BOTsink for User Networks

For Wired And Wireless User Networks

Add BOTsink decoy deception to user networks with configurations for Windows, Linux, Mac.

BOTsink for IoT

For A Variety Of IoT Devices

Customize your BOTsink to appear as medical IoT devices, printers, video cameras, or other IoT devices.

BOTsink for ICS-SCADA

For Industrial Control

Customize your BOTsink to appear as HMI and supervisory control servers within industrial control environments.

BOTsink for Infrastructure

For Networked Devices

Customize your BOTsink to appear as routers within your user networks and data centers.

ThreatDirect – VM

Extend Network Deception

Extends network threat deception to remote and branch offices, the cloud, and for distributed and micro-segmented networks without the need for a local appliance.

Attivo Central Manager (ACM)

Central Intelligence & Management

Manages and centralizes threat intelligence and configurations of geographically distributed physical, virtual, and cloud deployments.

Google Cloud Platform

Managed Service for Active Directory on Google Cloud Platform

Secure Hosted AD on Google Cloud using ADSecure

Microsoft Azure IoT Edge

Microsoft Azure Security Center for IoT Edge

Deploy Azure IoT modules as decoys for early and accurate threat detection.

Spotlight

ENTERPRISE MANAGEMENT ASSOCIATES® (EMA™): A Definitive Market Guide to Deception Technology

Resources

  • 3rd Party Analysis of BOTsink Solution
  • Use Cases to Defeat Advanced Attackers
  • 9 CISO Challenges: Are They the Same As Yours?
  • Attivo Perspectives on Gartner Deception Solution Comparison

Perspectives

  • Solution Brief
  • Attivo Networks® BOTsink® Family Data Sheet
  • Attivo Networks Portfolio Overview
  • BOTsink® Decoys and Engagement Servers
