Incident Response

Actionable alerts, forensics, and automation to accelerate incident response.

Free Active Directory Security Assessment for Unprecedented Visibility to AD Vulnerabilities

Awards

The State Of Active Directory

Don’t leave the door open for attackers to secure the “keys to the kingdom”.

increasing threats

26% Increase in Attacks in Early 2020

— Akrose Labs

point-of-sale attacks

Top threat to the retail industry

— Booz Allen Hamilton

monthly attacks

Every month, 44% of retail firms get hit by an average of 50+ cyberattacks.

— Best VPNs

median time to detection

197 days in the retail sector.

— Ponemon

Overview

The Attivo Networks Deception and Response Platform provides substantiated, actionable alerts. Its decoys record all attacker interactions to capture the forensic evidence analysts need to conduct and report on their investigations. With the Informer solution, the built in analysis engine automatically correlates attack data, enriches the information with native threat intelligence feeds, and delivers an accurate chronological session view of all attacker activity. The system automates incident response with integrations that provide automatic threat intelligence sharing, blocking, and threat hunting. The ThreatOps module can be activated to provide repeatable playbooks, providing consistent and rapid responses from a deception-based detection. These functions all simplify and increase the efficiency of the incident response process.

Benefits

Retail organizations choose Attivo Networks® deception-based threat detection for:

Benefits Subtitle

Substantiated Alerts

Based on Attacker engagement
Immediately Actionable
Responders can act with high confidence

Automated Analysis

Attack information correlation
Threat intelligence enrichment
Identify polymorphic or time-triggered activity

Active Directory Protection Coverage

Keep businesses safe by preventing the misuse of privileged credentials and accounts with continuous Active Directory assessment and attack path visibility. Expose and remediate at risk credentials and paths that provide access to an organization’s most valuable assets.

Credentials

Shadow Admins

Stale Accounts

Shared Credentials

Identity Attack Paths

Active Directory-Specific MITRE ATT&CK Techniques

Attivo Networks Active Directory protection provides comprehensive security for MITRE ATT&CK Techniques

T1003: OS Credential Dumping (Dcsynq)

Domain groups
Cloud groups
Local groups

T1069: Permission Group Discovery

T1078: Valid Accounts

T1087: Account Discovery

Local Account
Domain Account
Email Account
Cloud Account

T1135: Network Share Discovery

T1207: Rogue Domain Controller (Dcshadow)

T1482: Domain Trust Discovery

T1550: Use Alternate Authetication Material

Golden ticket attack
Silver ticket attack

T1557: Steal Or Forge Kerberos Tickets: (Kerberoasting)

Cloud Environments Supported

Attivo Active Directory Protection Solutions

Port/Service Scans

The Endpoint Detection Net Solution (Deflect Feature) Provides:

Endpoint-based port and service reconnaissance visibility and alerting
Inbound or outbound attack-related connection redirection
Host fingerprinting prevention
Native host quarantine

The Endpoint Detection Net™ Solution (Deflect Feature) Offers:

Port/Service Scans

The Endpoint Detection Net Solution (Deflect Feature) Provides:

Endpoint-based port and service reconnaissance visibility and alerting
Inbound or outbound attack-related connection redirection
Host fingerprinting prevention
Native host quarantine

Incident Response Capabilities

Attack Analysis

Threat Intelligence Development

Automated Response Actions

Malware Analysis

Native Integrations

Attack Time-Lapse Replay

Cyber Deception For All Attack Surfaces

Attivo Networks cyber deception provides early and accurate threat detection with centralized management for an evolving attack surface.

Cloud

AWS, Azure, OpenStack, Google

Data Center Network

Distributed, microsegmented, private, public, hybrid

Corporate LAN

User, guest, wireless, wired

Endpoint

Mac, Windows, Linux, credentials, mapped shares, profile data

Cloud

AWS, Azure, OpenStack, Google

Data Center Network

Distributed, microsegmented, private, public, hybrid

Corporate LAN

User, guest, wireless, wired

Endpoint

Mac, Windows, Linux, credentials, mapped shares, profile data

“The most important thing you do is provide me alerts based on confirmed activity… you are my eyes and ears on the inside of my network.. the nerve center”

— CISO, FORTUNE 500 FINANCIAL SERVICES FIRM

Closing The Detection Gaps For All Threat Vectors

100Perimeter & endpoint security solutions cannot reliably stop attacks from all vectors and methods. This has resulted in attacker dwell times averaging 101+ days (M-Trends 2018 Report). Deception technology plays a critical role in changing this paradigm by detecting attacks that have bypassed other security controls, early and accurately, regardless of the methods used to compromise the network. Since deception uses traps and lures to detect an adversary, the solution is not reliant on signatures or database look up. This makes deception scalable and capable of reliably detecting attackers using ever-changing attack methods and targeting rapidly evolving attack surfaces.

Zero-day Exploitation

Credential Theft/reuse

Network Reconnaissance

Active Directory Reconnaissance

Communication Over Https

Man-in-the-middle Attack

Use Cases

01 Early Warning System

Hiding data, cyber deception, and misdirections reveal attackers early as they look to conduct reconnaissance, steal credentials, and to move laterally in order to escalate their attack.

02Easy to Deploy

Deception and concealment are non-disruptive technologies to set up. Deployment is simple and automated, accomplished in as little as day. Credential customization and deployment is fast and easy with a wide variety of options. Active Directory protection and assessments happen at the endpoints in in the cloud with no impact to production AD controllers.

03Actionable Alerts

High fidelity alerts are based on attacker engagement with decoys, deception credentials, port scanning, or other bait. Each alert is actionable with attack details for prompt incident response.

04Low Maintenance and Attention

Machine-learning is applied to create dynamic deception campaigns that simplify ongoing deception environment authenticity, refresh, and redeploy after a compromise is detected. Engagement-based alerts prevent false-positives, automate attack analysis and incident response actions, and remove operation burden.

05Strengthens Overall Defenses

Extensive 3rd party integrations accelerate incident response and reduce the meantime to remediation. Automations will accelerate blocking, quarantine, and threat hunting, while repeatable playbooks streamline incident response.

Sequence

01 Attacker compromises a system
02Attacker enumerates local files and folders
03Attacker queries for local administrator accounts

Deception For Ongoing Assessment And Compliance

Deception plays an important role in proving network resiliency. Blue teams can go into Pen Tests with confidence that they will be able to detect and record the actions of their Red team adversary. One of the benefits of the ThreatDefend platform is its ability to not only detect early reconnaissance and credential theft, but also in its ability to record and report on every move for the proof that they are well equipped to detect and quickly respond to threats. These reports can also be crucial for proving company and supplier compliance.

Think that deception wont be effective if the Red team knows its installed. You will be pleasantly surprised that Attivo Networks detection passes with flying colors, even when the attacker anticipates it is installed. Want to see what an attacker would see or how it will hold up against the adversary? Check out the BOTsink vulnerability emulator or ThreatInject tools to see what an attacker will see when looking for deception.

Learn More

Deception use cases for retail organizations

In-Network Visibility

Deception use cases for retail organizations

In-Network Visibility

Retail organizations manage a complicated network that can include corporate and business assets, remote store networks, customer-facing web applications, and networks that operate Point-of-Sale systems. The Attivo Networks ThreatDefend deception and response platform is uniquely suited to provide eyes-inside-the-network visibility to all areas of a retail organization’s IT infrastructure. Benefits include the ability to quickly detect targeted attacks, unknown threats, and policy violations that may come from external, supplier, or internal threat actors.

Lateral Movement to POS Systems

Deception use cases for retail organizations

Lateral Movement to POS Systems

POS systems have proven to be a prime target to be breached because of the large financial gains that can be made. Attivo Networks empowers retail organizations by providing efficient detection of attacks targeting POS management severs an lateral movement throughout the network. The ThreatDefend™ platform can accurately detect threats by identifying the infected clients being used by attackers to propagate the attack. The solution significantly reduces detection time, providing the context retail organizations need for remediation of an attack and to mitigate the risk of an attacker’s return.

IoT Threats

Deception use cases for retail organizations

IoT Threats

As the amount of devices connected to the Internet of Things (IoT) continues to explode, the serious security complications surrounding these devices must be addressed by retail organizations concerned about protecting critical customer data.

The Attivo Networks platform can be configured to look identical to the IoT devices on an organizations network (signage, card readers, environmental control systems, etc.); engagement servers and decoys appear as real production IoT servers and services, deceiving attackers into thinking they’re authentic. By engaging with decoys and not with production devices, the attacker reveals themselves and can then be quarantined and studied for detailed forensics.

Mergers and Acquisitions

Deception use cases for retail organizations

Mergers and Acquisitions

The Attivo Networks platform has a proven track record in playing a crucial role during M&A due diligence and post-acquisition integration for retail organizations. By detecting hidden threats, identifying security deficiencies, and providing risk visibility, these insights can be applied to mitigate risk and to strengthen the combined organization’s overall security posture. The platform can instantly detect and alert on suspicious behavior that may arise from new network access including insiders, suppliers, and contractors, and will provide detailed forensics to understand and quickly react/respond to anomalous behavior.

Insider Threats

Deception use cases for retail organizations

Insider Threats

It has become increasingly important for retail organizations to be able to identify and stop attacks from within. Whether these threats are from employees, contractors, or suppliers, insider threats start with the advantage of already being inside—often with privileged access to the network and sensitive information. Deception technology is a tried-and-proven technique for outmaneuvering the adversary. Applying deception technology allows retail organizations to effectively protect sensitive assets and data from an insider threats and provides tools needed to quickly and accurately detect and identify suspicious or malicious insider activity.

Business Value

Early and Accurate Detection of Network Attack Activity to Minimize Organizational Risk

Reconnaissance

Detect reconnaissance from human and automated attacker.

Alerting

Reduce false positives. Receive only high-fidelity alerts.

Derailing Attacks

Create virtual landmines to efficiently derail attacks.

Reconnaissance

Detect reconnaissance from human and automated attacker.

Alerting

Reduce false positives. Receive only high-fidelity alerts.

Derailing Attacks

Create virtual landmines to efficiently derail attacks.

Reconnaissance

Detect reconnaissance from human and automated attacker.

Alerting

Reduce false positives. Receive only high-fidelity alerts.

Derailing Attacks

Create virtual landmines to efficiently derail attacks.

Securing The Enterprise When Employees Work Remotely

Active Directory Reconnaissance

Real time visibility on attempts to enumerate hosts on the VPN network segment.

Active Directory Reconnaissance

Real time visibility on attempts to enumerate hosts on the VPN network segment.

Active Directory Reconnaissance

Real time visibility on attempts to enumerate hosts on the VPN network segment.

A Proactive Defense Disrupts An Attacker’s Playbook And Changes The Asymmetry Of An Attack

Visibility

See attack activity across any attack surface, regardless of location.

Prevention

Deny attackers from exploiting high-privileged accounts and sensitive data.

Detection

Alert on in-network discovery, lateral movement, and privilege escalation activity.

MITRE ATT&CK®

Tag Cyber Report

Testing Insights

MITRE Coverage

Attivo users see an average increase of 42% in detection rate when leveraging the Attivo Networks EDN solution with traditional endpoint security tools. To learn more, check out the TAG Cyber report on using Deception to Improve MITRE ATT&CK Test Results for Endpoint Security, the Attivo Testing Insights solution brief, and the MITRE whitepaper that maps our comprehensive coverage.