Attivo Networks Threat Detection using Deception Technology

Visibility, Prevention, and Detection

Reduce company risk with visibility across all attack surfaces, prevention of critical data access, and early detection of attack activity.

Overview

Attivo solutions provide immediate value with in-network visibility into attack activity, prevention of malicious access to sensitive and critical data and accounts, and early detection and alerting of discovery, lateral movement, and privilege escalation activities. The company achieves this with innovations in Active Directory protection, endpoint defenses, and network security to reduce the attack surface, misdirect attack activity, and conceal sensitive or critical data.

Attackers have proven themselves capable of evading defenses to breach networks. They masquerade as legitimate employees, use stolen credentials, and take advantage of detection gaps to infiltrate a network, all while remaining undetected for extended dwell times. Security teams are challenged to be successful 100% of the time, whereas an attacker must only get lucky once. It’s now time to turn the tables on attackers with advanced solutions capable of revealing adversaries when they attempt to look or move around.

Attivo solutions provide extensive visibility into in-network attack activity across any attack surface, whether on-premises, in the cloud, or at remote locations. Unique cyber deception technology provides capabilities to deceive and misdirect attackers and to hide and deny access to critical data, preventing account compromise and misinforming discovery activity. They derail in-network lateral movement with early detection and alerting as attackers attempt to look or move around between systems. The mere act of observation reveals the attacker early in the attack cycle, empowering organizations to rapidly respond to threats inside the network before the attackers can cause extensive damage.

A Proactive Defense Disrupts An Attacker’s Playbook And Changes The Asymmetry Of An Attack

Visibility

See attack activity across any attack surface, regardless of location.

Proactive Prevention

Deny attackers from exploiting high-privileged accounts and sensitive data.

In-Network Detection

Alert on in-network discovery, lateral movement, and privilege escalation activity.

Attivo Within the Security Control Stack

Attivo solutions provide “eyes within the network” visibility to threats that have evaded perimeter defenses. By interweaving detection assets within the network, security teams can accurately and efficiently alert on discovery, lateral movement, and privilege escalation activities, improving time to detection and reducing attacker dwell time.


DECEPTION DISRUPTS AN ATTACKER’S PLAYBOOK AND CHANGES THE ASYMMETRY OF AN ATTACK

DWELL TIME

Attackers take their time, and assume they can move slowly through the network to avoid detection.

ESCALATION

Attackers will move laterally inside the network and escalate privileges to reach critical assets.

MISDIRECTION

Most attackers trust the information they steal is real and will act accordingly.

Attack Prevention and Detection

Deception and Denial work hand-in-hand to prevent and detect discovery, lateral movement, and privilege escalation attack activities. While deception misdirects attacks and gathers critical adversary intelligence, denial prevents attackers from seeing and exploiting essential information to progress their attack and compromise sensitive data.

COMPREHENSIVE COVERAGE FOR MITRE® FRAMEWORKS

MITRE frameworks are useful for understanding security risk against known adversary behavior, planning security improvements, and verifying defenses work as expected. The Attivo Networks ThreatDefend Platform provides extensive capabilities to detect many of the techniques outlined in the ATT&CK Matrix and Shield Framework, offering the industry’s most comprehensive threat detection coverage.

Attivo users see an average increase of 42% in detection rate when leveraging the Attivo Networks EDN solution with traditional endpoint security tools. To learn more, check out the TAG Cyber report on using Deception to Improve MITRE ATT&CK Test Results for Endpoint Security, the Attivo Testing Insights solution brief, and the MITRE whitepaper that maps our comprehensive coverage.

The ThreatDefend® Platform, comprising the ADSecure™, BOTsink®, and Endpoint Detection Net (EDN) solutions, represents the industry’s most comprehensive threat detection coverage, providing organizations with 27 of the 33 defensive techniques presented in MITRE Shield. Learn more by checking out our blog and our solution brief.

Alert Efficiency with Attivo Solutions

Research shows that Attivo solutions provide organizations with a high-fidelity, low-noise attack detection solution that improves efficiency. Attivo’s cyber deception technology not only reduces the cost of data breaches, but also increases the efficiency of typical Security Operations Center (SOC) operations, thereby providing direct and measurable financial benefits for organizations of all sizes and types.

MAXIMUM SIGNAL-TO-NOISE ALERT RATIO FUNNEL


By Deploying Attivo Solutions, Organizations Can:

Comprehensive Detection Coverage

NETWORK

Early, accurate detection of network-based attack activities such as Man-in-the-Middle and reconnaissance.

ENDPOINT

Visibility into endpoint discovery, lateral movement, and privilege escalation activities such as AD queries and port scans.

APPLICATIONS

Detection of attacks targeting critical applications such as SWIFT, infrastructure control panels, or web servers.

DATA

Hide, deny access to, and detect attacks targeting data such as local files, AD, databases, or sensitive documents.

Closing Threat Detection Gaps for All Attack Vectors

Perimeter and endpoint security solutions cannot reliably stop attacks from all vectors and methods. This has resulted in attacker dwell times averaging 56+ days (M-Trends 2020 Report). Attivo solutions play a critical role in changing this paradigm by detecting attacks that have evaded other security controls, early and accurately, regardless of the methods used to compromise the network. The solutions use cyber deception technologies that are not reliant on signatures or database look-ups but instead alert on confirmed attack activity. This makes Attivo scalable and capable of reliably detecting attackers using ever-changing attack methods and targeting rapidly evolving attack surfaces.

— Critical Data Compromise
— Credential Theft/Reuse
— Network Reconnaissance
— Active Directory Reconnaissance
— Port & Service Exploitation
— Man-in-the-Middle Attack

DETECTING THE ADVERSARY

Threats arise from a variety of factors and can come from internal or external threat actors. Outside adversaries, insiders, contractors, and suppliers are all capable of creating risk and potentially breaching an organization. Since they are all within the perimeter, many traditional security controls are ineffective or unreliable, as they try to learn behaviors and alert on suspicious activities that deviate from normal baselines. Organizations must apply a different approach to in-network detection. These security controls must be capable of accurately detecting nefarious activities, policy violations, and risks from human error.

Attivo solutions play a critical role in detecting adversary behavior and in alerting on employee conduct outside of authorized practices. This could relate to unauthorized access, BYOD devices, undesirable activities, and insight into M&A integrations. One interaction with an Attivo solution provides a substantiated alert with details of attempted actions. This provides the proof often required to take corrective and even legal action to protect an organization’s data, IP, patents, and other operating controls.

— EXTERNAL
— EMPLOYEES
— SUPPLIERS
— CONTRACTORS
— MERGERS & ACQUISITIONS
— PEN TESTERS

Use Cases

— Detect discovery activity
— Not reliant on signatures to detect attacks
— No pattern matching or database look up

— In-network threat detection
— Detect early reconnaissance
— Detect lateral movement
— Detect activities used to maintain presence

— Detects across every attack surface
— User Network
— Data Center
— Cloud (AWS, Azure, Google, OpenStack)
— Specialized: IOT, ICS, POS, SWIFT, Router

— Early detection of MitM attacks
— Attack replay to better understand movement

— Misdirect attacks away from production data
— DecoyDocs for counterintelligence on attacker intent
— Hide and deny access to sensitive data and storage

— Demonstrate in-network detection
— Forensics to demonstrate resolution
— Trust but verify M&A visibility
— Blue Team’s choice control during Pen Testing

— High-fidelity alerts are actionable
— Basic and advanced user interface
— Easy to deploy and operate
— Automations for attack analysis and incident response


Attivo Solutions for Ongoing Assessment and Compliance

The Attivo ThreatDefend platform plays an important role in proving network resiliency. Blue teams can go into Pen Tests with confidence that they can detect and record the actions of their Red team adversaries. One of the benefits of the ThreatDefend platform is its ability not only to detect Active Directory and other forms of reconnaissance and credential theft, but also to record and report on every move, providing proof that they are well-equipped to detect and respond quickly to threats. These reports can also be crucial for proving company and supplier compliance.

Think that the ThreatDefend platform won’t be effective if the Red team knows it’s installed? You will be pleasantly surprised that the platform passes with flying colors, even when attackers anticipate the presence of cyber deception. Want to see what an attacker would see or how it will hold up against the adversary? Check out the ThreatDefend platform and request a demo.


SPEAK TO A SECURITY SPECIALIST

Ready to find out what the Attivo Networks solution can do for your organization? Our security experts are standing by, ready to answer your questions.

Visibility & Detection

“The most important thing you do is provide me alerts based on confirmed activity. You are my eyes & ears on the inside of my network… the nerve center”

Sr Director InfoSec at Top 50 Retail Organization
