Attivo Networks Deception Technology for Threat Detection

Deception and Denial for Detecting Adversaries

Detect threats early in the attack cycle by attracting the attacker away from production assets with decoys, lures, and other deception bait. Comprehensive network and endpoint deceptions work hand in hand to derail attacks and catch reconnaissance, lateral movement, and credential theft activities.

Overview

The ThreatDefend platform provides immediate value with precise detection and prevention functions based on its unique capability to simultaneously deceive attacks and deny access to sensitive objects while providing early and accurate detection.

The ThreatDefend platform’s two-pronged approach to security provides greater coverage against discovery, lateral movement, and privilege escalation activities. Deception technology misdirects attackers away from production assets to attack decoys that record their activities while gathering forensics and adversary intelligence. Denial technology goes one step further by preventing attackers from seeing or accessing valuable data and objects such as local administrator accounts, files, folders, network or cloud mapped shares, open ports and services, or Active Directory objects. Any interaction that touches the deception or the attempts to discover the hidden objects generates an alert that notifies security teams to the attacker’s presence. Denial technology is especially effective against modern-day human-driven ransomware attacks that use APT-style tactics to discover critical data for encryption and exfiltration. Deceiving and denying access provides both detection and prevention functions without affecting regular operations.

THE EVOLUTION OF DECEPTION

Deception is not just a fancy honeypot. Honeypots first appeared in the 80’s and served a useful function for understanding who was attacking an organization from outside the network. Commercial deception technology has come a very long way in evolving the technology to now serve as a high-fidelity in-network detection control. Honeypot limitations associated with scale and operations are now removed by using virtualization and machine-learning automation to manage creating, deploying, and operating the deception environment. The Attivo Networks ThreatDefend platform takes deception even further, into the area of active defense, which incorporates automated attack analysis, forensics, and native integrations for accelerated incident response.

THE ROLE OF DECEPTION & DENIAL IN THE ATTACK LIFECYCLE

Security investments are typically made in preventing an attack and exfiltration. This leaves a giant blind spot for organizations, as attackers that bypass the perimeter can then move laterally and steal credentials as they quietly establish a foothold, gain privileges, and recon the network in search of their targets. Deception closes the in-network detection gap by placing attractive endpoint lures, data deceptions, and traps throughout the network. Organizations immediately gain the visibility needed to derail these attacks and remediate compromised devices.

Persistence Cycle

HOW DENIAL WORKS

Denial technology prevents attackers from seeing or gaining access to information, files, and storage they could use to progress their attack with discovery, lateral movement, and privilege escalation activities. As attackers attempt to discover or access these objects, the platform raises an alert containing the details of their activities down to the process and command line level.

HOW CONCEALMENT WORKS

Attackers can’t access, alter, or destroy objects they can’t see. Attivo Networks protects critical data and storage by hiding:

HOW DECEPTION WORKS

Deception works by using deceptive traps and lures designed to draw an attacker into engaging with them and away from production assets. Decoys are projected throughout the network along with endpoint credentials, mapped shares, and deception data or applications that breadcrumb the attacker back to an engagement server, which alerts on the attacker’s presence.

DECEPTION ARCHITECTURE

Believability is critical to enticing the attacker, and as such Attivo Networks uses real operating systems, services, and applications that mirror-match the production environment. Golden image software can also be used for 100% matching. Integration with Active Directory also validates deception credentials for authenticity.

DECEPTION WITHIN THE SECURITY CONTROL STACK

Deception technology provides the “eyes within the network” visibility to threats that have bypassed perimeter defenses. By laying a maze of decoys, lures, and misdirections, security teams can accurately and efficiently detect early reconnaissance, lateral movement, and credential theft, improving detection time and reducing attacker dwell time.

Cyber Deception For All Attack Surfaces

Attivo Networks cyber deception provides early and accurate threat detection with centralized management for an evolving attack surface.

Cloud

AWS, Azure, OpenStack, Google

Data Center Network

Distributed, microsegmented, private, public, hybrid

Corporate LAN

User, guest, wireless, wired

Endpoint

Mac, Windows, Linux, credentials, mapped shares, profile data

SPECIALIZED

ICS/SCADA, POS, telecom, IoT medical devices, infrastructure

APPLICATION

SWIFT, data, database, document

DISTRIBUTED

Remote office, branch office

ACTIVE DIRECTORY

Trusted domains, deceptive systems and user accounts

SPECIALIZED DECOY CAPABILITIES

DEVICE

Decoys that Mirror-Match Production Assets

Cisco Switches

Cisco Routers

Cisco Telephony

ICS/SCADA

IoT

Medical IoT

Point of Sale

SERVICES

Deceptive Decoy Services to Misdirect Attacks

Camera Streaming

File Transfer

Print Server

Remote Access

Web Server

APPLICATION

Deceptive Applications to Entice Attackers

Big Data

Database

Docker Apps

Retail Web Portal

SWIFT

Closing The Detection Gaps For All Threat Vectors

Perimeter and endpoint security solutions cannot reliably stop attacks from all vectors and methods. This has resulted in attacker dwell times averaging 101+ days (M-Trends 2018 Report). Deception technology plays a critical role in changing this paradigm by detecting attacks that have bypassed other security controls, early and accurately, regardless of the methods used to compromise the network. Since deception uses traps and lures to detect an adversary, the solution is not reliant on signatures or database lookups. This makes deception scalable and capable of reliably detecting attackers using ever-changing attack methods and targeting rapidly evolving attack surfaces.

Zero-day Exploitation

Credential Theft/reuse

Network Reconnaissance

Active Directory Reconnaissance

Communication over HTTPS

Man-in-the-middle Attack

DETECTING THE ADVERSARY

Threats arise from a variety of sources and are not limited to external threat actors. External adversaries, insiders, contractors, and suppliers are all capable of creating risk and potentially breaching an organization. Since they all operate within the perimeter, many traditional security controls are ineffective or unreliable as they try to learn behaviors and alert on suspicious activity. A different approach to in-network detection must be applied. These security controls must be capable and accurate in detecting nefarious activity, policy violations, and risks from human error.

Deception plays a critical role in detecting adverse behavior and in alerting on employee conduct outside of authorized practices. This could relate to unauthorized access, BYOD devices, undesirable activities, and insight into M&A integrations. One simple touch of the deception environment provides a substantiated alert with details of attempted actions. This provides the proof often required to take corrective and even legal action to protect an organization’s data, IP, patents, and other operating controls.

EXTERNAL

Employees

Suppliers

Contractors

Mergers & Acquisitions

Pen Testers

Use Cases

— Decoy engagement-based detection
— Not reliant on signatures to detect attacks
— No pattern matching or database lookup

— In-network threat detection
— Detect early reconnaissance
— Detect lateral movement
— Detect activities used to maintain presence

— Decoys to address all attack surfaces
— User Network
— Data Center
— Cloud (AWS, Azure, Google, OpenStack)
— Specialized: IOT, ICS, POS, SWIFT, Router

— Early detection of MitM attacks
— Attack replay to better understand movement

— Data deceptions to misdirect attack
— DecoyDocs for counterintelligence on attacker intent
— Geolocation tracking of opened documents

— Demonstrate in-network detection
— Forensics to demonstrate resolution
— Trust but verify M&A visibility
— Blue Team’s choice control during Pen Testing

— High-fidelity alerts are actionable
— Basic and advanced user interface
— Easy to deploy and operate
— Automations for attack analysis and incident response

— Hide and deny ransomware access to local, network, and cloud files and shares
— Delay encryption with high-interaction engagement technology to stall the attack

Deception For Ongoing Assessment And Compliance

Deception plays an important role in proving network resiliency. Blue teams can go into pen tests with confidence that they will be able to detect and record the actions of their red team adversary. One of the benefits of the ThreatDefend platform is its ability not only to detect early reconnaissance and credential theft, but also to record and report on every move, providing proof that the team is well equipped to detect and quickly respond to threats. These reports can also be crucial for proving company and supplier compliance.

Think that deception won’t be effective if the red team knows it’s installed? You will be pleasantly surprised that Attivo Networks detection passes with flying colors, even when the attacker anticipates it is installed. Want to see what an attacker would see, or how it will hold up against the adversary? Check out the BOTsink vulnerability emulator or ThreatInject tools to see what an attacker will see when looking for deception.

TOP TECHNOLOGY

DECEPTION TECHNOLOGY RECOMMENDED AS A TOP 10 STRATEGIC TECHNOLOGY TREND FOR 2018

GARTNER, INC.

Resources

Solution Brief: A Discussion on Deception Technology
At a Glance: Deception Technology – Much more than a Honeypot
How to Evaluate Deception Platforms and Checklist
Solution Brief: Attivo Networks Survey Report: Top Threat Detection Concerns & Trends

Perspectives

What’s Lurking Deep In Your Network?
Fox News and Carolyn Crandall Talk Deception Technology
Behind the Mask Interview with Director of Cybersecurity George Insko
Spotlight Series – What makes Deception Technology Uniquely Valuable

Spotlight

Attivo Networks® ThreatDefend™ Deception and Response Platform Overview
