Attivo Networks Solutions for Lateral Movement Detection

Lateral Movement Detection

Detect East/West lateral movement and attack activity as adversaries look for systems to compromise, early in the attack cycle.

[Webinar] Filling the Gaps to Detect & Stop Lateral Movement

Overview

Attackers have ways to evade defenses and gain a beachhead on an internal system, but they must then move to expand their foothold. They conduct discovery and reconnaissance to find critical AD objects, live hosts, and services to exploit, and they steal and reuse credentials to escalate privileges as they move around within the network.

To combat this threat, organizations are turning to the Attivo Networks ThreatDefend platform’s lateral movement defenses, which impede attackers from gathering intelligence on AD accounts, live hosts, open services, data, and credentials, disrupting their ability to compromise systems and traverse the network undetected. The platform detects and alerts on lateral movement, credential theft, network discovery, and privilege escalation activities quickly and accurately so the organization can react to these attempts early in the attack cycle and reduce the risk of a breach.

Lateral Movement Risk


54% of techniques used to test lateral movement are missed, and 96% of lateral movement behaviors did not have a corresponding alert in the SIEM.

— Mandiant Security Effectiveness Report 2020


80 percent of security breaches involve weak, default, stolen, or otherwise compromised privileged credentials.

— Forrester


The vast majority of malware is written to elevate privileges and move laterally in an environment.

— FireEye M-Trends 2020


Nearly 60% of attacks now involve lateral movement…

— Carbon Black Global Threat Report 2019

Detect and Disrupt Malicious East/West Traffic

The ThreatDefend platform offers mechanisms to detect and disrupt intelligence gathering, network discovery, credential theft, and other lateral movement activities through the Endpoint Detection Net (EDN) family of products and the BOTsink deception server, whose overlapping and supporting functions disrupt the attack and impede the attackers’ progress. The platform alerts during the reconnaissance, lateral movement, and privilege escalation phases of the attack, giving organizations early warning that attackers are attempting to move through their networks.

Detect and Disrupt

The ThreatDefend platform offers mechanisms to detect and disrupt intelligence gathering, network discovery, credential theft, and other lateral movement activities.

  • Detects attempts to steal credentials or unauthorized AD queries
  • Stores deceptive credentials and data on endpoints that lead to decoys
  • Returns fake results on unauthorized AD queries that lead to decoys
  • Hides local administrator accounts, files, folders, removable storage, or cloud and network shares
  • Detects inbound or outbound attempts to fingerprint hosts or connect to inactive ports and forwards the traffic to decoys for engagement
  • Isolates attacking systems by forwarding all outbound traffic to decoys
  • Creates network decoys to engage with attackers
  • Detects network discovery and MitM activity
  • Alerts on attacker engagement
  • Records all attack and communications activities
  • Collects forensic evidence
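The two detection ideas in the list above, planted credentials that no legitimate process ever uses and decoy ports that no legitimate client ever connects to, can be illustrated with a small detector. The following is an added example written for this page, not Attivo code and not a description of how the ThreatDefend platform is implemented. The decoy account names, the decoy host address and port set, the key=value log format, and the sample events are all constructed for the example; the Windows logon event IDs (4624, 4625, 4648) are the real ones.

```python
"""Decoy-credential and decoy-port detection over constructed log events.

Added illustration of the deception technique described above. Not Attivo's
code: account names, hosts, ports and the log format are all hypothetical.
"""
import re
from collections import defaultdict
from dataclasses import dataclass

# Hypothetical decoy accounts seeded into endpoint credential stores.
# No real process uses them, so ANY authentication attempt with one of them
# is high-fidelity evidence that credentials were stolen and reused.
DECOY_ACCOUNTS = {"svc_backup_adm", "helpdesk-temp"}

# Hypothetical decoy host and the ports it advertises. No legitimate client
# has a reason to connect to them, so a touch is a discovery attempt.
DECOY_HOSTS = {"10.0.0.200"}
DECOY_PORTS = {445, 1433, 3389}

# Windows logon events: 4624 success, 4625 failure, 4648 explicit credentials.
LOGON_EVENTS = {4624, 4625, 4648}

# Constructed 'key=value key=value' record format.
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


@dataclass(frozen=True)
class Alert:
    kind: str
    source_ip: str
    detail: str


def parse_event(line):
    """Parse one key=value record into a dict (values may be quoted)."""
    return {k: v.strip('"') for k, v in KV_RE.findall(line)}


def detect(lines, scan_threshold=3):
    """Return alerts for decoy credential use and decoy port touches.

    Every decoy port hit is reported on its own. A source that touches at
    least `scan_threshold` distinct decoy ports is additionally flagged as
    fingerprinting the decoy, which is what a port scan looks like.
    """
    alerts = []
    ports_by_src = defaultdict(set)
    for line in lines:
        ev = parse_event(line)
        if ev.get("kind") == "logon":
            if (int(ev["EventID"]) in LOGON_EVENTS
                    and ev.get("TargetUserName") in DECOY_ACCOUNTS):
                alerts.append(Alert(
                    "decoy_credential_use", ev["IpAddress"],
                    f"{ev['TargetUserName']} from {ev['WorkstationName']} "
                    f"(EventID {ev['EventID']})"))
        elif ev.get("kind") == "conn":
            dport = int(ev["dport"])
            if ev["dst"] in DECOY_HOSTS and dport in DECOY_PORTS:
                ports_by_src[ev["src"]].add(dport)
                alerts.append(Alert("decoy_port_touch", ev["src"],
                                    f"{ev['dst']}:{dport}"))
    for src, ports in ports_by_src.items():
        if len(ports) >= scan_threshold:
            alerts.append(Alert("decoy_fingerprinting", src,
                                f"{len(ports)} decoy ports: {sorted(ports)}"))
    return alerts


# Constructed sample events: one benign workstation and one compromised one.
SAMPLE_LOG = [
    # Benign: a real user authenticating, then a real web server connection.
    'kind=logon EventID=4624 TargetUserName=alice WorkstationName=WS-01 IpAddress=10.0.0.11',
    'kind=conn src=10.0.0.11 dst=10.0.0.50 dport=443',
    # Attacker on WS-42 replays credentials lifted from the endpoint.
    'kind=logon EventID=4625 TargetUserName=svc_backup_adm WorkstationName=WS-42 IpAddress=10.0.0.7',
    'kind=logon EventID=4648 TargetUserName=helpdesk-temp WorkstationName=WS-42 IpAddress=10.0.0.7',
    # The same host probes the decoy for SMB, MSSQL and RDP.
    'kind=conn src=10.0.0.7 dst=10.0.0.200 dport=445',
    'kind=conn src=10.0.0.7 dst=10.0.0.200 dport=1433',
    'kind=conn src=10.0.0.7 dst=10.0.0.200 dport=3389',
    # SMB to a non-decoy server: not a decoy touch, so not alerted here.
    'kind=conn src=10.0.0.7 dst=10.0.0.50 dport=445',
]


def main():
    for a in detect(SAMPLE_LOG):
        print(f"[{a.kind}] from {a.source_ip}: {a.detail}")


if __name__ == "__main__":
    main()
```

The point of the example is fidelity: the detector needs no baseline and no behavioural model, because the decoy accounts and ports have no legitimate users, so every hit is actionable and all of them trace back to the same source address (10.0.0.7 in the constructed log). What it cannot do is see credential reuse or scans that never touch a decoy, which is why the list above pairs planted credentials with network decoys and endpoint-level detection rather than relying on any one of them.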

Benefits

Organizations choose Attivo Networks detection because:


Early Detection

  • Get substantiated detection of discovery and lateral movement activities.

Disrupt Lateral Movement

  • Deny attackers the ability to move laterally while remaining undetected.

Confuse Fingerprinting

  • Derail attacker discovery attempts to fingerprint systems for attack.

Impede Recon and Discovery

  • Misdirect and misinform attacker attempts to collect data for the attack

Restrict Privilege Escalation

  • Negate attacker attempts to escalate privileges to progress the attack

Native Isolation

  • Mitigate attacker damage by isolating communications to the decoy environment.

“The most important thing you do is provide me alerts based on confirmed activity… you are my eyes and ears on the inside of my network… the nerve center”

Sr Director Info Sec at Top 50 Retail Organization

Resources

SolarWinds Supply Chain Attack: Automating Incident Response to Detect Lateral Movement
There’s a Hole in Your Threat Detection Strategy—It’s Called East/West Traffic
Want stronger cybersecurity? Start by improving east-west traffic detection
Solution Brief
Accelerating SolarWinds Post-Breach Incident Response for the Fastest Lateral Movement Detection
Attivo Offers Limited-Time Software Use to Combat Privilege Escalation and Lateral Movement
Preventing Lateral Movement

Ready to find out what’s lurking in your network?
