With its Deception and Response Platform, Attivo Networks addresses the main weakness of most deception technology, having to rely on other programs to respond to an attack once revealed by the deception network.
Deception technology, deploying fake assets inside real networks to trick and catch attackers, shows an incredible amount of promise within cybersecurity as the technology grows. Even as hackers learn to expect that deception assets will be hidden among their targets, deception tools seem more than capable of keeping one step ahead. So long as the deceptive assets are supported with lures and breadcrumbs on production systems to make them look real, attackers will inevitably wander into the traps and reveal themselves.
However, not everything is perfect in the world of deception. Most of the programs on the market today, while very good at alerting to the presence of an attacker, do nothing in terms of remediating the problem – other than perhaps offloading that responsibility to another program or to the humans working a network SIEM console. In many ways, they end up like the dog chasing cars in that old story, putting a ton of effort into catching their quarry but almost no thought into what to do once they have successfully latched on.
The Attivo Deception and Response Platform aims to change all that, adding native and even automatic response capabilities to its already powerful deception frontend. This is coupled with other powerful tools and applications like internal sandboxing, ransomware protection, user training and even phishing sample submissions, all supported by robust, accurate deception.
The Attivo platform is divided into four components: BOTsink, ThreatStrike, ThreatPath and ThreatOPs. Together they form the complete detection and response capability, starting with deploying decoys and making them look like real clients, then protecting credentials and preventing ransomware outbreaks, plotting the paths attackers take and blocking them from reentering a network once purged, and tracking everything in a ticketing system suitable for confirmation checking or auditing. But it all starts with deploying deception.
The platform is normally deployed on-premises as an appliance, though a cloud version is also available. (Our test was done with a physical server.) Each appliance can support up to 384 deception devices, which can take on the capabilities and configurations of real network assets like servers and clients, or even ones specific to certain industries, like infusion drug pumps in healthcare or point-of-sale devices in retail. You simply load the golden image for the device you want to deceptively replicate and deploy it in the network so that it mirrors the real assets it is imitating. After that, decoys and lures are placed to make the deception points come alive and appear to be in constant use.