Product: ThreatDefend™ Detection and Response Platform
What we liked: A well-polished platform; one of the more mature solutions we’ve seen in this space.
Security professionals are clearly recognizing the promise offered by this additional layer of detection, and many new industry segments are adapting the deception model to their own infrastructure. Attivo’s ThreatDefend approaches deception at the platform level with a comprehensive collection of dynamic traps and lures that draw intruders toward imitation networks, offsite connections, IoT endpoints, cloud applications, and point-of-sale networks.
A new name to our roster, Attivo has operated in the space since 2015 and shows exceptional vendor growth. Savvy attackers expect to find specific surfaces and endpoints on a given network: IoT-connected medical devices in a healthcare system, say, or logic controllers on a manufacturing floor. It is therefore crucial that the deception meets those expectations, so that intruders are drawn ever deeper into the deceptive net rather than tipped off by a decoy that looks out of place.
The ThreatDefend platform sits on a trunk port and scales to 100 VLANs per box with an unlimited number of IPs that can be assigned dynamically. We are especially keen on the superbly thought-out Shuffle button, a practical utility that changes hostnames, MAC addresses and IP addresses, and adjusts the number of endpoint decoys, with a single click. Because the three identifiers change together, a decoy remains internally consistent while any map an attacker built during earlier reconnaissance goes stale. There is no need to build everything from scratch or to change decoys by hand. The same ease of use applies when adding components to an existing deployment: ThreatDefend can alert on any new real VLANs and endpoints it sees, so analysts can extend the deception strategy to cover them.
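To make the mechanics concrete, here is a small added example that is not Attivo's code and reflects nothing about ThreatDefend's internals. It models a decoy inventory spread across VLANs, a "shuffle" that rebuilds every decoy's hostname, MAC and IP together while avoiding addresses real hosts already use, a coverage check that flags real VLANs with no decoys, and the detection rule that makes deception high-fidelity: decoys have no legitimate users, so any flow to a decoy address is an alert. The VLANs, subnets, in-use addresses and flow records are constructed for the example.

```python
"""Toy decoy inventory with shuffle, coverage check and decoy-touch alerting.
Added illustration only; not Attivo/ThreatDefend code."""
import ipaddress
import random
from dataclasses import dataclass


@dataclass(frozen=True)
class Decoy:
    vlan: int
    hostname: str
    mac: str
    ip: str


# Constructed sample: real VLANs seen on the trunk, each with its subnet and
# the addresses already held by real hosts (a decoy must never collide).
REAL_VLANS = {
    10: ("10.10.0.0/24", {"10.10.0.1", "10.10.0.20", "10.10.0.21"}),
    20: ("10.20.0.0/24", {"10.20.0.1", "10.20.0.50"}),
}

# Hypothetical naming themes so decoys resemble what an attacker expects
# to find in the environment (file servers, PLCs, medical devices, POS).
HOST_PREFIXES = ["fs", "db", "hmi", "plc", "infusion", "pos"]


def random_mac(rng):
    # Locally administered, unicast: bit 1 of the first octet set, bit 0 clear.
    first = 0x02 | (rng.randrange(0, 64) << 2)
    rest = [rng.randrange(256) for _ in range(5)]
    return ":".join(f"{b:02x}" for b in [first] + rest)


def build_decoys(vlans, per_vlan, rng):
    """Create per_vlan decoys in each VLAN from addresses no real host uses."""
    decoys = []
    for vlan, (cidr, in_use) in vlans.items():
        net = ipaddress.ip_network(cidr)
        free = [str(h) for h in net.hosts() if str(h) not in in_use]
        for ip in rng.sample(free, per_vlan):
            name = f"{rng.choice(HOST_PREFIXES)}-{rng.randrange(100, 999)}"
            decoys.append(Decoy(vlan, name, random_mac(rng), ip))
    return decoys


def shuffle(vlans, per_vlan, seed):
    """'Shuffle': regenerate hostname, MAC and IP of every decoy together so
    a reconnaissance map taken earlier no longer matches the network."""
    return build_decoys(vlans, per_vlan, random.Random(seed))


def uncovered_vlans(decoys, vlans):
    """Real VLANs with no decoy at all; these need attention from analysts."""
    covered = {d.vlan for d in decoys}
    return sorted(v for v in vlans if v not in covered)


def alerts_from_flows(flows, decoys):
    """flows: iterable of (src_ip, dst_ip, dst_port). Any flow whose
    destination is a decoy is an alert; nothing legitimate talks to a decoy."""
    decoy_by_ip = {d.ip: d for d in decoys}
    alerts = []
    for src, dst, port in flows:
        if dst in decoy_by_ip:
            d = decoy_by_ip[dst]
            alerts.append({"src": src, "decoy": d.hostname, "vlan": d.vlan, "port": port})
    return alerts


if __name__ == "__main__":
    decoys = shuffle(REAL_VLANS, per_vlan=2, seed=1)
    for d in decoys:
        print(d)
    # Constructed flows: one real-to-real (ignored), one touching a decoy.
    flows = [("10.10.0.20", "10.10.0.21", 445), ("10.10.0.20", decoys[0].ip, 445)]
    print(alerts_from_flows(flows, decoys))
```

The collision check in build_decoys is the part worth copying: a decoy that lands on a real host's address breaks the real host and destroys the decoy's credibility at the same time.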
However capable the platform’s detection functions, the forensic side should not be overlooked. From its engagement with an adversary, ThreatDefend safely collects attacker TTPs, IOCs, and counterintelligence that give insight into the attacker’s capabilities, goals, and the information they are seeking to exfiltrate. This analysis happens after detection, when ThreatDefend is positioned to capture malicious URLs and examine details that reveal the intruder’s objectives. Related efforts include extracting a payload and performing an initial analysis to record the full sequence of TCP connections that make up the attack.