Written by: Marc Feghali, Co-Founder and VP of Product Management – Organizations have widely adopted the Attivo ThreatDefend platform to detect attackers and their in-network activity quickly. Driven by customer demand for large scale deployment support, the company has now added the BOTsink 7500 to its BOTsink family of products.
The Attivo Networks BOTsink servers provide customers with the ability to detect, engage, and analyze network-based attacks, and they complement the Attivo Endpoint Detection Net (EDN) suite, which engages credential-based attacks.
Using dynamic deception techniques and a matrix of distributed decoy systems, the entire network becomes a trap designed to deceive attackers and their automated tools. As an early warning system for in-network threats, the Attivo BOTsink solution quickly and accurately detects threats that have evaded other security controls. The solution efficiently detects attacker reconnaissance and lateral movement without relying on known attack patterns or signatures.
The Attivo solution works by projecting decoys that appear indistinguishable from real production assets, designed to engage and misdirect an attacker. For authenticity, decoys run full operating systems and services, and organizations can customize them with production “golden images” to blend in better with other network assets. Out-of-the-box decoy deception campaigns cover a wide variety of attack surfaces and include configurations that appear identical to production servers, endpoints, industrial control systems, IoT devices, point-of-sale units, network infrastructure, and VOIP systems.
The solution creates a deception ecosystem for the adversary that includes application, data, database, and endpoint deceptions to detect attacks from all attack vectors early in the attack cycle. Once an attacker engages, the system analyzes their movement, methods, and actions, generating high-fidelity alerts and visual maps containing a time-lapsed attack replay. Security operations teams gain the adversary intelligence they need to understand the attack fully and analyze the root cause. The Attivo Networks solution delivers substantiated engagement-based alerts with all the details required for incident handling and response, in a format designed for optimal attack information sharing and forensic reporting.
Operators can view attack details within a comprehensive threat intelligence dashboard that presents actionable, detailed drill-downs and delivers various forensic reports. Over 30 native integrations with third-party tools provide automated blocking, enable quarantining to accelerate incident response, and support threat hunting.
The Attivo Networks BOTsink family offers a range of systems to meet the diverse needs of organizations. The BOTsink solutions are available as physical appliances, virtual appliances, or cloud instances. The BOTsink family can also project deception into remote locations, requiring minimal additional resources. Hardened, FIPS-compliant versions are also available.
- The BOTsink 3000 series is scaled to support small to medium-sized deployments while offering a full range of deception functionality. The physical appliance is a 1RU chassis designed for easy deployment.
- The BOTsink 5000 series is designed for larger organizations or deployments and supports the full range of configuration options, delivering roughly twice the capacity of the 3000 series. The physical unit is a 1RU chassis built with the standard features expected for a datacenter deployment.
- The BOTsink 7500 provides optimal capacity and performance within a highly flexible platform that enables customers to configure a purely Windows, purely Linux, or mixed environment depending on their needs. The system ships with Windows Server and Windows Workstation VMs along with Linux systems. Organizations can replace all native operating systems with custom golden images and still have plenty of resources to spare. Natively, the system hosts over 2,000 decoy IPs across 150 VLANs and can easily scale beyond that with our ThreatDirect technology. The BOTsink 7500 supports 20,000 EDN clients on its own and can scale to hundreds of thousands of endpoints when paired with an ACM.
- The Attivo Central Manager (ACM) provides a centralized platform to manage and control a distributed BOTsink deployment. Like all members of the BOTsink family, the ACM supports a full range of deployment options.
In short, you should choose the BOTsink 7500 if you need:
- Faster capabilities:
  - Running intensive applications on decoys that require higher memory and compute
  - Greater SSD storage, increased memory for all virtual machines, and more than double the number of processor cores
- Bigger deployments:
  - Support for 20,000 endpoints and up to 150 VLANs
  - Management of a large number of endpoints (20,000)
- Configuration as Windows decoys or all Linux decoys
- Up to 6 Windows Server decoys
We are pleased to introduce the Attivo Networks BOTsink 7500 and welcome your feedback.