By Carolyn Crandall, CMO
In mid-2016, Frost & Sullivan released a Stratecast report, Deception as a Security Discipline – Going on the Offensive in the Cybersecurity Battlefield. In it, author Michael Suby takes a close look at deception technology and argues that deception should be established as a security discipline within every organization. He explains how deception works, why it is such a compelling technology, and the four attributes he believes organizations should weigh when deciding whether deception is for them: authenticity, vitality, automation, and ambition. As we round out 2016, I want to add some insight into the enhancements made to the Attivo ThreatMatrix Platform since the report was published.
Here is what he had to say about Attivo, with our updates posted under “What's new.”
In creating a believable deception tailored to an organization's unique system circumstances and the assets it must protect, the Attivo ThreatMatrix Platform supports deception-building capabilities across a wide range of virtual machine types; supervisory/process control devices, protocols, and standards commonly used in supervisory control and data acquisition (SCADA) and Internet of Things (IoT) systems; and credentials. Credentials are particularly noteworthy, as they are: (1) highly attractive to attackers, as they are the access keys to valuable assets; (2) diverse in type and operating system; (3) numerous; and (4) unique to each organization. In addition to providing extensive support for credential types and operating systems (Windows, Mac, and Linux), Attivo offers wizards, administrative tools, and directory integrations to help its customers create and update deception credentials based on the organization's policies, geographic footprint, and even quantity.
What's new: Attivo has announced Camouflage, which raises authenticity by adding dynamic behavioral deception: it learns the environment, automates deployment, and evades attacker identification and fingerprinting by respinning decoys after attacker engagement.
Recurring reconnaissance is also employed by Attivo, not for exploitation purposes as with attackers, but to produce a heat map of the organization’s systems to determine where and what breadcrumbs to put in place, and the dimensions of the deception environment hosted in the ThreatMatrix BOTsink deception server.
With regard to adapting to the evolution in attacker methods, the ThreatMatrix platform has purpose-built mechanisms to mitigate email phishing attacks and file-encrypting ransomware. To identify and mitigate email phishing attacks, questionable emails with their file attachments are sent by users to the ThreatMatrix BOTsink deception server, where the email and its attachments are activated in this controlled environment (a replication of the organization's production system) to assess intent. The end-to-end process occurs in real time, and user involvement is limited to pressing a “click to send” icon in the email client.
The mechanism for identifying the existence of file-encrypting ransomware, so that its propagation can be contained, differs slightly from the email phishing mechanism. Rather than being triggered by users sending questionable emails, the ransomware, as it moves laterally to encrypt more local user files and the more coveted network drives, is lured into the BOTsink deception server, where analysis is conducted as the ransomware encrypts documents in the BOTsink network drives (fake documents in fake network drives). Supported with clear evidence of the existence of ransomware and its code, the organization can confidently initiate steps to contain the spread, such as quarantining the infected subnet, and remediate infected devices by first conducting a targeted scan for the ransomware.
What's new: Attivo has added advanced ransomware detection and quarantine capabilities and support for micro-segmented networks, and has expanded the platform to cover point-of-sale (POS) systems in addition to its existing ICS/SCADA and IoT support. The company was also named a Platinum winner in the 'ASTORS' Homeland Security Awards as the best intrusion detection and prevention solution.
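As an added illustration of the decoy-drive mechanism described above (example code written for this post, not Attivo's implementation and not the BOTsink logic), here is a minimal decoy-file monitor in Python. The decoy documents, the share directory, the entropy threshold and the stand-in "encryptor" are all constructed for the demo. The detector treats any change to a decoy as an alert, since no legitimate user has a reason to touch one, and classifies the rewrite as likely encryption when the new bytes' Shannon entropy approaches 8 bits per byte:

```python
import hashlib
import math
import os
import tempfile
from dataclasses import dataclass

# Constructed decoy documents standing in for "fake documents in fake network
# drives": realistic-looking names, low-entropy text-like content.
DECOY_DOCS = {
    "Q4_payroll.csv": b"Employee,Salary,BankAccount\nJane Doe,85000,DE12345\n" * 20,
    "board_minutes.txt": b"Minutes of the board meeting. Action items follow. " * 25,
}

# Encrypted or compressed bytes approach 8 bits/byte; documents and text sit
# well below. The cut-off is an assumption chosen for this demo.
ENTROPY_THRESHOLD = 7.0


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte of `data` (0.0 for empty input)."""
    if not data:
        return 0.0
    n = len(data)
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def plant_decoys(share_dir: str) -> dict:
    """Write the decoys into `share_dir`; return {path: baseline digest}."""
    baseline = {}
    for name, content in DECOY_DOCS.items():
        path = os.path.join(share_dir, name)
        with open(path, "wb") as fh:
            fh.write(content)
        baseline[path] = sha256(content)
    return baseline


@dataclass
class DecoyAlert:
    path: str
    reason: str
    entropy: float


def check_decoys(baseline: dict) -> list:
    """Compare every decoy with its baseline digest; any difference is an alert."""
    alerts = []
    for path, expected in baseline.items():
        if not os.path.exists(path):
            alerts.append(DecoyAlert(path, "decoy deleted or renamed", 0.0))
            continue
        with open(path, "rb") as fh:
            data = fh.read()
        if sha256(data) == expected:
            continue
        ent = round(shannon_entropy(data), 2)
        reason = ("decoy rewritten with high-entropy content (likely encrypted)"
                  if ent >= ENTROPY_THRESHOLD else "decoy modified")
        alerts.append(DecoyAlert(path, reason, ent))
    return alerts


def simulate_ransomware(path: str, key: bytes) -> None:
    """Stand-in for the intruder's file encryption so the demo is deterministic:
    XOR with a SHA-256 counter keystream. Not a real cipher, only a simulation."""
    with open(path, "rb") as fh:
        data = fh.read()
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hashlib.sha256(key + i.to_bytes(8, "big")).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], block))
    with open(path, "wb") as fh:
        fh.write(out)


def run_demo() -> dict:
    """Plant decoys in a temp dir, confirm they are quiet, 'encrypt' one, re-check."""
    share = tempfile.mkdtemp(prefix="decoy_share_")
    baseline = plant_decoys(share)
    clean = check_decoys(baseline)
    victim = os.path.join(share, "Q4_payroll.csv")
    simulate_ransomware(victim, b"demo-key")
    attacked = check_decoys(baseline)
    return {"clean": clean, "attacked": attacked, "victim": victim}


if __name__ == "__main__":
    result = run_demo()
    print("before attack:", result["clean"])
    for alert in result["attacked"]:
        print(f"ALERT {alert.path}: {alert.reason} (entropy {alert.entropy})")
```

In a real deployment the check would be driven by file-change notifications (inotify on Linux, ReadDirectoryChangesW on Windows) rather than polling, and the alert would carry the SMB client address or process that wrote the file, which is the indicator the page says lets an organization quarantine the infected subnet.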
In the previous two attributes, features of the ThreatMatrix Platform that cross over into this Automation attribute were noted. They include establishing and maintaining deception realism and automated mechanisms to fight phishing and ransomware attacks. Also, pertaining to automating deception realism, Attivo customers can upload golden images of their end-user devices and services into BOTsink. Of high importance for security analysts is the ability to seamlessly work across multi-vendor, multi-technology security infrastructure to support operations—namely, detection forensics and incident response. This, too, is an Attivo ThreatMatrix Platform feature, and a feature that crosses over into the next solution attribute: Ambition. Over the last year, Attivo has established technology integrations with multiple security vendors in detection forensics (SIEM) and incident response (perimeter defenses). Two partners were interviewed in preparing this insight: Blue Coat Systems and ForeScout Technologies. A common theme that bubbled up was assisting their customers' ability to mitigate risk faster and with greater confidence, by incorporating ThreatMatrix high-fidelity alerts into automated and semi-automated incident response policies (e.g., block, quarantine, and remediate). On SIEM integrations, ThreatMatrix high-fidelity alerts and detailed IOCs are automatically fed into SIEM forensic engines. Combined with the SIEM's other IOC sources, vulnerability knowledge, client-specific vulnerability assessments, and global threat intelligence, the SIEM's forensics capabilities are further augmented.
What's new: Attivo has completed additional integrations for automated blocking and quarantine with Carbon Black, HPE Aruba ClearPass, Check Point R80, and Intel Security (McAfee) solutions. Attivo is also pleased to have been selected by Intel Security as a Finalist for the Distinguished Intel Security 2016 DEVCON Award.
Strongly fitting into this attribute is the upcoming Attivo ThreatPath feature. The noteworthy aspect of ThreatPath is threat prevention. With ThreatPath, threat prevention is accomplished by: (1) continuously and transparently gathering information about the customers’ production network, systems, and devices via dissolvable or persistent agents; (2) combining that information with knowledge of attacker behaviors accumulated by Attivo; (3) defining the pathways attackers would likely follow; and then (4) producing high-fidelity incident prevention recommendations back to the customer, which correspond to those likely pathways to vulnerable assets. The ambitious aspect of ThreatPath is in advancing the security value of Attivo from its initial core value of deception-improved incident response to the proactive incident prevention.
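To make the "likely pathways" idea concrete, here is an added example (written for this post; it is not ThreatPath's algorithm and not Attivo code) of the graph model behind BloodHound-style attack-path analysis: an attacker with admin on a host can harvest whatever credentials are cached there, and each harvested account grants admin on further hosts. The inventory is constructed and every host and account name is hypothetical. It goes one step beyond the paragraph by also computing which single cached credential, if purged, cuts every path to the target, which is the shape a high-fidelity prevention recommendation takes:

```python
from collections import deque

# Constructed inventory of the kind a host-agent sweep would report.
# All host and account names are hypothetical.
ADMIN_ON = {          # account -> hosts where it holds local admin
    "helpdesk1":  {"WS-101", "WS-102", "FILESRV01"},
    "svc_backup": {"FILESRV01", "DC01"},
    "da_admin":   {"DC01"},
}
CACHED_ON = {         # host -> accounts whose credentials are cached/stored there
    "WS-101":    {"helpdesk1"},
    "WS-102":    {"svc_backup"},
    "FILESRV01": {"da_admin"},
    "DC01":      set(),
}


def find_attack_path(start, target, admin_on, cached_on):
    """Shortest credential-theft path from `start` (assumed compromised with
    admin) to `target`. An edge host -> nxt exists when a credential cached on
    host grants admin on nxt. Returns [(host, credential, nxt), ...], or None
    when the target is unreachable. Breadth-first search; sorted() keeps the
    result deterministic when several equal-length paths exist."""
    prev = {start: None}
    queue = deque([start])
    while queue:
        host = queue.popleft()
        if host == target:
            break
        for cred in sorted(cached_on.get(host, ())):
            for nxt in sorted(admin_on.get(cred, ())):
                if nxt not in prev:
                    prev[nxt] = (host, cred)
                    queue.append(nxt)
    if target not in prev:
        return None
    path, cur = [], target
    while prev[cur] is not None:
        host, cred = prev[cur]
        path.append((host, cred, cur))
        cur = host
    return path[::-1]


def single_credential_fixes(start, target, admin_on, cached_on):
    """Cached credentials whose removal, on its own, leaves `target`
    unreachable from `start`: the highest-value prevention recommendations.
    Each candidate is tested by re-running the path search without it."""
    fixes = []
    for host in cached_on:
        for cred in sorted(cached_on[host]):
            trimmed = {h: set(c) for h, c in cached_on.items()}
            trimmed[host].discard(cred)
            if find_attack_path(start, target, admin_on, trimmed) is None:
                fixes.append((host, cred))
    return fixes


if __name__ == "__main__":
    path = find_attack_path("WS-101", "DC01", ADMIN_ON, CACHED_ON)
    for host, cred, nxt in path:
        print(f"{host} --[cached {cred}]--> {nxt}")
    print("single-credential fixes:",
          single_credential_fixes("WS-101", "DC01", ADMIN_ON, CACHED_ON))
```

In this inventory the domain controller is reachable two ways from the workstation (via FILESRV01 or via WS-102), so purging the da_admin credential from the file server alone does not close the path; purging the helpdesk1 credential from WS-101 does, which is why a pathway-based recommendation ranks it first. Real tooling adds session data, group membership and trust edges to the same graph, but the search and the cut-set check are the same.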
What's new: Attivo continues to add features and functionality for ease of deployment, scalability, and operation. In addition to improvements in the BOTsink user interface, the company has added adversary tracking, which follows the movements of an attack over time. This information is displayed in topology maps or tables for easy viewing.
We are extremely pleased with the recognition we are receiving for our ThreatMatrix Deception and Response Platform. As industry leaders in the space, we know that cyber-attacks move quickly and change even faster. We have been enhancing our platform constantly over the past two years, in many instances at the direct request of our customers. The result is a solution they say has unparalleled accuracy and effectiveness today. Our commitment is to evolve the application of deception well beyond its initial use and into additional areas of visibility, automation, and accelerated incident response for cyber defense. In 2017, Attivo will continue to roll out additional enhancements so that users of the Attivo ThreatMatrix platform have the most comprehensive and complete solution for advanced threat detection and accelerated incident response.