“The Informer” for Defenders Needing a Quick Response to Threats
Authored by: Carolyn Crandall, Attivo Networks CMO and Chief Deception Officer – I know Sun Tzu quotes are overdone, but this was so fitting, it just made sense to use it in relation to our Informer release. One of Sun Tzu’s most famous pieces of advice was “know thy enemy.” Those three simple words remain as relevant today as they were 2,500 years ago. And while the enemies we face now are different from those faced by the famous philosopher-general, the lesson remains the same: knowledge is power.
Today, Attivo is arming cybersecurity professionals with the Informer solution, a deception-based intelligence collection offering that delivers real-time forensics with enhanced threat visibility. Recently demoed at RSAC 2019, the Informer is the latest expansion to the Attivo Networks ThreatDefend™ Detection and Response Platform, adding in-depth, hard-to-assemble views of attacker activity in order to accelerate intelligence-driven response and remediation.
With the release of the Informer, cybersecurity professionals are better equipped to rapidly gather, understand, and disseminate adversary intelligence critical to stopping an attack. The Informer solution empowers organizations of any size to effectively remediate and remove reentry points left by even the most sophisticated and determined adversary. By reducing the amount of time required to find an attacker (dwell time) and respond to the threat (mean-time-to-remediation), this new ThreatDefend™ feature significantly mitigates risk and strengthens organizations’ overall security posture.
The information collected and delivered by the Informer solution is not only consolidated in one place; it is also extensive. Let’s break it down. The Informer delivers an accurate chronological session view of the attacker activity from specific IP addresses—as well as host systems and network characteristics. It also captures forensic information on the attacker, including volatile memory, registry, and file changes, along with lateral movement and network activities, collectively improving containment, eradication, and recovery times. This information is aggregated, fully indexed, and displayed clearly and concisely, making it simple to analyze and act on.
Critical attack details such as memory forensics, endpoint activity, initial compromise intelligence, network packet capture, exploit code, targeted files, and system logs are all made available from a single dashboard. This consolidated view saves valuable time typically spent manually gathering and accessing attack data. The Informer also displays an attacker’s available lateral movement paths, highlighting possible target systems and open 1st-, 2nd-, and 3rd-level attack paths. This visibility provides the security team with a comprehensive view into the attack paths an attacker would see—and likely use—to advance their attacks.
In addition to the comprehensive visibility and adversary intelligence the Attivo solution provides, the Informer will also trigger automated responses to these threats through native integrations or predefined ThreatOps™ playbooks. This significantly accelerates incident response time, increasing efficiency and reducing the effort required to respond to an attack.
The ability to detect in-network infections and respond quickly is critical to any cybersecurity operation. Globally, the average dwell time that an attacker is currently afforded sits around 79 days. That’s ample time for an intruder to establish a foothold, create back doors, and, all too often, complete their mission. By using the Informer solution, organizations will up their game, greatly improving their ability to quickly investigate and respond to threats while reducing the defender’s response time from hours to minutes.
It has never been easier to “know thy enemy,” as most security tools are designed to simply deflect an attack. The Informer changes this by providing clear, concise, and consolidated adversary intelligence, simplifying the steps needed after an attack and saving organizations valuable time and money. By streamlining investigation, the Informer puts cybersecurity professionals in a better position than ever to effectively respond to, eradicate, and remediate attacks.
To learn more about the Informer solution and how Attivo Networks solutions accelerate incident response, click here.