
Awards

SC 2020 Awards
Info Security Products Guide 2020 Gold
Astors award platinum 2019

Network-Based Threat Detection

The Attivo BOTsink solution stands guard inside your network, using high-interaction deception and decoy technology to lure attackers into engaging and revealing themselves. Through misdirection of the attack, organizations gain the advantage of time to detect, analyze, and stop an attacker.

Why Customers Choose BOTsink

  • Recon & Lateral Movement Detection
  • Authentic & Attractive Decoys
  • Easy to Deploy & Operate
  • High-Fidelity Alerts
  • Automations for Incident Response

BOTsink for MITRE ATT&CK Analysis

Built-in alert classifications following industry-standard MITRE ATT&CK categories.

  • MITRE ATT&CK Classifications

    • Map detected events to MITRE ATT&CK matrix
    • Identifies categories and subcategories to aid in analysis


  • SOC workflow integrations

    • Exports the alerts with MITRE category tagging to SIEM to integrate with existing analysis workflows
    • Outputs data per system, per attack, and per event for faster analysis and response


  • Support control evaluations

    • Identify evasion techniques that are effective against the current security posture for gap analysis
    • Use MITRE analysis to identify control effectiveness to specific techniques

Substantiated and Actionable Alerting

Alerts generated by the Attivo BOTsink solution come from attacker engagement with a decoy. This results in high-fidelity alerts of confirmed attacker activities, substantiated with details and forensically captured evidence to support investigations for an actionable response.

  • Actionable alerts are created from attacker engagement or credential reuse.

  • High-fidelity alerts are substantiated with details from attacker engagement.

  • Full forensics make for actionable response.

BOTsink Deception & Decoys

Quickly detect in-network threat activity across all attack surfaces as an attacker seeks target assets, moves laterally, and maintains presence.

Decoys for Early Detection of Reconnaissance & Lateral Movement Activity

  • Servers
  • Endpoints
  • Active Directory
  • Application
  • Data
  • Specialized Devices: IoT, Medical IoT, ICS/SCADA, POS
  • Network Infrastructure: routers

BOTsink DECEPTIONS

Deception Authenticity to Match Production Environments.

  • Server Decoy: Windows, Linux
  • Endpoint Decoy: Windows, Linux, Mac
  • Specialized Decoy: IOT, ICS, POS…
  • Application: SWIFT, Web, 25+ Services
  • Data: Data, Database, DecoyDocs
  • Active Directory: Directory Services

USE CASES

  • Early Threat Detection


    — Decoy engagement-based detection
    — Not reliant on signatures to detect attacks
    — No pattern matching or database lookup

  • Lateral Movement Threat Detection


    — In-network threat detection
    — Detect early reconnaissance
    — Detect lateral movement
    — Detect activities used to maintain presence

  • Evolving Attack Surface


    — Decoys to address all attack surfaces
    — User Network
    — Data Center
    — Cloud (AWS, Azure, Google, OpenStack)
    — Specialized: IOT, ICS, POS, SWIFT, Router

  • Man-in-the-Middle Attacks


    — Early detection of MitM attacks
    — Attack replay to better understand movement

  • Data & DecoyDoc Deceptions


    — Data deceptions to misdirect attack
    — DecoyDocs for counterintelligence on attacker intent
    — Geolocation tracking of opened documents

  • Compliance Breach Investigation M&A Visibility


    — Demonstrate in-network detection
    — Forensics to demonstrate resolution
    — Trust but verify M&A visibility
    — Blue Team’s choice control during Pen Testing

  • Skills Shortage & Ability to Respond to Incidents


    — Automate manual IR tasks for efficiency
    — Basic and advanced user interface
    — Reduce time to respond, increase consistency
    — Automate analysis and threat hunting
    — Record all response activities for post-incident report

Early and Accurate Detection of In-Network Malicious Actors & Insiders

Deceive external and internal threats (employees, suppliers, contractors) into revealing themselves.

  • COMPREHENSIVE

    • Server, endpoint, application, data, and database deceptions provide the most comprehensive threat deception across all networks.
    • Early detection of network reconnaissance and lateral movement.
    • Catch attacks like Man-in-the-Middle.


  • AUTHENTIC & ATTRACTIVE DECOYS

    • Real Windows and Linux operating systems and services appear as authentic production assets and create attractive targets for attackers.
    • Golden-image customization for the utmost authenticity.


  • ATTACK SURFACE SCALABILITY

    • Threat deception for evolving attack surfaces.
    • Scalability for data centers, cloud, user networks, remote office, and specialty networks.


  • ACCURATE DETECTION

    • Detection is driven by engagement with network decoys, deception documents, deceptive credentials, and applications.
    • Alerts are substantiated, high-fidelity, and actionable, removing false positive fatigue.
    • Does not need tuning to be effective, providing immediate detection value.

“I’ve had the opportunity to see the BOTsink through several versions and it just keeps getting better and better. There is no doubt that it is a true next generation security tool.”

Dr. Peter Stephenson, PhD – cybersecurity analyst and researcher

Engage the Adversary

Unlike other deception solutions, the Attivo BOTsink solution projects fully customizable OS decoys that adversaries can interact with fully. The decoys create a sandbox environment that records all attacker activity while deceiving them into engaging for far longer than with typical emulated honeypots. This results in the most detailed information and evidence for supporting investigations and developing adversary intelligence.

Centralize

Threat intelligence

View

Attack Details, Maps & Replay

Activate

Incident Response

Access

Attack & Forensic Reporting

BOTsink for Attack Analysis Automation

Capture Threat, Adversary, and Counterintelligence to strengthen overall defenses.

  • MALWARE & ATTACK ANALYSIS

    • Built-in sandbox automates attack correlation & analysis, improving time to remediation.
    • Gain threat intelligence by identifying indicators of compromise (IOCs) and tactics, techniques, and procedures (TTPs).
    • Automate malware and phishing email analysis.


  • IN-DEPTH FORENSICS

    • Sandboxed attacker engagement with full interactivity.
    • Record all attack activity on decoy disk, memory, and network layers.
    • Watch lateral movement & record C&C communications.


  • DECOYDOCS & COUNTERINTELLIGENCE

    • Data loss tracking and geolocation beaconing.
    • Gain understanding of attacker intent.


  • THREAT INTELLIGENCE DASHBOARD

    • Standard and advanced dashboard settings for simple operation.
    • Optional Central Manager provides a consolidated on-premise or cloud central management.
    • Extensive integrations for information sharing.

Early Detection with Actionable Threat Intelligence

Centrally manage the deception environment and quickly take action on detected threats. Easily drill down into attack detail and streamline operations with automations for attack analysis and response.

Optimized for Fast Response
Views by Severity, Time, Type
Central Management
Leverage integrations for automated incident response
Initiate responses directly from the dashboard

Network Visualization

Quickly discover additions and changes of devices on the network. Watch how your network changes over time, easily understand where deception is operating, and identify opportunities to strengthen defenses.

Notification of Device Changes
Watch Network Adjustments
Time-Lapsed Playback
Understand Deception Deployed
Strengthen Defenses

Attack Visualization

Quickly visualize attacks on the network and improve your understanding of cross-VLAN attacks. Watch how attacks play out over time and apply these learnings to strengthening defenses.

Visualize Attacks
Understand Cross-VLAN Attacks
Time-lapsed Playback
Deploy Deception
Strengthen Defenses

Playbook Configuration

Create repeatable playbooks using a simple visual interface that shows all currently configured integrations. Drag and drop the tiles into the workspace and identify the information to send. Define the parameters that will automatically trigger the playbook or initiate it manually from within the dashboard.

AUTOMATE INCIDENT RESPONSE
CONSISTENT, ACCURATE PROCESSES
WORKBOOKS FOR COMMON ATTACKS
SIMPLIFY IR OPERATIONS
SHARE ATTACK DATA WITH PARTNERS

MITRE ATT&CK EVENT CLASSIFICATION

Accurately tag and display events with the appropriate MITRE ATT&CK technique categories. View summary information and quickly filter on specific phases for faster analysis and response.

Categorize alerts by technique
Speeds and aids analysis
Assists in remediation
Helps identify defensive gaps
Integrates with SOC workflows

BOTsink for Vulnerability Assessment & Attack Visualization

Reduce risk and mean time to response with credential vulnerability and attack visualization tools.

  • ATTACK VISUALIZATION

    • Topographical maps show attacker movement.
    • Time-lapsed attack replay tracks changes over periods of time.
    • Valuable for Man-in-the-Middle and other attacks that are difficult to understand.


  • NETWORK VISUALIZATION TOOLS

    • Network visualization maps show adds and changes to devices on the network.
    • See where deception is deployed for risk profiling.


  • ACCELERATED THREAT HUNTING

    • Full interaction decoys collect and develop IOCs to quickly identify other compromised systems.
    • Native integrations accelerate automated or manual threat hunting.

Active Defense Partners

Native integrations for improved workflow management, information sharing and simplifying incident response with automated blocking, quarantine, and threat hunting.

  • AUTOMATION

    • Extensive integrations accelerate incident response with automated blocking, isolation, and threat hunting.
    • Incident response can be manually activated within the dashboard or fully automated.
    • Automate workflow process from response to trouble ticket remediation.
    • Faster, predictable response actions.


  • SIEM INTEGRATION

    • Query SIEMs for deception credential failed logins.
    • Share attack info for more efficient threat hunting.
    • Reduce SIEM processing cycles through shared detection alerts.

Attivo Networks: Native Partner Integrations

Integrations and Playbooks for Automated Incident Response

ThreatOps Incident Response Automation

A component of the BOTsink, the ThreatOps solution empowers organizations to build and automate threat defense playbooks. These playbooks are based on integrations with existing security infrastructure and create repeatable incident response workflows to automate manual tasks, increasing productivity while reducing errors and operational overhead. With integrated solutions that enable information sharing, network blocking, endpoint isolation, or threat hunting, the playbooks can automate a policy-based incident response to reduce the time to respond to a fast-moving or repeat attack.

Why Customers Choose ThreatOPS Playbooks

  • Reduced Time-to-Respond
  • Consistent Processes
  • Automated Response
  • Simplified Operations
  • Faster Remediation

Playbook Incident Response Automation

Accelerate mean-time-to-remediation with native integrations that automate response actions and can be turned into repeatable processes and playbooks.

Workflow

Automated response to common incidents

Repeatable

Defined playbooks for common attacks

Standardized

Addresses skill gaps with consistent processes

Defend

Shares attack data for automated remediation

ThreatOPS Integrations

  • Block
  • Quarantine
  • Access Control
  • Isolate
  • Threat Hunt
  • Remediate

BOTsink PRODUCT OFFERINGS

Solutions are available as a virtual machine, appliance, or service.

BOTsink 3000 Series

  • Midmarket & User Network Deception

Designed for smaller networks and the mid-market, this solution provides quick and easy network deception.

BOTsink 5000 Series

  • Enterprise-class Network Deception

Designed for enterprise and telecommunications networks, this solution provides scalable network deception for large and global organizations.

Simple, Scalable Deployment for Evolving Threats & Attack Surface

Flexible deployment options backed by network self-learning, simplified deployment, and ongoing operations.

  • SIMPLE & SCALABLE

    • Flexible deployment options and machine-learning for ongoing campaign authenticity & refresh.
    • Designed to non-disruptively deploy & scale across all attack surfaces.


  • MACHINE-LEARNING DEPLOYMENT & REFRESH

    • Simplified deployment model.
    • Intelligent self-learning to automate deployment.
    • Self-learning campaign proposals to automate refresh.


  • EASY TO OPERATE

    • Centralized threat intelligence dashboard.
    • Attack visualization tools.
    • Integrations for actionable incident response.


  • CENTRAL MANAGEMENT

    • Central Manager for central global deployment management.
    • Integration with EDR Tools.
    • Output to any SIEM via syslog.
    • Integrates with specific SIEMs, with an available Splunk ES App.
    • Integrates with existing SOC tools and processes.

Deployment Options

BOTsink for Cloud

for Private, Public, Hybrid Clouds
Easily deploy the BOTsink in AWS, Azure, Google, OpenStack and other cloud environments.

BOTsink for Data Centers

FOR IN-HOUSE, HOSTED, AND MICROSEGMENTED DATACENTERS
Deploy BOTsink decoy deception to quickly detect lateral movement within your data centers.

BOTsink for User Networks

For Wired and Wireless User Networks
Add BOTsink decoy deception to user networks with configurations for Windows, Linux, Mac.

BOTsink for IoT

for a variety of IoT Devices
Customize your BOTsink to appear as medical IoT devices, printers, video cameras, or other IoT devices.

BOTsink for ICS-SCADA

for Industrial Control
Customize your BOTsink to appear as HMI and supervisory control servers within industrial control environments.

BOTsink for Infrastructure

for Networked devices
Customize your BOTsink to appear as routers within your user networks and data centers.

ThreatDirect – VM

Extend Network Deception
Extends network threat deception to remote and branch offices, the cloud, and for distributed and micro-segmented networks without the need for a local appliance.

Attivo Central Manager (ACM)

Central Intelligence & Management
Manages and centralizes threat intelligence and configurations of geographically distributed physical, virtual, and cloud deployments.

Google Cloud Platform

Managed Service for Active Directory on Google Cloud Platform
Secure Hosted AD on Google Cloud using ADSecure

Microsoft Azure IoT Edge

Microsoft Azure Security Center for IoT Edge
Deploy Azure IoT modules as decoys for early and accurate threat detection.