Optimized for Fast Response
Views by Severity, Time, Type
Central Management
Leverage integrations for automated incident response
Awards for the BOTsink® Solution
BOTsink® for Network-Based Threat Detection
The Attivo BOTsink® solution stands guard inside your network, using high-interaction deception and decoy technology to lure attackers into engaging and revealing themselves. Through misdirection of the attack, organizations gain the advantage of time to detect, analyze, and stop an attacker.
Why Customers Choose the BOTsink® Solution
Recon & Lateral Movement Detection
Authentic &
Attractive Decoys
Easy to Deploy & Operate
High-Fidelity
Alerts
Automations for Incident Response
BOTsink® for MITRE ATT&CK Analysis
Built-in alert classifications following industry-standard MITRE ATT&CK categories.
MITRE ATT&CK Classifications
- Map detected events to MITRE ATT&CK matrix
- Identifies categories and subcategories to aid in analysis
SOC workflow integrations
- Exports the alerts with MITRE category tagging to SIEM to integrate with existing analysis workflows
- Outputs data per system, per attack, and per event for faster analysis and response
Support control evaluations
- Identify evasion techniques that are effective against the current security posture for gap analysis
- Use MITRE analysis to identify control effectiveness to specific techniques
Substantiated and Actionable Alerting
Alerts generated by the Attivo BOTsink solution come from attacker engagement with a decoy. This results in high-fidelity alerts of confirmed attacker activities, substantiated with details and forensically captured evidence to support investigations for an actionable response.
Actionable alerts are created from attacker engagement or credential reuse.
High fidelity alerts are substantiated with details rom attacker engagement.
Full forensics make for actionable response.
BOTsink® for Comprehensive Attack Surface Coverage
Quickly detect in-network threat activity across all attack surfaces as an attacker seeks target assets, moves laterally, and maintains presence.
Decoys for Early Detection of Reconnaissance & Lateral Movement Activity
Servers
Endpoints
Active Directory
Application
Data
Specialized Devices
IoT
Medical IoT
ICS/SCADA
POS
Network Infrastructure
IoT
Medical IoT
Industrial Control
POS
Router Infrastructure
BOTsink DECEPTIONS
Deception Authenticity to Match Production Environments.
Server Decoy
Windows, Linux
Endpoint Decoy
Windows, Linux, Mac
Specialized Decoy
IOT, ICS, POS…
Application
SWIFT, Web, 25+Services
Data
Data, Database, DecoyDocs
Active Directory
Directory Services
Server Decoy
Windows, Linux
Endpoint Decoy
Windows, Linux, Mac
Specialized Decoy
IOT, ICS, POS…
Application
SWIFT, Web, 25+Services
Data
Data, Database, DecoyDocs
Active Directory
Directory services
BOTSINK® USE CASES
Early Threat Detection
— Decoy engagement-based detection
— Not reliant on signatures to detect attacks
— No pattern matching or database look up
Lateral Movement Threat Detection
— In-network threat detection
— Detect early reconnaissance
— Detect lateral movement
— Detect activities used to maintain presence
Evolving Attack Surface
— Decoys to address all attack surfaces
— User Network
— Data Center
— Cloud (AWS, Azure, Google, OpenStack)
— Specialized: IOT, ICS, POS, SWIFT, Router
Man-in-the-Middle Attacks
— Early detection of MitM attacks
— Attack replay to better understand movement
Data & DecoyDoc Deceptions
— Data deceptions to misdirect attack
— DecoyDocs for counterintelligence on attacker intent
— Geolocation tracking of opened documents
Compliance Breach Investigation M&A Visibility
— Demonstrate in-network detection
— Forensics to demonstrate resolution
— Trust but verify M&A visibility
— Blue Team’s choice control during Pen Testing
Skills Shortage & Ability to Respond to Incidents
— Automate manual IR tasks for efficiency
— Basic and advanced user interface
— Reduce time to respond, increase consistency
— Automate analysis and threat hunting
— Record all response activities for post-incident report
Detect In-Network Malicious Actors & Insiders with BOTsink®
Deceive external and internal threats (employees, suppliers, contractor) into revealing themselves.
COMPREHENSIVE
- Server, endpoint, application, data, and database deceptions provide the most comprehensive threat deception across all networks.
- Early detection of network reconnaissance and lateral movement.
- Catch attacks like Man-in-the-Middle.
AUTHENTIC & ATTRACTIVE DECOYS
- Real Windows and Linux operating systems and services appear as authentic production assets and create attractive targets for attacker.
- Golden-image customization for the utmost authenticity.
ATTACK SURFACE SCALABILITY
- Threat deception for evolving attack surfaces.
- Scalability for data centers, cloud, user networks, remote office, and specialty networks.
ACCURATE DETECTION
- Detection is driven by engagement with network decoys, deception documents, deceptive credentials, and applications.
- Alerts are substantiated, high-fidelity, and actionable, removing false positive fatigue.
- Does not need tuning to be effective, providing immediate detection value.
“I’ve had the opportunity to see the BOTsink through several versions and it just keeps getting better and better. There is no doubt that it is a true next generation security tool.”
Engage the Adversary with BOTsink®
Unlike other deception solutions, the Attivo BOTsink solution projects fully customizable OS decoys that adversaries can interact with fully. The decoys create a sandbox environment that records all attacker activity while deceiving them into engaging for far longer than with typical emulated honeypots. This results in the most detailed information and evidence for supporting investigations and developing adversary intelligence.
Centralize
Threat intelligence
View
Attack Details, Maps & Replay
Activate
Incident Response
Access
Attack & Forensic Reporting
BOTsink® for Attack Analysis Automation
Capture Threat, Adversary, and Counterintelligence to strengthen overall defenses.
MALWARE & ATTACK ANALYSIS
- Built in sandbox automates attack correlation & analysis improving time to remediation.
- Gain threat intelligence by identifying indicators of compromise (IOCs) and tactics, techniques, and procedures (TTPs).
- Automate malware and phishing emails analysis.
IN-DEPTH FORENSICS
- Sandboxed attacker engagement with full interactivity.
- Record all attack activity on decoy disk, memory, and network layers.
- Watch lateral movement & record C&C communications.
DECOYDOCS & COUNTERINTELLIGENCE
- Data loss tracking and geolocation beaconing.
- Gain understanding of attacker intent.
THREAT INTELLIGENCE DASHBOARD
- Standard and advanced dashboard settings for simple operation.
- Optional Central Manager provides a consolidated on-premise or cloud central management.
- Extensive integrations for information sharing.
Early Detection with Actionable Threat Intelligence
Centrally managed deception environment and quickly take action on threats detected. Easily drill down into attack detail and streamline operations with automations for attack analysis and response.
Network Visualization
Quickly discover adds and changes of devices on the network. Watch how your network changes overtime and easily understand where deception is operating and identify opportunities to strengthen defenses.
Notification of Device Changes
Watch Network Adjustments
Time-Lapsed Playback
Understand Deception Deployed
Strengthen Defenses
Attack Visualization
Quickly visualize attacks on the network and improve your understanding of cross VLAN attacks. Watch how attacks play out over time and apply these learnings to strengthening defenses.
Visualize Attacks
Understand Cross VLAN Attacks
Time-lapsed Playback
Deploy Deception
Strengthen Defenses
Playbook Configuration
Create repeatable playbooks using a simple visual interface that shows all currently configured integrations. Drag and drop the tiles into the workspace and identify the information to send. Define the parameters that will automatically trigger the playbook or initiate it manually from within the dashboard.
AUTOMATE INCIDENT RESPONSE
CONSISTENT, ACCURATE PROCESSES
WORKBOOKS FOR COMMON ATTACKS
SIMPLIFY IR OPERATIONS
SHARE ATTACK DATA WITH PARTNERS
MITRE ATT&CK EVENT CLASSIFICATION
Accurately tag and display events with the appropriate MITRE ATT&CK techniques categories. View summary information and quickly filter on specific phases for faster analysis and response.
Categorize alerts by technique
Speeds and aids analysis
Assists in remediation
Helps identify defensive gaps
Integrates with SOC workflows
BOTsink® for Vulnerability Assessment & Attack Visualization
Reduce risk and mean time to response with credential vulnerability and attack visualization tools.
ATTACK VISUALIZATION
- Topographical maps show attacker movement.
- Time-lapsed attack replay tracks changes over periods of time.
- Valuable for Man-in-the-Middle and other attacks that are difficult to understand.
NETWORK VISUALIZATION TOOLS
- Network visualization maps show adds and changes to devices on the network.
- See where deception is deployed for risk profiling.
ACCELERATED THREAT HUNTING
- Full interaction decoys collect and develop IOCs to quickly identify other compromised systems.
- Native integrations accelerate automated or manual threat hunting.
Early Detection with Actionable Threat Intelligence
Centrally managed deception environment and quickly take action on threats detected. Easily drill down into attack detail and streamline operations with automations for attack analysis and response.
Optimized for Fast Response
Views by Severity, Time, Type
Central Management
Leverage integrations for automated incident response
Initiate responses directly from the dashboard
Network Visualization
Quickly discover adds and changes of devices on the network. Watch how your network changes overtime and easily understand where deception is operating and identify opportunities to strengthen defenses.
Notification of Device Changes
Watch Network Adjustments
Time-Lapsed Playback
Understand Deception Deployed
Strengthen Defenses
Attack Visualization
Quickly visualize attacks on the network and improve your understanding of cross VLAN attacks. Watch how attacks play out over time and apply these learnings to strengthening defenses.
Visualize Attacks
Understand Cross VLAN Attacks
Time-lapsed Playback
Deploy Deception
Strengthen Defenses
Playbook Configuration
Create repeatable playbooks using a simple visual interface that shows all currently configured integrations. Drag and drop the tiles into the workspace and identify the information to send. Define the parameters that will automatically trigger the playbook or initiate it manually from within the dashboard.
AUTOMATE INCIDENT RESPONSE
CONSISTENT, ACCURATE PROCESSES
WORKBOOKS FOR COMMON ATTACKS
SIMPLIFY IR OPERATIONS
SHARE ATTACK DATA WITH PARTNERS
MITRE ATT&CK EVENT CLASSIFICATION
Accurately tag and display events with the appropriate MITRE ATT&CK techniques categories. View summary information and quickly filter on specific phases for faster analysis and response.
Categorize alerts by technique
Speeds and aids analysis
Assists in remediation
Helps identify defensive gaps
Integrates with SOC workflows
Early Detection with Actionable Threat Intelligence
Centrally managed deception environment and quickly take action on threats detected. Easily drill down into attack detail and streamline operations with automations for attack analysis and response.
Optimized for Fast Response
Views by Severity, Time, Type
Central Management
Leverage integrations for automated incident response
Initiate responses directly from the dashboard
Network Visualization
Quickly discover adds and changes of devices on the network. Watch how your network changes overtime and easily understand where deception is operating and identify opportunities to strengthen defenses.
Notification of Device Changes
Watch Network Adjustments
Time-Lapsed Playback
Understand Deception Deployed
Strengthen Defenses
Attack Visualization
Quickly visualize attacks on the network and improve your understanding of cross VLAN attacks. Watch how attacks play out over time and apply these learnings to strengthening defenses.
Visualize Attacks
Understand Cross VLAN Attacks
Time-lapsed Playback
Deploy Deception
Strengthen Defenses
Playbook Configuration
Create repeatable playbooks using a simple visual interface that shows all currently configured integrations. Drag and drop the tiles into the workspace and identify the information to send. Define the parameters that will automatically trigger the playbook or initiate it manually from within the dashboard.
AUTOMATE INCIDENT RESPONSE
CONSISTENT, ACCURATE PROCESSES
WORKBOOKS FOR COMMON ATTACKS
SIMPLIFY IR OPERATIONS
SHARE ATTACK DATA WITH PARTNERS
MITRE ATT&CK EVENT CLASSIFICATION
Accurately tag and display events with the appropriate MITRE ATT&CK techniques categories. View summary information and quickly filter on specific phases for faster analysis and response.
Categorize alerts by technique
Speeds and aids analysis
Assists in remediation
Helps identify defensive gaps
Integrates with SOC workflows
Early Detection with Actionable Threat Intelligence
Centrally managed deception environment and quickly take action on threats detected. Easily drill down into attack detail and streamline operations with automations for attack analysis and response.
Optimized for Fast Response
Views by Severity, Time, Type
Central Management
Leverage integrations for automated incident response
Initiate responses directly from the dashboard
Network Visualization
Quickly discover adds and changes of devices on the network. Watch how your network changes overtime and easily understand where deception is operating and identify opportunities to strengthen defenses.
Notification of Device Changes
Watch Network Adjustments
Time-Lapsed Playback
Understand Deception Deployed
Strengthen Defenses
Attack Visualization
Quickly visualize attacks on the network and improve your understanding of cross VLAN attacks. Watch how attacks play out over time and apply these learnings to strengthening defenses.
Visualize Attacks
Understand Cross VLAN Attacks
Time-lapsed Playback
Deploy Deception
Strengthen Defenses
Playbook Configuration
Create repeatable playbooks using a simple visual interface that shows all currently configured integrations. Drag and drop the tiles into the workspace and identify the information to send. Define the parameters that will automatically trigger the playbook or initiate it manually from within the dashboard.
AUTOMATE INCIDENT RESPONSE
CONSISTENT, ACCURATE PROCESSES
WORKBOOKS FOR COMMON ATTACKS
SIMPLIFY IR OPERATIONS
SHARE ATTACK DATA WITH PARTNERS
MITRE ATT&CK EVENT CLASSIFICATION
Accurately tag and display events with the appropriate MITRE ATT&CK techniques categories. View summary information and quickly filter on specific phases for faster analysis and response.
Categorize alerts by technique
Speeds and aids analysis
Assists in remediation
Helps identify defensive gaps
Integrates with SOC workflows
Active Defense Partners
Native integrations for improved workflow management, information sharing and simplifying incident response with automated blocking, quarantine, and threat hunting.
AUTOMATION
- Extensive integrations accelerate incident response with automated blocking, isolation, and threat hunting.
- Incident response can be manually activated within dashboard or fully automated.
- Automate workflow process from response to trouble ticket remediation.
- Faster, predictable response actions.
SIEM INTEGRATION
- Query SIEMs for deception credential failed logins.
- Share attack info for more efficient threat hunting.
- Reduce SIEM processing cycles through shared detection alerts.
Attivo Networks: Native Partner Integrations
Integrations and Playbooks for Automated Incident Response
ThreatOps® Incident Response Automation
A component of the BOTsink®, the ThreatOps® solution empowers organizations to build and automate threat defense playbooks. These playbooks are based on integrations with existing security infrastructure and create repeatable incident response workflows to automate manual tasks, increasing productivity while reducing errors and operational overhead. With integrated solutions that enable information sharing, network blocking, endpoint isolation, or threat hunting, the playbooks can automate a policy-based incident response to reduce the time to respond to a fast-moving or repeat attack.
Why Customers Choose ThreatOps® Playbooks
Reduced
Time-to-Respond
Consistent
Processes
Automated
Response
Simplified
Operations
Faster
Remediation
Playbook Incident Response Automation
Accelerate mean-time-to-remediation with native integrations that automate response actions and can be turned into repeatable processes and playbooks.
Workflow
Automated response to common incidents
Repeatable
Defined playbooks for common attacks
Standardized
Addresses skill gaps with consistent processes
Defend
Shares attack data for automated remediation
ThreatOPS Integrations
Block
Quarantine
Access Control
Isolate
Threat Hunt
Remediate
Block
Quarantine
Access Control
Isolate
Threat Hunt
Remidiate
Early Detection with Actionable Threat Intelligence
Centrally managed deception environment and quickly take action on threats detected. Easily drill down into attack detail and streamline operations with automations for attack analysis and response.
Optimized for Fast Response
Views by Severity, Time, Type
Central Management
Leverage integrations for automated incident response
Initiate responses directly from the dashboard
Network Visualization
Quickly discover adds and changes of devices on the network. Watch how your network changes overtime and easily understand where deception is operating and identify opportunities to strengthen defenses.
Notification of Device Changes
Watch Network Adjustments
Time-Lapsed Playback
Understand Deception Deployed
Strengthen Defenses
Attack Visualization
Quickly visualize attacks on the network and improve your understanding of cross VLAN attacks. Watch how attacks play out over time and apply these learnings to strengthening defenses.
Visualize Attacks
Understand Cross VLAN Attacks
Time-lapsed Playback
Deploy Deception
Strengthen Defenses
Playbook Configuration
Create repeatable playbooks using a simple visual interface that shows all currently configured integrations. Drag and drop the tiles into the workspace and identify the information to send. Define the parameters that will automatically trigger the playbook or initiate it manually from within the dashboard.
AUTOMATE INCIDENT RESPONSE
CONSISTENT, ACCURATE PROCESSES
WORKBOOKS FOR COMMON ATTACKS
SIMPLIFY IR OPERATIONS
SHARE ATTACK DATA WITH PARTNERS
MITRE ATT&CK EVENT CLASSIFICATION
Accurately tag and display events with the appropriate MITRE ATT&CK techniques categories. View summary information and quickly filter on specific phases for faster analysis and response.
Categorize alerts by technique
Speeds and aids analysis
Assists in remediation
Helps identify defensive gaps
Integrates with SOC workflows
BOTsink® PRODUCT OFFERINGS
Solutions are available as a virtual machine, appliance, or service.
BOTsink 3000 Series
- Midmarket Network Deception
Designed for smaller networks and the mid-market, this solution provides quick and easy network deception.
BOTsink 5000 Series
- Enterprise-class Network Deception
Designed for enterprise and telecommunications networks, this solution provides scalable network deception for large and global organizations.
BOTsink 7000 Series
- High-Performance Network Deception
With twice the resources of the 5000 series, the 7000 series can easily accommodate more demanding decoy environments.
Attivo Central Manager
- Enterprise-wide Management
Centralized management and operations for all deception fabric assets, whether on-premises, in the cloud, or at remote sites.
Simple, Scalable Deployment for Evolving Threats & Attack Surface
Flexible deployment options backed by network self-learning, simplified deployment, and ongoing operations.
SIMPLE & SCALABLE
- Flexible deployment options and machine-learning for ongoing campaign authenticity & refresh.
- Designed to non-disruptively deploy & scale across all attack surfaces.
MACHINE-LEARNING DEPLOYMENT & REFRESH
- Simplified deployment model.
- Intelligent self-learning to automate deployment.
- Self-learning campaign proposals to automate refresh.
EASY TO OPERATE
- Centralized threat intelligence dashboard.
- Attack visualization tools.
- Integrations for actionable incident response.
CENTRAL MANAGEMENT
- Central Manager for central global deployment management.
- Integration with EDR Tools.
- Output to any SIEM via syslog.
- Integrates with specific SIEMs, with an available Splunk ES App.
- Integrates with existing SOC tools and processes.
Deployment Options
SPOTLIGHT
ENTERPRISE MANAGEMENT ASSOCIATES® (EMA™): A Definitive Market Guide to Deception Technology
