
Deception Campaigns

Deception Campaigns for Deception Authenticity

Maintaining decoy, credential, and deception object authenticity and attractiveness is core to the efficacy and manageability of deception-based threat detection. Attivo Networks provides a variety of deployment options and approaches to keep the deception environment fresh. These deployment options are included through the BOTsink management platform, SCCM, and REST API. To simplify and facilitate deployment at scale, the BOTsink includes the ability to create deception campaigns, which deploy decoy services based on machine learning in the environment. The deception campaigns auto-propose deployment options and facilitate auto-deployment of decoys based on factors such as reconnaissance or suspicious activity.

How Deception Campaigns Work

In the initial deployment, the security team will customize the decoys to reflect what is in the network, or import “golden images” into the decoy environment to more accurately match the systems present. The BOTsink® solution will use machine learning to analyze the network and identify devices, operating systems, and services present in the network. Once the BOTsink solution has learned the network, it will suggest decoy deployments on each VLAN and customize the decoys to match the device characteristics found there.

The BOTsink will designate the appropriate types and numbers of decoys to deploy to each VLAN based on what it learned of the network. The security team can add, edit, or further customize the campaigns to their liking, changing any characteristic on the decoys, such as the naming convention, IP addresses, account names, etc.

Customization includes:

  • Types of operating systems found on the VLAN
  • IP addresses
  • MAC address customizations
  • Naming convention
  • Services offered on each decoy
  • Account formats
  • Credentials
  • Web pages
  • And more

Attivo Deception Campaigns also encompass the ThreatStrike deception credentials and lures. As the BOTsink customizes the decoys, it will also create new ThreatStrike deceptive credentials and ransomware lures based on the user credentials that the BOTsink has learned or the security team has specified.

The security team can then either initiate the proposed Campaign once they have configured it to their liking or set the configuration to automatically deploy based on parameters that they set. Automatic deployments can be set on a periodic basis or at the security team's discretion, which could be based on suspicion of a network infection or other factors that would motivate a team to want to reset their synthetic deception network. With each reset, the BOTsink solution will automatically adjust the deception campaigns and prevent an adversary from learning the network, fingerprinting the deception environment, and avoiding interaction. The ability to use deception campaigns and apply adaptive deception will empower organizations to better control the attack surface and change the game board on attackers, increasing attacker costs and the complexity of their attempt to breach the organization.