OVERVIEW
In-network threat detection can occur at the endpoint or within the network. Network-based deception addresses the attack tactics that start at the network level where attackers seek to enumerate the environment to find usernames and info on groups, shares, and services on networked computers or to harvest credentials by attempting a Man-in-the-Middle attack. This detection method is universally recognized for its ability to deliver high fidelity alerts because they are based on actual attacker engagement.
To reduce the risk of a successful attack, network-based deception is used to derail attempts at reconnaissance early in the attack cycle. Human or automated attackers will see devices that appear as production systems, where they are, in fact, decoys designed to mimic them. Deception devices that run full-OS decoys create the highest levels of authenticity. Emulated systems can also be effective for certain use cases and environments. Today’s cyber deception platforms have removed the operational issues associated with early-day honeypots and now use machine-learning to learn the environment automatically. This acquired information is then used to automate deployment and make ongoing operations to maintain authenticity extremely simple, no longer needing highly skilled experts to operate. High-interaction cyber deception platforms also provide the means to gather adversary intelligence safely for faster triage and remediation.
The Network Threat Detection Challenge
Zero Day Threats
Unknown threats, mistakes, and misconfigurations can allow attackers to bypass prevention solutions.
Cloud Threats
Shared security, containers, and serverless environments create unique detection challenges.
IoT / ICS Threats
Not all endpoints can run AV or produce logs for analysis ie: ICS, IoT, network infrastructure.
Increasing Dwell Times
73 Days to find an in-network attacker. Deception can reduce dwell times by 91%.
BUSINESS VALUE
Early and Accurate Detection of Network Attack Activity to Minimize Organizational Risk
Reconnaissance
Detect reconnaissance from human and automated attacker.
Alerting
Reduce false positives. Receive only high-fidelity alerts.
Derailing Attacks
Create virtual landmines to efficiently derail attacks.
Detection Coverage
Detection coverage for on-premises, cloud, and specialized environments.
Machine-learning
Machine-learning for automated operations.
Threat Intelligence
Safely gather adversary intelligence including TTP’s and IOCs.
Learn Attacker Intent
Decoy documents serve as bait and to reveal attacker targets.
Incident Response
Automate incident response via native integrations.
Dwell Time
Reduce time attackers remain undetected and response time.
Network-Based Threat Deception
Quickly detect in-network threat activity across all attack surfaces as an attacker seeks target assets, moves laterally, and maintains presence.
Decoys for Early Detection of Reconnaissance & Lateral Movement Activity
Servers
Endpoints
Active Directory
Application
Data
Specialized Devices
IoT
Medical IoT
Industrial Control
POS
Router Infrastructure
IoT
Medical IoT
Industrial Control
POS
Router Infrastructure
BENEFITS
The ThreatDefend platform provides extensive endpoint protection functions that prevent attacker lateral movement. Deceptive credentials and shares protect production assets by redirecting attackers away from operational systems and into a decoy engagement environment.
High-fidelity detection
Gain early and accurate threat detection of human and automated attackers targeting networked systems and devices. Golden image customization delivers optimal authenticity
Cloud Threat Detection
Improve visibility into threat activity within an organization’s cloud environment
Industrial Control Threat Detection
Achieve awareness of attacks targeting ICS/SCADA systems
IoT Threat Detection
Improve security over IoT devices on the network
Network Infrastructure Threat Detection
Learn when attackers target routers, switches, and other networking infrastructure
Scalability and ease of operation
Coverage for a wide-variety of endpoints and machine-learning for automated learning and deployment
Gather company-centric threat-Intelligence
Capabilities to collect adversary intelligence and forensic data empower faster triage
Accelerate Incident Response
Integrations with EPP and EDR solutions facilitate automated incident response
USE CASES
Early Threat Detection
— Decoy engagement-based detection
— Not reliant on signatures to detect attacks
— No pattern matching or database look up
Lateral Movement Threat Detection
— In-network threat detection
— Detect early reconnaissance
— Detect lateral movement
— Detect activities used to maintain presence
Evolving Attack Surface
— Decoys to address all attack surfaces
— User Network
— Data Center
— Cloud (AWS, Azure, Google, OpenStack)
— Specialized: IOT, ICS, POS, SWIFT, Router
Man-in-the-Middle Attacks
— Early detection of MitM attacks
— Attack replay to better understand movement
Data & DecoyDoc Deceptions
— Data deceptions to misdirect attack
— DecoyDocs for counterintelligence on attacker intent
— Geolocation tracking of opened documents
Compliance Breach Investigation M&A Visibility
— Demonstrate in-network detection
— Forensics to demonstrate resolution
— Trust but verify M&A visibility
— Blue Team’s choice control during Pen Testing
Skills Shortage & Ability to Respond to Incident
— High-fidelity alerts are actionable
— Basic and advanced user interface
— Easy to deploy and operate
— Automations for attack analysys and incident response
SPEAK TO A DECEPTION SPECIALIST
Ready to find out what the Attivo Networks solution can do for your organization? Our security experts are standing by, ready to answer your questions.
“If you don’t know what threats are inside your network, then deception-based detection is your answer.”
SPOTLIGHT
Deception Based Threat Detection eBook