Support Login
Login  
 

Cyber Attacks that Begin with Reconnaissance

Home / Solutions / Cyber Attacks that Begin with Reconnaissance

Reconnaissance Attack Threat Vector

Reconnaissance attacks begin with a scan of the network from the infected endpoint to locate the asset and services an attacker wants to target. Varieties of reconnaissance include active, random IP as well as stealth scanning. A popular example of a scanning attack would be Conficker, an extremely aggressive worm that initially attacked in 2008 and has now morphed to be known as Downadup, which includes five known variants – Conficker.A through Conficker.E.

Attivo can detect all varieties of scanning with deception-based threat detection solutions. The BOTsink deception platform engages attackers by hosting network services across multiple virtual machines, IP services, and subnets luring attackers into revealing themselves as soon as they start to look for your high-value assets.

Kill Chain

A “kill chain” is the progression an attacker often follows when planning and executing an attack. Analyzing malware and tools associated with the target helps build a picture of how the attacker gained access to sensitive systems and ultimately, exfiltrate stolen data.

How Attivo Works in the Kill Chain

Attivo solutions are an effective way to engage attackers anywhere across the enterprise network – clients, servers, and services. As attackers look for high-value assets they will scan Attivo as part of the network. Once a scan, probe or ping occurs,  Attivo will immediately alert you to suspicious activity.

  • Pre-Detection: Attivo Solutions are effective in the Reconnaissance (Recon) and Delivery phases when the attackers are probing for vulnerability and identifying the assets to target and beginning their attack.
  • Attivo uses deception credentials placed on endpoints and nodes to make every device a lure that will attract the attacker to the Attivo BOTsink platform vs. company servers
  • Designed for authenticity with real operating systems and full network services, Attivo deception looks and operates exactly like other company servers. Golden images can also be loaded for additional authenticity.
  • As an attacker begins to spread in order to maintain presence and to find high value targets, lateral movement using internal reconnaissance and use of stolen credentials can happen over days, weeks or months.
  • Attivo solutions are extremely effective in detecting lateral movement within the network and east-west traffic within the data center, by luring attackers to engage with BOTsink deception servers.
  • Post-Detection: Once the attack is underway, and attackers have engaged with the Attivo Solution, in-depth visibility on the FULL cycle of the kill chain will be provided including IP addresses of infected clients.

Attivo brings a much needed addition to traditional prevention security solutions, which are based on known attack signatures. Therefore, traditional solutions by design cannot reliably detect zero-day signature-less attacks, address the use of stolen employee credentials, or protect effectively against ransomware and spear phishing campaigns.

A seamless and non-disruptive addition to existing security infrastructure, Attivo deception-based threat detection closes the gap on security vulnerabilities and provides a critical line of defense for detecting attackers before they have time to complete their attack and cause a data breach or harm to critical infrastructure.

Learn more about Attivo BOTsink Deception Technology

  • “Attivo is low effort, high impact”

    Major Finance and Accounting firm, CISO

  • “Attackers only have to be right once, while security people have to be right all the time… Deception flips that paradigm… now the criminals need to be right all of the time too”…”flawless deployment, and was done without any assistance from Attivo!”

    DJ Goldsworth, Director Security Operations and Threat Management, Aflac

  • All it takes is one breach and you would have paid for your entire (breach detection) product.

    Mike Spanbauer , Vice President of Research, NSS Labs.

  • It’s striking how many layers of obfuscation that the group adopts. These groups are innovating and becoming more creative.

    Jennifer Weedon, FireEye Strategic Analysis Manager

  • 17,000 malware alerts per week 40% of malware goes undetected

    Fred Donovan , Fierce IT security

  • There's two kinds of CIOs: ones who have been hacked and know it, and those who have been hacked and don't yet realize it. But the reality is, you've been hacked,

    Tony Scott, Federal CIO