Cyber Attacks that Begin with Reconnaissance

Reconnaissance Attack Threat Vector

Reconnaissance attacks begin with a scan of the network from the infected endpoint to locate the assets and services an attacker wants to target. Varieties of reconnaissance include active scanning, random-IP scanning and stealth scanning. A well-known example of a scanning attack is Conficker, an extremely aggressive worm that first struck in 2008 and is also known as Downadup; it has five known variants, Conficker.A through Conficker.E.

Attivo can detect all varieties of scanning with deception-based threat detection solutions. The BOTsink deception platform engages attackers by hosting network services across multiple virtual machines, IP services, and subnets luring attackers into revealing themselves as soon as they start to look for your high-value assets.

Kill Chain

A “kill chain” is the progression an attacker typically follows when planning and executing an attack. Analyzing the malware and tools associated with the target helps build a picture of how the attacker gained access to sensitive systems and ultimately exfiltrated stolen data.

How Attivo Works in the Kill Chain

Attivo solutions are an effective way to engage attackers anywhere across the enterprise network – clients, servers, and services. As attackers look for high-value assets, they scan the Attivo deception assets along with the rest of the network. Once a scan, probe or ping occurs, Attivo immediately alerts you to the suspicious activity.

  • Pre-Detection: Attivo solutions are effective in the Reconnaissance (Recon) and Delivery phases, when attackers are probing for vulnerabilities, identifying the assets to target and beginning their attack.
  • Attivo uses deception credentials placed on endpoints and nodes to make every device a lure that draws the attacker to the Attivo BOTsink platform instead of company servers.
  • Designed for authenticity with real operating systems and full network services, Attivo deception looks and operates exactly like other company servers. Golden images can also be loaded for additional authenticity.
  • As an attacker begins to spread in order to maintain presence and find high-value targets, lateral movement using internal reconnaissance and stolen credentials can happen over days, weeks or months.
  • Attivo solutions are extremely effective in detecting lateral movement within the network and east-west traffic within the data center by luring attackers to engage with BOTsink deception servers.
  • Post-Detection: Once the attack is underway and attackers have engaged with the Attivo solution, in-depth visibility into the FULL cycle of the kill chain is provided, including the IP addresses of infected clients.
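The detection logic the list above describes rests on a simple property of decoys: no legitimate workflow has a reason to contact one, so any scan, probe or ping that reaches a decoy is an alert on its own, and the source address of that traffic is the infected client. The following Python script is an added example written for this page, not Attivo product code. It reads constructed sample flow records (the log format, the decoy addresses 10.0.5.250 and 10.0.5.251, and the sweep threshold are all assumptions), raises an alert for every contact with a decoy, and additionally flags sources that sweep several hosts on the same port, the horizontal-scan pattern typical of worms such as Conficker.

```python
"""Added example: flag endpoints that touch decoy hosts or behave like scanners.

Not Attivo code. Decoy addresses, log format and thresholds are assumptions
constructed for illustration.
"""
import re
from collections import defaultdict

# Assumed decoy (deception host) addresses; in a real deployment these come
# from the deception platform's inventory.
DECOY_HOSTS = {"10.0.5.250", "10.0.5.251"}

# Constructed sample flow records (not real product output). Host 10.0.5.23
# sweeps several hosts on 445, then touches two decoys; 10.0.5.77 is normal.
SAMPLE_LOG = """\
2024-01-10T09:00:01 src=10.0.5.23 dst=10.0.5.40 dport=445 proto=tcp
2024-01-10T09:00:01 src=10.0.5.23 dst=10.0.5.41 dport=445 proto=tcp
2024-01-10T09:00:01 src=10.0.5.23 dst=10.0.5.42 dport=445 proto=tcp
2024-01-10T09:00:02 src=10.0.5.23 dst=10.0.5.250 dport=445 proto=tcp
2024-01-10T09:00:02 src=10.0.5.23 dst=10.0.5.251 proto=icmp
2024-01-10T09:00:03 src=10.0.5.23 dst=10.0.5.251 dport=3389 proto=tcp
2024-01-10T09:00:05 src=10.0.5.77 dst=10.0.5.40 dport=443 proto=tcp
2024-01-10T09:00:06 src=10.0.5.77 dst=10.0.5.40 dport=443 proto=tcp
garbage line that should be ignored
"""

# dport is optional so that ICMP pings (no port) still parse.
LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+src=(?P<src>[\d.]+)\s+dst=(?P<dst>[\d.]+)"
    r"(?:\s+dport=(?P<dport>\d+))?\s+proto=(?P<proto>\w+)\s*$"
)


def parse_line(line):
    """Return a dict of fields for a well-formed record, else None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["dport"] = int(rec["dport"]) if rec["dport"] else None
    return rec


def analyze(log_text, decoys=DECOY_HOSTS, sweep_threshold=3):
    """Return decoy-engagement alerts and sources that look like scanners.

    decoy_alerts: every packet or connection to a decoy is an alert by itself,
    because nothing legitimate should talk to a decoy.
    scanners: sources that contacted >= sweep_threshold distinct hosts on the
    same port (a horizontal sweep), a simple reconnaissance heuristic.
    """
    decoy_alerts = []
    hosts_per_port = defaultdict(lambda: defaultdict(set))  # src -> port -> {dst}
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue  # malformed record: skip rather than crash the detector
        if rec["dst"] in decoys:
            decoy_alerts.append(
                (rec["ts"], rec["src"], rec["dst"], rec["proto"], rec["dport"])
            )
        if rec["dport"] is not None:
            hosts_per_port[rec["src"]][rec["dport"]].add(rec["dst"])
    scanners = sorted(
        src for src, ports in hosts_per_port.items()
        if any(len(hosts) >= sweep_threshold for hosts in ports.values())
    )
    return {"decoy_alerts": decoy_alerts, "scanners": scanners}


if __name__ == "__main__":
    result = analyze(SAMPLE_LOG)
    for alert in result["decoy_alerts"]:
        print("DECOY ENGAGED:", alert)
    print("Likely scanners:", result["scanners"])
```

On the sample input the script reports three decoy engagements, all from 10.0.5.23 (one of them the ICMP ping, which carries no port), and lists 10.0.5.23 as a scanner because it reached four distinct hosts on port 445. The decoy rule needs no threshold and no signature, which is the point the page makes about signature-less detection; the sweep heuristic is there to show that the same flow data also supports a conventional scan detector, with a tunable threshold and the usual false-positive trade-off.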

Attivo brings a much-needed addition to traditional prevention security solutions, which are based on known attack signatures and therefore, by design, cannot reliably detect signature-less zero-day attacks, address the use of stolen employee credentials, or protect effectively against ransomware and spear-phishing campaigns.

A seamless and non-disruptive addition to existing security infrastructure, Attivo deception-based threat detection closes the gap left by security vulnerabilities and provides a critical line of defense, detecting attackers before they have time to complete their attack and cause a data breach or harm to critical infrastructure.