How Attivo Works in the Kill Chain
Attivo solutions are an effective way to engage attackers anywhere across the enterprise network: clients, servers, and services. As attackers look for high-value assets, they will scan the Attivo decoys as part of the network. Once a scan, probe or ping occurs, Attivo will immediately alert you to the suspicious activity.
- Pre-Detection: Attivo solutions are effective in the Reconnaissance (Recon) and Delivery phases, when attackers are probing for vulnerabilities, identifying the assets to target and beginning their attack.
- Attivo uses deception credentials placed on endpoints and nodes to make every device a lure that attracts the attacker to the Attivo BOTsink platform rather than to company servers.
- Designed for authenticity with real operating systems and full network services, Attivo deception looks and operates exactly like other company servers. Golden images can also be loaded for additional authenticity.
- As an attacker begins to spread in order to maintain presence and to find high-value targets, lateral movement using internal reconnaissance and stolen credentials can happen over days, weeks or months.
- Attivo solutions are extremely effective in detecting lateral movement within the network and east-west traffic within the data center, by luring attackers to engage with BOTsink deception servers.
- Post-Detection: Once the attack is underway and attackers have engaged with the Attivo solution, in-depth visibility on the full cycle of the kill chain is provided, including the IP addresses of infected clients.
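As an added illustration of the deception-credential idea in the bullets above (example code, not Attivo's own), the following detector flags any login attempt that uses a planted credential and any connection to a decoy address, then lists the source hosts involved; the account names, decoy addresses and log format are constructed for this example.

```python
import re
from dataclasses import dataclass

# Constructed deception inventory (assumed for this example): credentials planted on
# endpoints that no legitimate workflow uses, and the decoy hosts they point at.
# Nothing real touches them, so a single hit is a high-fidelity alert.
DECEPTION_ACCOUNTS = {"svc_backup_admin", "fin_share_ro"}
DECOY_HOSTS = {"10.20.30.200", "10.20.30.201"}

# Constructed log format: "<ts> AUTH|CONN src=<ip> dst=<ip> [user=<name>] [result=<r>]"
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<event>AUTH|CONN) src=(?P<src>\S+) dst=(?P<dst>\S+)"
    r"(?: user=(?P<user>\S+))?(?: result=(?P<result>\S+))?$"
)

@dataclass(frozen=True)
class Alert:
    ts: str
    src: str     # client the activity came from, i.e. the infected host
    reason: str

def detect(lines):
    """Return one Alert per log line that touches a deception asset."""
    alerts = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # unparseable lines are skipped, never alerted on
        f = m.groupdict()
        if f["user"] in DECEPTION_ACCOUNTS:
            # Even a failed login counts: the credential had to be harvested
            # from an endpoint before anyone could try it.
            alerts.append(Alert(f["ts"], f["src"], f"deception credential {f['user']} tried on {f['dst']}"))
        elif f["dst"] in DECOY_HOSTS:
            alerts.append(Alert(f["ts"], f["src"], f"{f['event']} to decoy host {f['dst']}"))
    return alerts

def infected_clients(alerts):
    """Source addresses that engaged a decoy: the hosts to isolate and image."""
    return {a.src for a in alerts}

SAMPLE_LOG = [  # constructed: normal traffic, then one host moving laterally
    "2024-05-01T09:00:01Z AUTH src=10.20.1.15 dst=10.20.5.10 user=jsmith result=success",
    "2024-05-01T09:00:07Z CONN src=10.20.1.15 dst=10.20.5.10",
    "2024-05-01T09:03:12Z CONN src=10.20.1.42 dst=10.20.30.200",
    "2024-05-01T09:03:13Z AUTH src=10.20.1.42 dst=10.20.30.200 user=svc_backup_admin result=failure",
    "2024-05-01T09:04:20Z AUTH src=10.20.1.42 dst=10.20.5.11 user=fin_share_ro result=success",
    "not a parseable record",
]
```

Running `detect(SAMPLE_LOG)` yields three alerts, all from 10.20.1.42, while the legitimate traffic from 10.20.1.15 produces none.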
Attivo brings a much-needed addition to traditional prevention security solutions, which are based on known attack signatures and therefore by design cannot reliably detect zero-day, signature-less attacks, address the use of stolen employee credentials, or protect effectively against ransomware and spear-phishing campaigns.
A seamless and non-disruptive addition to existing security infrastructure, Attivo deception-based threat detection closes the gap on security vulnerabilities and provides a critical line of defense for detecting attackers before they have time to complete their attack and cause a data breach or harm to critical infrastructure.