
Threat Detection

Deception-Based Threat Detection for Comprehensive and Adaptive Security Defense

A well-designed deception system fits non-disruptively into an organization’s existing security ecosystem. Deception and decoy solutions provide an additional line of defense for networks, data centers, cloud and SCADA environments, addressing the situations where attackers have already bypassed prevention systems and real-time notification of in-network threats is required.

Security Infrastructure Solutions

Today’s cyber attacks arrive through a variety of threat vectors, including attacks that start with reconnaissance, stolen credentials, phishing or ransomware. Attackers are in general either scanning a network to find hosts with services or applications to compromise, or seeking to exfiltrate employee credentials or data. Either way, attackers and their automation tools rely on the responses they receive throughout the attack process to succeed. Real-time detection bundled with attack forensic analysis plays a critical role in changing the playing field against attackers. The hunters now become the hunted, putting the power of control back into an organization’s hands.



Deception Servers and Deception Lures

  • Deception servers and deception lures are based on creating attractive bait and a matrix of deception servers designed to lure attackers into engaging. Comprehensive deception solutions include endpoint, server, and application-level deceptions. Additionally, a deception platform will include the ability to provide attacker identification and forensics, which can be used to understand an attacker’s methodology and intent, and to defend against the cyber attack.
  • Deception techniques are not new to security. However, significant technology advances and new approaches to deception are delivering additional capabilities, better scalability, and improved manageability over legacy approaches such as decoy documents.

Attacks That Begin With Reconnaissance

Attacks begin with a scan of the network from the infected endpoint to locate the assets and services an attacker wants to target.

  • The Attivo solutions engage attackers by hosting network services across multiple virtual machines, IP services, and subnets, luring attackers into revealing themselves as soon as they start to look for your high-value assets.

Attacks That Begin With Stolen Credentials

The attacker exploits the infected endpoint to extract credentials and the location of the assets it wants to target.

  • The Attivo ThreatStrike Endpoint Solution provides a customizable and nonintrusive technology that lures such targeted attacks to its solution to detect infected endpoints, servers, and VMs.

Save Your BitCoins: Deception for Ransomware Detection

Organizations with some of the best-in-class prevention systems are demonstrating that they cannot reliably stop ransomware attacks. SentinelOne’s Global Ransomware Report 2018 found that ransomware is now something that more than half (56%) of companies have faced in the past two months. That’s up from 48% who said the same thing in the firm’s 2017 report.

45% of US companies hit with a ransomware attack last year paid at least one ransom, but only 26% of these companies had their files unlocked. Companies paying the ransom were attacked again 73% of the time.

  • New malware strains go undetected by signature-based systems
  • Polymorphic malware is hard to detect and stop
  • Web exploits use legitimate-looking JavaScript and bypass security prevention systems

Deception is playing a critical role in protecting against ransomware attacks such as WannaCry, Qakbot and Locky. Not reliant on known signatures or attack patterns, Attivo can deceive the attacker into engaging. High interaction deception techniques engage and occupy the attacker, providing security teams the time needed to quarantine the infected system before the attack can spread and cause additional damage.


Pre-Emptive Spear Phishing Management

  • Phishing scams are designed to take advantage of software and security weaknesses and a general lack of victim awareness and education to succeed. Masquerading as a familiar and reliable source, phishing scammers convince victims that their messages are legitimate and deceive them into providing confidential and financial information.

  • To mitigate the risks posed by spear phishing, organizations can leverage the Attivo BOTsink® solution as a complement to their existing security technologies to detect threats that are inside their network and to identify the intent and maliciousness of a phishing campaign.

Insider Threat Visibility and Detection

Privilege escalation, abuse of privileged accounts and data exfiltration represent serious issues associated with insider security compromises. The Attivo Deception and Response Platform provides visibility and detection for insiders, suppliers, and trusted third-party organizations that inherently bypass most security controls.

  • Deception decoys lay traps to detect reconnaissance
  • Deception credentials misdirect privileged account escalation
  • ThreatPath shows exposed credentials and misconfigurations
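The stolen-credential and insider-threat passages above both rest on the same tripwire idea: a planted decoy credential is never used by legitimate software, so any authentication attempt that presents it is a high-confidence signal. The following is an added example (not Attivo's code) of that detection logic run over authentication log lines; the decoy account names, hostnames, source addresses and the log line format are all constructed for the example.

```python
"""Deception-credential (honeytoken) detection over authentication events.

Added example, not Attivo's code. Decoy credentials planted on an endpoint are
never used by legitimate software, so any authentication attempt that presents
one is a high-confidence indicator that an attacker harvested credentials from
the host it was planted on. Decoy names, hostnames and log lines below are all
constructed for this example; the log format is an assumed one, not a product's.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Set

# Decoy accounts keyed to the endpoint they were planted on (constructed), so an
# alert can name the compromised host, not just the account that was tried.
DECOY_CREDENTIALS: Dict[str, str] = {
    "svc_backup_adm": "WS-FIN-017",
    "sql_report_ro": "WS-HR-042",
    "admin_legacy": "WS-ENG-101",
}

# Assumed line format:
#   <timestamp> auth user=<name> src=<ip> dst=<target host> result=<ok|fail>
LOG_RE = re.compile(
    r"^(?P<ts>\S+) auth user=(?P<user>\S+) src=(?P<src>\S+) "
    r"dst=(?P<dst>\S+) result=(?P<result>ok|fail)$"
)


@dataclass(frozen=True)
class DecoyAlert:
    ts: str
    user: str        # normalized decoy account name
    src: str         # address the attempt came from
    dst: str         # system the attacker tried to reach with it
    planted_on: str  # endpoint where this decoy was planted
    result: str      # "ok" or "fail"


def normalize_user(raw: str) -> str:
    """Reduce DOMAIN\\user, user@realm and mixed case to the bare account name."""
    user = raw.rsplit("\\", 1)[-1]
    user = user.split("@", 1)[0]
    return user.lower()


def detect_decoy_logins(lines: List[str],
                        decoys: Dict[str, str] = DECOY_CREDENTIALS) -> List[DecoyAlert]:
    """Return one alert per authentication attempt that presents a decoy account.

    Failed attempts are reported too: a failure still proves the credential was
    taken from the endpoint it was planted on. Lines that do not parse are
    skipped so one malformed entry cannot abort a scan of the whole log.
    """
    alerts: List[DecoyAlert] = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        user = normalize_user(m.group("user"))
        if user in decoys:
            alerts.append(DecoyAlert(m.group("ts"), user, m.group("src"),
                                     m.group("dst"), decoys[user], m.group("result")))
    return alerts


def compromised_endpoints_by_source(alerts: List[DecoyAlert]) -> Dict[str, Set[str]]:
    """Group alerts by source address: which planted endpoints each source has
    harvested decoys from. One source holding decoys from several endpoints
    means the intruder has already touched more than one host."""
    out: Dict[str, Set[str]] = {}
    for a in alerts:
        out.setdefault(a.src, set()).add(a.planted_on)
    return out


# Constructed log excerpt: 10.1.4.17 is the infected workstation; the decoy
# accounts are tried in two name formats, and one line is not an auth event.
SAMPLE_LOG = [
    "2024-03-01T08:02:11Z auth user=jdoe src=10.1.4.17 dst=FILE-01 result=ok",
    "2024-03-01T08:05:40Z auth user=CORP\\svc_backup_adm src=10.1.4.17 dst=FILE-01 result=fail",
    "2024-03-01T08:05:41Z auth user=svc_backup_adm@corp.example src=10.1.4.17 dst=DC-01 result=fail",
    "2024-03-01T08:07:03Z auth user=asmith src=10.1.9.3 dst=FILE-01 result=ok",
    "kernel: eth0 link up",
    "2024-03-01T08:09:55Z auth user=ADMIN_LEGACY src=10.1.4.17 dst=SQL-02 result=ok",
]

if __name__ == "__main__":
    for a in detect_decoy_logins(SAMPLE_LOG):
        print(f"{a.ts} decoy '{a.user}' (planted on {a.planted_on}) used from "
              f"{a.src} against {a.dst}: {a.result}")
```

Because the decoy accounts exist only as bait, this rule has effectively no false positives; the design choice worth noting is that the account name is normalized before lookup, since the harvested credential may be replayed as `DOMAIN\user`, `user@realm` or with different casing, and a naive exact match would miss two of the three attempts in the sample.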


Stealing logins and passwords on the endpoint is not the only way attackers can compromise credentials. They can launch Man-in-the-Middle (MitM) attacks on the network to capture credentials in transit. Detecting MitM attackers can be challenging, since they operate within subnets, generally beyond the scope of traditional network security applications.

  • Automatic or manual detection of MitM attack methods looking to steal credentials and data
  • Capture of in-transit credential theft
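As an added illustration of why in-subnet MitM detection is a sensor problem rather than a perimeter one, the following example (not Attivo's code) shows a passive ARP watcher: it records which MAC address each IP claims in ARP replies and alerts when a trusted binding such as the gateway is overridden, when a host's binding changes, or when one MAC answers for several IPs. The addresses, the "trusted" inventory and the captured replies are constructed; a real sensor would feed it from a packet capture on the segment.

```python
"""Passive detection of ARP-spoofing Man-in-the-Middle attempts on a subnet.

Added example, not Attivo's code. An ARP-spoofing MitM answers ARP for the
gateway (or a victim host) with the attacker's own MAC so that traffic, and any
credentials inside it, is routed through the attacker's host. A sensor on the
segment can detect this without touching production traffic: it remembers which
MAC each IP has claimed and alerts when an IP changes MAC, or when one MAC
claims several IPs. All addresses and ARP replies below are constructed.
"""
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple


@dataclass(frozen=True)
class ArpReply:
    ts: float   # seconds since capture start (constructed)
    ip: str     # sender protocol address
    mac: str    # sender hardware address


@dataclass(frozen=True)
class MitmAlert:
    ts: float
    reason: str
    ip: str
    old_mac: str
    new_mac: str


class ArpWatch:
    """Tracks IP-to-MAC bindings seen in ARP replies and raises MitM alerts."""

    def __init__(self, trusted: Dict[str, str]):
        # Known-good bindings (e.g. the gateway) from an inventory; these are
        # never overwritten by what the wire claims.
        self.trusted: Dict[str, str] = dict(trusted)
        self.bindings: Dict[str, str] = dict(trusted)
        self.claims: Dict[str, Set[str]] = {}         # mac -> IPs it has claimed
        self.alerts: List[MitmAlert] = []
        self._reported: Set[Tuple[str, str]] = set()  # (ip, mac) already alerted

    def observe(self, reply: ArpReply) -> None:
        self.claims.setdefault(reply.mac, set()).add(reply.ip)
        known = self.bindings.get(reply.ip)
        if known is None:
            self.bindings[reply.ip] = reply.mac   # first sighting: learn it
            return
        if known == reply.mac:
            return
        key = (reply.ip, reply.mac)
        if key not in self._reported:             # alert once per (ip, mac) pair
            self._reported.add(key)
            reason = ("trusted binding overridden" if reply.ip in self.trusted
                      else "binding changed")
            self.alerts.append(MitmAlert(reply.ts, reason, reply.ip, known, reply.mac))
        if reply.ip not in self.trusted:
            # Untrusted hosts follow the newest claim, so a genuine NIC swap
            # alerts once rather than on every subsequent reply.
            self.bindings[reply.ip] = reply.mac

    def macs_claiming_multiple_ips(self) -> Dict[str, Set[str]]:
        """A single MAC answering for several IPs is the classic spoofing footprint."""
        return {mac: ips for mac, ips in self.claims.items() if len(ips) > 1}


# Constructed capture: gateway 10.1.4.1 is the trusted binding; 10.1.4.17 is a
# workstation; de:ad:be:ef:00:99 is the attacker's NIC poisoning both sides.
TRUSTED = {"10.1.4.1": "00:11:22:33:44:01"}
SAMPLE_REPLIES = [
    ArpReply(1.0, "10.1.4.17", "aa:bb:cc:00:00:17"),
    ArpReply(2.0, "10.1.4.1", "00:11:22:33:44:01"),
    ArpReply(3.0, "10.1.4.1", "de:ad:be:ef:00:99"),
    ArpReply(3.5, "10.1.4.17", "de:ad:be:ef:00:99"),
    ArpReply(4.0, "10.1.4.1", "de:ad:be:ef:00:99"),
]


def run_sample() -> ArpWatch:
    """Feed the constructed capture through the watcher and return it."""
    watch = ArpWatch(TRUSTED)
    for reply in SAMPLE_REPLIES:
        watch.observe(reply)
    return watch


if __name__ == "__main__":
    w = run_sample()
    for a in w.alerts:
        print(f"t={a.ts:>4} {a.reason}: {a.ip} {a.old_mac} -> {a.new_mac}")
    print("multi-IP MACs:", w.macs_claiming_multiple_ips())
```

The watcher deliberately treats inventory bindings and learned bindings differently: the gateway's MAC comes from a source of truth and is kept even while the wire contradicts it, while a workstation binding is allowed to change so that a legitimate hardware replacement produces a single alert to triage rather than a stream of them.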

Active Directory

Integrating deception into the production AD environment gives organizations a line of defense within their AD infrastructure while increasing the authenticity of deception objects on the network and endpoints.

  • Coverage for a broad range of directory-based identity services, including Domain Services, Lightweight Directory Services, Certificate Services, Federation Services (single sign-on) and Rights Management Services
  • Integration for verifying deception credential authenticity

Defense in Depth for Amazon Web Services

Amazon Web Services (AWS) has seen tremendous adoption of its public cloud offerings. Although AWS offers a wide range of security controls, Amazon makes it clear that public clouds entail a shared security model. The ThreatDefend Solution provides an adaptive defense with:

  • Scalable, signatureless detection of advanced threats and targeted attacks
  • Lateral movement threat detection designed for cloud data centers with large volumes of data.

Scalable Threat Detection for Azure Cloud

Azure cloud adoption is growing at unprecedented rates, driven by the need for on-demand scalable infrastructure. However, security controls have not been able to keep up and provide accurate and early detection of in-network threats. The ThreatDefend solution for Azure addresses this with:

  • Scalable, signatureless detection of advanced threats and targeted attacks
  • Lateral movement threat detection designed for cloud data centers with large volumes of data

Detect and Quarantine threats in the OpenStack SDDC

OpenStack integration provides organizations with efficient and effective detection of inside-the-network threats for virtualized software defined data centers (SDDC).

  • Security group policies can be set to enable automatic quarantine of infected VMs
  • Containment of an attacker prevents movement to other VMs to establish persistence

Deception for ICS-SCADA Network Protection

With SCADA systems becoming increasingly vulnerable to sophisticated and persistent attackers, air-gap and prevention-only security solutions are not able to offer the reliable protection needed to defend against a cyber attack. An effective strategy to secure your SCADA network is to take a defense-in-depth approach that includes prevention solutions and deception technology for inside-the-network threat detection.

First Deception-based Threat Detection Platform for Internet of Things (IoT)

IoT networks bring in a diverse range of connected devices and can introduce multiple points of vulnerability in the network. The Attivo Networks Deception Platform is designed to detect cyber attackers regardless of whether the attack is a targeted, stolen-credential, ransomware, or insider threat. Customers can configure the Attivo Deception Platform to look identical to IoT systems based on XMPP, CoAP, MQTT, HL7 and DICOM-based PACS servers in their networks.


Point-Of-Sale Attack Systems

The Role of Early Detection for Breach Prevention

Point-of-Sale System Attacks surveys the landscape of Point-of-Sale (POS) device vulnerabilities and articulates how POS attacks happen, the anatomy of a POS attack, and how deception can play a powerful role in protecting against them. Beyond analyzing the environment, Point-of-Sale System Attacks examines three separate case studies of potential attacks on large, regional, and mid-size organizations while providing insight into best practices for organizations to protect themselves against POS attacks.

Distributed Deception Platforms for Automated Incident Handling

ThreatOps™ accelerates incident handling by automatically correlating attack information within one dashboard to score and create playbooks.

  • Incident scoring and playbooks for repeatable processes
  • Automatic quarantine and attack blocking with third-party integrations
  • Threat hunting through Attivo and NAC integration