
OVERVIEW

Attivo deception provides immediate value by giving security teams “eyes inside the network”: visibility and accurate detection alerts based on decoy engagement or on attempts to use deception credentials, most notably early in the attack cycle.

For years, attackers have used deception tactics to breach networks: they masquerade as legitimate employees, use stolen credentials and deceptive measures to infiltrate a network, and remain undetected for lengthy dwell times. Security teams have to be successful 100% of the time, whereas an attacker only has to get lucky once. It is now time to turn the tables and use deception against attackers; outwitting an adversary is rarely accomplished without a balance of defensive and offensive measures.

Deception brings the offense into cybersecurity: it deceives and misdirects attackers into revealing themselves, without the false-positive alert fatigue and operational overhead of traditional detection methods. Attivo stands apart in that it gives organizations capabilities they cannot achieve with other security controls: the capacity to outmaneuver the attacker, force them to execute flawlessly, and ultimately derail their efforts using their own favored approach, deception.

THE EVOLUTION OF DECEPTION

Deception is not just a fancy honeypot. Honeypots were first introduced in the 1980s and served a useful function in understanding who was attacking an organization from outside the network. Commercial deception technology has come a very long way since then and now serves as a high-fidelity in-network detection control. The scale and operational limitations of honeypots are removed through virtualization and machine-learning automation that manages the creation, deployment, and operation of the deception environment. The Attivo Networks ThreatDefend platform takes deception further, into active defense, by incorporating automated attack analysis, forensics, and native integrations for accelerated incident response.

DECEPTION DISRUPTS AN ATTACKER’S PLAYBOOK AND CHANGES THE ASYMMETRY OF AN ATTACK

DWELL TIME

Attackers take their time, and assume they can move slowly through the network to avoid detection.

ESCALATION

Attackers will move laterally inside the network and escalate privileges to reach critical assets.

MISDIRECTION

Most attackers trust the information they steal is real and will act accordingly.

HOW DECEPTION WORKS

Deception works by using decoy traps and lures designed to draw an attacker into engaging with them and away from production assets. Decoys are projected throughout the network, along with endpoint credentials, mapped shares, deception data, and applications that breadcrumb the attacker to an engagement server, which alerts on the attacker's presence.

DECEPTION ARCHITECTURE

Believability is critical to enticing the attacker, and as such Attivo Networks uses real operating systems, services, and applications that mirror the production environment. Golden-image software can also be used for a 100% match. Integration with Active Directory validates the deception credentials, so they look authentic when an attacker checks them.
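The two passages above describe the mechanism in general terms: deception credentials are planted on endpoints, backed by real accounts in Active Directory, and any attempt to use them is an alert. The following is an added example (not Attivo's code) of the detection side of that idea. It assumes decoy accounts exist in AD, so an attacker's logon attempt produces genuine Security log events (4625, 4768, 4771, 4776 and so on), and that their credentials were planted as cached logons and mapped-share credentials. The account names, lure descriptions and sample events are all constructed.

```python
"""Honey-credential detection over Windows Security log events.

Added example, not Attivo's code. It assumes decoy accounts have been
created in Active Directory (so an attacker's logon attempt produces real
4625/4768/4771/4776 events) and their credentials planted on endpoints as
cached logons and mapped-share credentials. The account names, lure
descriptions and the sample events below are all constructed.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, Iterable, List

# Hypothetical decoy accounts and where each credential was planted.
DECOY_ACCOUNTS: Dict[str, str] = {
    "svc_backup_adm": "mapped-share credential on WS-0042 (\\\\fs01\\backups)",
    "sqladmin_legacy": "cached RDP credential on WS-0042",
}

# Authentication events a real AD logon attempt produces; anything else is ignored.
LOGON_EVENT_IDS: Dict[int, str] = {
    4624: "successful logon",
    4625: "failed logon",
    4768: "Kerberos TGT request",
    4771: "Kerberos pre-authentication failure",
    4776: "NTLM credential validation",
}


@dataclass(frozen=True)
class Alert:
    account: str
    source_ip: str
    source_host: str
    event_id: int
    reason: str
    lure: str


def normalize_account(user: str) -> str:
    """Reduce DOMAIN\\user, user@realm and mixed case to a bare lower-case name."""
    return user.split("\\")[-1].split("@")[0].lower()


def normalize_ip(ip: str) -> str:
    """Strip the IPv4-mapped IPv6 prefix the Security log often records."""
    return ip[7:] if ip.startswith("::ffff:") else ip


def is_decoy(user: str) -> bool:
    return normalize_account(user) in DECOY_ACCOUNTS


def detect(events: Iterable[Dict]) -> List[Alert]:
    """Every authentication attempt against a decoy account is an alert.

    No legitimate process ever uses these credentials, so there is no
    behavioural baseline to learn and no signature to match: one event is proof.
    """
    alerts: List[Alert] = []
    for ev in events:
        event_id = ev.get("EventID")
        if event_id not in LOGON_EVENT_IDS:
            continue
        account = normalize_account(ev.get("TargetUserName", ""))
        if account not in DECOY_ACCOUNTS:
            continue
        alerts.append(Alert(
            account=account,
            source_ip=normalize_ip(ev.get("IpAddress", "-")),
            source_host=ev.get("WorkstationName") or "-",
            event_id=event_id,
            reason=LOGON_EVENT_IDS[event_id],
            lure=DECOY_ACCOUNTS[account],
        ))
    return alerts


def pivot_by_source(alerts: Iterable[Alert]) -> Dict[str, List[str]]:
    """Group decoy accounts touched per source IP: one host hitting several
    lures is the lateral-movement signal a responder wants to see first."""
    hits: Dict[str, set] = defaultdict(set)
    for a in alerts:
        hits[a.source_ip].add(a.account)
    return {ip: sorted(names) for ip, names in hits.items()}


# Constructed sample events in the shape of Windows Security log fields.
SAMPLE_EVENTS = [
    {"EventID": 4624, "TargetUserName": "jsmith", "IpAddress": "10.0.5.10",
     "WorkstationName": "WS-0010", "LogonType": 3},
    {"EventID": 4634, "TargetUserName": "jsmith", "IpAddress": "10.0.5.10",
     "WorkstationName": "WS-0010"},
    {"EventID": 4625, "TargetUserName": "CORP\\svc_backup_adm",
     "IpAddress": "::ffff:10.0.5.23", "WorkstationName": "WS-0042",
     "LogonType": 3, "Status": "0xC000006D"},
    {"EventID": 4768, "TargetUserName": "SQLADMIN_LEGACY@CORP.EXAMPLE",
     "IpAddress": "::ffff:10.0.5.23", "WorkstationName": ""},
]

if __name__ == "__main__":
    found = detect(SAMPLE_EVENTS)
    for a in found:
        print(f"[DECOY] {a.account} from {a.source_ip} ({a.source_host}): "
              f"{a.reason} (event {a.event_id}); lure: {a.lure}")
    print(pivot_by_source(found))
```

Feed it the real event stream from your SIEM in place of SAMPLE_EVENTS. The only tuning is the decoy account list; there is no threshold, because a single authentication attempt against an account nobody is supposed to use is already the high-fidelity signal the page describes.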

DECEPTION WITHIN THE SECURITY CONTROL STACK

Deception technology provides “eyes within the network” visibility into threats that have bypassed perimeter defenses. By laying a maze of decoys, lures, and misdirections, security teams can accurately and efficiently detect early reconnaissance, lateral movement, and credential theft, improving time to detection and reducing attacker dwell time.

CREATING ATTRACTIVE ATTACK SURFACES

NETWORK

High-interaction, authentic decoys designed to attract attackers during reconnaissance and lateral movement.

ENDPOINT

Credentials and mapped shares attract and breadcrumb attackers into the deception environment, quickly revealing attacks on endpoints.

APPLICATIONS

Create deception environments that appear as production applications such as SWIFT, web services, print services, etc.

DATA

Plant deceptive files to gain a better understanding of the areas being targeted for theft, and to geolocate where stolen files are opened.

CLOSING THE DETECTION GAPS FOR ALL THREAT VECTORS

Perimeter and endpoint security solutions cannot reliably stop attacks from every vector and method. The result is long attacker dwell times, a median of 101 days according to the M-Trends 2018 Report. Deception technology plays a critical role in changing this paradigm by detecting attacks that have bypassed other security controls, early and accurately, regardless of the method used to compromise the network. Because deception uses traps and lures to detect an adversary, it does not rely on signatures or database lookups. This makes it scalable and capable of reliably detecting attackers who use ever-changing attack methods and target rapidly evolving attack surfaces.

  • Zero-day exploitation
  • Credential theft/reuse
  • Network reconnaissance
  • Active Directory reconnaissance
  • Communication over HTTPS
  • Man-in-the-middle attack

THE ROLE OF DECEPTION IN THE ATTACK LIFECYCLE

Security investments are typically made in preventing an attack and in stopping exfiltration. This leaves a giant blind spot: attackers that bypass the perimeter can move laterally and steal credentials as they quietly establish a foothold, gain privileges, and recon the network in search of their targets. Deception closes the in-network detection gap by placing attractive endpoint lures, data deceptions, and traps throughout the network. Organizations immediately gain the visibility needed to derail these attacks and remediate compromised devices.

DETECTING THE ADVERSARY

Threats arise from a variety of sources, not only external threat actors. External adversaries, insiders, contractors, and suppliers are all capable of creating risk and breaching an organization. Once inside the perimeter, many traditional security controls are ineffective or unreliable, since they must first learn normal behavior and then alert on deviations from it. A different approach to in-network detection is needed: controls that accurately detect malicious activity, policy violations, and risk from human error.

Deception plays a critical role in detecting adverse behavior and in alerting on employee conduct outside of authorized practices. This can relate to unauthorized access, BYOD devices, undesirable activities, and insight into M&A integrations. A single touch of the deception environment provides a substantiated alert with details of the attempted actions. This provides the proof often required to take corrective and even legal action to protect an organization’s data, IP, patents, and other operating controls.

  • External
  • Employees
  • Suppliers
  • Contractors
  • Mergers & acquisitions
  • Pen testers

USE CASES

  • Early Threat Detection
    — Decoy engagement-based detection
    — Not reliant on signatures to detect attacks
    — No pattern matching or database lookup

  • Lateral Movement Threat Detection
    — In-network threat detection
    — Detect early reconnaissance
    — Detect lateral movement
    — Detect activities used to maintain presence

  • Evolving Attack Surface
    — Decoys to address all attack surfaces
    — User network
    — Data center
    — Cloud (AWS, Azure, Google, OpenStack)
    — Specialized: IoT, ICS, POS, SWIFT, router

  • Man-in-the-Middle Attacks
    — Early detection of MitM attacks
    — Attack replay to better understand movement

  • Data & DecoyDoc Deceptions
    — Data deceptions to misdirect attacks
    — DecoyDocs for counterintelligence on attacker intent
    — Geolocation tracking of opened documents

  • Compliance, Breach Investigation, M&A Visibility
    — Demonstrate in-network detection
    — Forensics to demonstrate resolution
    — Trust-but-verify M&A visibility
    — Blue Team’s control of choice during pen testing

  • Skills Shortage & Ability to Respond to Incidents
    — High-fidelity alerts are actionable
    — Basic and advanced user interface
    — Easy to deploy and operate
    — Automations for attack analysis and incident response

DECEPTION FOR ONGOING ASSESSMENT AND COMPLIANCE

Deception plays an important role in proving network resiliency. Blue teams can go into pen tests confident that they will be able to detect and record the actions of their Red team adversary. The ThreatDefend platform not only detects early reconnaissance and credential theft, but also records and reports on every move, giving proof that the team is well equipped to detect and quickly respond to threats. These reports can also be crucial for demonstrating company and supplier compliance.

Think deception won’t be effective if the Red team knows it is installed? You will be pleasantly surprised that Attivo Networks detection passes with flying colors, even when the attacker anticipates it is installed. Want to see what an attacker would see, or how the deployment holds up against an adversary? Check out the BOTsink vulnerability emulator or the ThreatInject tools to see what an attacker sees when looking for deception.


SPEAK TO A DECEPTION SPECIALIST

Ready to find out what the Attivo Networks solution can do for your organization? Our security experts are standing by, ready to answer your questions.

Top Technology

Deception technology recommended as a Top 10 Strategic Technology Trend for 2018 (Gartner, Inc.)