

Detecting malicious insiders is difficult. Organizations, however, can gain an advantage by leveraging the ThreatDefend detection and response platform to identify insider threats, whether they are an employee, contractor, supplier, or other trusted third party. Security teams can quickly detect unauthorized network scans, credential theft and reuse, or attempts to access and steal data by creating synthetic deceptive assets intermingled with the production environment. By creating deception servers, file shares, credentials, documents with beaconing capabilities, files, databases, and other decoy elements, deceptions are planted to quickly detect policy violations or malicious activity from insider threats.

The Insider Threat Risk


Data Risk

57% of database breaches involve insider threats within an organization.


Incident Causes

Employee or contractor negligence is responsible for two out of three insider threat incidents.

Supplier contractors

94.3% of executives have low to moderate confidence in their 3rd party risk management tools and technology.

Time to Remediate

On average, it takes 72 days to contain an insider threat.

Deception for Insider Threats

Policy Violations

Employees and contractors are expected to follow policies and contracts that define permitted behavior on the network, but how do organizations confirm compliance?  The ThreatDefend platform accurately detects activities outside the bounds of normal duties, such as reconnaissance scans or unapproved access.

ThreatStrike deceptive credentials are used to detect when insiders use unauthorized credentials or abuse privileges to access sensitive files and systems.  BOTsink network decoys alert when users attempt to misuse equipment, or install unauthorized applications such as cryptomining software. DecoyDocs can also be deployed for identifying unauthorized file access and for insight into a threat actor’s intent. With the recording capabilities and forensic capture the platform provides, organizations gain the evidence necessary to support administrative, disciplinary, or legal actions.

Whether organizations disclose their use of deception to confirm policy compliance is a strategic decision. Notifying employees of deception can act as a deterrent against policy violations or malicious behavior. Organizations that choose not to disclose deception do so for better threat intelligence, monitoring, and compliance enforcement.

Employee Error

Employee and contractor negligence causes the majority of insider threat incidents. Users can accidentally click on a malicious link and infect their system with malware. They can open a phishing email and mistakenly answer the sender or execute a malicious payload. Users who unknowingly get infected become vectors for an attack. They can mistakenly use an account with escalated privileges and then fail to log off when they finish, inadvertently allowing insider access to sensitive data. Organizations in the cloud have additional concerns, as shared security models can lead to improperly configured access controls, which can result in accidental insider exposures. No matter how much annual security and phishing awareness training organizations give to employees, mistakes happen.

The ThreatDefend platform acts as a safety net when such mistakes lead to exposures that an attacker can exploit. The platform alerts when a user is accidentally infected with network-capable malware such as ransomware and that malware tries to spread to deceptive shares mapped to the user's system. The ThreatStrike solution identifies when attackers steal deceptive privileged credentials and reuse them without the owner’s knowledge. People make mistakes. The ThreatDefend platform alerts when attackers take advantage of them.

Forensics & Recording

When a compromise is discovered by an incident response team, the priority trends towards quick remediation so that the attack doesn’t have the opportunity to spread. While this is useful in preventing the attack from causing further damage as it spreads, it does not offer many opportunities to collect threat intelligence. This is where the ThreatDefend platform adds value. Within the deception environment, the platform can safely record all attack activity and forensic evidence. This information can then be used for threat and adversary intelligence development without risking production systems.

The BOTsink appliance decoys record all disk, memory, and network activity from the moment attackers engage with them. The platform makes these forensic artifacts available, whether it is a memory forensic report, a network packet capture, a file written to disk, or a command entered by the attacker. The platform can visually replay this activity or correlate it in a chronological dashboard view by session for each attacker. This equips security teams with the data necessary to determine malicious intent and develop threat and adversary intelligence. It can also export all the activity records and forensic evidence for administrative or legal proceedings, making it a powerful tool for investigations.


Configuring IT and Security infrastructure with error-free configurations is challenging for many organizations. Systems are added and removed on a regular basis. Firewall administrators modify filtering rules to address issues but as personnel rotate and documentation gets stale, some of these rules persist with no historical perspective as to why they were added. IT administrators must juggle group membership and access permissions, sometimes providing inherited permissive rights to a user that does not need them. Misconfigured network equipment can allow unauthorized traffic across network boundaries. Cloud permissions could allow public access to private data.

The ThreatDefend platform identifies these misconfigurations through its decoys, which alert when scans from non-whitelisted sources find them, indicating potential misconfigurations in networking devices, segmentation firewalls, or routers. The ThreatPath solution identifies privileged credentials and misconfigurations on endpoints that attackers can misuse, whether to a network location or in the cloud infrastructure. The platform surfaces misconfigurations that could lead to a compromise so that the IT and Security teams can address them before an attacker takes advantage of them.

3rd Party Island Hopping

Attackers targeting organizations with highly secure infrastructures often attack third parties in the supply chain that are not as well protected. This technique, called ‘island hopping’, allows the attacker to indirectly attack the primary target. Network-based island hopping involves an attacker leveraging a network to ‘hop’ onto an affiliate network. This can take the form of attackers targeting an organization’s managed security services provider (MSSP), partner, or supplier. It can also be seen in attacks on the supply chain, either directly from the factory or in transit.

The ThreatDefend platform defends against this technique by detecting unauthorized activity from a third party connection, such as scanning or network activity outside of the defined bounds of the connection agreement. The platform provides information useful for vendor certification risk scoring. Suppliers using a deception capability can show the validating organization that they have the requisite security controls to keep both entities secure. Island hopping is difficult to detect, but the ThreatDefend platform can alert and provide visibility on such activities to better secure the organization.

Mergers & Acquisitions

Organizations that engage in Mergers and Acquisitions (M&A) must validate the security of the acquired entity before connecting it to their corporate network infrastructure or risk being compromised. This validation can be time-consuming, requiring security audits, configuration checks, and other activities to determine whether the acquired network has a clean security bill of health. Attackers will often target an acquired entity after the M&A announcement, either as a step in an island hopping attack or as a hidden threat that activates once the networks are conjoined.

The ThreatDefend platform gives organizations a means of identifying latent threats and validating security hygiene both before and after an M&A announcement. Prior to announcing the acquisition, the organization can place a BOTsink appliance into the subsidiary network to identify any latent pre-existing threats. Once they establish that the network is free of attackers and infections, they can leave the BOTsink appliance in the acquired network as they announce the acquisition with the knowledge that the subsidiary can become a target for island hopping attacks. With the BOTsink in place, they can identify and remediate any successful infiltrations before merging the networks.

Insider Threats Detected

Insider Threat Employee


Insider Threat Contractor


Insider Threat Supplier/Local Files


Mergers and Acquisitions



Organizations choose Attivo Networks Deception Technology for insider threat detection because:

High Fidelity Detection

  • Substantiated detection of unauthorized insider threat activity


  • Insight into misconfigurations and exposed credentials that create opportunities for threat actors to exploit.


  • A high interaction deception environment tracks and records activities that can be used for human resource or legal action.

Scalability Benefits


  • A single solution that effectively scales for high efficacy detection across all types of insider threats

Find out how deception can help you mitigate insider threats.