OVERVIEW

Attackers have ways to evade defenses and gain a beachhead on an internal system, but they must then move to expand their foothold. They conduct discovery and reconnaissance to find critical AD objects, live hosts, and services to exploit, and they steal and reuse credentials to escalate privileges as they move around within the network.

To combat this threat, organizations are turning to the Attivo Networks ThreatDefend platform’s lateral movement defenses, which impede attackers from gathering intelligence on AD accounts, live hosts, open services, data, and credentials, disrupting their ability to compromise systems and traverse the network undetected. The platform detects and alerts on lateral movement, credential theft, network discovery, and privilege escalation activities quickly and accurately so the organization can react to these attempts early in the attack cycle and reduce the risk of a breach.

Lateral Movement Risk

High-fidelity alert

54% of techniques used to test lateral movement are missed, and 96% of lateral movement behaviors did not have a corresponding alert in the SIEM.

80 percent of security breaches involve weak, default, stolen, or otherwise compromised privileged credentials.

Ransomware

The vast majority of malware is written to elevate privileges and move laterally in an environment.

Nearly 60% of attacks now involve lateral movement…

Detect and Disrupt Malicious East/West Traffic

The ThreatDefend platform offers mechanisms to detect and disrupt intelligence gathering, network discovery, credential theft, and other lateral movement activities through the Endpoint Detection Net (EDN) family of products and the BOTsink deception server, whose overlapping and supporting functions disrupt the attack and impede the attackers’ progress. The platform alerts during the reconnaissance, lateral movement, and privilege escalation phases of the attack, giving organizations early warning that attackers are attempting to infiltrate their networks.

Detect and Disrupt

The ThreatDefend platform offers mechanisms to detect and disrupt intelligence gathering, network discovery, credential theft, and other lateral movement activities.

  • EDN

    • Detects attempts to steal credentials or unauthorized AD queries
    • Stores deceptive credentials and data on endpoints that lead to decoys
    • Returns fake results on unauthorized AD queries that lead to decoys
    • Hides local administrator accounts, files, folders, removable storage, or cloud and network shares
    • Detects inbound or outbound attempts to fingerprint hosts or connect to non-active ports and forwards the traffic to decoys for engagement
    • Isolates attacking systems by forwarding all outbound traffic to decoys

  • BOTsink server

    • Creates network decoys to engage with attackers
    • Detects network discovery and MitM activity
    • Alerts on attacker engagement
    • Records all attack and communications activities
    • Collects forensic evidence
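The EDN bullets above describe planting deceptive credentials on endpoints so that any use of them reveals an attacker. The following is an added example of how a defender would turn that idea into detection logic; it is not Attivo's code and does not show how the ThreatDefend platform is implemented. The log format, the decoy account names, and the sample log lines are all constructed for this illustration. The point it demonstrates is the fidelity argument: a decoy account has no legitimate user, so every authentication attempt with it, successful or failed, is an alert, and the source address of the attempt is the candidate for isolation.

```python
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Decoy accounts planted on endpoints (constructed names for this example).
# No legitimate process ever uses them, so an authentication attempt with
# one of these names is a high-fidelity signal rather than a heuristic.
DECOY_ACCOUNTS = frozenset({"svc_backup_dc01", "adm_helpdesk_old"})

# Assumed (constructed) authentication log format: one event per line,
# whitespace-separated key=value fields after a timestamp.
LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+host=(?P<host>\S+)\s+event=(?P<event>\S+)\s+"
    r"user=(?P<user>\S+)\s+src=(?P<src>\S+)\s+result=(?P<result>\S+)$"
)


@dataclass(frozen=True)
class DecoyAlert:
    ts: str
    host: str    # endpoint that received the attempt
    src: str     # origin of the attempt; candidate for isolation
    user: str    # decoy account that was used
    event: str
    result: str  # success or failure; both are alert-worthy for a decoy


def parse_line(line: str) -> Optional[dict]:
    """Parse one log line into a dict of fields, or None if it is malformed."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def detect_decoy_use(lines: Iterable[str],
                     decoys: Iterable[str] = DECOY_ACCOUNTS) -> List[DecoyAlert]:
    """Return an alert for every authentication event that names a decoy account."""
    # Windows logon names are not case-sensitive, so compare in lower case.
    decoy_set = {d.lower() for d in decoys}
    alerts: List[DecoyAlert] = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # skip malformed lines rather than crash the detector
        if rec["user"].lower() in decoy_set:
            alerts.append(DecoyAlert(
                ts=rec["ts"], host=rec["host"], src=rec["src"],
                user=rec["user"], event=rec["event"], result=rec["result"],
            ))
    return alerts


def sources_to_isolate(alerts: Iterable[DecoyAlert]) -> set:
    """Distinct source addresses behind decoy-credential use, for containment."""
    return {a.src for a in alerts}


# Constructed sample log lines: one ordinary user, two decoy uses from the
# same source (a failed logon and a failed SMB authentication), one malformed
# line, and another ordinary user.
SAMPLE_LOGS = [
    "2024-05-01T10:00:01Z host=ws-042 event=logon user=jdoe src=10.0.5.23 result=success",
    "2024-05-01T10:02:17Z host=ws-042 event=logon user=svc_backup_dc01 src=10.0.5.77 result=failure",
    "2024-05-01T10:02:18Z host=fs-01 event=smb_auth user=SVC_BACKUP_DC01 src=10.0.5.77 result=failure",
    "not a well-formed event line",
    "2024-05-01T10:05:00Z host=ws-042 event=logon user=asmith src=10.0.5.23 result=success",
]

if __name__ == "__main__":
    found = detect_decoy_use(SAMPLE_LOGS)
    for a in found:
        print(f"ALERT {a.ts} decoy={a.user} on {a.host} from {a.src} ({a.event}, {a.result})")
    print("sources to isolate:", sorted(sources_to_isolate(found)))
```

Because the decoy accounts are known in advance, the detector needs no baseline or threshold: the match itself is the evidence, which is what lets a deception alert carry a confirmed-activity label rather than an anomaly score. Failed attempts are reported as well as successes, since a failed logon with a planted name still proves the credential was harvested from the endpoint.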

BENEFITS

Organizations choose Attivo Networks Deception Technology for insider threat detection because:

High Fidelity Detection

Early Detection

  • Get substantiated detection of discovery and lateral movement activities.

Disrupt Lateral Movement

  • Deny attackers the ability to move laterally while remaining undetected.

Confuse Fingerprinting

  • Derail attacker discovery attempts to fingerprint systems for attack.

Impede Recon and Discovery

  • Misdirect and misinform attacker attempts to collect data for the attack

Restrict Privilege Escalation

  • Negate attacker attempts to escalate privileges to progress the attack

Native Isolation

  • Mitigate attacker damage by isolating communications to the decoy environment.

“The most important thing you do is provide me alerts based on confirmed activity… you are my eyes and ears on the inside of my network… the nerve center”

Sr Director Info Sec at Top 50 Retail Organization

Find out how deception can help you with mitigating insider threats.