This article is the third in a five-part series developed by Dr. Edward Amoroso in conjunction with the deception technology team from Attivo Networks. The article provides an overview of the Attivo Networks solution offering and how it can be integrated into enterprise networks to reduce cybersecurity risk.
ThreatDefend platform overview
The Attivo Networks ThreatDefend solution is a deception-based platform that provides early and accurate detection of in-network threats, plus automation to accelerate attack analysis and incident response. The platform is based on decoys, lures, and application and data deceptions that misdirect, deter, and derail threats at initial compromise or while they are moving laterally within the network.
The platform covers everything from legacy infrastructure to modern cloud architectures, and is simple to deploy across user networks, data centers, clouds, remote office/branch office (ROBO) sites, and specialized environments, using machine self-learning for deception preparation, deployment, and operations. The solution stands apart from other deception platforms in its approach to deception authenticity and in its inclusion of automated attack analysis and extensive native integrations for incident response.
The platform base involves BOTsink Engagement Servers, which support the central management of the deceptive deployment. These servers can be implemented as a physical, virtualized, or cloud instance. The primary BOTsink management functions include handling of alerts, coordination of analysis, and support for forensics, reporting, visibility tools, and integration of deception with enterprise security control systems.
The ThreatDefend Detection and Response platform includes BOTsink network deception; ThreatStrike endpoint deception; ThreatDirect distributed environment support for remote office/branch office (ROBO) sites, microsegmented networks, and workloads in the cloud; ThreatOps incident response playbook orchestration; and ThreatPath for attack surface reduction, which provides visibility into exposed attack paths that malicious actors could leverage to advance an attack (see Figure 1).
Figure 1. ThreatDefend platform components
The ThreatDefend platform supports customized deployment of the functions most relevant to a given commercial enterprise. This facilitates easy deployment for large organizations, mid-sized companies, government entities, and service providers that offer detection managed services. This permits each entity to scale their deception deployment at their own pace and around the risk management needs of their organization.
Integrating ThreatDefend into an enterprise
Unlike other cyber security controls, the Attivo Networks ThreatDefend platform provides proactive in-network cyber security protection for all eight of the primary target components of the modern enterprise architecture. This broad coverage of targets (see list below) facilitates accurate and efficient detection from legacy devices through the most modern cloud deployments.
1. Cloud Services – Cloud-hosted deception allows protection for application workloads hosted publicly or privately.
2. Data Center Network – Deception in the data center detects lateral East-West traversal, common in many advanced attacks.
3. Corporate Local Area Network – The traditional LAN remains an important target for deception processing.
4. Deployed Endpoints – Deceptive endpoint credentials planted at the endpoint are critical for detecting credential theft and reuse as well as proactively leading attackers to the deception environment.
5. Specialized Devices – Deception offers early detection in difficult-to-secure, specialized networks that are often an easier entry point for attackers. This includes IoT, ICS-SCADA, routers, switches, telecommunications, Point of Sale, and other specialized devices in which operations or innovations have come at the expense of security.
6. Software Applications – Software applications are high value targets for introduction of deceptive processing. Deception can be quite effective in setting up decoy application servers for accurate detection and for building threat intelligence on what an attacker is targeting and how they are attacking.
7. Remote and Branch Offices – The remote office/branch office (ROBO) sites in an enterprise can be protected in an easy, cost-effective manner through forwarders, allowing organizations to scale efficiently to distributed environments.
8. Directory Services – This is an important location for deception since advanced attacks use directory services such as Active Directory to guide lateral traversal and escalate privileges. AD deceptions also play an important role in validating authenticity and the believability of endpoint deception credentials.
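The endpoint credential deception in item 4 turns on one property: a planted decoy credential has no legitimate user, so any authentication attempt that presents it is a high-confidence signal of theft and reuse. The following is an added illustration, not Attivo Networks code, of that detection logic run over a constructed logon-event log; the log line format, the decoy account names, and the endpoint-to-decoy mapping are all hypothetical. Seeding a distinct decoy per endpoint additionally lets each alert name the machine the credential was lifted from.

```python
import re
from dataclasses import dataclass

# Constructed log line format for this example (not a real product or Windows event format):
#   <timestamp> host=<target> event=<logon_success|logon_failure> user=<account> src=<ip>
LINE_RE = re.compile(
    r"^(?P<ts>\S+) host=(?P<host>\S+) event=(?P<event>\S+) user=(?P<user>\S+) src=(?P<src>\S+)$"
)

# Hypothetical decoy accounts and the endpoint each one was planted on. Seeding a distinct
# decoy per endpoint lets any later use of it be traced back to the machine it was lifted from.
PLANTED_DECOYS = {
    "svc_backup_adm": "ws-alice-01",
    "it-helpdesk2": "ws-bob-07",
}

@dataclass(frozen=True)
class DecoyAlert:
    ts: str
    user: str          # decoy account that was presented
    target_host: str   # system that received the logon attempt
    src: str           # address the attempt came from
    planted_on: str    # endpoint where this decoy was seeded (likely compromised)
    outcome: str       # logon_success or logon_failure

def detect_decoy_use(log_text: str, planted: dict = PLANTED_DECOYS) -> list:
    """Return one alert per authentication attempt that presents a decoy credential.
    Success and failure both alert: a decoy is never used legitimately, so any attempt
    means the credential store on the planted endpoint was read. Malformed lines are skipped.
    """
    alerts = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        user = m["user"]
        if user in planted:
            alerts.append(DecoyAlert(m["ts"], user, m["host"], m["src"], planted[user], m["event"]))
    return alerts

# Constructed sample: alice works normally, then her seeded decoy shows up from her own
# workstation's address against the DC and a file server, i.e. credential theft and reuse.
SAMPLE_LOG = """\
2024-01-09T10:01:02Z host=dc01 event=logon_success user=alice src=10.0.1.15
2024-01-09T10:02:40Z host=dc01 event=logon_failure user=svc_backup_adm src=10.0.1.15
garbage line that should be ignored
2024-01-09T10:02:41Z host=fs02 event=logon_success user=svc_backup_adm src=10.0.1.15
2024-01-09T10:05:00Z host=dc01 event=logon_success user=bob src=10.0.1.22
"""
```

Calling `detect_decoy_use(SAMPLE_LOG)` yields two alerts, both naming `ws-alice-01` as the endpoint the decoy was seeded on, which is where triage should start regardless of which server the stolen credential was later used against.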
These virtual and physical components of an enterprise’s deception environment create the attractive decoys and breadcrumb lures that facilitate the collection of engagement-based attack data, telemetry, and intelligence and their delivery to the ThreatDefend platform for processing, analysis, interpretation, visualization, and reporting. Integration of the platform into an enterprise security stack is straightforward and complements DMZ protections at the perimeter, such as firewall and IPS, as well as enterprise controls such as SIEM, EDR/AV, and GRC (see Figure 2).
Figure 2. General network configuration for ThreatDefend
Native integrations will also enhance the functionality of existing controls by automating the sharing of threat intelligence and incident response actions such as blocking, isolation, and threat hunting.
Attacks addressed by ThreatDefend
The Attivo Networks ThreatDefend Deception platform is designed to detect and respond to the most advanced offensive attack methods encountered in the modern enterprise. These techniques are used by malicious actors ranging from mischievous threat actors and disgruntled employees to well-funded nation-state military teams targeting critical infrastructure:
- Reconnaissance – The first step in most cyber exploits involves the offense performing basic reconnaissance to collect information about a target environment.
- Ransomware and Crypto-mining Attacks – An increasingly frequent attack on the integrity of an enterprise involves ransomware demands after files have been seized via encryption or for the stealthy use of resources for crypto-mining.
- Advanced Persistent Threats – The most capable offensive actors utilize advanced persistent threats (APTs) to remain undetected inside a targeted enterprise for extended periods.
- Stolen Credentials – Most attacks include the theft of user credentials during some stage in the threat lifecycle.
- Man-in-the-Middle Attacks – The unauthorized collection of sensitive data via man-in-the-middle attacks has been a staple of most disclosure breaches.
The nature of cyber exploits will continue to evolve in the coming years, likely including more insidious attacks on the cloud and mobility aspects of the modern enterprise. For thousands of years, deception has played a powerful role in outmaneuvering the adversary. The ThreatDefend platform has brought commercially viable deception to the enterprise. The deceptive solutions offered by Attivo Networks have not only delivered exceptionally effective detection controls for today, but also a design intended to withstand the test of time against ever-changing attack vectors and evolving attack surfaces.
After the holidays, article four in the series will go further into explaining how to apply deception for creating a proactive defense, including strategies for deception deployment, post-compromise incident response, and mitigation against returning attackers.