Attivo Networks—Partner Integrations

Attivo Networks Partner Integrations for an
Adaptive Defense and Continuous Threat Management
An adaptive security architecture is built upon the four core pillars of prediction, prevention, detection, and
response as outlined in Capabilities of Gartner’s Adaptive Security Architecture: December 2015.
The report sets an efficient structure for outlining why it is critical for solutions within each of these categories
to share information and automate responses to build a stronger defense, improve policies, and to better
meet compliance expectations.
This paper describes how Attivo Networks® solutions fit into this ecosystem and strengthen an
organization's overall defense against cyber threats. The Attivo ThreatDefend™ Deception and Response
platform is built to disrupt an attack, detect in-network threats, and defend against all forms of known
and unknown attackers.
Predict the Attack
Having a baseline understanding of your security infrastructure, compliance requirements, associated
threat risks, and exposure is the first step in establishing an organization's security posture and preparing
for cyber threats. Each company's ultimate "attack score" differs by design, since some are more
targeted due to the value of their information or critical infrastructure. Others may be driven by compliance
criteria, noting that compliance should never be mistaken for having an airtight security system. Other
factors, such as the ability to keep systems updated and, of course, the risk of human error, should also be
considered. Windows XP-based systems are commonly used in hospitals and in critical
infrastructure, which, given their mission-critical nature, cannot be taken offline for regular security
patches and maintenance updates. This is compounded by end-of-life product management,
where systems are often left operating well after a manufacturer stops updating its software.
© 2017 Attivo Networks. All rights reserved.
www.attivonetworks.com
Use of default passwords can also leave doors open for attackers. Human mistakes play an equal
role in creating security backdoors. Sometimes it is simply an error of clicking on the wrong email or URL;
other times, misconfigurations or weak passwords are the cause.
The ThreatDefend portfolio includes ThreatPath™, which gives organizations the ability to perform vulnerability
and attack path assessments. An attacker's modus operandi is to use compromised credentials to gain
network persistence and move laterally within the network to reach their destination from the initial
infection point. The Attivo ThreatPath solution takes an attacker's view of the network and illustrates the
paths an attacker is most likely to take to compromise a target asset. Drill-down is provided so that
policies and misconfigurations are understood and can be changed to mitigate risk. This also provides
insight into the greatest points of vulnerability and where additional detection measures should be placed.
The ThreatPath solution can be used as a form of continuous pentesting to understand ongoing risks that
arise from network and endpoint changes.
Prevention
Security fundamentals start with preventing attackers from getting into the network. Typical
prevention systems include firewalls, gateways, sandboxes, network access control, endpoint security, and
other systems that keep track of known attacks and block them from entering the network. Some also use
intelligence to look for known attack patterns, in addition to signatures, to block these attacks.
The ThreatDefend platform extends the value of prevention systems by sharing attack information and
signatures of newly found attacks that can be manually or automatically applied to block and isolate an
attacker. The Attivo solution integrates with major prevention vendors through APIs and/or their information
sharing platforms, making it fast and efficient to set up and manage.
Automation setup can be done within the Attivo Dashboard User Interface (UI) and can be as simple as
adding the key ID and setting the alert threshold for the automation action. Alternatively, some automations
can be set up from the prevention system vendor's information sharing platform.
[Figure: Attack Prevention Integration. Technology Integration Partners shown as logos, grouped under Network Access Control and Endpoint Security; entries marked *ON ROADMAP are planned integrations.]
Detection
A modern-day security posture assumes the network has been compromised and that there are infections
within the network. Zero-day attacks, stolen credentials, man-in-the-middle attacks, ransomware, phishing,
and insider attacks are just some of the many ways that an attacker will get in to launch their attack.
Deception provides an alternative approach that detects attackers without the use of known attack patterns or signatures.
It uses decoys and lures to deceive and misdirect an attacker
into engaging. Once an attacker is engaged, the attack is forensically analyzed and attack information is
provided to alert security operations teams and to update prevention systems with the information to block
and quarantine the attack.
The Attivo ThreatDefend Portfolio includes the BOTsink Deception Platform, which is comprised of
engagement servers, decoys, deception lures, analysis engine, and ThreatStrike End-point Deception Suite,
which includes deception credentials, ransomware lures, phishing submission, and other active bait to
attract an attacker into engaging.
The ThreatDefend™ BOTsink Deception Platform
• Is designed for user networks, data centers, cloud, IoT, and ICS-SCADA environments
• Runs real operating systems and customizable services, and provides the ability to load golden
images to match the production environment
• Deceptions include data, server, application, and Active Directory
• Is available as an appliance, VM, or cloud VM; a central manager (ACM) is also available to
manage large deployments
• Once an attacker is engaged, the BOTsink Multi-Dimensional Correlation Engine (MCDE)
will safely allow the attack to play out within its VMs for forensic analysis, including Tactics,
Techniques, and Procedures (TTPs)
• Communications can also be opened with command and control to gain additional insight on
tools and methods; this can also be very effective for understanding polymorphic and
time-triggered events
• Unlike a typical sandbox, there is no attack time limitation, and security teams can let the attack
play out as long as needed. The environment automatically rebuilds once the analysis session
has ended
• Man-in-the-middle attacks can also be forensically analyzed, and advanced spoofing
techniques are detected
• Saves time and effort by automating analysis and reporting of phishing and malware attacks,
reducing the risk of human error that results from clicking on a suspicious attachment or URL
The ThreatStrike™ End-point Deception Suite
• Provides authentic Windows, Mac, and Linux deception lures
• Deception credential bait will appear as user credentials, browsing credentials and cookies,
email client credentials, Secure Shell (SSH) credentials, and more
• Ransomware deceptions will appear as network drives to attackers
• To simplify analysis of suspicious phishing emails, a plug-in can be automatically pushed to
endpoints so that users can easily submit suspicious emails
• The suite is agent-less and can be deployed through the BOTsink server, ForeScout, Casper, and
Microsoft Active Directory
The BOTsink Deception Platform has integrations with SIEM products to query and alert on usage of
deceptive credentials in the enterprise.
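The detection logic behind such an alert, as an added example that is not Attivo Networks code: any authentication attempt that references a planted decoy account is a high-fidelity signal, because no legitimate user or process should ever use one. The account names, hosts, IP addresses and JSON log shape below are constructed for illustration.

```python
"""Alert on any use of deployed deception (decoy) credentials in authentication logs.

Added example, not Attivo Networks code. The inventory, hosts and log lines are
constructed; a real deployment would pull the decoy inventory from the deception
platform and read events from the SIEM.
"""
import json
from collections import defaultdict

# Constructed inventory of deception credentials planted on endpoints.
DECOY_ACCOUNTS = {
    "svc_backup_adm": "planted on FIN-WS-07 as a cached credential",
    "share_admin": "planted on ENG-WS-12 as a mapped network drive",
}

# Constructed JSON events in the shape a SIEM might normalise Windows logon
# events into (event_id 4624 = successful logon, 4625 = failed logon).
SAMPLE_LOGS = [
    '{"event_id": 4624, "user": "jsmith", "src_ip": "10.1.4.22", "host": "FIN-WS-07"}',
    '{"event_id": 4625, "user": "svc_backup_adm", "src_ip": "10.1.4.22", "host": "FIN-FS-01"}',
    '{"event_id": 4624, "user": "share_admin", "src_ip": "10.1.4.22", "host": "ENG-FS-03"}',
    '{"event_id": 4625, "user": "svc_backup_adm", "src_ip": "10.1.9.5", "host": "FIN-FS-01"}',
]

def detect_decoy_use(log_lines, decoys=DECOY_ACCOUNTS):
    """Return one alert per log line that references a decoy credential."""
    alerts = []
    for line in log_lines:
        ev = json.loads(line)
        user = ev.get("user", "").lower()
        if user in decoys:
            # A successful logon with bait means the stolen credential was replayed
            # against a production system, so it is escalated above a failed attempt.
            severity = "critical" if ev["event_id"] == 4624 else "high"
            alerts.append({"user": user, "src_ip": ev["src_ip"], "host": ev["host"],
                           "severity": severity, "planted": decoys[user]})
    return alerts

def sources_by_decoy_count(alerts):
    """Count distinct decoy accounts used per source IP; one source touching several
    decoys suggests harvested credentials being tried laterally, not a single mistake."""
    by_src = defaultdict(set)
    for a in alerts:
        by_src[a["src_ip"]].add(a["user"])
    return {ip: len(users) for ip, users in by_src.items()}

if __name__ == "__main__":
    found = detect_decoy_use(SAMPLE_LOGS)
    for a in found:
        print(f'[{a["severity"].upper()}] {a["user"]} from {a["src_ip"]} against {a["host"]} ({a["planted"]})')
    print(sources_by_decoy_count(found))
```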
[Figure: SIEM Integration: Unified Reporting and Stolen Credential Alerts. SIEM partner logos shown; entries marked *ON ROADMAP are planned integrations.]
Response
Once an attack has been identified, the priority becomes how fast the attack can be understood,
isolated, and blocked from causing further harm. Today, many tools operate in silos, making it
challenging for organizations to quickly shut down and remediate systems. In some cases, attack files need
to be sent to vendors for signatures to be created, and this can also delay the prevention of further harm.
The ThreatDefend Deception and Response Platform is designed to simplify and expedite this process by
creating full attack forensic analysis and providing infected IP addresses and C&C addresses so that
the attack can be promptly quarantined and blocked. Attack forensics also include the necessary
information to understand which activity in the "Kill Chain" the attacker was executing, with additional drill-down
information so that SHA1 hashes and forensic artifacts can be researched on other devices. Integrations
with malware database companies such as VirusTotal provide additional attack reporting enrichment.
[Figure: Integration Partners to Accelerate Incident Response. Malware Database Provider logos shown.]
Summary
The Attivo ThreatDefend Deception and Response Platform plays a critical role in empowering an adaptive
defense with real-time detection of threats, attack vulnerability assessments, attack forensic analysis, and
the integrations to dramatically accelerate incident response. Technology integrations with partners serve
as a force multiplier that improves existing technologies, processes, and resource productivity,
ultimately reducing the time to detect and remediate an exploit or malicious
threat actor. Working hand-in-hand with our partners, Attivo Networks will continue to expand its platform
and third-party integrations to deliver the fastest detection and incident response to stop attackers in their
tracks.
About Attivo Networks
Attivo Networks® provides the real-time detection and analysis of inside-the-network threats. The Attivo
ThreatDefend™ Deception and Response Platform detects stolen credentials, ransomware, and targeted
attacks within user networks, data centers, clouds, SCADA, and IoT environments by deceiving an attacker
into revealing themselves. Comprehensive attack analysis and actionable alerts empower accelerated
incident response. www.attivonetworks.com
Attivo Networks, ThreatDefend, and ThreatPath are registered trademarks of Attivo Networks, Inc.
All other trademarks are of their respective companies.
Follow us on Twitter @attivonetworks