Attivo Networks adds response capabilities to deception deployments

With its Deception and Response Platform, Attivo Networks addresses the main weakness of most deception technology, having to rely on other programs to respond to an attack once revealed by the deception network.

7 response

Deception technology, deploying fake assets inside real networks to trick and catch attackers, shows an incredible amount of promise within cybersecurity as the technology grows. Even as hackers learn to expect that deception assets will be hidden among their targets, deception tools seem more than capable of keeping one step ahead. So long as the deceptive assets are supported with lures and breadcrumbs on production systems to make them look real, attackers will inevitably wander into the traps and reveal themselves.

However, not everything is perfect in the world of deception. Most of the programs in the market today, while very good at alerting to the presence of an attacker, do nothing in terms of remediation of the problem – other than perhaps to offload that responsibly to another program or to humans working a network SIEM module. In many ways, they end up being like the dog chasing cars in that old story, putting a ton of effort into catching their quarry, but almost no thought into what to do once they have successfully latched on.

The Attivo Deception and Response Platform aims to change all that, adding native and even automatic response capabilities to its already powerful deception frontend. This is coupled with other powerful tools and applications like internal sandboxing, ransomware protection, user training and even phishing sample submissions, all supported by robust, accurate deception.

Deploying Attivo

The Attivo platform is divided up into four components, BOTsink, ThreatStrike, ThreatPath and ThreatOPs. Together they form the complete detection and response capabilities, starting with deploying decoys and making them look like real clients, protecting credentials and preventing ransomware outbreaks, plotting the attack paths of attackers and blocking them from reentering a network once purged, and tracking everything in a ticketing system suitable for confirmation checking or auditing. But it all starts with deploying deception.

The platform is normally deployed on-premises as an appliance, though a cloud version is also available. (Our test was done with a physical server.) Each appliance can support up to 384 deception devices, which can take on the capabilities and configurations of real network assets like servers and clients, or even ones that are specific to certain industries like infusion drug pumps in healthcare or point of sale devices in retail. You simply load up the golden image for the device you want to deceptively replicate and have it deployed in a network in such a way as to mirror other real assets that it’s imitating. After that, decoys and lures are placed to make the deception points come alive and appear to be in constant use.

The number and type of included deception types is constantly evolving based on client needs, and Attivo says it only takes about 30 to 60 days to create new ones for organizations with never-before-seen assets. 

The Attivo platform is extremely powerful, and most of the functions in terms of response actions are self-contained. For example, users can quarantine a system that is being used as a launch platform by an attacker, or expire the credentials of a user who has been compromised.

Attivo main console John Breeden/IDG

The main console gives a quick look at the network, the deception points, and any threats that are occurring – in real time – within the protected enterprise.

And with the reality of IT staffing these days being that higher-tier experts are expensive and difficult to hire and maintain, the Attivo platform counters with extremely in-depth tutorial pages that pop up by default in response to an alert. These pages go well beyond a simple description of the alert, detailing the danger that the revealed attack represents and suggesting responses – many of which can be initiated right from the Attivo console. Less experienced analysists, armed with these descriptions, should be able to properly respond to attacks while also learning new skills along the way.

Attivo attack help John Breeden/IDG

Unlike most security programs, Attivo does not assume that every analyst is familiar with every type of attack, and the proper response. The program details each type of attack it encounters, and provides suggestions as to remediation, training users in the process.

Organizations with mature cybersecurity platforms can skip the internal Attivo toolset and instead employ their existing defensive architecture to counter threats. In that case, the Attivo platform can be easily integrated into defenses using a drag and drop interface called The Playbook, which also requires almost no training. We were up and running with Playbook in less than five minutes.

Attivo drag and drop rule John Breeden/IDG

Setting up automatic response rules is done by simply dragging and dropping them into a flowchart-like environment called Playbook. It’s extremely easy, and eliminates errors, even when working with less experienced analysts.

During our test, we used Playbook to route specific attack information to Splunk for further remediation, while an automatic IP blocking process went to a Palo Alto firewall for execution. Designing a response plan for threats captured by the Attivo platform doesn’t change any of the other tools already in place; it simply enlists their help in mitigating specific types of threats first found by the deception network. Or, you can still manually use Attivo to respond to many of the threats, only sending information about your actions to the other platforms or SIEM.

Additional features

In addition to the deception network as a defense, the Attivo platform includes quite a few extra weapons. One of the most powerful is the ability to configure a sandbox to run within the main console that is already hosting the deception projections.

Each Attivo appliance comes with six Linux and six Windows licenses for spinning up a sandbox based on the appropriate OS. For example, we choose Windows Server 2012 for our testing, one of the six options available out of the box under Windows. If you want to create a sandbox for an OS flavor or type that is not included, Attivo allows this, but you would need to provide the license to host it. The 12 that are included inside the appliance by default cover the most common types of network server assets.

The sandbox is surprisingly powerful, especially given that the same appliance is also hosting the deception network. It may not be able to host as many sandbox sessions as a dedicated appliance, but given that it will only be employed against threats from the deception network, or those directly submitted to it, it’s more than adequate. For example, we set our test sandbox to spend up to 10 minutes on each suspected file, and it still processed 144 samples per day, a good balance between intensity and volume. The sandbox was also highly useful, exploding malware and finding all the things that it was trying to do like changing registry keys, reaching out to command and control servers and side-loading malware – all of which was contained in a detailed report at the end of the analysis.

Attivo has even built new features on top of the sandbox, such as phishing protection for e-mail. That feature works by setting up a dedicated mailbox to catch phishing scams. Any mail that comes into the fake box is considered a possible attack, or at the very least spam, since it’s not really in use. It’s basically another component to the deception network. Any files or attachments sent into the fake mailbox are automatically sandboxed.

But it goes a bit beyond that. Once implemented, a button can be added to a user’s e-mail client that allows them to submit suspected phishing mail for analysis. When pushed, the mail is forwarded to the fake box and the sandboxing begins. Once identified as an attack, Attivo can automatically block the IP addresses, e-mail address and other factors used in the attack to prevent other users from accidentally clicking on a link or engaging with an attacker.

Attivo phishing email John Breeden/IDG

Because the appliance driving the Attivo software comes with the ability to setup a sandbox, suspected phishing e-mails can be sent into it by IT staff or even concerned users. Each gets a full analysis of any hidden intent hiding inside the e-mail, hyperlinks or attached files.

Final analysis

It’s clear that Attivo Networks took an already robust deception platform and used it to add more functionality, features – and most importantly – response capability. This addresses the one main weakness of most deception technology, having to rely on other programs to respond to an attack once revealed by the deception network. The Attivo platform offers quick response capabilities and the ability to interact with third-party programs for additional backup, configured using an intuitive drag and drop interface that requires very little training. After that, things like internal sandboxing and phishing e-mail protection are just icing on the cake of an already very impressive product.

Copyright © 2017 IDG Communications, Inc.

7 hot cybersecurity trends (and 2 going cold)