Monday03 October 2022

Attivo Networks rolls in incident response and controls into their deception Featured

Reading time is around minutes.

Black Hat USA 2017 - Las Vegas, NV.
Another company that we have the chance to sit down with was Attivo Networks. Attivo, if you are not familiar with them specialize in network deception through the use of projected systems. These are systems that do not really exist in the network but that occupy space and would appear real to someone looking at the network from behind the scenes. They use different methods to make these systems appear to be real including mapped drives (that are invisible to an actual user). This way when a system on the network is compromised an attacker might be fooled into interacting with a deception system and give themselves away.

At Black Hat 2017 Attivo was talking up their deception tactics as well as some new features that they have rolled into the system. One of these systems is a form of incident response that was a natural extension of the product. As you might imagine part of a deception system is going to be alerting and tracking what an attacker does once they have hit part of the deception network. Attivo already had their own attack analysis engine built in so that they can identify a real coordinated attack from false positives and that naturally led to incident response.
Some of you might be wondering what network deception actually is, or you might be wondering how Attivo is different from traditional honey pots. Well in reality any deception is a form of honey pot as you are giving information, in the form of systems or intelligence, that you hope an attacker will take and in doing so set off alarms. You can also increase their time in your environment, if you are lucky, you can identify some of their toolset and their tactics. Both of these later items give you valuable information to prepare for future attacks.

Attivo works in an interesting way. While many other deception systems require extra resources (storage, CPU, memory, IP Addresses), Attivo works by projecting their realistic systems into an existing IP space without actually consuming them. If a real-world system comes online and wants an IP address occupied by an Attivo deception system then it will give that up and grab another IP that is free in the subnet. They also continue to dynamically change the deception environment to prevent an attacker from fingerprinting the deception. The variety of images that can be projected are also not standard. Although there are some stock images that come with the product individual organizations can setup and deploy their own images. This, potentially, makes each environment a little different from the next (if they take the time to deploy it right). This also gives you the flexibility to make some very interesting systems for your deception environment, as long as you can create an image for it, you can deploy it through Attivo.

The system also has some built-in logic to limit false positives. It will not alert on casual contact, but is looking for actual engagement with the deception systems before triggering alarms. This helps to keep noise down for the SOC (Security Operations Center). As we mentioned earlier in the article, once an attacker engages with a system in the deception network alerts go off and the systems begins to track them. This tracking includes going back to the entry point into the system. You can see the path they took as they moved around the network. This information can be combined into reports (including one for the C-Suite) along with a time-lapse of how the attack unfolded.  

Another really cool item that Attivo brought up was a form of Ransomware defense. As the system building files lists for the deception servers they found that they were able to feed Ransomware a continuous stream of files so fast that it was not able to move on to more critical systems.  This, much like the incident response was not an intended feature, but one that many companies are sure to want to utilize.

Last modified on Monday, 31 July 2017 18:30

Leave a comment

Make sure you enter all the required information, indicated by an asterisk (*). HTML code is not allowed.