Joseph Salazar is the Technical Deception Officer for Attivo Networks.
Cyber attackers have repeatedly proven that they can gain access to the networks of even the most security-savvy organizations. Whether the attacker finds their way in through the use of stolen credentials, zero-day exploitation, a ransomware attack or starting as an insider, they will establish a foothold and move laterally throughout the network until they complete their mission.
Once attackers bypass preventive controls, they can remain undetected for long periods and move freely around the network. Detecting and shutting down these attacks quickly calls for a different approach.
That approach focuses on threats already inside the network and does not rely on the usual measures of matching known signatures or attack patterns, which an attacker using valid stolen credentials will not trigger. Instead it uses deception: decoy systems and credentials that have no legitimate use, so any interaction with them is evidence of an attacker. Engagement with a decoy also captures attack forensics (the source, the method of access, and the actions taken on the decoy) that the incident response team can use to promptly block the attacker before the mission is complete.
What is Attivo Networks?
Attivo Networks® provides real-time detection and analysis of inside-the-network threats. The Attivo ThreatDefend Deception and Response Platform deceives attackers into revealing themselves so that stolen credentials, ransomware, and targeted attacks within user networks, data centers, clouds, SCADA, and IoT environments can be detected. Comprehensive attack analyses and actionable alerts empower accelerated incident response.
Here’s How the Attivo Networks and Carbon Black Integration Works
Attivo Networks integrates with Cb Response (EDR) to provide real-time, in-network threat detection and to automate incident response: when an endpoint engages a decoy, Cb Response can block and quarantine that endpoint.
Using this joint solution, customers can review alerts and respond manually, or create policies that automatically isolate endpoints based on the suspicious activity observed on the decoy. Automatic isolation policies should be scoped deliberately (for example, exempting authorized vulnerability scanners and not isolating shared devices such as VPN gateways that may appear as the source address) so that the response cannot be turned into a denial of service. Customers can reduce the time and resources required to detect threats, analyze attacks, and remediate infected endpoints, ultimately reducing the organization's risk of breaches and data loss.
Attivo + Cb Response (EDR) Use Case
In the case of a financial institution, Carbon Black and Attivo Networks collaborated to defend against potential insider threats. The organization deployed Attivo deception and configured Cb Response to respond quickly should an insider engage with a decoy. As part of their deployment, decoys were projected into their data centers as fake database and file servers.
A few weeks later, a decoy server sent an alert to the SOC reporting a completed login using administrative credentials. The deception solution identified the attacking IP, the method of access, and all the activity on the decoy. The Incident Response (IR) team quickly isolated the endpoint at the attacking IP using Cb Response. The Carbon Black investigation revealed that a remote access trojan had infected the database administrator's laptop and stolen his credentials.
Because of the quick detection and isolation, the IR team was able to contain the intrusion before it became a wider breach and, as part of their investigation, used the details in the alert to identify other systems the attacker had accessed.
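The workflow described in the integration section and in the use case above (decoy reports a completed login, policy decides whether the source endpoint is isolated automatically or handed to the IR team) can be expressed as a small triage routine. The following is an added example and is not code from Attivo Networks or Carbon Black: the alert schema, the policy fields, the `FakeEdrClient` stand-in for an EDR sensor API, and the sample alerts, IP addresses, usernames and hostnames are all constructed for illustration.

```python
"""Policy-gated auto-isolation for deception alerts.

Added example, not code from Attivo Networks or Carbon Black: the alert
schema, the policy fields and the EDR client below are assumptions that
stand in for the real products' APIs.
"""
import ipaddress
import json
from dataclasses import dataclass


@dataclass
class IsolationPolicy:
    # Only endpoints in these ranges are auto-isolated; anything else is
    # alert-only, so a decoy touched via a NAT gateway, VPN concentrator or
    # load balancer does not take a shared device off the network.
    auto_isolate_ranges: tuple
    # Hosts allowed to touch decoys (vulnerability scanners, asset inventory)
    # that must never be isolated automatically.
    exempt_ips: frozenset
    # Require a completed login to auto-isolate; a bare port sweep is alert-only.
    require_authenticated: bool = True


class FakeEdrClient:
    """Hypothetical stand-in for an EDR sensor API: maps source IPs to
    sensors and records isolation requests instead of issuing them."""

    def __init__(self, sensors):
        self._sensors = dict(sensors)  # ip -> hostname
        self.isolated = []

    def sensor_for_ip(self, ip):
        return self._sensors.get(ip)

    def isolate(self, hostname):
        self.isolated.append(hostname)
        return {"hostname": hostname, "network_isolation": True}


def triage_decoy_alert(alert_json, policy, edr):
    """Any interaction with a decoy is suspicious by construction: no production
    workflow has a reason to touch it. The policy only decides whether the
    response is automatic isolation or a ticket for the IR team."""
    alert = json.loads(alert_json)
    src = ipaddress.ip_address(alert["source_ip"])
    base = {"decoy": alert["decoy"], "source_ip": str(src), "method": alert["method"],
            "username": alert.get("username"), "severity": "high"}

    if str(src) in policy.exempt_ips:
        return {**base, "action": "alert_only", "reason": "source is on the exemption list"}
    if not any(src in ipaddress.ip_network(r) for r in policy.auto_isolate_ranges):
        return {**base, "action": "alert_only", "reason": "source outside auto-isolation scope"}
    if policy.require_authenticated and not alert.get("authenticated", False):
        return {**base, "action": "alert_only", "reason": "no completed login on decoy"}
    hostname = edr.sensor_for_ip(str(src))
    if hostname is None:
        return {**base, "action": "alert_only", "reason": "no EDR sensor registered for source"}
    result = edr.isolate(hostname)
    return {**base, "action": "isolate", "hostname": hostname, "edr": result}


# Constructed sample alerts modelled on the article's scenario: a decoy
# database server reports a completed login with administrative credentials.
SAMPLE_ALERTS = [
    json.dumps({"decoy": "db-prod-07", "source_ip": "10.20.5.17", "method": "mssql",
                "username": "svc-dba-admin", "authenticated": True,
                "activity": ["login", "SELECT name FROM sys.databases"]}),
    # Authorized vulnerability scanner sweeping the same decoy: exempt.
    json.dumps({"decoy": "db-prod-07", "source_ip": "10.20.1.5", "method": "tcp-scan",
                "authenticated": False}),
    # Port sweep from a user VLAN: inside scope but no login, so alert-only.
    json.dumps({"decoy": "fs-fin-02", "source_ip": "10.20.5.40", "method": "smb",
                "authenticated": False}),
]

# Constructed policy: user VLAN 10.20.4.0/22 is in scope, the scanner is exempt.
POLICY = IsolationPolicy(auto_isolate_ranges=("10.20.4.0/22",),
                         exempt_ips=frozenset({"10.20.1.5"}))


def run_samples():
    """Run the constructed alerts through the policy; returns decisions and the client."""
    edr = FakeEdrClient({"10.20.5.17": "LT-DBA-JSMITH", "10.20.5.40": "LT-FIN-0412"})
    return [triage_decoy_alert(a, POLICY, edr) for a in SAMPLE_ALERTS], edr


if __name__ == "__main__":
    decisions, edr = run_samples()
    for d in decisions:
        print(d["source_ip"], d["action"], d.get("reason", d.get("hostname")))
    print("isolated:", edr.isolated)
```

The point of the gating order is that the decoy alert itself is never downgraded: every decision carries severity "high" and the full alert context, and only the automatic isolation step is conditional. Keeping the "no sensor registered" case as alert-only rather than an error matters in practice, because the source of a decoy login may be an unmanaged device that the IR team has to find by other means.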
How Can I Use This in My Organization?
Carbon Black customers can sign up for a demo of the Attivo Networks ThreatDefend™ platform today.