Attivo Networks--Active Deception

“Active Deception” – Luring Cybercriminals to Reveal Themselves
Summary
High-profile security breaches are becoming the norm. Despite the layered security strategies that organizations deploy,
attackers are finding their way into the network. In a recent CBS 60 Minutes segment, Dave DeWalt, CEO of FireEye, stated that
“literally 97% of all companies are getting breached.”
[Figure: attack lifecycle diagram with the phases Initial Breach, Foothold, Reconnaissance & Extend, and Data Exfiltration]
In the past 12 months, there have been:
• Over 700 US companies breached (TRUSTe)
• One mega data breach a month, impacting at least 25 million data records (SafeNet)
• 68% of global organizations affected by mobile security breaches (BT)
• 53% of global securities exchanges have experienced a cyber-attack (IOSCO Survey)
66% of breaches remain undetected for months
87% of breaches are discovered by external parties
Post-Infection Detection is Critical
Because attackers are already inside the network, a comprehensive security strategy must include post-infection detection capabilities.
Breach detection systems that focus on post-infection detection complement firewalls, secure Web gateways and other
solutions by looking for attackers already in the network; they cover lateral movement and privilege escalation rather than traffic
to and from a specific endpoint or Internet ingress/egress point.
Adding post-infection detection is a necessary component of any security strategy, helping uncover attackers whose
breaches can go unnoticed for seven to eight months. Moreover, most companies learn that they have been breached from third parties, typically their
customers, payment system partners and law enforcement officials, well after the fact.
Infrastructure Security Gaps Are Exploited by Cybercriminals
Targeted botnets (BOT) and advanced persistent threats (APT) are successful because cybercriminals bypass traditional
security measures, using new pathways to enter the network undetected. Traditional perimeter and end-point security
solutions are blind to attacks that originate from:
• Web services—given the vastness and ever-changing nature of the world wide web, it is virtually impossible to
know of all the malicious web links and sites being used as command and control servers, enabling zero-day
exploits.
• Stolen credentials—with an increasingly geographically dispersed and varied user population, it is hard to ensure
the integrity of the credentials for each and every employee, contractor and 3rd party vendor that accesses the
network.
• Endpoint and personal (BYOD) devices—these are ideal targets for zero-day exploits, which are difficult to detect and
give attackers an entry point into the network.
These pathways are difficult, if not impossible, to keep closed and are becoming key drivers in today’s business productivity
and growth. Once attackers gain access to the network, they typically have all the time they need to troll and harvest
valuable intellectual property and exfiltrate the data (on average 229 days or more).
BOTsink™ Solutions Deliver Vital Post-Infection Detection
A comprehensive security posture needs to include post infection detection to complement today’s security infrastructure.
Many enterprise organizations look to deploy a layered security strategy designed to maximize attack coverage and
mitigate risks to intellectual property and corporate assets. Given the complexity of today’s threat landscape, it is vital to
have defense mechanisms that can protect against the many different attack vectors used to infiltrate and exploit an
organization. This includes attacks by BOTs and APTs that begin with reconnaissance or scanning to identify potential targets
as well as intelligent BOTs or APTs that initiate their attacks from hijacked end points and target specific identified resources.
© 2015 Attivo Networks. All rights reserved.
www.attivonetworks.com
Attivo Networks BOTsink Solution brings a new layer of security complementing existing infrastructure by accelerating breach
discovery and providing a new line of defense designed to make it difficult for attackers to reach or compromise valuable
assets. Attivo’s BOTsink Solution is an elegant way to trap the BOTs and APTs that bypass perimeter and endpoint security.
Laying a trap is the best way to catch the bad guys—it is very efficient and cost effective. “Active Deception” is the best
technique to deal with attacks that manage to get through traditional security infrastructures.
Catching the Bad Guys in Action
Below are three types of attacks that would have been detected and mitigated had an Attivo Networks BOTsink Solution
been deployed.
Attivo Product Summary
[Figure: layered security stack showing Cloud, Firewall/IDS/IPS, Sandbox, BOTsink, and End Point Security (on device)]
Product: BOTsink 2500 | Target audience: Small to Medium Enterprise | Deployment options: Up to 16 VLANs
Product: BOTsink 5000 | Target audience: Medium to Large Enterprise | Deployment options: Up to 100 VLANs
Product: Virtual BOTsink for VMware | Target audience: Medium to Large Enterprises | Deployment options: Public or Private Clouds
Product: BOTsink IRES for Targeted Attacks | Target audience: Any Size Enterprise using BOTsink Solutions | Deployment options: Endpoints
WEB SERVICES EXPLOITS
Problem:
• Attacks take advantage of WordPress, Drupal, Joomla, etc.
Attack Scenario:
• Attackers used web servers to mount remote code injection attacks that penetrated the company’s data centers
• Once in, they moved freely around the data center until they found and stole the data
Attivo BOTsink Solution:
• BOTsink Virtual Appliance deployed in the data center
• Engages the attacker during the discovery and lateral infection phase (as they probe and scan the network looking for high-value targets)
• Prevents the attack’s propagation, identifies the breach source and generates a signature for IT to stop the attack before data can be stolen
STOLEN CREDENTIALS
Problem:
• Zero-day attack, one of the hardest attacks to stop
• Endpoint security solutions have no signature or attack pattern to look for
• They will not be able to stop the attack from mining the endpoint for valuable information
Attack Scenario:
• Malware injected into a “trusted” system owned by an employee, contractor or 3rd party vendor
• Attackers mine the device for IP addresses of servers to attack
• Use legitimate login credentials to get onto targeted servers
• Mount attacks to steal data or access other, more interesting servers
Attivo BOTsink Solution:
• BOTsink Solution plus Information Relay Entrapment System (IRES) is an ideal combination against stolen credential attacks
• BOTsink Solution will discover the attack at the earliest stage, denying the attacker time to mount a successful data exfiltration attack
ENDPOINT AND PERSONAL (BYOD) DEVICES
Problem:
• Zero-day attack
• Unknown and undetectable by solutions that rely on known attack signatures and patterns to identify an attack
Attack Scenario:
• Zero-day attacks such as an Adobe Flash zero-day exploit, Skeleton malware or a Java zero-day exploit
Attivo BOTsink Solution:
• BOTsink and IRES Solutions catch a BOT or APT that uses scanning and reconnaissance tactics
• BOTsink Solution catches the infection early in its lifecycle to prevent its propagation
• Captures full forensic information to help minimize remediation efforts
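As an added illustration (not Attivo’s code or BOTsink’s logic), the three scenarios above all rest on one property of deception: decoy hosts and planted lure credentials have no legitimate users, so any touch is a high-fidelity post-infection signal, and several decoys touched by one source in a short window looks like the reconnaissance and lateral-movement phase. The Python below applies that idea to constructed connection log lines; the decoy addresses, lure account, authorized-scanner allowlist and log format are assumptions, and the allowlist covers the one expected source of decoy touches, a vulnerability scanner.

```python
# Added example: deception-style post-infection detection over constructed log lines.
# Not Attivo/BOTsink code; decoy addresses, lure account and log format are assumed.
from collections import defaultdict
from datetime import datetime

DECOYS = {"10.1.5.20", "10.1.5.21", "10.2.7.40"}   # assumed decoy host addresses
LURE_USERS = {"svc_backup_dc"}                    # assumed planted (fake) account
AUTHORIZED_SCANNERS = {"10.0.0.9"}                # assumed vuln scanner allowed to touch decoys

# Constructed sample log: "timestamp src dst dport user_or_dash"
SAMPLE_LOG = """\
2015-03-01T10:00:01 10.0.3.15 10.1.5.7 443 -
2015-03-01T10:00:05 10.0.3.77 10.1.5.20 22 -
2015-03-01T10:00:06 10.0.3.77 10.1.5.21 445 -
2015-03-01T10:00:07 10.0.3.77 10.2.7.40 3389 svc_backup_dc
2015-03-01T10:01:00 10.0.0.9 10.1.5.20 22 -
2015-03-01T10:02:00 10.0.3.15 10.1.5.21 445 -
"""

def parse(line):
    """Split one log line into a dict; '-' means no username was presented."""
    ts, src, dst, dport, user = line.split()
    return {"ts": datetime.fromisoformat(ts), "src": src, "dst": dst,
            "dport": int(dport), "user": None if user == "-" else user}

def analyze(log_text, window_s=60):
    """Return {src: alert} for every source that touched a decoy or used a lure credential."""
    events = [parse(l) for l in log_text.splitlines() if l.strip()]
    touches = defaultdict(list)
    for e in events:
        if e["src"] in AUTHORIZED_SCANNERS:        # expected decoy touches: suppress
            continue
        if e["dst"] in DECOYS or e["user"] in LURE_USERS:
            touches[e["src"]].append(e)
    alerts = {}
    for src, evs in touches.items():
        decoys_hit = {e["dst"] for e in evs}
        lures = {e["user"] for e in evs if e["user"] in LURE_USERS}
        span = (evs[-1]["ts"] - evs[0]["ts"]).total_seconds()
        scanning = len(decoys_hit) >= 2 and span <= window_s   # several decoys, short window
        alerts[src] = {
            "severity": "high" if scanning or lures else "medium",
            "phase": "reconnaissance/lateral movement" if scanning else "single decoy touch",
            "decoys": sorted(decoys_hit), "lure_credentials": sorted(lures),
            "block_indicator": src,                # breach source, handed to IT for blocking
            "forensics": [(e["ts"].isoformat(), e["dst"], e["dport"]) for e in evs],
        }
    return alerts
```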