Ray Kafity, Vice President – Middle East, Turkey and Africa (META), Attivo Networks, explains to Security MEA how the ThreatDefend Detection platform works to ward off malicious attacks.
In this age of plug and play offices, how does the ThreatDefend Detection Platform work and how does it differentiate between a genuine request and a malicious request?
Attivo Networks' ThreatDefend Detection platform is an in-network detection platform for malicious actors inside the network. The platform works reliably across existing and emerging attack surfaces and is extremely effective against all attack vectors.
The idea of the ThreatDefend Detection platform from Attivo Networks is based on a highly advanced and new emerging technology called deception technology. This technology enables the platform to plant decoy assets, fictitious servers, and endpoints in the network that the attacker is trying to infiltrate. Attivo Networks installs the decoy assets in unpublished IP addresses within the network. These addresses are not disclosed within and outside the organization. That said, if an attacker tries to scan these decoy assets that have been planted into the unpublished IP address, the system automatically flags the activity as a malicious attempt. This is how we differentiate between a genuine and a malicious request.
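As an added illustration of the principle described above (example code, not Attivo Networks' own, with all addresses and log lines constructed), a minimal detector that treats any contact with an unpublished decoy address as malicious and escalates contact with several decoys to a reconnaissance scan:

```python
from collections import defaultdict
from dataclasses import dataclass

# Constructed inventory (hypothetical addresses): decoy hosts are never
# published to users, so no legitimate workflow should ever reach them.
DECOY_HOSTS = {"10.0.1.77", "10.0.1.78", "10.0.1.79"}
SCAN_THRESHOLD = 2  # distinct decoys touched by one source => reconnaissance scan

# Constructed connection log, one flow per line: "<src> -> <dst>:<port> <proto>"
SAMPLE_LOG = """\
10.0.5.4 -> 10.0.1.10:443 tcp
10.0.5.4 -> 10.0.1.20:445 tcp
10.0.9.23 -> 10.0.1.77:22 tcp
10.0.9.23 -> 10.0.1.78:445 tcp
10.0.9.23 -> 10.0.1.79:3389 tcp
10.0.7.1 -> 10.0.1.78:445 tcp
garbage line
"""

@dataclass(frozen=True)
class Alert:
    source: str
    decoys: tuple   # decoy addresses touched, in order of first contact
    severity: str   # "touch" for one decoy, "scan" for SCAN_THRESHOLD or more

def parse_line(line):
    """Parse one log line into (src, dst, port); None if malformed."""
    try:
        src, _, dst_port, _ = line.split()
        dst, port = dst_port.rsplit(":", 1)
        return src, dst, int(port)
    except ValueError:
        return None

def detect_decoy_touches(log_text, decoys=DECOY_HOSTS, threshold=SCAN_THRESHOLD):
    """Return one Alert per source that contacted a decoy address.

    Flows to published hosts are ignored: this signal alone cannot judge them.
    Every decoy contact is flagged; `threshold` or more distinct decoys => scan.
    """
    touched = defaultdict(list)
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue  # skip malformed lines rather than abort the run
        src, dst, _ = parsed
        if dst in decoys and dst not in touched[src]:
            touched[src].append(dst)
    return [Alert(src, tuple(d), "scan" if len(d) >= threshold else "touch")
            for src, d in touched.items()]
```

Running `detect_decoy_touches(SAMPLE_LOG)` yields no alert for 10.0.5.4 (only published hosts), a "touch" alert for 10.0.7.1 and a "scan" alert for 10.0.9.23.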
By how much will the new solution reduce the dwell time?
Attivo Networks' ThreatDefend Detection platform reduces dwell time from days, months and years to real time.
At what point after detecting an intrusion does the ThreatDefend Detection platform raise alerts and involve the agents at the endpoints, given that this detection platform also facilitates automated incident response?
Once an attacker enters the network and scans or touches any decoy assets, we redirect that attacker to our ThreatDefend appliance platform, which is already installed inside the network. Once the attacker is inside the appliance, they will not know that they have been redirected from the physical network to the deceptive network that was planted. The attacker keeps moving in the decoy environment, allowing us to record all movements. We then gather all the information into a file and immediately raise an alert with all the pre-installed prevention and security control systems.
Attivo Networks has seamless integration with up to 40 different security companies and the alert is shared immediately with as many security and control points as possible.
Can you elaborate on the historical attack data and the MITRE ATT&CK framework techniques that are being employed to ward off the threat actors?
The MITRE ATT&CK framework consists of three parts: initial foothold on compromised endpoints, internal network propagation, and action on objectives (critical asset access).
Attivo Networks' ThreatDefend Detection platform's core competence is in the second part (internal network propagation), where it helps prevent network discovery, privilege escalation, execution, credential access and lateral movement.
How would you differentiate Attivo Networks from its competitors?
Attivo Networks does more integration with EDR and EPP vendors than any other deception platform in the market today.
Our ThreatDefend Detection platform extends all the way up to the application and network layers. This means we can deploy network, data, endpoint and application decoys. It is a complete platform that allows Attivo Networks to plant deception assets at different layers of the enterprise.
The COVID-19 pandemic has accelerated the adoption of many emerging technologies, such as remote learning and remote working, which has created a lot of disruption to the traditional security systems that were in place. How agile is your platform in addressing these new challenges?
Before the pandemic, only 4 percent of the global workforce was logging in remotely. Post COVID-19, more than 90 percent of employees were required to work from home. Organizations are now being forced to give access to sensitive databases and assets to ensure that employees can do their jobs smoothly. As an example, employees are now using VPNs to access their data. This scenario has presented a tremendous opportunity for hackers to breach the systems and enter the network.
Benefits of the ThreatDefend Detection platform include deployment of network decoys in the VPN and VLANs to increase visibility and detect reconnaissance scans and attacks; deployment of deceptive VPN logins on endpoints for early identification of compromised endpoints; detection of the presence of sensitive credentials and identification of critical lateral movement routes; and alerting on and defending against malicious Active Directory queries.