Attivo Networks has introduced new capabilities within its ThreatDefend Detection Platform that aim to anticipate methods an attacker will use to break out from an infected endpoint and ambush their every move.
According to the company, this approach to detection specifically focuses on reducing the time an attacker can remain undetected and the amount of effort required for an organisation to restore environments to normal operations. This new Endpoint Detection Net offering will also serve as a powerful protection force-multiplier for businesses using Endpoint Protection (EPP) and Endpoint Detection and Response (EDR) solutions by closing detection gaps and facilitating automated incident response.
“Endpoints are the new battleground, and well-orchestrated detection and response capabilities are an organisation’s greatest weapon against attackers,” said Ray Kafity, Vice President of META at Attivo Networks. “The new Endpoint Detection Net offering provides organisations of all sizes an efficient and effective way to derail an attacker’s lateral movement before they can establish a foothold or cause material harm.”
The Attivo Endpoint Detection Net product is tackling endpoint security challenges head-on by making every endpoint a decoy designed to disrupt an attacker’s ability to break out and further infiltrate the network. It does this without requiring agents on the endpoint or causing disruption to regular network operations. The company used historical attack data and the MITRE Att@ck framework as a way to understand the various methods attackers use to spread laterally from an endpoint and then created a comprehensive solution designed to stop them.
The Endpoint Detection Net solution elevates security control by accurately raising alerts and taking proactive measures to derail attackers. These capabilities include early attack detection based on:
- Unauthorised Active Directory queries from an endpoint. Attackers seeking information on privileged domain accounts, systems, and other high-value objects will now receive fake Active Directory results, which make an attacker’s automated tools untrustworthy and further advancement futile as their efforts get redirected into a decoy environment.
- Theft of local credentials. Deceptive credential lures deploy on the endpoint, and attempted use by an attacker will breadcrumb attacks away from production assets and into a decoy environment.
- Attempts to compromise file servers by moving to mapped shares. Attacks will get thwarted by decoy file shares and systems. Attackers will also be actively engaged within the decoys, providing defenders time to isolate the systems and prevent further infection of malware or ransomware.
- Network reconnaissance to find production assets and available services. These activities will become challenging as decoys obfuscate the attack surface with systems that appear identical to production assets but are instead virtual landmines for an attacker.
- Man-in-the-Middle attacks where attackers try to steal credentials in transit. These attacks are traditionally difficult to identify; however, this solution delivers an innovative and quick means to detect and alert on them.
- Identifying the available attack paths that an attacker would take to move about the network. Organisations now gain visibility to at-risk credentials and avenues of lateral movement, as well as the insights needed to remove them before attackers can leverage any exposed or orphaned credentials.
