
10/17/2017, 10:30 AM
Simon Marshall

Attivo Goes On the Attack Against Hackers

Attivo gets $21 million in new funding to take the fight to hackers through advanced deception.

Hackers heading into an enterprise have another reason to be cautious: they could become the hunted rather than the hunter. In a kind of cyber bait-and-switch, valuable data turns out to be fake, and the trap is sprung. More and more enterprises are becoming interested in so-called deception technology, designed to turn the tables on attackers.

Attivo, a deception developer, just raised a $21 million series C venture capital round, led by Trident Capital Cybersecurity with participation from existing investors Bain Capital Ventures and Omidyar Technology Ventures. In May, it secured a series B round of $15 million, bringing the total raised in the last five months to $36 million. Tushar Kothari, CEO of Attivo, attributes the pace to a mushrooming interest in fooling the thieves.

An image of an enterprise customer's network is stored on Attivo's ThreatDefend platform, which then "projects" data decoys that nestle among genuine data nuggets. If an attacker touches a decoy, they are sealed in a sandbox environment that mimics the real one. The hacker believes they have been successful and carries on. Meanwhile, this buys the enterprise time either to disarm the attack or to observe behavior and learn about malware approaches. One outcome is that hackers become frustrated and turn their attention to easier targets.

Attivo uses what it calls "high interaction deception," with authentic operating systems and image customization. Apparently, attackers cannot tell the difference between decoys and production assets. Decoy users act like real users, and decoy data and systems look like real data and systems, until there is an attempt to harvest information. This methodology deals another blow to perimeter security (possibly one of the most direct blows it could receive) by being unconcerned when bad actors breach the perimeter.*

It also raises the possibility of a strike back by the target organization, with the hacker unaware and placed on the defensive. "It all depends on what our customer wants," Attivo's Kothari told Security Now, "we have the ability for offensive or pre-emptive (retaliation)."

According to Rik Turner, principal analyst, infrastructure solutions at Ovum, the platform extends beyond network- and endpoint-based deception technology out into vulnerability assessment and response automation, and into threat hunting.

Can the platform be fooled, made to look the other way while hackers drive past the decoys? Maybe overwhelm the platform?

"This type of attack would not distract (the platform), since all attacks would be coming from one IP, which we would use to ID the attacker and alert the attack," Carolyn Crandall, CMO of Attivo, told Security Now. "Unlike an external DDoS attack, launching multiple attacks just allows us to identify the attack more quickly based on more data points."

Typical attacks that can be foiled include reconnaissance, credential raids, man-in-the-middle attacks and Active Directory attacks. Kothari said the platform can be integrated with other security systems, avoiding a situation where one system treads on the toes of another.

In theory, this also reduces false positives. "If the mouse bites the cheese, we know he exists because the cheese is missing," said Kothari.
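The "missing cheese" principle, and Crandall's point that repeated attempts from one source only give the defender more data points, as an added example that is not Attivo's code: the decoy names and the access log below are constructed, and any touch of a decoy is flagged and grouped by source IP.

```python
import re
from collections import defaultdict

# Constructed decoy inventory (assumed names, not Attivo's): assets that no
# legitimate workflow ever touches, so any access to them is a high-fidelity alert.
DECOYS = {
    "/srv/finance/Q3_payroll_FINAL.xlsx": "file",   # decoy document
    "svc_backup_admin": "account",                  # decoy (honeytoken) credential
    "10.20.30.250": "host",                         # decoy host
}

LOG_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) user=(?P<user>\S+) "
    r"action=(?P<action>\S+) target=(?P<target>\S+)$"
)

def parse_line(line):
    """Parse one constructed access-log line into a dict, or None if malformed."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None

def decoy_hit(event):
    """Return the kind of decoy this event touched (the missing cheese), or None."""
    return DECOYS.get(event["user"]) or DECOYS.get(event["target"])

def detect(lines):
    """Group decoy touches by source IP; each touch is one more data point on that source."""
    hits = defaultdict(list)
    for line in lines:
        event = parse_line(line)
        if event is None:
            continue
        kind = decoy_hit(event)
        if kind:
            hits[event["src"]].append((event["ts"], kind, event["target"]))
    return dict(hits)

def rank_sources(hits):
    """Sources ordered by number of decoy touches, most data points first."""
    return sorted(((src, len(ev)) for src, ev in hits.items()), key=lambda p: -p[1])

# Constructed sample log: two legitimate users and one source probing decoys.
SAMPLE_LOG = """
2017-10-17T10:30:01Z src=10.20.30.15 user=alice action=read target=/srv/finance/budget_2018.xlsx
2017-10-17T10:30:05Z src=10.20.30.99 user=alice action=read target=/srv/finance/Q3_payroll_FINAL.xlsx
2017-10-17T10:30:07Z src=10.20.30.99 user=svc_backup_admin action=logon target=dc01
2017-10-17T10:30:09Z src=10.20.30.99 user=alice action=connect target=10.20.30.250
2017-10-17T10:31:00Z src=10.20.30.16 user=bob action=read target=/srv/hr/handbook.pdf
""".strip().splitlines()
```

Legitimate users never appear in the output; the one source that touched three decoys is ranked first with three data points.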

Although deception technology is still maturing, Kothari plans to keep moving the cheese, leaving companies one step ahead. The timeline of staying ahead, of course, is always subject to hackers learning patterns and eventually spotting deception.

"Every security technology goes through its lifecycle; hackers learn, and deception technology is no exception," said Kothari. He projects three phases: first, during the first two to three years, the deception is totally unexpected and a surprise. Next, attackers begin to learn and differentiate between what is a decoy and what is not.

In five to ten years, target organizations will need to up their game and launch what Kothari terms "deception campaigns," where snares are placed at multiple layers. Data is attacked and eventually extracted, but ultimately the hacker cannot differentiate between a valuable data haul and an empty swag bag.

Attivo claims Aflac as a public reference, and customers across a wide spread of verticals, concentrated in financial services, utilities, law firms and the energy sector. It claims evaluation trials with about 350 companies.

* The stance of Attivo toward bad actors and their breaches of the perimeter has been clarified from the original sentence.

— Simon Marshall, Technology Journalist, special to Security Now
