Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Endpoint Security

10/17/2017
10:30 AM
Simon Marshall
Simon Marshall
Simon Marshall
50%
50%

Attivo Goes On the Attack Against Hackers

Attivo gets $21 million in new funding to take the fight to hackers through advanced deception.

Hackers heading into an enterprise have another reason to be cautious: they could become the hunted, not the hunter. In a kind of cyber bait-and-switch, valuable data turns out to fake, and the trap is sprung. More and more enterprises are becoming interested in so-called deception technology, designed to turn the tables on attackers.

Attivo, a deception developer, just raised a venture capital C series of $21 million, led by Trident Capital Cybersecurity with participation from existing investors Bain Capital Ventures and Omidyar Technology Ventures. In May, it secured a series B round of $15m, representing $36 million raised in the last five months. Tushar Kothari, CEO of Attivo, attributes the pace to a mushrooming interest in fooling the thieves.

An image of an enterprise customer network is stored on Attivo's ThreatDefend platform, which then "projects" data decoys which nestle among genuine data nuggets. If an attacker touches the decoy, they sealed in a sandbox environment, which mimics the real environment. The hacker considers they have been successful and continue about their business. Meantime, this offers time for the enterprise to either disarm the attack, or indeed, observe behavior and learn about malware approaches. One outcome is that hackers become frustrated and they turn their attention to easier targets.

Attivo uses what it calls "high interaction deception" with authentic operating systems and image customization. Apparently, attackers cannot tell the difference between decoys and production assets. Decoy users act like real users, and data and systems look like real data and systems. Until there's an attempt to harvest information. This methodology deals another blow to perimeter security –- possibly one of the most direct blows it could receive –- by being unconcerned when bad actors breach the perimeter.*

It also raises the possibility of a strike back by the target organization, with the hacker unaware and placed on the defensive. "It all depends on what our customer wants," Attivo's Kothari told SecurityNow, "we have the ability for offensive or pre-emptive (retaliation)."

According to Rik Turner, principal analyst, infrastructure solutions at Ovum, the platform extends beyond network- and endpoint-based deception technology out into vulnerability assessment and response automation, and into threat hunting.

Can the platform be fooled, made to look the other way while hackers drive past the decoys? Maybe overwhelm the platform?

"This type of attack would not distract (the platform), since all attacks would be coming from one IP, which we would use to ID the attacker and alert the attack," Carolyn Crandall, CMO of Attivo, told Security Now. "Unlike an external DDoS attack, launching multiple attacks just allows us to identify the attack more quickly based on more data points."

Typical attacks which can be foiled include reconnaissance attacks, credential raids, man-in-the-middle attacks or active directory attacks. Kothari said the platform can be integrated with other security systems, avoiding a situation where one system treads on the toes of another.

In theory, this also reduces false positives. "If the mouse bites the cheese, we know he exists because the cheese is missing," said Kothari.

Although deception technology is still maturing, Kothari plans to keep moving the cheese, leaving companies one step ahead. The timeline of staying ahead, of course, is always subject to hackers learning patterns and eventually spotting deception.

"Every security technology goes through its lifecycle, hackers learn and deception technology is no exception," said Kothari. He projects three phases: firstly, during the first two to three years, the deception is totally unexpected and a surprise. Next, attackers begin to learn and differentiate between what's a decoy and what is not.

In five to ten years, target organizations will need to up their game and launch what Kothari terms "deception campaigns," where snares are placed at multiple layers. Data is attacked and eventually extracted, but ultimately the hacker can't differentiate between a valuable data haul or an empty swag bag.

Attivo claims Aflack as a public reference, and customers in a wide spread of verticals concentrated on financial, utility, law firms and the energy sector. It claims evaluation trials with about 350 companies.

* The stance of Attivo toward bad actors and their breaches of the perimeter has been clarified from the original sentence.

Related posts:

— Simon Marshall, Technology Journalist, special to Security Now

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Edge-DRsplash-10-edge-articles
I Smell a RAT! New Cybersecurity Threats for the Crypto Industry
David Trepp, Partner, IT Assurance with accounting and advisory firm BPM LLP,  7/9/2021
News
Attacks on Kaseya Servers Led to Ransomware in Less Than 2 Hours
Robert Lemos, Contributing Writer,  7/7/2021
Commentary
It's in the Game (but It Shouldn't Be)
Tal Memran, Cybersecurity Expert, CYE,  7/9/2021
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
How Enterprises are Attacking the Cybersecurity Problem
Concerns over supply chain vulnerabilities and attack visibility drove some significant changes in enterprise cybersecurity strategies over the past year. Dark Reading's 2021 Strategic Security Survey showed that many organizations are staying the course regarding the use of a mix of attack prevention and threat detection technologies and practices for dealing with cyber threats.
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2021-3903
PUBLISHED: 2021-10-27
vim is vulnerable to Heap-based Buffer Overflow
CVE-2021-41191
PUBLISHED: 2021-10-27
Roblox-Purchasing-Hub is an open source Roblox product purchasing hub. A security risk in versions 1.0.1 and prior allowed people who have someone's API URL to get product files without an API key. This issue is fixed in version 1.0.2. As a workaround, add `@require_apikey` in `BOT/lib/cogs/website....
CVE-2021-1115
PUBLISHED: 2021-10-27
NVIDIA GPU Display Driver for Windows contains a vulnerability in the kernel mode layer (nvlddmkm.sys) handler for private IOCTLs, where an attacker with local unprivileged system access may cause a NULL pointer dereference, which may lead to denial of service in a component beyond the vulnerable co...
CVE-2021-1116
PUBLISHED: 2021-10-27
NVIDIA GPU Display Driver for Windows contains a vulnerability in the kernel mode layer (nvlddmkm.sys), where a NULL pointer dereference in the kernel, created within user mode code, may lead to a denial of service in the form of a system crash.
CVE-2021-1117
PUBLISHED: 2021-10-27
Windows contains a vulnerability in the kernel mode layer (nvlddmkm.sys) handler for DxgkDdiEscape, where an attacker through specific configuration and with local unprivileged system access may cause improper input validation, which may lead to denial of service.