
Endpoint Security

10/17/2017
10:30 AM
Simon Marshall

Attivo Goes On the Attack Against Hackers

Attivo gets $21 million in new funding to take the fight to hackers through advanced deception.

Hackers heading into an enterprise have another reason to be cautious: they could become the hunted, not the hunter. In a kind of cyber bait-and-switch, valuable data turns out to be fake, and the trap is sprung. More and more enterprises are becoming interested in so-called deception technology, designed to turn the tables on attackers.

Attivo, a deception developer, just raised a venture capital C series of $21 million, led by Trident Capital Cybersecurity with participation from existing investors Bain Capital Ventures and Omidyar Technology Ventures. In May, it secured a series B round of $15m, representing $36 million raised in the last five months. Tushar Kothari, CEO of Attivo, attributes the pace to a mushrooming interest in fooling the thieves.

An image of an enterprise customer network is stored on Attivo's ThreatDefend platform, which then "projects" data decoys that nestle among genuine data nuggets. If an attacker touches a decoy, they are sealed in a sandbox environment that mimics the real environment. The hacker believes they have been successful and continues about their business. Meanwhile, this buys the enterprise time to either disarm the attack or observe the behavior and learn about malware approaches. One outcome is that hackers become frustrated and turn their attention to easier targets.

Attivo uses what it calls "high interaction deception" with authentic operating systems and image customization. Apparently, attackers cannot tell the difference between decoys and production assets. Decoy users act like real users, and data and systems look like real data and systems, until there's an attempt to harvest information. This methodology deals another blow to perimeter security, possibly one of the most direct blows it could receive, by being unconcerned when bad actors breach the perimeter.*

It also raises the possibility of a strike back by the target organization, with the hacker unaware and placed on the defensive. "It all depends on what our customer wants," Attivo's Kothari told Security Now, "we have the ability for offensive or pre-emptive (retaliation)."

According to Rik Turner, principal analyst, infrastructure solutions at Ovum, the platform extends beyond network- and endpoint-based deception technology out into vulnerability assessment and response automation, and into threat hunting.

Can the platform be fooled, made to look the other way while hackers drive past the decoys? Maybe overwhelm the platform?

"This type of attack would not distract (the platform), since all attacks would be coming from one IP, which we would use to ID the attacker and alert the attack," Carolyn Crandall, CMO of Attivo, told Security Now. "Unlike an external DDoS attack, launching multiple attacks just allows us to identify the attack more quickly based on more data points."

Typical attacks that can be foiled include reconnaissance, credential raids, man-in-the-middle attacks and Active Directory attacks. Kothari said the platform can be integrated with other security systems, avoiding a situation where one system treads on the toes of another.

In theory, this also reduces false positives. "If the mouse bites the cheese, we know he exists because the cheese is missing," said Kothari.
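The detection logic sketched in the passages above (a decoy that no legitimate user ever touches, every touch treated as a confirmed signal, and repeated probes from one source aggregated into a profile rather than noise) can be illustrated with the following added example. It is not Attivo's code or any part of ThreatDefend; the decoy inventory, log format and log lines are all constructed for illustration.

```python
from collections import defaultdict
from dataclasses import dataclass, field

DECOY_HOSTS = {"10.0.5.77", "10.0.5.78"}                 # constructed decoy servers among production hosts
DECOY_USERS = {"svc_backup_legacy", "finance_share_ro"}  # constructed decoy credentials seeded on real hosts

@dataclass
class SourceProfile:
    touches: int = 0
    hosts: set = field(default_factory=set)
    users: set = field(default_factory=set)

def parse_line(line):
    """Parse the constructed log format '<ts> src=<ip> dst=<ip> user=<name> action=<verb>'."""
    return dict(kv.split("=", 1) for kv in line.split()[1:])

def classify(fields):
    """Return why a record is a decoy touch, or None for ordinary production traffic."""
    if fields.get("dst") in DECOY_HOSTS:
        return "decoy-host"
    if fields.get("user") in DECOY_USERS:
        return "decoy-credential"
    return None

def detect(lines):
    """Return (alerts, profiles). Every decoy touch is an alert, since the decoy has no
    legitimate consumers; touches are also aggregated per source to profile the attacker."""
    alerts, profiles = [], defaultdict(SourceProfile)
    for line in lines:
        f = parse_line(line)
        reason = classify(f)
        if reason is None:
            continue
        alerts.append((f["src"], f["dst"], f.get("user"), reason))
        p = profiles[f["src"]]
        p.touches += 1
        p.hosts.add(f["dst"])
        if reason == "decoy-credential":
            p.users.add(f["user"])
    return alerts, dict(profiles)

# Constructed sample log: two ordinary users and one source sweeping the subnet.
SAMPLE_LOG = [
    "2017-10-17T10:30:01 src=10.0.2.15 dst=10.0.5.10 user=alice action=smb_open",
    "2017-10-17T10:30:05 src=10.0.2.99 dst=10.0.5.77 user=alice action=ssh_login",
    "2017-10-17T10:30:09 src=10.0.2.99 dst=10.0.5.10 user=svc_backup_legacy action=smb_open",
    "2017-10-17T10:30:12 src=10.0.2.99 dst=10.0.5.78 user=admin action=rdp_connect",
    "2017-10-17T10:31:00 src=10.0.2.16 dst=10.0.5.11 user=bob action=smb_open",
]
```

Running `detect(SAMPLE_LOG)` yields three alerts, all from 10.0.2.99, and a single profile showing which decoy hosts and decoy credentials that source has touched.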

Although deception technology is still maturing, Kothari plans to keep moving the cheese, leaving companies one step ahead. The timeline of staying ahead, of course, is always subject to hackers learning patterns and eventually spotting deception.

"Every security technology goes through its lifecycle, hackers learn and deception technology is no exception," said Kothari. He projects three phases: firstly, during the first two to three years, the deception is totally unexpected and a surprise. Next, attackers begin to learn and differentiate between what's a decoy and what is not.

In five to ten years, target organizations will need to up their game and launch what Kothari terms "deception campaigns," where snares are placed at multiple layers. Data is attacked and eventually extracted, but ultimately the hacker can't differentiate between a valuable data haul or an empty swag bag.

Attivo claims Aflac as a public reference, and customers in a wide spread of verticals concentrated on financial, utility, law firms and the energy sector. It claims evaluation trials with about 350 companies.

* The stance of Attivo toward bad actors and their breaches of the perimeter has been clarified from the original sentence.

— Simon Marshall, Technology Journalist, special to Security Now
