AST Digital Magazine June 2017 Digital-June | Page 25

Volume 13

Attivo Deception for Threat Detection, June 2017 Edition

ability assessment of the network based on exposed and orphaned credentials and other vulnerabilities that create on-ramps for an attacker. Additionally, topographical maps of the network provide visibility into assets as they come on and off the network. Maps can also show a time-lapsed replay of an attack so that organizations can understand and analyze its lateral movement.

The second area is indicators and warning. In this day and age, where we are heavily reliant on ICS, real-time situational awareness is critical. Additionally, an increasing number of proactive government practitioners and organizations are connecting sensor-based data and operational infrastructure to enable real-time intelligence. Both come with their own sets of security risks. ICS often operates on older, unpatchable systems where security standards are lacking, common passwords are often used, and the concept of a true "air gap" is fading rapidly in a connected world.

Ultimately, attackers can and will bypass perimeter security and get inside the network. The BOTsink deception servers are designed to provide early warning of attackers in the network by setting traps that appear as production assets. These decoys run the same protocols as ICS and IoT devices for authenticity and are designed to deceive and misdirect the attacker into engaging and revealing their presence.

Response is the third area. As the attacker engages with the deception environment, the BOTsink multi-correlation engine analyzes the attack and creates the forensic reporting for the incident. This attack information then produces evidence-based alerts, viewable in a threat intelligence dashboard, from which actions can be taken with a double click through third-party integrations to block and quarantine attackers.
Companies and agencies can then create repeatable playbooks based on the information they would like shared with their firewall, endpoint, NAC, and SIEM solutions, so that their security policies can be applied automatically.

In ICS environments, where human lives and safety can quickly be at risk, it is not enough to simply think like an attacker and know how they get in. One must think like a responder and have deep expertise in detecting and defending against these attackers. Attivo engineers have applied their extensive expertise in intrusion detection and protection and have designed the ThreatMatrix BOTsink solution for optimal efficiency in ICS network threat detection and accelerated incident response. Using Attivo deception, the game has changed: attackers must now be right 100% of the time or be caught, and when they are, organizations are equipped to respond to them quickly and efficiently.

Comprehensive Deception and Decoy

Make the Entire Network a Trap to Confuse and Misdirect Attackers into Revealing Themselves

• Decoys appear identical to production assets, luring attackers into revealing themselves.
• Decoy configurations run real Linux, Mac, and Windows OS and are customizable to match the "golden image" of the production environ-