The Attivo ThreatStrike Endpoint solution, part of the modular ThreatDefend Platform, provides early and accurate detection of targeted attacks on endpoints and servers. Customizable and non-intrusive, this agentless deception technology places bait and breadcrumbs that lead to an engagement server, where an alert is raised, attacks are analyzed, and actions to quarantine the infected system are activated. To reach sensitive network data, attackers will compromise computers to steal passwords and hashes that can then be used to move laterally within the network and escalate privileges to advance their attack. The ThreatStrike solution is an agentless technology that dynamically plants deception credentials, lures, and deception network drives for ransomware detection.
Automated Attack Analysis and Forensic Reporting
The Attivo ThreatStrike suite provides real-time attack analysis and alerts on the use of planted deceptions. Once an attacker takes the bait and tries to use the deceptive credentials, they are led to the Attivo BOTsink Solution, which identifies the infected endpoint, analyzes the attack, and provides 3rd party integrations to share information and automate response actions with prevention devices. Additionally, SIEM applications can be queried to check and raise alerts based on the failed login use of deception credentials, providing accurate alerts for notifications that would typically be buried and lost in logs of data. The BOTsink analysis engine also goes one step further than typical sandboxes by capturing and analyzing memory forensics as part of the attack analysis. All too often, this data is lost, and along with it, the attacker’s tracks. This unique benefit will often provide the much-needed insight to truly understand and quickly respond to an attack.
Ransomware works by infecting and encrypting attached network shares on a device. The Attivo ThreatStrike endpoint lures, however, combat this process by having SMB shares mapped to the BOTsink decoy engagement VMs. Therefore, when ransomware infects a device that has ThreatStrike SMB lures installed, the ransomware encrypts the mapped decoy network shares in place of the production shares. In testing trials of this technology, it was noted that the Attivo high-interaction deception can slow down the encryption attack cycle by a factor of 25 times, keeping the ransomware busy encrypting a continuous feed of deception files. Analysis of Petya/NotPetya and WannaCry attacks by Attivo Labs demonstrate the effectiveness of deception technology in detecting and stopping ransomware attacks.