Attivo Networks, the leader in deception solutions for cybersecurity defense, introduced enhancements to its ThreatDefend deception and response platform, which is designed to deceive and reveal attackers that have bypassed perimeter security. The latest version of the ThreatDefend platform augments its current Threat and Adversary Intelligence gathering by adding Counterintelligence that identifies the types of data the attacker is attempting to steal and, through geolocation services, where the documents are being accessed. This information provides powerful insight that can be used to better understand the adversary and strengthen a company’s overall defenses.
The ThreatDefend Platform’s new DecoyDocs feature provides the ability to plant deception files that allow the organization to conduct data loss tracking (DLT) on documents that have been exfiltrated. By embedding a tracking call-back function into a document, the solution provides information about what was stolen and where an attacker opened the file, whether inside or outside of the network. The DecoyDocs call-back provides the externally-facing IP address and geolocation of every system that opens the deception file, the name of the stolen file and which deception network the data was extracted from.
“While advanced Threat and Adversary Intelligence helps security teams determine how bad actors are attacking, our customers still face a wide range of challenges in understanding the intent, motivation, and attribution of attackers,” said Tushar Kothari, CEO of Attivo Networks. “The new Counterintelligence functionality within the ThreatDefend platform directly addresses this knowledge gap by empowering organizations to gather intel on targets and intent. This knowledge can then be applied to offense-based security measures and ultimately call checkmate on their attacker.”
Many organizations are familiar with Threat Intelligence, collecting and analyzing information that helps develop indicators of compromise (IOCs) to identify commonalities of an attack. At a more strategic level is Adversary Intelligence, which identifies the Tactics, Techniques and Procedures (TTPs) of an attacker and is used to better understand an attacker’s capabilities. The Attivo ThreatDefend Platform provides organizations with both Threat and Adversary Intelligence, which captures all attack activity during engagement with a decoy asset. DecoyDocs takes this one step further, tracking deceptive documents when they are stolen and opened, providing complete and comprehensive collective counterintelligence capabilities through insight into what type of data attackers are targeting and their motivation for doing so.
DecoyDocs are fast and easy to add to a deception environment. Desired files are loaded into Attivo Networks BOTsink engagement servers, where they are tagged for tracking and a notification system is set up. DecoyDocs are then placed in attractive locations for attackers and are intentionally allowed to be exfiltrated. DecoyDocs can also provide automated deployment of decoy Powershell, Linux scripts, files and documents for additional in-network security trip wires. Security teams will instantly benefit from the knowledge gained from DecoyDoc alerts and can immediately apply these to offense-driven countermeasures.
