Attivo Networks’ ThreatDefend Deception and Response Platform arms the defender with no-nonsense threat detection and faster incident response that empowers organizations of all sizes and industries with visibility, high efficacy detection and intelligence-gathering to gain the upper hand against attackers.

The platform supplies high-interaction traps, baits and lures developed for today’s evolving attack surface and operating environments. Focusing on believability and attack surface coverage, the Attivo Camouflage Framework mirror-matches production assets using a variety of high-interaction decoys with real OS, applications and services. It leverages machine learning for automated network intelligence gathering and the preparation, deployment and ongoing management of deceptions.

ThreatDefend makes moot the debate over whether deception is best suited at the endpoint or in network by providing both to catch all threat vectors, including reconnaissance and credential theft. While ThreatDefend offers the rich feature functionality often associated with greater complexity, it was designed with ease-of-use and scalability in mind and goes beyond just providing deception alerts, giving organizations adversary intelligence and forensics to better understand attackers and leverage to automate the incident response process. Within RDP access, commands used are tracked on the decoy. Teams can create decoy documents, which, if opened, will trigger alerts.  

Attivo has integrated BOTSink for AWS into the product. Organizations can create cloud campaigns with decoys for cloud assets. ThreatDefend includes multitenancy capabilities and deception can be deployed in multiple tenants using only one appliance. We believe the creation of a small tenant from the same appliance to offer deception at a remote location without necessitating another appliance or anything special is an important feature.

After selecting one of two deception campaigns – endpoint and network – organizations can create decoys can be created in a VLAN with the click of a button. Network View gives visibility into multiple VLANs and the services available on a given host. Whitelisting keeps the decoys invisible to vulnerability scanners. Decoys can import company pages so they’re believable to attackers who get redirected and login with stolen, decoyed credentials. If a fake database is accessed, all query commands that were run will be visible.  

ThreatDefend impressively redirects specific traffic to decoys with inbound and outbound traffic to non-existing ports redirected to BOTsink decoys. When activity is deemed suspicious, it can be quarantined on endpoints. ThreatDirect’s value lies with every PC on a network becoming part of the deception fabric, which significantly slows down attackers. The Intercept Program generates fake administrator credentials on PCs  to feed attackers while real administrator credentials remain hidden.

The tool also creates fake group policies that will run on the Domain Controller. If an attacker attempts to use credentials from Group Policy Objects, they can be caught. ThreatDefend supports role-based access.

This catch-all solution with third-party integrations, automated playbooks, endpoint forensics and extensive features deserves the consideration.

Starting price is $40,000. Maintenance support and professional, managed services are offered.

Tested by: Tom Weil