
Endpoint Security

10/17/2017
10:30 AM
Simon Marshall

Attivo Goes On the Attack Against Hackers

Attivo gets $21 million in new funding to take the fight to hackers through advanced deception.

Hackers heading into an enterprise have another reason to be cautious: they could become the hunted, not the hunter. In a kind of cyber bait-and-switch, valuable data turns out to be fake, and the trap is sprung. More and more enterprises are becoming interested in so-called deception technology, designed to turn the tables on attackers.

Attivo, a deception developer, just raised a $21 million Series C venture capital round, led by Trident Capital Cybersecurity with participation from existing investors Bain Capital Ventures and Omidyar Technology Ventures. In May, it secured a Series B round of $15 million, bringing the total to $36 million raised in the last five months. Tushar Kothari, CEO of Attivo, attributes the pace to a mushrooming interest in fooling the thieves.

An image of an enterprise customer network is stored on Attivo's ThreatDefend platform, which then "projects" data decoys that nestle among genuine data nuggets. If an attacker touches a decoy, they are sealed in a sandbox environment that mimics the real environment. The hacker believes they have been successful and continues about their business. Meanwhile, this buys time for the enterprise either to disarm the attack or to observe behavior and learn about malware approaches. One outcome is that hackers become frustrated and turn their attention to easier targets.

Attivo uses what it calls "high interaction deception," with authentic operating systems and image customization. Apparently, attackers cannot tell the difference between decoys and production assets. Decoy users act like real users, and data and systems look like real data and systems, until there's an attempt to harvest information. This methodology deals another blow to perimeter security (possibly one of the most direct blows it could receive) by being unconcerned when bad actors breach the perimeter.*

It also raises the possibility of a strike back by the target organization, with the hacker unaware and placed on the defensive. "It all depends on what our customer wants," Attivo's Kothari told SecurityNow, "we have the ability for offensive or pre-emptive (retaliation)."

According to Rik Turner, principal analyst, infrastructure solutions at Ovum, the platform extends beyond network- and endpoint-based deception technology out into vulnerability assessment and response automation, and into threat hunting.

Can the platform be fooled, made to look the other way while hackers drive past the decoys? Maybe overwhelm the platform?

"This type of attack would not distract (the platform), since all attacks would be coming from one IP, which we would use to ID the attacker and alert the attack," Carolyn Crandall, CMO of Attivo, told Security Now. "Unlike an external DDoS attack, launching multiple attacks just allows us to identify the attack more quickly based on more data points."

Typical attacks that can be foiled include reconnaissance, credential raids, man-in-the-middle attacks and Active Directory attacks. Kothari said the platform can be integrated with other security systems, avoiding a situation where one system treads on the toes of another.

In theory, this also reduces false positives. "If the mouse bites the cheese, we know he exists because the cheese is missing," said Kothari.
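The "cheese is missing" check described above, as an added illustration that is not Attivo's code: decoy assets are listed in a small inventory, any access to one is treated as an attacker signal (no legitimate workflow references a decoy), and hits are grouped by source IP so that repeated probing from one host, as Crandall describes, yields more data points rather than more noise. The decoy names and log lines are constructed for the example.

```python
"""Decoy-access detection over constructed access-log lines (hypothetical)."""
from collections import defaultdict

# Constructed decoy inventory: hypothetical names, not a real deployment's.
DECOYS = {
    "/finance/q3_forecast_FINAL.xlsx": "file",
    "svc_backup_admin": "credential",
    "10.0.9.77": "host",
}

# Constructed sample log: "<timestamp> <source_ip> <action> <target>".
SAMPLE_LOG = """\
2017-10-17T09:01:12 10.0.4.21 READ /hr/handbook.pdf
2017-10-17T09:02:40 10.0.4.21 READ /finance/q3_forecast_FINAL.xlsx
2017-10-17T09:02:41 10.0.4.21 LOGIN svc_backup_admin
2017-10-17T09:03:05 10.0.4.35 READ /eng/roadmap.docx
2017-10-17T09:04:50 10.0.4.21 CONNECT 10.0.9.77
"""


def decoy_hits(log_text):
    """Return {source_ip: [(timestamp, decoy_type, asset), ...]} for decoy touches."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # malformed line: skip rather than crash the detector
        ts, src, _action, target = parts
        kind = DECOYS.get(target)
        if kind:  # touching a decoy is the signal; real assets are ignored
            hits[src].append((ts, kind, target))
    return dict(hits)


def alerts(log_text):
    """One alert per source IP; severity rises as more decoys or decoy types are touched."""
    out = []
    for src, events in decoy_hits(log_text).items():
        kinds = {kind for _, kind, _ in events}
        severity = "high" if len(events) >= 3 or len(kinds) >= 2 else "medium"
        out.append({"src": src, "first_seen": events[0][0],
                    "count": len(events), "severity": severity})
    return out


if __name__ == "__main__":
    for alert in alerts(SAMPLE_LOG):
        print(alert)
```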

Although deception technology is still maturing, Kothari plans to keep moving the cheese, leaving companies one step ahead. The timeline of staying ahead, of course, is always subject to hackers learning patterns and eventually spotting deception.

"Every security technology goes through its lifecycle, hackers learn and deception technology is no exception," said Kothari. He projects three phases: first, during the initial two to three years, the deception is totally unexpected and a surprise. Next, attackers begin to learn and differentiate between what is a decoy and what is not.

In five to ten years, target organizations will need to up their game and launch what Kothari terms "deception campaigns," where snares are placed at multiple layers. Data is attacked and eventually extracted, but ultimately the hacker can't differentiate between a valuable data haul and an empty swag bag.

Attivo claims Aflac as a public reference, and customers across a wide spread of verticals, concentrated in financial services, utilities, law firms and the energy sector. It claims evaluation trials with about 350 companies.

* The stance of Attivo toward bad actors and their breaches of the perimeter has been clarified from the original sentence.

— Simon Marshall, Technology Journalist, special to Security Now
