Attivo Networks announced on Feb. 12 that it is expanding its ThreatDefend cyber-security deception platform with its new “The Informer” forensic collection technology.
Deception is a class of cyber-security technology that aims to trick attackers with fake services as an approach to help limit risk and expose potential adversaries. With its ThreatDefend Platform, Attivo provides deception-based detection for the entire network. The new Informer forensics capability goes beyond just deception, collecting data on potential attackers that have fallen for the deception, in an attempt to help organizations better defend and respond to attacks.
“The Informer is a net new investigation and analysis tool that is a component of the ThreatDefend Platform,” Carolyn Crandall, Chief Deception Officer at Attivo, told eWEEK. “Data from detection alerts and known threat intelligence providers are aggregated into a single dashboard making the responders job exponentially more efficient with the goal of driving response time from hours down to minutes.”
Attivo has been steadily expanding its ThreatDefend platform with additional deceptions as well as coverage areas. In September 2018, Attivo announced support for container and serverless deployments, enabling organization to extend deception to different types of cloud-native environments.
The Informer
With the ThreatDefend platform, attackers are deceived by different forms of lures, that appear as seemingly legitimate services on a network. The new Informer capability now captures all the forensic data from a deception encounter and makes it usable for an organization’s IT security staff. Crandall explained that all forensic data is correlated to the source attacker IP address and made available for viewing in a central dashboard and for download.
“Things like endpoint memory and registry changes are often lost and unavailable for forensic analysis,” Crandall said. “As part of the Informer offering, information like this and other attack data is captured, automatically correlated, and then summarized into a single dashboard.”
Data from the Informer can be exported into multiple different types of formats that can then be consumed by other technologies that an organization might be using for incident response and threat hunting. Crandall said that the forensics and event data can be extracted as PCAPs, Mandiant IOC, CSV, or STIX formats.
ThreatOps Playbooks
Another key attribute of the ThreatDefend platform is a feature known as ThreatOps playbooks, which enable incident response capabilities. Crandall said that ThreatOps and native integration actions including blocking and quarantine have been available for viewing in various places within the Attivo platform for the past several years.
“Informer ups the game on this by creating a solution that puts the relevant playbooks and actions in single dashboard that is designed for responder efficiency,” she said. “There are also new integrations that have been added in this release including the addition of Reversing Labs to existing threat intelligence feeds from Virus Total, Webroot, ThreatConnect, and McAfee DXL to name a few.”
Looking forward, Crandall said that Attivo will continue to build tools and resources to further arm the defender against advanced adversaries. Among the features that Attivo is developing is advanced deception technology in support of cloud and specialized environments. She added that Attivo is also working on deeper integration with EDR platforms, more visibility tools for assessing attacks, attack surfaces and risk, and further native integrations for accelerating incident response.
Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com. Follow him on Twitter @TechJournalist.