Dr. Peter Stephenson
It’s been a bit over a year since I published my review of Attivo BOTSink and today the company’s product suite does not look at all the same. Of course, one would expect that from a company selected as one of ten Black Unicorns by “Cyber Defense Magazine”, but the differences, while perhaps surprising in some ways, are intuitively logical if one examines the problem Attivo is solving.
A year ago my focus was on the BOTSink product. BOTSink is a deception network and, as I said back then, I see deception as the chief interdiction tool for today’s networks. However, I also said, “The core area of growth that I see is leveraging AI to automate the deception, response and forensics capabilities even more than they are today”.
Well, I was at least partially right. Rather than sticking to that vertical approach alone, however, Attivo has expanded horizontally as well. It now is a growing security defense ecosystem and, that makes it nearly unique in the field.
Back in the day we talked about an organization needing a coherent “security stack”. That implied a sort of integrated set of tools, each tool having an isolated purpose. The IDS detected intrusions, the DLP prevented data leaks and so on. One product usually didn’t have direct integration with others so some method of data sharing was necessary. Enter the “security blob”.
The security blob, unlike the security stack, was far more integrated and the individual pieces talked to each other fairly well. In fact, some companies – such as Mcafee – integrated everything under a single console moving closer to a single security infrastructure. But the products still were separate entities and effective though they were, they simply could not compete with the adversary when the adversary is attacking at wire speeds at different locations – often from inside – in a large enterprise.
Also, most product suites evolved from a single product – perhaps an anti-malware tool or a SIEM. This evolution often was through acquisition rather than in-house innovation. For the most part, that is where we are today… except with Attivo.
Background
When I wrote my review a year ago I concentrated on BOTSink but since then there have been some notable additions to the ecosystem. The biggest change is not really a change, per se, but, rather, an evolution. The evolution focuses strongly on identity security. From the Attivo perspective, though, that needs a bit of clarification.
When we think of identity we usually think of users. However, it is more realistic to revert to the definitions that have been part of the security vocabulary since the beginning: subjects and objects. To quote O’Reilly’s CISSP Study Guide (4th edition) we find that “The subject of the access is the user or process that makes a request to access a resource” and that “The object of an access is the resource a user or process wants to access”. So for a process to ask for data from another process, the asking process is the subject and the process being queried is the object. The object will have some collection of authentication requirements in order to allow access.
As part of the access process, the object will have an identity. In a very simple example the object will have an ID and a password required for a subject to gain access. Unfortunately, if we look at the enterprise as a whole – including one or more cloud instances – we find that these identities are usually not well-protected. Worse, in most cases we don’t know whether they are or not.
Attivo’s place in the ecosystem is to identify and protect all identities across the enterprise. To do this, it treats identity itself as an object. It’s process is called identity security. This is not a new term but how Attivo achieves it is very advanced and the ecosystem uses both identity visibility and identity detection and response capabilities. One of the highest payback pieces of this is assessment and protection of Active Directory. The AD assessment piece alone does about 200 checks and is capable of over 70 detections. It will also provide live attack detection for mass changes or new security settings that would indicate that an attack may be occurring.
Where Are We Now?
Let’s take a really simple example. Suppose that you have a web site that requires login. You use Chrome and Chrome is set up to log you in automatically. Only Chrome should be able to do that. An intruder should not be able to log in as a proxy for Chrome claiming – to the object – that he or she is Chrome. Some process is necessary to protect those credentials and Attivo calls it “cloaking”. Cloaking, a modern form of deception hides credentials and binds them to the executable.
As before, deception plays a central role. In the Chrome example, when the attacker tries to access a cloaked identity, the effort is redirected to a decoy and the attacker believes that he or she has been successful. Meanwhile, Attivo quietly is gathering forensic evidence about the attacker to use later if necessary.
A big issue with enterprises that include cloud deployments is, put simply, permissions management. For this Attivo has added CIEM (Cloud Infrastructure Entitlement Management). Taking the cloud into consideration – along with the rest of the enterprise – Attivo now has a comprehensive end-to-end identity security ecosystem. That system covers endpoint protection, AD protection and cloud protection. These elements permit Attivo to manage the entire security process.
An attacker sill starts by compromising a local account. From that compromise he/she will perform reconnaissance and attack the AD and other configuration data. This allows a compromise of a privileged account leading to the compromise of the AD. Clouds are next and now the attacker has everything needed to own the system and exfiltrate data. Attivo addresses each of these steps directly.
Today a large majority of successful compromises began with phishing. Attivo addresses that by reducing the attack surface. Using its AI, Attivo discovers lateral paths to critical assets, tests AD for vulnerabilities and manages cloud identity and privileges. Attivo always makes the assumption that the attacker has entered the system successfully (zero trust security) and addresses lateral movement, privilege escalation and discovery among other attack functions. The organization has the option to misdirect the attacker away from production assets to a dead-end IP, or to decoys hosted on the BOTSink for forensic analysis. Note, however, that the BOTsink is not required to deploy the Identity Security solutions.
An interesting concept – typical in zero trust systems – is that one assumes that “victim zero” has been compromised. The exercise, then, is to prevent further damage.
While Attivo has routinely protected identity assets, the gains made over the past year have placed it at the forefront of a successful zero trust security strategy. As one might guess, zero trust is easy to talk about but not particularly easy to do. Evidence the various approaches by large security system vendors. Unfortunately, these approaches tend to be fragments with various pieces put together to achieve the goal. These pieces focus on individual aspects of zero trust implementation.
Attivo, on the other hand has implemented a fully integrated ecosystem made up not of individual products pieced together, but of a single well-integrated whole solution to the problem. By well-integrated I mean – in this case – a single system with its functionality integrated into a coherent whole. Certainly, some of these capabilities are available in stand-alone tools, but why would anyone want to do that? If you have an enterprise problem, it demands an enterprise solution.
Looking at MITRE’s ATT&CK matrix, we can see that Attivo’s core strength fits neatly between the core strength of endpoint detection and response (EDR) and data leakage protection (DLP). Attivo covers credential access, discovery, lateral movement and collection, all key aspects of developing a comprehensive zero trust system. In addition, of course, Attivo covers certain aspects of EDR and DLP core strengths such as creating accounts and account manipulation (persistence – functions in EDR), Account escalation (privilege escalation in EDR), group policy modification (defense evasion in EDR) and automated exfiltration (exfiltration in DLP).
I have focused this analysis on those things that, on a broad scale, I find particularly exciting. However, the list of additional functionality added in the past year is extensive and includes, among other things:
- AD protection
- Identity detection and response
- Cloud Infrastructure Entitlement Management
- AD query visibility
- Host fingerprinting
- Target reconnaissance
- AD assessment
- Cloud entitlements
- AD redirection
- Endpoint deflection
- Data cloaking
- AD live attacks
- Credential cloaking
- Various remediation options
The user interface is, as ever, superb. There is a huge amount of information here but it is manageable. UIs under a single pane of glass – as this one is – tend to get overly complicated. However, the drill-downs in this case provide obvious answers to questions resulting from examining the level up. If you have used BOTSink you’ll find this like an old friend but with quite a bit more meat. Attivo also offers a Central Manager as an enterprise-wide management console. There is also an Identity Central Manager for those that want to deploy the identity security functions but not engage with decoys. If you’re new to Attivo, don’t worry. This is so close to intuitive that you’ll have no trouble. There are lots of aids to deployment such as step-by-step guides and you can start loose and tighten up as you see results and define you objectives.
Opinion
It remains to be seen where this system is headed, but the Attivo objective has been to stay ahead of the adversary. Ever since BOTSink first appeared they have had varying degrees of success at that, always staying ahead of the game – sometimes way ahead – and never a failure. The bad guys are always with us and they absolutely are getting “badder”. We used to read about money going missing after a hack but today lives are being lost as well. I thought then – a year ago – that this is the company and system to watch and I think that still and certainly more so than a year ago.
My recommendation is that you give this one a solid try because as my old granddad used to say, “It ain’t over yet.” Doubly true when we see the havoc being wrecked by the cyber adversary. If you want to wrap your enterprise in a first-rate security blanket, this is your chance.
The Attivo ecosystem is highly recommended.
P. R. Stephenson, PhD, CISSP (lifetime)