Attivo ThreatMatrix in AST Homeland Security Awards (Multi-Video)

Attivo Networks, Recognized as the Leader in Deception-Based Threat Detection
Attivo Networks changes the game on the modern-day human attacker. Deception technology provides a threat defense of traps and lures designed to deceive attackers into revealing themselves. Engagement-based attack analysis, forensics, and 3rd party integrations accelerate incident response.

Attivo Networks is an award-winning provider of deception for in-network threat detection, attack forensic analysis, and continuous threat response.

Stop attackers in their tracks with the real-time detection of threats that have bypassed prevention security systems.

The Attivo Networks ThreatMatrix Deception and Response Platform changes the balance of power with sophisticated deception technology that deceives an attacker into revealing themselves.

Detailed attack analysis and forensics accelerate incident response and provide protection against future cyber attacks.

(A brief introduction to deception technology and the Attivo Networks ThreatMatrix Deception and Response Platform. Courtesy of Attivo Networks and YouTube)

Critical infrastructure protection currently follows the NIST Cyber Security Framework and Presidential Policy Directive PPD-21.

These outline the steps needed for analysis, assessment, indicators, warning, and response.

Attivo Networks assessed these frameworks and designed its ThreatMatrix Deception and Response platform to empower organizations with continuous threat management as defined in these models.

Deception-Based Threat Detection

The first area is analysis and assessment.

The Attivo solution provides attack path vulnerability assessment of the network based on exposed and orphaned credentials and other vulnerabilities that create on-ramps for an attacker.

Additionally, topographical maps of the network provide visibility into assets as they come on and off the network.

Maps can also show attack time-lapsed replay so that organizations can understand and analyze the lateral movement of an attack.

The second area is indicators and warning.

In this day and age, where we are heavily reliant on ICS, real-time situational awareness is critical.

Additionally, an increasing number of proactive government practitioners and organizations are connecting sensor-based data and operational infrastructure to enable real-time intelligence.

These both come with their own sets of security risks.

ICS often operates on older, unpatchable systems where security standards are lacking, common passwords are often used, and the concept of a true “air gap” is fading rapidly in a connected world.

Ultimately, attackers can and will bypass perimeter security and get inside the network.

The BOTsink deception servers are designed to provide early warning of attackers in the network by setting traps that appear as production assets.

These decoys run the same protocols as ICS and IoT devices for authenticity and are designed to deceive and misdirect the attacker into engaging and revealing their presence.

Attivo Deception for Threat Detection

Response is the third area.

As the attacker engages with the deception environment, the BOTsink multi-correlation engine analyzes the attack and creates the forensic reporting for the incident.

This attack information then produces evidence-based alerts, viewable in a threat intelligence dashboard from which actions can be taken with a double click, through 3rd party integrations, to block and quarantine attackers.

Companies and agencies can then create repeatable playbooks based on information that they would like shared with their firewalls, endpoint, NAC, and SIEM solutions, so that their security policies can automatically be applied.

In ICS environments, where human lives and safety can be quickly at risk, it is not enough to simply think like an attacker and know how they get in.

One must think like a responder and have deep expertise in detecting and defending against these attackers.

Attivo engineers have applied their extensive expertise in intrusion detection and protection and have designed the ThreatMatrix BOTsink solution for optimal efficiency in ICS network threat detection and accelerated incident response.

Using Attivo deception, the game has changed: attackers must now be right 100% of the time or be caught, and when they are caught, organizations are equipped to respond to them quickly and efficiently.

Comprehensive Deception and Decoy

Make the Entire Network a Trap to Confuse and Misdirect Attackers into Revealing Themselves

  • Decoys appear identical to production assets, luring attackers into revealing themselves.
  • Decoy configurations run real Linux, Mac, and Windows OS and are customizable to match the “golden image” of the production environment.
  • Deception lures (bait) redirect attackers trying to infect endpoints, servers/VMs to engagement servers for detection.
  • Bait includes deception credentials, ransomware bait, and other deception lures.

(Learn More about Attivo Networks and deception technology from AFCEA West 2017. Courtesy of Attivo Networks and YouTube)

Attivo Networks ThreatMatrix Platform Achieves Common Criteria EAL2+ Certification

The ThreatMatrix Platform, which is comprised of Attivo BOTsink engagement servers, decoys, and deceptions, a Multi-Correlation Detection Engine (MCDE), the ThreatStrike end-point deception suite, and the Attivo Central Manager (ACM), has earned Common Criteria Evaluation Assurance Level 2+ (EAL2+) certification, according to Norwegian CCRA member SERTIT.

Common Criteria is an internationally recognized standard which defines a framework for evaluating the security of IT products.

US government organizations, international government entities from 27 different countries, and many global Fortune 500 corporations require Common Criteria certification to aid in the evaluation of IT products for their infrastructures and often require contractors to uphold the standard as well.

The certification requires developer testing, vulnerability analysis, product lifecycle management process assessment, and independent testing based on detailed Target of Evaluation (TOE) specifications.

The evaluation determined that the Attivo ThreatMatrix system, configured to include the BOTsink, ThreatStrike and Central Management solutions, meets the security criteria defined in the Security Target, which specifies EAL2+.

Tushar Kothari, CEO of Attivo Networks

“We are extremely pleased that the Attivo deception platform has received this critical certification because it provides validation to both corporate and government agency prospects that the solution has stood up against extremely stringent testing,” says Tushar Kothari, CEO of Attivo Networks.

“Attivo is the only company in this category to receive this certification, right when the need for detection technology is greater than ever and attackers continue to relentlessly demonstrate their ability to breach traditional security systems.”

“We are pleased to have the opportunity to work with the emerging technologies offered by Attivo Networks to perform Common Criteria evaluation and FIPS 140-2 testing of the Attivo Networks’ products,” said Eugene Polulyakh, General Manager at Advanced Data Security, an accredited FIPS and Common Criteria testing laboratory located in San Jose, California.

“The FIPS 140-2 and Common Criteria testing and evaluation process includes analysis of the security architecture, vulnerability analysis, and penetration testing of the products, as well as analysis of the cryptographic algorithms implemented by the products to test for compliance with advanced cryptographic standards.

The Common Criteria certification of the Attivo Networks’ solution is a significant accomplishment that highlights Attivo Networks’ commitment to offer secure and reliable products.”

Attivo ThreatMatrix deception

The ThreatMatrix deception solution is designed for efficiency and friction-less deployment.

  • The solution is not in-line, so it doesn’t require process changes or network redesign to install.
    • Organizations can be up and running deception in under an hour and can make their entire network a ubiquitous trap for cyber attackers.
  • Attivo deception is exceptionally comprehensive and authentic, running real operating systems and with full golden image customization to the production environment.
    • Dynamic deception techniques and sophisticated deception lures deceive an attacker into engaging regardless of whether the threat vector is a zero day, stolen credential, ransomware, MitM or insider attack.
  • The platform seamlessly scales to support user networks, datacenters, cloud, ICS-SCADA and IoT environments, and provides a centralized threat management console.
  • Detection is based on deception vs. database lookup or pattern matching, eliminating the need to cull through logs and deal with false-positive alerts.
    • Attivo alerts are engagement-based and substantiated with attack details, which simplify incident response and negate the need for additional resources to operate the solution and respond to an incident.
  • Attivo provides its own sandboxing technology that analyzes and provides forensic reporting of each attack.
    • Full TTP information, infected IP addresses, signatures and other attack detail required to isolate and block an attacker are immediately provided, dramatically accelerating incident response and automating response actions with firewalls, NACs, SIEMs per an organization’s preference.
    • Customers regularly cite the time savings of the ThreatMatrix analysis engine, which automates the analysis and reporting of advanced malware and suspicious phishing emails.
  • ThreatPath™ attack prevention reporting provides continuous visibility into a company’s vulnerabilities and weak links by highlighting attack path risks based on misconfigurations or credentials on non-designated computers, by showing the infected endpoints, and automating trouble ticket requests for systems needing remediation.
  • Deception is a game changer in both its high efficacy and in efficiency to operate and most impressively at a cost that doesn’t break the bank.
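The detection model described in the "Response" section above and in this list (an attacker touching a decoy or replaying a planted credential is, by construction, unauthorized, so the alert needs no signature or pattern match and carries its own evidence and playbook) can be illustrated with a small, self-contained simulation. This is an added example written for this page, not Attivo's code; the decoy inventory, the planted credential names, the log format and the playbook actions are all constructed assumptions.

```python
# Engagement-based detection: any contact with a decoy host, or any use of a
# deception credential, is unauthorized by definition, so each hit becomes an
# evidence-backed alert with a repeatable response playbook. (Constructed example.)
from dataclasses import dataclass, field

# Assumed decoy inventory and planted credentials (constructed values).
DECOY_HOSTS = {"10.0.5.20": "decoy-plc-01", "10.0.5.21": "decoy-fileserver"}
DECEPTION_CREDENTIALS = {"svc_backup_admin", "plc_maint"}


@dataclass
class Alert:
    attacker_ip: str
    decoy: str
    evidence: str
    playbook: list = field(default_factory=list)


def parse_event(line):
    # Constructed log format: "<src_ip> <dst_ip> <service> <user> <outcome>"
    src, dst, service, user, outcome = line.split()
    return {"src": src, "dst": dst, "service": service, "user": user, "outcome": outcome}


def playbook_for(src):
    # Repeatable actions handed to firewall / NAC / SIEM integrations (constructed format).
    return [f"firewall: block {src}",
            f"nac: quarantine {src}",
            f"siem: tag {src} deception-engagement"]


def detect(lines):
    """Return one Alert per engagement; legitimate traffic never matches."""
    alerts = []
    for line in lines:
        ev = parse_event(line)
        if ev["dst"] in DECOY_HOSTS:
            alerts.append(Alert(ev["src"], DECOY_HOSTS[ev["dst"]],
                                f"{ev['service']} engagement as {ev['user']}",
                                playbook_for(ev["src"])))
        elif ev["user"] in DECEPTION_CREDENTIALS:
            alerts.append(Alert(ev["src"], "deception-credential",
                                f"use of planted credential {ev['user']} against {ev['dst']}",
                                playbook_for(ev["src"])))
    return alerts


# Constructed sample log: one legitimate access, one decoy touch, one replayed bait credential.
SAMPLE_LOG = [
    "10.0.1.15 10.0.2.40 smb alice success",
    "10.0.1.77 10.0.5.20 modbus - connect",
    "10.0.1.77 10.0.2.40 rdp svc_backup_admin failure",
]
```

Running `detect(SAMPLE_LOG)` yields two alerts for 10.0.1.77 and none for the legitimate SMB access, which is the "no false positives" property the page attributes to engagement-based detection.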

(DJ Goldsworthy, Senior Manager of Threat and Vulnerability Management at Aflac, Inc., shares how deception has helped Aflac, Inc. significantly improve their threat detection abilities while providing zero false positives. Courtesy of Attivo Networks and YouTube)

Attivo Networks® is the leader in deception technology for real-time detection, analysis, and accelerated response to advanced, credential, insider, and ransomware cyber-attacks.

The Attivo ThreatMatrix™ Deception and Response Platform accurately detects advanced in-network threats and provides scalable continuous threat management for user networks, data centers, cloud, IoT, ICS-SCADA, and POS environments.

Attivo ThreatMatrix in 2017 ‘ASTORS’ Homeland Security Awards Program

The 2017 ‘ASTORS’ Homeland Security Awards Program was organized to recognize the most distinguished vendors of Physical, IT, Port Security, Law Enforcement, First Responders, (Fire, EMT, Military, Support Services Vets, SBA, Medical Tech) as well as the Federal, State, County and Municipal Government Agencies, and to acknowledge their outstanding efforts to ‘Keep our Nation Secure, One City at a Time.’

As an ‘ASTORS’ competitor, the Attivo ThreatMatrix will be competing against the industry’s leading providers of innovative critical infrastructure protection and intrusion detection solutions.

Good luck to Attivo ThreatMatrix on becoming a Winner of the 2017 American Security Today’s Homeland Security Awards Program!

To learn more about ThreatMatrix and Attivo Networks’ wide range of offerings, please visit the company’s website at