Attivo Networks has extended its suite of deception tools by adding the Informer to its ThreatDefend Platform. The Informer will deliver real-time forensics of an attack. This allows defenders to see what an attacker is doing and use that data to plan their own response and remediation.
Forensics of an attack in action are often hard to get. Importantly, the process of responding to an attack often destroys forensic data. This prevents law enforcement and investigators from getting a deep insight into an attack and building a case to prosecute.
One of the key benefits that Attivo Networks is touting for the Informer is the ability to reduce dwell time. Dwell time is the length of time an attacker sits inside a network before they are detected. Having the ability to understand how the attacker got in, what they are doing and where they have been will allow defenders to change their defensive posture and close vulnerabilities.
According to Tushar Kothari, CEO of Attivo Networks: “As attackers become more sophisticated, it’s critical to not only detect their presence but also gain valuable adversary intelligence to anticipate the attacker’s strategy. With the Informer solution from Attivo, defenders now have a more complete view of the attack, can predict where the attacker will move, and can adjust their defenses accordingly to mitigate the risk of a breach.”
What does the Informer provide?
The press release highlights five areas where the Informer will provide more information. These are:
- Delivering an accurate chronological session view of all attacker activity from specific IP addresses as well as host system and network characteristics.
- Capturing forensic information inclusive of volatile memory, registry, and file changes along with lateral movement and network activities. This provides a consolidated view of the source of an attack for the analyst to access, reducing containment, eradication, and recovery times. Additionally, necessary access to forensic artifacts is presented in a clear, concise, indexable manner that responders and analysts will recognize and can take action on.
- Providing critical attack details such as memory forensics, endpoint activity, initial compromise intelligence, network packet captures, exploit code, targeted files and system logs that are all collated with a single view and can be easily accessed by all team members. The dashboard saves responders valuable time by displaying detection information in an actionable format and by organizing the attack data for faster intelligence analysis and a means to retrace attacker activities.
- Displaying all lateral movement paths that the attacker has access to, showing potential target systems and open attack paths an attacker would try to compromise and exploit.
- Triggering automated response through native integrations or predefined ThreatOps™ playbooks, accelerating incident response to increase efficiency and reduce effort.
Enterprise Times: What does this mean
Unsurprisingly, Attivo Networks is claiming that the Informer will deliver a demonstrable improvement in the ability to detect and respond to attacks. It certainly offers a set of capabilities that should improve life for defenders, but by how much, and how effectively, remains to be seen.
The ability to provide forensic insight is something that most security tools lack. That is because they are focused on helping customers remediate attacks. While this should always be the main focus, unless defenders know how an attack took place, where the attacker has been and what they have done, it is hard to know the impact of an attack.
Given the increased emphasis on privacy through compliance, the Informer announcement could be a clever play. Knowing you have had a breach and knowing exactly what has been stolen and over how long are two different things. The latter is essential to identify and remediate the problem. It seems that the Informer could well be that missing piece of the puzzle that many security teams lack.