This is deception technology. It is, really, a high-interaction honeypot on steroids. The system consists of two pieces: the BOTsink, a deception platform, and IRES (Information Relay and Entrapment System) deception lures. Simply put, the attacker performs certain actions that the system recognises as dodgy behaviour, and the system directs the attacker to the deception lures. The lures can be just about any operating system or application. They are heavily instrumented, and when that behaviour is recognised the attacker is driven to the BOTsink for detection and action.
The BOTsink is an appliance - it can be physical, virtual or cloud-based - and the deception lures are specifically configured virtual machines. Setting up the BOTsink is straightforward and we saw no difficulty getting it up and monitoring quickly. The range of deception lures is impressive, including lots of flavours of Linux, just about all recent versions of Windows, and SCADA platforms as well.
The tool watches for certain things, such as scans, lateral movement and attempts at disallowed configurations. When it sees that activity it engages with the attacker. By that, Attivo means that it takes some action, such as closing a port. The tool then determines the command-and-control structure, masquerades as the C&C server and collects the data the intruder intended for it.
At a glance
Product: BOTsink Deception Server
Company: Attivo Networks
What it does: Deception technology platform.
What we liked: Simple without being simplistic. Covers a lot of territory, allows creative configuration and can be up and running in a very short time. Solid deception technology application.
BOTsink also performs, with the help of VirusTotal, detailed malware analysis. All of this information is available on the dashboard. The process showing on the dashboard is based on Attivo's special version of the kill chain. We found that clear and concise with more than enough "at a glance" data to allow an analyst to assess the state of the network very quickly.
Drill-down from the dashboard is excellent and the amount of forensic data available is significant. One of the bonuses that BOTsink provides is the automatic generation of IOC and STIX files. These two types of files - indicators of compromise and Structured Threat Information Expression - are an excellent way to gather and analyse attacks, not to mention their effectiveness in communicating attack information to devices such as SIEMs, provided the device is able to consume the files, something that is becoming increasingly common.
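The review says BOTsink emits STIX files for a SIEM or other device to consume. As an added example, not Attivo's code and not a real BOTsink export, here is a small Python consumer for such a file: it pulls the blockable observables out of each indicator's pattern and drops revoked or expired indicators, and pattern forms it cannot safely interpret, rather than guessing. The bundle, its ids and all values are constructed (reserved address ranges, a `.invalid` domain, a placeholder hash); the STIX 2.x JSON format with `stix` pattern_type is an assumption, since the review does not say which STIX version the product writes.

```python
"""Consume a STIX 2.x JSON bundle and pull out blockable indicators.

Added example with constructed data; assumes STIX 2.x JSON bundles whose
indicators use 'stix' patterns (an assumption, not a documented BOTsink format).
"""
import json
import re
from datetime import datetime, timezone

# Constructed sample bundle: RFC 5737 addresses, an .invalid domain and a
# zero hash. None of these values are real indicators of compromise.
SAMPLE_BUNDLE = json.dumps({
    "type": "bundle", "id": "bundle--11111111-1111-4111-8111-111111111111",
    "objects": [
        {   # live indicator whose pattern names two observables
            "type": "indicator", "spec_version": "2.1",
            "id": "indicator--22222222-2222-4222-8222-222222222222",
            "created": "2024-01-01T00:00:00.000Z", "modified": "2024-01-01T00:00:00.000Z",
            "indicator_types": ["malicious-activity"], "pattern_type": "stix",
            "pattern": "[ipv4-addr:value = '203.0.113.10' OR domain-name:value = 'c2.example.invalid']",
            "valid_from": "2024-01-01T00:00:00Z",
        },
        {   # indicator with a valid_until in the past (relative to the test clock)
            "type": "indicator", "spec_version": "2.1",
            "id": "indicator--33333333-3333-4333-8333-333333333333",
            "created": "2024-01-01T00:00:00.000Z", "modified": "2024-01-01T00:00:00.000Z",
            "indicator_types": ["malicious-activity"], "pattern_type": "stix",
            "pattern": "[file:hashes.'SHA-256' = '" + "00" * 32 + "']",
            "valid_from": "2024-01-01T00:00:00Z", "valid_until": "2024-02-01T00:00:00Z",
        },
        {   # revoked indicator: must never reach the blocklist
            "type": "indicator", "spec_version": "2.1",
            "id": "indicator--44444444-4444-4444-8444-444444444444",
            "created": "2024-01-01T00:00:00.000Z", "modified": "2024-01-02T00:00:00.000Z",
            "revoked": True, "indicator_types": ["malicious-activity"],
            "pattern_type": "stix", "pattern": "[ipv4-addr:value = '198.51.100.7']",
            "valid_from": "2024-01-01T00:00:00Z",
        },
        {   # non-indicator object: bundles carry these too; ignored here
            "type": "malware", "spec_version": "2.1",
            "id": "malware--55555555-5555-4555-8555-555555555555",
            "created": "2024-01-01T00:00:00.000Z", "modified": "2024-01-01T00:00:00.000Z",
            "name": "constructed-sample", "is_family": False,
        },
    ],
})

# One STIX comparison: <object-type>:<property path> = '<literal>'.
# Only equality against a string literal is handled; anything else is reported.
COMPARISON = re.compile(
    r"(?P<obj>[a-z0-9-]+):(?P<path>[A-Za-z0-9_.'-]+)\s*=\s*'(?P<value>[^']*)'"
)

# Observable paths that map cleanly onto a block or lookup list.
SUPPORTED = {
    "ipv4-addr:value": "ipv4", "ipv6-addr:value": "ipv6",
    "domain-name:value": "domain", "url:value": "url",
    "file:hashes.'SHA-256'": "sha256", "file:hashes.MD5": "md5",
}


def _ts(value):
    """Parse an RFC 3339 timestamp with a 'Z' suffix into an aware datetime."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def extract_iocs(bundle_json, now=None):
    """Return ({kind: set(values)}, [(indicator id, reason skipped)]).

    'now' is an RFC 3339 string (None means the wall clock) so the
    valid_until check can be pinned to a fixed time in tests.
    """
    clock = _ts(now) if now else datetime.now(timezone.utc)
    bundle = json.loads(bundle_json)
    if bundle.get("type") != "bundle":
        raise ValueError("not a STIX bundle")
    iocs, skipped = {}, []
    for obj in bundle.get("objects", []):
        if obj.get("type") != "indicator":
            continue
        oid, pattern = obj.get("id", "<no id>"), obj.get("pattern", "")
        if obj.get("revoked"):
            skipped.append((oid, "revoked")); continue
        if obj.get("pattern_type", "stix") != "stix":
            skipped.append((oid, "unsupported pattern_type")); continue
        if "valid_until" in obj and _ts(obj["valid_until"]) <= clock:
            skipped.append((oid, "expired")); continue
        if "!=" in pattern or re.search(r"\bNOT\b", pattern):
            skipped.append((oid, "negated pattern")); continue  # never block on a negation
        matched = False
        for m in COMPARISON.finditer(pattern):
            kind = SUPPORTED.get(f"{m['obj']}:{m['path']}")
            if kind is None:
                skipped.append((oid, f"unsupported observable {m['obj']}:{m['path']}")); continue
            iocs.setdefault(kind, set()).add(m["value"])
            matched = True
        if not matched:
            skipped.append((oid, "no usable comparison"))
    return iocs, skipped


def render_blocklist(iocs):
    """Flatten to sorted 'kind<TAB>value' lines, the shape a SIEM lookup table takes."""
    return [f"{k}\t{v}" for k in sorted(iocs) for v in sorted(iocs[k])]


if __name__ == "__main__":
    found, dropped = extract_iocs(SAMPLE_BUNDLE)
    print("\n".join(render_blocklist(found)))
    for oid, why in dropped:
        print(f"# skipped {oid}: {why}")
```

The skipped list is as useful as the blocklist: an analyst should see why an indicator did not become a block rule (revoked, expired, or a pattern the consumer does not understand) rather than silently losing it.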
This is a very complex tool. It does a lot, it does it in significant detail and it provides lots of output. For all of that, it is not a tremendously complicated tool to deploy or use. With a little practice you can get some pretty cool configurations, well-tuned to your environment. Hackers are very proud of the "fact" that they can discover and escape from any honeypot. We would bet that is not the case here. There is a nice mix of the real and the lure devices that will tax the most skilled intruder or complex malware.
While this is not the silver bullet that, by itself, will protect you, it is a solid start and will make a substantial impact on the effectiveness of your security stack. In addition to IOCs and STIX files, it can generate a CSV for any vulnerability that the attacker exploits and - this is one of our favourites - can generate a PCAP of the attack activity for forensic examination in depth. That means that it can communicate with any device that can consume one of these file types - typically STIX - providing solid alerting and blocking, plus it can provide extensive forensic data.
Since the product connects to a trunk port, it needs no tap or SPAN port. Documentation is good and support is available under a support contract which includes software updates, installation and professional services. BOTsink is best deployed in support of other prevention tools. Its ability to output files that these tools can consume makes it an excellent partner in securing your enterprise, providing the actionable intelligence that you need in a form that your other security tools can use.
We liked this tool and we were impressed by its comprehensive capabilities. Not all enterprises contain such devices as SCADA, but today many do. There are not a lot of tools of any kind available to add SCADA protection to the security stack. That we found impressive. It was just an indication that this is a well thought-out implementation by a company that has been around since 2011.
If you are looking at deception devices, don't leave this one off your list. And, if you have a network with a target printed on it, you really need tools such as BOTsink to stay ahead of the bad guys.