
www.attivonetworks.com Whitepaper 1

WHITEPAPER

ATTIVO NETWORKS THREAT DECEPTION TO COMPLY WITH THE RESERVE BANK OF INDIA CYBERSECURITY FRAMEWORK


TABLE OF CONTENTS

Executive Summary 3

RBI Compliance Framework 4

The Attivo Networks Solution 7

Compliance Summary 8

RBI Guidelines 8

Annex 1 10

Annex 2 12

Annex 3 14

Basic Information 15

CSIR Form 15

Technical Summary 17

About Attivo Networks 19


EXECUTIVE SUMMARY

The Reserve Bank of India’s Cyber Security Framework calls for a range of techniques and policies to help banks in India operate securely in an evolving threat landscape, including a call to implement honeypot threat deception and counter-response capabilities.

This whitepaper explains how the Attivo Networks® ThreatDefend™ platform enables organizations to meet the specific compliance requirements set out in the RBI CS Framework, along with numerous other requirements. It further explains how the Attivo Networks solution provides comprehensive detection and response to organizations under threat.

RBI COMPLIANCE FRAMEWORK

The Reserve Bank of India updated its Cyber Security Framework [1] in 2016 to reflect the changing threat landscape financial institutions in India face. The goals outlined in the framework define baseline security controls, improve resilience, and move banks to a proactive defense posture. The Framework is written from the perspective that a breach has already occurred or will occur, moving the focus from solely preventative tools to detection, containment, and response.

The Framework is divided into four main sections: overall guidelines for compliance followed by three Annexes. The first annex covers the baseline cybersecurity and resilience requirements, the second relates to the setup and configuration of a Cybersecurity Operations Center (C-SOC), and the third defines the requirements, and provides a template, for reporting cybersecurity incidents.

In the sections below, we show where the Attivo Networks ThreatDefend platform helps an organization comply with specific components of the Framework, while easily and efficiently improving its overall security posture.


THE ATTIVO NETWORKS SOLUTION

With the ThreatDefend™ platform, Attivo Networks® uses deception to add layers of defense to an organization’s existing defense-in-depth strategy. Defense in depth is especially important in the financial services industry and is highlighted in the RBI Compliance Framework. The ThreatDefend platform includes several components that build a strong foundation for a security platform exceeding the requirements laid out in the RBI Compliance Framework.

The BOTsink server is the base of the ThreatDefend platform, providing the user interface (UI), the virtual machines that host decoys, and threat response. The BOTsink server exceeds the RBI framework’s requirement for threat deception. This server also hosts other parts of the system, such as the ThreatOps system, which allows fully automated attack response integrated with an organization’s existing security tools. This capability more than fulfills the Framework’s requirement for a threat response capability. In addition, the BOTsink server hosts the ThreatPath application, which provides a human-oriented visualization of the paths an attacker could leverage once inside the network.

The Attivo Networks ThreatDefend platform also includes the ThreatStrike system, which places decoys on endpoints across the protected environment to deceive an attacker with decoy credentials, shares, and documents that lead them to the decoys on a BOTsink server. Additionally, the lightweight ThreatDirect virtual machine lets an organization project decoys into remote locations without requiring additional BOTsink servers.

As a whole, the Attivo Networks ThreatDefend platform meets a broad range of requirements outlined in the Reserve Bank of India’s Cyber Security Framework. In the next sections, we look at specific requirements in the framework and how the ThreatDefend platform meets them.

COMPLIANCE SUMMARY

Attivo Networks meets a broad range of requirements laid out in the RBI Cybersecurity Framework. The summary here paraphrases, in broad strokes, the sections that the Attivo Networks ThreatDefend platform meets with a comprehensive deception, detection, and reporting solution.


Platform components (matrix columns): BOTsink | ThreatStrike | ThreatOps | ThreatPath

COMPLIANCE GUIDELINES

Index 1: Proactively meet emerging threats

Index 2 & 5: Implement adaptive incident response and recovery

Index 6: Perform continuous surveillance

Index 12: Implement incident management for detection, response, recovery and containment

Index 14: Report cybersecurity incidents

ANNEX 1: STRATEGIC LEVEL CYBERSECURITY

Index 3.2: Include monitoring for building management systems

Index 4.7: Include systems to detect and remedy unusual endpoint or network activity

Index 4.9: Enable escalation on abnormal or unusual activity

Index 8.2: Protect user access credentials

Index 8.5: Monitor administrative user access

Index 8.7: Monitor changes in login patterns

Index 13.1: Include defenses against the spread of malicious code

Index 13.2: Implement a range of AV/AM defenses

Index 15.1: Develop a data loss prevention strategy

Index 15.2: Protect data on endpoints and in motion

Index 15.3: Provide protection at vendor managed remote sites

Index 18.1: Conduct penetration tests on critical systems

Index 19.6c: Collect and share threat information through accepted means

Index 19.6f: Implement process to align incident response and forensics to minimize down time

Index 22.1: Have tools to support network forensics


ANNEX 2: C-SOC REQUIREMENTS

Introduction 1: Security of financial transactions is paramount

Introduction 3: Implement efficient and cost-effective tools and policies

Governance 1: Provide reports to management

Governance 2: Provide dashboards and oversight

CSOC point 1: Adapt to a changing threat landscape

CSOC point 3: Continuously correlate and report anomalies

CSOC point 4b: Be able to conduct forensics and packet analysis

CSOC point 4d: Include analytics and GeoLocation

CSOC point 4e: Include counter-response and honeypot services

Expectation 2: Provide real-time information on the bank’s security posture

Expectation 3: Effectively prepare for and manage cyber security risks

Expectation 4: Provide threat intelligence and proactively analyze threats

Expectation 5: Be able to understand the nature of an attack

Expectation 6: Integrate logging, ticketing and case management workflows

SOC Responsibilities: Monitor for, respond to, and manage incidents, and conduct forensic analysis

External integration: Integrate external threat intelligence feeds

ANNEX 3: INCIDENT REPORTING

Basic Information: Multiple aspects

CSIR Form: Multiple aspects


The following sections go into much greater detail on each aspect outlined above, including more details on the Framework and exactly how the Attivo Networks ThreatDefend platform helps you meet those requirements.

RBI GUIDELINES

The Guidelines section addresses cyber security at a strategic level for organizations in India’s banking industry.

FRAMEWORK REFERENCE | FRAMEWORK REQUIREMENT | ATTIVO NETWORKS SOLUTION

Guideline: index 1 “The measures suggested for implementation cannot be static and banks need to pro-actively create/fine-tune/modify their policies, procedures and technologies based on new developments and emerging concerns.” [2]

The Attivo Networks ThreatDefend Platform addresses the threats posed by increasingly sophisticated adversaries through the use of deception technology. Attivo ThreatDefend™ solutions empower organizations with an advanced deception and response platform that delivers early detection, insight into attacker threat path vulnerabilities, in-depth analysis, forensic reporting, and automations that can dramatically improve an organization’s incident response time.

Banks can customize the deception decoys to appear indistinguishable from real production assets to effectively deceive an attacker, while providing high fidelity alerts on intruder activity.

The Attivo Networks solution is also capable of learning and continuously changing the deception profile to detect attackers while maintaining the element of surprise.

Guideline: index 2 & 5 “It is essential to enhance the resilience of the banking system by putting in place an adaptive incident response, management, and recovery framework.” [3]

The Attivo Networks ThreatDefend Deception Suite automates attack analysis, forensic reporting, and accelerates mean-time-to-remediation with native integrations to a range of systems that automate response actions, including blocking, isolation, threat hunting, as well as the ability to create IT service tickets for faster remediation. Through ThreatOps playbooks, an organization can make response handling more consistent and repeatable.


Guideline: index 6 “It is essential the center ensures continuous surveillance and keeps itself regularly updated on the latest nature of emerging cyber threats.” [4]

The Attivo Networks solution provides continuous visibility across an organization’s infrastructure to detect in-network threats that other security controls miss.

It does not rely on signatures, pattern matching, or the latest software patches to accurately detect reconnaissance, Man-in-the-Middle (MitM), credential theft, or an attacker’s lateral movement.

Additionally, the attack analysis engine can automatically add threat intelligence from known attack databases, such as Webroot and VirusTotal, saving security teams the time and energy often lost in researching attacks.

Guideline: index 9 “It is essential that unauthorized access to networks and databases is not allowed and wherever permitted, these are through well-defined processes which are invariably followed.” [5]

The Attivo Networks solution provides accurate visibility of not only external threats, but also employee policy violations. The solution identifies unauthorized reconnaissance, gives visibility of devices coming on or off the network and reveals attempts to steal credentials.

The solution also includes the ThreatPath™ attack visualization tool, which provides a visual map of the pathways an attacker could use to traverse the environment. This includes orphaned and misused credentials and misconfigured systems. Decreasing this exposure reduces both the attack surface and an attacker’s ability to use credentials to escalate privileges.

Attivo Networks helps organizations identify their identity-based vulnerabilities. In addition to application deception, an organization can add data and database deceptions for counter-intelligence and detecting attackers early in their intrusion.

Guideline: index 12 “A Cyber Crisis Management Plan (CCMP) must address (i) Detection (ii) Response (iii) Recovery and (iv) Containment” [6]

The Attivo Networks solution uniquely provides visibility throughout the attack lifecycle, detects in-network threat activity that has bypassed traditional security controls, and accelerates incident response with automated attack analysis and incident handling. In addition to detection, Attivo deception can be used to lay traps to confirm that a threat has been eradicated and to derail an attacker if they return.


Guideline: index 12 “Among other things, banks should take necessary preventive and corrective measures in addressing various types of cyber threats including, but not limited to, denial of service, distributed denial of services (DDoS), ransom-ware / crypto ware, destructive malware, business email frauds including spam, email phishing, spear phishing, whaling, vishing frauds, drive-by downloads, browser gateway fraud, ghost administrator exploits, identity frauds, memory update frauds, password related frauds, etc.”

The ThreatDefend platform provides a range of defenses that let an organization detect and quickly respond to a broad range of attack methods and vectors, including targeted attacks, credential-based attacks, man-in-the-middle attacks, ransomware, crypto-ware, and other malware.

The solution is highly scalable and covers all attack surfaces including cloud, data centers, user networks, router and telecommunications infrastructure, IOT, ICS, POS, and application specific areas like SWIFT.

The ThreatDefend platform is not intended to replace prevention technology, but instead adds “eyes in the network” visibility to augment conventional perimeter defenses. Native integrations add defense in depth and rapid response with early detection, automated analysis, and incident response.

Guideline: index 14 “Banks need to report all unusual cybersecurity incidents (whether they were successful or were attempts which did not fructify) to the Reserve Bank. Banks are also encouraged to actively participate in the activities of their CISOs’ Forum coordinated by IDRBT and promptly report the incidents to Indian Banks – Center for Analysis of Risks and Threats (IB-CART) set up by IDRBT. Such collaborative efforts will help the banks in obtaining collective threat intelligence, timely alerts and adopting proactive cyber security measures.” [7]

The Attivo Networks solution includes the tools needed to accurately track and report an intrusion that has bypassed perimeter defenses, including the full range of the attacker’s Tactics, Techniques, and Procedures (TTP), and other forensic information needed to respond to and remediate threats.

TTP information is easily exported in a range of industry standard formats (STIX, IOC, CSV, PCAP) for external analysis or sharing with other organizations in the security community.

The system also provides detailed reporting in PDF and HTML formats that can be used to help exemplify best practices on production systems.


ANNEX 1

The first annex defines a baseline for cybersecurity and resilience in India’s financial institutions.

FRAMEWORK REFERENCE | FRAMEWORK REQUIREMENT | ATTIVO NETWORKS SOLUTION

Annex 1 index: 3.2 “Put in place mechanisms for monitoring of breaches / compromises of environmental controls relating to temperature, water, smoke, access alarms, service availability alerts (power supply, telecommunication, servers), access logs, etc.” [8]

The Attivo Networks ThreatDefend solution provides a range of decoys for IoT, ICS-SCADA devices, and system control servers utilizing a range of widely used communication protocols. The Attivo Networks solution can project decoys for XMPP, COAP, MQTT, RTSP, and DICOM based PACS servers.

When an intruder engages with decoys rather than production assets, devices, or their control servers, the intrusion is quickly detected and the attack can be remediated quickly and efficiently.

The solution also provides the ability to create decoys for telecommunications, network infrastructure, and video surveillance systems. Additionally, an organization can also set up Active Directory deception to derail attempts to compromise AD credential stores.

Annex 1 index: 4.7 & 4.9 “Put in place mechanism to detect and remedy any unusual activities in systems, servers, network devices and endpoints.”

“Security Operation Centre to monitor the logs of various network activities and should have the capability to escalate any abnormal / undesirable activities.”

The Attivo Networks BOTsink server, the core component of the ThreatDefend system, can project server, host, and network decoys across the entire organization, including into remote locations, cloud instances, and specialized environments such as IOT, ICS, POS, and other infrastructure. These systems use the real operating systems and services for optimal device attractiveness and believability.

Additionally, deceptive credentials can be placed on all endpoints as breadcrumbs to lead an attacker back to a deception server. This will then alert if these decoy credentials are used, while SIEM queries can also pick up attempts to use deception credentials.

Mapped shares will also serve to redirect an attacker away from other production assets and to the deception environment.

The BOTsink server offers a comprehensive dashboard which alerts security personnel immediately of any suspicious activity. Multi-dimension views of attacks, types, and activity are easily viewed within the dashboard. Incident response to block, isolate, or threat hunt can be fully automated through native integrations, semi-automated through the UI, or conducted through API integrations with other SOC tools.

Global or multi-site threat-intelligence can be gathered and managed through the Attivo Central Manager (ACM).
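The SIEM-side check described above, as an added example that is not part of the whitepaper or of Attivo Networks’ product: it scans constructed sshd syslog lines for any logon (successful or failed) that names a planted decoy account, and rates a decoy credential replayed against a production host above one used on a decoy host. All account names, hostnames and IP addresses are hypothetical values made up for the example.

```python
import re
from dataclasses import dataclass
from typing import Dict, Iterable, List, Set

# Decoy ("breadcrumb") account names planted on endpoints. Hypothetical values
# constructed for this example; no legitimate process should ever use them,
# which is why any appearance in an authentication log is an alert.
DECOY_ACCOUNTS: Set[str] = {"svc_backup_legacy", "finops-admin", "db_ro_reporting"}

# Hostnames of decoy (engagement) servers, also hypothetical. A decoy credential
# used against a host NOT in this set means it was replayed at production.
DECOY_HOSTS: Set[str] = {"fs-archive-02", "sql-rpt-07"}

# Constructed syslog-style sshd lines standing in for a SIEM export.
SAMPLE_LOGS: List[str] = [
    "Mar 14 09:12:01 fs-archive-02 sshd[2211]: Accepted password for svc_backup_legacy from 10.20.4.17 port 51122 ssh2",
    "Mar 14 09:12:40 web-prod-01 sshd[8812]: Accepted publickey for deploy from 10.20.1.5 port 44010 ssh2",
    "Mar 14 09:13:05 sql-prod-03 sshd[3320]: Failed password for finops-admin from 10.20.4.17 port 51130 ssh2",
    "Mar 14 09:13:09 sql-prod-03 sshd[3320]: Failed password for invalid user finops-admin from 10.20.4.17 port 51130 ssh2",
    "Mar 14 09:15:22 jump-01 sshd[101]: Accepted password for alice from 10.20.9.9 port 50001 ssh2",
]

# Matches both successful and failed sshd logons, including the
# "invalid user" form emitted when the account does not exist on the host.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<outcome>Accepted|Failed) \S+ for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<src>\d{1,3}(?:\.\d{1,3}){3})"
)


@dataclass(frozen=True)
class Alert:
    timestamp: str
    user: str
    src_ip: str
    target_host: str
    outcome: str      # "Accepted" or "Failed"; both matter for a decoy account
    severity: str     # "critical" if a production host was targeted, else "high"


def severity_for(target_host: str) -> str:
    """A decoy credential aimed at production shows the lure was harvested and
    replayed beyond the deception environment, so it outranks decoy-host use."""
    return "high" if target_host in DECOY_HOSTS else "critical"


def detect_decoy_credential_use(lines: Iterable[str]) -> List[Alert]:
    """Return one Alert per logon event (success or failure) that names a
    decoy account. Lines that do not parse as sshd logon events are skipped."""
    alerts: List[Alert] = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        if m["user"] not in DECOY_ACCOUNTS:
            continue
        alerts.append(Alert(
            timestamp=m["ts"],
            user=m["user"],
            src_ip=m["src"],
            target_host=m["host"],
            outcome=m["outcome"],
            severity=severity_for(m["host"]),
        ))
    return alerts


def suspicious_sources(alerts: Iterable[Alert]) -> Dict[str, Set[str]]:
    """Group alerts by source IP so one host trying several decoy accounts
    is seen as a single intruder working through harvested credentials."""
    by_src: Dict[str, Set[str]] = {}
    for a in alerts:
        by_src.setdefault(a.src_ip, set()).add(a.user)
    return by_src


if __name__ == "__main__":
    found = detect_decoy_credential_use(SAMPLE_LOGS)
    for a in found:
        print(f"[{a.severity}] {a.timestamp} {a.user}@{a.target_host} "
              f"from {a.src_ip} ({a.outcome})")
    for src, users in suspicious_sources(found).items():
        print(f"source {src} tried decoy accounts: {sorted(users)}")
```

A failed attempt counts as much as a successful one here, because the decoy account has no legitimate use and a failure still shows the planted credential was harvested.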

Annex 1 index: 8.2 “Carefully protect customer access credentials such as logon userid, authentication information and tokens, access profiles, etc. against leakage/attacks” [9]

The Attivo Networks solution places decoy credentials on endpoints throughout the enterprise, and any effort to use them on a decoy or authenticate them to a production system is instantly flagged.

In parallel, any attempt to log into a decoy device is automatically identified, revealing compromised credentials.

Credential authenticity can also be validated within Active Directory to ensure attractiveness and believability.

Annex 1 index: 8.5 & 8.7 “Implement appropriate (e.g. centralised) systems and controls to allow, manage, log and monitor privileged / superuser / administrative access to critical systems” [10]

“Monitor any abnormal change in pattern of logon.”

The ThreatPath attack path visibility tool, part of the ThreatDefend solution, can monitor and log usage as well as exposure of privileged credentials.

The solution also offers Active Directory (AD) integration to detect activities or attacks targeting the AD credential store.

Annex 1 index: 13.1 & 13.2 “Build a robust defense against the installation, spread, and execution of malicious code at multiple points in the enterprise.” [11]

“Implement Anti-malware, Antivirus protection including behavioral detection systems for all categories of devices – (Endpoints such as PCs/laptops/ mobile devices etc.), servers (operating systems, databases, applications, etc.), Web/Internet gateways, email-gateways, Wireless networks, SMS servers etc. including tools and processes for centralized management and monitoring.”

The Attivo Networks ThreatDefend solution projects decoys in the cloud, datacenters, user networks, and remote installations that appear as production assets to an adversary. Whether the attacker attempts to ping, scan or download malware onto the decoy, the deception environment immediately alerts on any suspicious behavior.

With decoy shares, documents, and credentials as breadcrumbs, we lead an attacker back to an engagement server for early alerting of unauthorized access or attempts to use deception credentials.

Attivo Networks also offers capabilities to analyze potential malware as soon as it appears, whether it was dropped by a malicious email, website, or other vector.

Annex 1 index: 15.1, 15.2, 15.3 “Develop a comprehensive data loss/leakage prevention strategy to safeguard sensitive (including confidential) business and customer data/information.” [12]

“This shall include protecting data processed in end point devices, data in transmission, as well as data stored in servers and other digital stores, whether online or offline.”

“Similar arrangements need to be ensured at the vendor managed facilities as well.”

Attivo Networks deception technology includes decoy file shares and carefully crafted documents to divert attackers away from vital production assets.

Any decoy documents in motion, or that exfiltrate, are easily and quickly identified, including geolocation information when a decoy document is opened.

The Attivo Networks ThreatDirect offering enables organizations to deploy decoys into remote environments, including managed environments with the proper permissions. This solution does not require a local device to deliver full threat deception and detection.

Annex 1 index: 18.1 “Periodically conduct vulnerability assessment and penetration testing exercises for all the critical systems, particularly those facing the internet.” [13]

Attivo Networks ThreatPath attack visualization capability gives a continuous view of potential lateral attack paths via endpoint credential vulnerabilities and shows how an attack spreads during its execution. Network visibility maps also provide time-lapsed visibility to devices as they enter or leave the network.

Deception can be a powerful tool for Blue Teams in that it can demonstrate network resiliency and track every adversary (Red team) move when engaged in the deception environment.

Annex 1 index: 19.6C “Establish and implement systems to collect and share threat information from local/national/international sources following legally accepted/defined means/process” [14]

The BOTsink server supports widely accepted reporting formats and native partner integrations that can be leveraged to feed attack information to other systems as well as consume threat related information. It seamlessly integrates with renowned third-party reporting tools in real time.

Annex 1 index: 19.6F & 22.1 “Implement a policy & framework for aligning Security Operation Centre, Incident Response and Digital forensics to reduce the business downtime/ to bounce back to normalcy.” [15]

“Have support / arrangement for network forensics / forensic investigation” [16]

The forensics functionality in the Attivo Networks solution captures full forensics including time, type, and other attack information to identify infected systems and complete analysis to gain a better understanding of the attack’s anatomy and objectives. Attack analysis is automated and can be viewed in table or topographical map form, saving time and energy required to visualize and correlate an attack.

ANNEX 2

The second annex provides guidance for configuring and operationalizing a Cybersecurity Operations Center (C-SOC), including requirements for monitoring and response in the case of a cybersecurity event.

FRAMEWORK REFERENCE | FRAMEWORK REQUIREMENT | ATTIVO NETWORKS SOLUTION

Annex 2 index: Introduction - 1 “Banking services are delivered nonstop, round the clock and the customers access these services using internet and Mobile Connectivity. Security of the financial transactions is of paramount importance.” [17]

The Attivo Networks ThreatDefend platform includes decoys for SWIFT terminals, the system banks worldwide use to process transactions.

To an attacker, these decoys appear identical to production assets and can be deployed across the environment without affecting live assets or incurring any down time.

Annex 2 index: Introduction - 3 “Constant and Continuous monitoring of the environment using appropriate and cost-effective technology tools, clearly defined policies and procedures based on best practices and monitored by technically competent and capable manpower” [18]

The Attivo Networks solution provides an early and cost-effective solution for detecting in-network threats and for real-time incident reporting. There are no false positives as all alerts are engagement based and substantiated, making for faster and more accurate incident response.

C-SOC teams receive detailed, highly accurate information that allows them to quickly and efficiently react to an incident. This includes native integrations with existing tools and security systems that automate blocking, isolation, threat hunting, and accelerate incident response.

Annex 2 index: Governance Aspects – 1 & 2

“Top Management/Board Briefing on Threat Intelligence”

“Dashboards and oversight” [19]

The BOTsink threat intelligence dashboard features the ability to customize the information displayed, drill-down, and take action on specific threat details.

The ThreatDefend platform provides a range of detailed reports that are configurable and easily tailored for a specific audience, whether that is an executive briefing or forensic analysis. Role based dashboards simplify viewing and only show details applicable to that user’s role.

The Attack Visualization capability lets an analyst “roll back the clock” and see how the attack unfolded over time, giving them a much better understanding of how the attack was executed.

Additional integrations, including a Splunk App, allow the same attack data to be viewed within other SOC tools.

Annex 2 index: CSOC Point #1 “Conventional or Traditional Security systems have always focused on preventive approaches over the years and are reactive in nature. They are in a position to address the concerns regarding known attacks. It is to be noted that the threat landscape has changed significantly in the recent past and therefore the approach and methodology required to be put in place has to necessarily take into account proactive approaches rather than reactive approaches and have to also address possible unknown attacks.” [20]

The Attivo Networks solution takes a proactive approach to security, employing deception to reveal intruders that have bypassed perimeter defenses. Deception provides early detection of adversary reconnaissance, credential theft, and lateral movement. It does not need “time to learn” and is effective throughout all phases of an attack.

High-interaction deception technology is designed to trap automated and highly skilled, elusive attackers who may be using previously unknown exploits.

Deception is also unique in that it can slow an attacker as they get caught up in the deception environment. It changes the asymmetry of the attack by forcing the attacker to be precise or have their presence revealed.

These technologies match to RBI’s recommendation to take a proactive approach that remains effective against adversaries whose attacks are evolving over time.

Annex 2 index: CSOC Point #3 “The systems that are implemented currently to monitor the security operation takes into account collection of the logs from each one of the point products deployed, storing and processing of the logs, correlation through appropriate SIEM tools, continuous monitoring of SIEM screens and finding the anomalies, if any and raising the alarms.” [21]

The Attivo Networks ThreatDefend platform supports out-of-the-box integration with all popular SIEM devices: QRadar, ArcSight, LogRhythm, Splunk, McAfee and RSA Netwitness.

Using syslog, the BOTsink server can integrate with non-standard and home-grown solutions. Any system that can accept syslog can receive real-time information from the Attivo Networks platform.

Annex 2 index: CSOC Point #4(b)

“Incident investigation, forensics and deep packet analysis need to be in place” [22]

Attivo Networks Live Memory Forensics captures full forensics including time, type of attack, and other information to identify infected systems. This gives a complete analysis to gain a better understanding of the attack’s anatomy and the intruder’s objectives. Packet captures and Indicators of Compromise (IOC) are also available for all attacks.

Annex 2 index: CSOC Point #4(d)

“Analytics with good dashboard, showing the Geo-location of the IP’s” [23]

The Attivo Networks BOTsink server has a state-of-the-art user interface, Attack Visualization, and drill-down capabilities, making it easy for operators to quickly understand an attack.

Alerts are geolocated promptly to save crucial time for admin personnel.

Annex 2 index: CSOC Point #4(e)

“Counter response and Honeypot services” [24]

The Attivo Networks solution goes beyond conventional honeypots, providing a fully customizable range of decoys that can dynamically adapt to their environment. Decoys cover the full range of systems, services, credentials, and documents, to provide the most authentic deception possible.

Decoys that accurately reflect the production environment, projecting believable decoy targets and operated without requiring extensive maintenance, are a hallmark of Attivo’s system. Machine-learning automates the preparation, deployment, and ongoing operations of Attivo deception decoys, lures, and bait.

DecoyDocs give an organization the ability to create and place deception documents for an attacker to steal. Decoy documents provide counterintelligence on what an attacker is targeting and geo-location to help understand their motives.

Along with deception, the ThreatDefend platform enables integrated and automated response to an attack, multiplying the effectiveness of C-SOC personnel.

Annex 2 index: Expectations #2 “Ability to Provide real-time / near-real time information on and insight into the security posture of the bank”25

The Attivo Networks solution uses decoys, deception, lures and breadcrumbs, to provide real-time alerting upon attacker engagement. Alerts are accurate and actionable, only triggering upon an attacker’s interaction with a decoy or the use of deception credentials. Each alert is substantiated with threat intelligence gathered from the interaction.

Even the lightest touch will be detected, which can be instrumental in catching early policy violations.
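The fidelity argument above rests on one property: a planted credential or decoy host has no legitimate user, so any use of it is by definition suspect. The following is an added illustration of that detection logic, not Attivo code; the inventory of planted credentials and decoy addresses, the log format, and the sample log lines are all constructed for the example.

```python
"""Added example (not Attivo code): engagement-based deception alerting.

A deception credential is never used by a real person and a decoy host
serves no real workload, so an authentication attempt with the credential
or a connection to the decoy is an alert with no benign explanation.
"""
import re
from dataclasses import dataclass

# Constructed inventory of planted deceptions (hypothetical names/addresses).
DECEPTION_CREDENTIALS = {"svc_backup_admin", "db_replica_ro"}
DECOY_HOSTS = {"10.20.30.44", "10.20.30.45"}

# Constructed sample log lines in a simple key=value style.
SAMPLE_LOGS = """\
2024-03-05T09:14:02Z dc01 auth: user=alice src=10.20.10.7 result=success
2024-03-05T09:14:09Z dc01 auth: user=svc_backup_admin src=10.20.10.55 result=failure
2024-03-05T09:14:10Z fw01 conn: src=10.20.10.55 dst=10.20.30.44 dport=445 action=allow
2024-03-05T09:15:31Z fw01 conn: src=10.20.10.7 dst=10.20.30.12 dport=443 action=allow
2024-03-05T09:16:00Z dc01 auth: user=bob src=10.20.10.9 result=success
"""

AUTH_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) auth: user=(?P<user>\S+) "
    r"src=(?P<src>\S+) result=(?P<result>\S+)$"
)
CONN_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) conn: src=(?P<src>\S+) dst=(?P<dst>\S+) "
    r"dport=(?P<dport>\d+) action=(?P<action>\S+)$"
)


@dataclass(frozen=True)
class Alert:
    ts: str
    kind: str      # "deception_credential" or "decoy_engagement"
    src: str       # the engaging host, i.e. the likely compromised system
    detail: str
    severity: str


def detect(log_text, creds=DECEPTION_CREDENTIALS, decoys=DECOY_HOSTS):
    """Return one Alert per log line that touches a planted deception.

    Ordinary successful or failed logons by real users produce nothing:
    the detector keys only on the deception inventory, which is why the
    resulting alerts need no further tuning to be actionable.
    """
    alerts = []
    for line in log_text.splitlines():
        m = AUTH_RE.match(line)
        if m:
            # Success or failure does not matter: the credential should never be tried.
            if m["user"] in creds:
                alerts.append(Alert(m["ts"], "deception_credential", m["src"],
                                    f"user={m['user']} result={m['result']}", "high"))
            continue
        m = CONN_RE.match(line)
        if m and m["dst"] in decoys:
            alerts.append(Alert(m["ts"], "decoy_engagement", m["src"],
                                f"dst={m['dst']} dport={m['dport']}", "medium"))
    return alerts


def correlate(alerts):
    """Group alert kinds by engaging source host, sorted for stable output."""
    by_src = {}
    for a in alerts:
        by_src.setdefault(a.src, set()).add(a.kind)
    return {src: sorted(kinds) for src, kinds in by_src.items()}


def severity_for(kinds):
    """A host that both used a planted credential and reached a decoy is
    almost certainly an attacker moving laterally; escalate it."""
    return "critical" if len(kinds) > 1 else "high"


if __name__ == "__main__":
    found = detect(SAMPLE_LOGS)
    for src, kinds in correlate(found).items():
        print(f"{src}: {', '.join(kinds)} -> {severity_for(kinds)}")
```

In the constructed sample only 10.20.10.55 trips the detector, first by trying the planted service account and then by connecting to a decoy over SMB; every other line is routine activity and produces no alert. The same idea extends to real telemetry by feeding Windows logon events or firewall logs into the two matchers and replacing the inventories with the organization's actual deception deployment.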

Network visibility tools can also be useful to security teams needing to understand what devices are coming on and off the network. This can identify unauthorized systems and misconfigurations.

The ThreatPath functionality can reveal misconfigurations and inappropriate user permissions that could adversely affect the organization’s security, thus closing security gaps and improving their defensive posture.


Annex 2 index: Expectations #3 “Ability to Effectively and Efficiently manage security operations by preparing for and responding to cyber risks / threats, facilitate continuity and recovery”26

The Attivo Networks ThreatDefend platform provides a comprehensive platform for continuous threat management and response.

Early detection is achieved with decoys, credentials, applications, and data threat deceptions applied at the endpoint. These deceptions detect credential theft, reconnaissance, and lateral movement early in an attacker’s efforts to find their target: a company’s crown jewels or other targeted assets.

Organizations can use ThreatPath to reduce the attack surface by identifying exposed credentials and attack paths, while network visibility and replay tools help visualize and understand the adversary’s movement and tactics.

Automated attack analysis is achieved with a built-in sandbox that generates forensic reports. Native integrations automate incident response blocking, quarantine, and threat hunting. The ThreatOps functionality enables repeatable playbooks based upon detections, existing infrastructure, and policies.

Responses can be fully automated to streamline the C-SOC’s workflow for maximum efficiency and minimum time to remediation.

Annex 2 index: Expectations #4 “Ability to assess threat intelligence and to proactively identify / visualize impact of threats on the bank.”27

The BOTsink engagement server provides full sandboxing to gather threat and adversary intelligence. Attacks are studied to gather full TTPs, IOCs, and forensics. Known attack information is pulled from VirusTotal and Webroot, saving time and effort in understanding the attack.

The attack information and time-lapsed replay visualization maps are viewable within the UI. Additionally, the ThreatPath software gives a topological view of potential threats, showing logical paths an attacker could leverage to reach internal assets, potential vulnerabilities, and common credentials.

Annex 2 index: Expectations #5 “Ability to know who did what, when, how and preservation of evidence”28

The Attivo Networks BOTsink server captures every aspect of an attack, tracking files, registry, network, and memory changes, and capturing packets during an event. This data is viewable within the UI, is available in a wide variety of reporting formats and can be automatically shared through native integrations with other security controls.


Annex 2 index: Expectations #6 “Integration of various log types and logging options into SIEM, ticketing / workflow / case management, etc.”29

The Attivo Networks ThreatDefend platform supports out-of-the-box integration with popular SIEM platforms, including QRadar, ArcSight, LogRhythm, Splunk, McAfee, and RSA NetWitness.

Using syslog, the ThreatDefend platform can integrate with non-standard and home-grown solutions. Any system that can accept syslog can receive real-time information from the Attivo Networks solution.
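Syslog is the lowest common denominator for that kind of integration, and RFC 5424 structured data is what lets a receiving SIEM or case-management system pick the alert fields apart without custom parsing. The block below is an added example of both sides of that exchange, not Attivo code: it formats a deception alert as an RFC 5424 message with a structured-data element and then parses such a message back into fields the way a receiver would. The SD-ID `deception@32473` is invented for the example (32473 is the enterprise number RFC 5612 reserves for documentation), as are the hostname, app name, and field values.

```python
"""Added example (not Attivo code): RFC 5424 syslog with structured data
for forwarding a deception alert, plus a receiver-side parser.
"""
import re
import socket
from datetime import datetime, timezone

# RFC 5424 PARAM-VALUE escaping: '"', '\' and ']' must be backslash-escaped.
SD_ESCAPE = str.maketrans({'"': '\\"', '\\': '\\\\', ']': '\\]'})
SD_ID = "deception@32473"  # hypothetical; 32473 is the documentation enterprise number


def sd_element(sd_id, params):
    """Build one [SD-ID PARAM="value" ...] element with correct escaping."""
    parts = [sd_id] + [f'{k}="{str(v).translate(SD_ESCAPE)}"' for k, v in params.items()]
    return "[" + " ".join(parts) + "]"


def format_rfc5424(hostname, app, msgid, params, msg, facility=16, severity=1, ts=None):
    """Return a complete RFC 5424 line.

    PRI is facility*8 + severity; facility 16 is local0, severity 1 is ALERT.
    PROCID is sent as '-' (nil) because an appliance has no useful PID to report.
    """
    if ts is None:
        ts = datetime.now(timezone.utc).isoformat(timespec="milliseconds").replace("+00:00", "Z")
    pri = facility * 8 + severity
    return f"<{pri}>1 {ts} {hostname} {app} - {msgid} {sd_element(SD_ID, params)} {msg}"


HEADER_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>1 (?P<ts>\S+) (?P<host>\S+) (?P<app>\S+) "
    r"(?P<procid>\S+) (?P<msgid>\S+) (?P<rest>.*)$", re.S)
PARAM_RE = re.compile(r'(\S+?)="((?:[^"\\]|\\.)*)"')


def parse_rfc5424(line):
    """Parse header, structured data and free-text MSG from an RFC 5424 line."""
    m = HEADER_RE.match(line)
    if not m:
        raise ValueError("not an RFC 5424 message")
    pri = int(m["pri"])
    rest = m["rest"]
    sd = {}
    i = 0
    if rest.startswith("-"):          # nil structured data
        i = 1
    else:
        while i < len(rest) and rest[i] == "[":
            j = i + 1
            while j < len(rest):      # find the matching unescaped ']'
                if rest[j] == "\\":
                    j += 2
                    continue
                if rest[j] == "]":
                    break
                j += 1
            sd_id, _, params_str = rest[i + 1:j].partition(" ")
            sd[sd_id] = {k: re.sub(r"\\(.)", r"\1", v) for k, v in PARAM_RE.findall(params_str)}
            i = j + 1
    return {
        "facility": pri // 8, "severity": pri % 8, "timestamp": m["ts"],
        "host": m["host"], "app": m["app"], "msgid": m["msgid"],
        "sd": sd, "msg": rest[i:].lstrip(" "),
    }


def send_udp(message, host="127.0.0.1", port=514):
    """Fire-and-forget delivery over classic UDP syslog (unauthenticated, cleartext)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.sendto(message.encode("utf-8"), (host, port))


if __name__ == "__main__":
    line = format_rfc5424(
        "botsink-01", "deception", "ENGAGE",
        {"src": "10.20.10.55", "dst": "10.20.30.44",
         "detail": 'user="svc_backup_admin" [failed]'},
        "decoy engagement")
    print(line)
    print(parse_rfc5424(line)["sd"])
```

The escaping matters in practice: an alert detail that contains a quote or a closing bracket, as the sample does, silently truncates the structured-data element on the receiving side if it is sent raw. Plain UDP syslog is also unauthenticated and unencrypted, so for alert traffic that will drive automated blocking, send it over TLS (RFC 5425) or a mutually authenticated channel rather than UDP/514.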

Native integrations also include ticketing systems to streamline analyst workflows and remediation.

Annex 2 index: Key Responsibilities of SOC

“Monitor, analyze and escalate security incidents”30

“Develop Response - protect, detect, respond, recover”

“Conduct Incident Management and Forensic Analysis”

The ThreatDefend platform provides the threat intelligence, attack analysis, and automations required for a C-SOC to streamline its processes and meet its responsibilities.

Attivo Networks also offers professional services directly, or through its curated partners, to help an organization achieve their goals.

Annex 2 index: External Integration

“Threat intelligence feeds from various sources may be provided by the product vendors”31

“Security information feeds from other Banks in particular and the financial ecosystem in general will be quite useful.”

The Attivo Networks solution integrates with respected threat intelligence vendors such as VirusTotal, Webroot, and ThreatConnect out-of-the-box. It also includes the capability to exchange attacker TTP information through industry-standard formats, facilitating data exchange with third parties and third-party applications.

ANNEX 3

The Reserve Bank of India expects financial institutions to report cyber incidents no more than 6 hours after discovering them, and mandates the information, and format, expected in the report. The RBI reporting template32 covers a range of information, and the Attivo Networks ThreatDefend solution provides details on the following aspects:

BASIC INFORMATION

• Date – Time of incident detection

• Details of Incident – Cyber Security Incident

• The chronological order of events.

• Root cause analysis

CSIR FORM

• What severity is this incident being classified as?

• Date & Time of the incident

• Types of Threat and Incident

• When and How was the incident observed?

• Ports involved in the incident.

• Compromised Operating System and its details.

• Does the affected critical system have potential impact on another critical system of the bank?

• What is the source/cause of the incident?

TECHNICAL SUMMARY

The Reserve Bank of India’s Cyber Security Framework lays out a range of procedural and technical requirements intended to assure that financial institutions in India remain secure in the face of a dynamic threat landscape.

The Framework includes specific requirements to provide deception honeypot and active response capabilities, which Attivo Networks easily exceeds with the ThreatDefend platform. The platform also meets a range of RBI framework requirements beyond the obvious by leveraging deception to alter the apparent threat surface, planting additional application and data deceptions so the attacker is unsure whether what they are seeing is real, ultimately making their job much more difficult.

The BOTsink servers provide a range of deception decoy technologies, while ThreatDirect provides exceptional scalability, projecting deception into remote sites, data centers, and cloud environments. The BOTsink server’s dashboard gives detailed information on attacks and only generates substantiated, engagement-based alerts. Using the ThreatPath tool, C-SOC personnel gain a predictive defense and can easily visualize and reduce their attack surface by seeing how an attacker might work through their environment, including pathways and vulnerabilities, while the built-in attack analysis engine automates the correlation of attack information and incident response actions (block, isolate, threat hunt) across a range of natively integrated third-party vendors (firewall, SIEM, endpoint, NAC).

Overall, the Attivo Networks ThreatDefend platform empowers organizations to meet specific requirements of the RBI CS Framework and provide defense in depth for their environment against an evolving threat landscape.


© 2018 Attivo Networks. All rights reserved. Attivo Networks, ThreatDefend, and ThreatPath are registered trademarks of Attivo Networks, Inc. 082118

www.attivonetworks.com Follow us on Twitter @attivonetworks

ABOUT ATTIVO NETWORKS

Attivo Networks® provides real-time detection and analysis of inside-the-network threats. The Attivo Networks ThreatDefend Deception and Response Platform detects stolen credentials, ransomware, and targeted attacks within user networks, data centers, clouds, and specialized ICS-SCADA, IoT, POS, infrastructure, and telecommunication environments by deceiving an attacker into revealing themselves. Comprehensive attack analysis, actionable alerts, and native integrations empower accelerated incident response.

For more information, visit our website at www.attivonetworks.com

[1] https://rbidocs.rbi.org.in/rdocs/notification/PDFs/NT41893F697BC1D57443BB76AFC7AB56272EB.PDF
[2] RBI/2015-16/418 DBS.CO/CSITE/BC.11/33.01.001/2015-16: page 1
[3] RBI/2015-16/418 DBS.CO/CSITE/BC.11/33.01.001/2015-16: pages 1 and 2
[4] RBI/2015-16/418 DBS.CO/CSITE/BC.11/33.01.001/2015-16: page 2
[5] RBI/2015-16/418 DBS.CO/CSITE/BC.11/33.01.001/2015-16: page 3
[6] RBI/2015-16/418 DBS.CO/CSITE/BC.11/33.01.001/2015-16: page 4
[7] RBI/2015-16/418 DBS.CO/CSITE/BC.11/33.01.001/2015-16: page 4
[8] RBI/2015-16/418 DBS.CO/CSITE/BC.11/33.01.001/2015-16: Annex 1, page 1
[9] RBI/2015-16/418 DBS.CO/CSITE/BC.11/33.01.001/2015-16: Annex 1, page 5
[10] RBI/2015-16/418 DBS.CO/CSITE/BC.11/33.01.001/2015-16: Annex 1, page 5
[11] RBI/2015-16/418 DBS.CO/CSITE/BC.11/33.01.001/2015-16: Annex 1, page 7
[12] RBI/2015-16/418 DBS.CO/CSITE/BC.11/33.01.001/2015-16: Annex 1, page 8
[13] RBI/2015-16/418 DBS.CO/CSITE/BC.11/33.01.001/2015-16: Annex 1, page 8
[14] RBI/2015-16/418 DBS.CO/CSITE/BC.11/33.01.001/2015-16: Annex 1, page 10
[15] RBI/2015-16/418 DBS.CO/CSITE/BC.11/33.01.001/2015-16: Annex 1, page 10
[16] RBI/2015-16/418 DBS.CO/CSITE/BC.11/33.01.001/2015-16: Annex 1, page 11
[17] RBI/2015-16/418 DBS.CO/CSITE/BC.11/33.01.001/2015-16: Annex 2, page 1
[18] RBI/2015-16/418 DBS.CO/CSITE/BC.11/33.01.001/2015-16: Annex 2, page 1
[19] RBI/2015-16/418 DBS.CO/CSITE/BC.11/33.01.001/2015-16: Annex 2, page 1
[20] RBI/2015-16/418 DBS.CO/CSITE/BC.11/33.01.001/2015-16: Annex 2, page 2
[21] RBI/2015-16/418 DBS.CO/CSITE/BC.11/33.01.001/2015-16: Annex 2, page 2
[22] RBI/2015-16/418 DBS.CO/CSITE/BC.11/33.01.001/2015-16: Annex 2, page 2
[23] RBI/2015-16/418 DBS.CO/CSITE/BC.11/33.01.001/2015-16: Annex 2, page 2
[24] RBI/2015-16/418 DBS.CO/CSITE/BC.11/33.01.001/2015-16: Annex 2, page 2
[25] RBI/2015-16/418 DBS.CO/CSITE/BC.11/33.01.001/2015-16: Annex 2, page 3
[26] RBI/2015-16/418 DBS.CO/CSITE/BC.11/33.01.001/2015-16: Annex 2, page 3
[27] RBI/2015-16/418 DBS.CO/CSITE/BC.11/33.01.001/2015-16: Annex 2, page 3
[28] RBI/2015-16/418 DBS.CO/CSITE/BC.11/33.01.001/2015-16: Annex 2, page 3
[29] RBI/2015-16/418 DBS.CO/CSITE/BC.11/33.01.001/2015-16: Annex 2, page 3
[30] RBI/2015-16/418 DBS.CO/CSITE/BC.11/33.01.001/2015-16: Annex 2, page 3
[31] RBI/2015-16/418 DBS.CO/CSITE/BC.11/33.01.001/2015-16: Annex 2, page 6
[32] RBI/2015-16/418 DBS.CO/CSITE/BC.11/33.01.001/2015-16: Annex 3, page 1