Attivo Networks ThreatDefend Platform

Additional Info

Company: Attivo Networks
Company size (employees): 100 to 499
Type of solution: Software


Human attackers use advanced methods, many of which bypass traditional security controls. Once inside the network, attackers frequently escalate privileges and move laterally to perform reconnaissance. The deployment of ransomware is the end goal of many cyber-attacks, but an attacker has to go through numerous steps – including lateral movement and privilege escalation – to reach that final stage. Consequently, the ability to detect and prevent the early stages of an attack is just as important as detecting the ransomware itself.

The Attivo Networks ThreatDefend platform gives visibility into, and detection of, ransomware activity before it can spread. Organizations gain comprehensive detection early in the attack cycle, from the reconnaissance phase through lateral movement to the exploitation itself, empowering the defender and eliminating the attacker’s advantage.

The ThreatDefend Platform anti-ransomware security solution delivers a unique set of broad capabilities:

1. Reduces the attack surface through visibility into exposed credentials and attack paths
2. Provides insights into overprovisioned human and non-human entitlements in multi-cloud environments
3. Prevents attackers from misusing credentials by binding credentials to credential stores
4. Continuously assesses 200+ AD exposures with health scores and remediation guidance
5. Extends domain controller protection to Mac, Linux, IoT/OT, and unmanaged devices
6. Prevents access to critical data by hiding and denying access to local files, folders, removable storage, network or cloud shares, application credentials, and AD objects
7. Identifies and tracks suspicious behaviors with machine learning
8. Generates forensic reports and alerts with contextual data
9. Continuously backs up changes to endpoint applications and data using Microsoft tools, and prevents ransomware from deleting backup files created by the Windows Volume Shadow Copy Service
10. Engages ransomware with high-interaction deception, feeding it unlimited decoy data to stall the attack and prevent it from completing encryption, which gives defenders time to investigate, respond, and remediate
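Item 9 above is about keeping Volume Shadow Copy backups alive. A common complementary control, shown here as an added example that is not Attivo's code, is to alert on process-creation events that attempt to destroy shadow copies or recovery data. The event records below are constructed Sysmon-style entries, and the field names (`host`, `user`, `image`, `cmdline`) are assumptions; only the command-line patterns are real Windows tools.

```python
"""Flag backup-destruction commands in process-creation telemetry.

Added illustrative example, not part of the ThreatDefend platform. Sample
events are constructed; field names are assumptions about the log schema.
"""
import re
from dataclasses import dataclass

# Constructed sample process-creation events (not real telemetry).
SAMPLE_EVENTS = [
    {"host": "ws01", "user": "CORP\\alice",
     "image": r"C:\Windows\System32\vssadmin.exe",
     "cmdline": "vssadmin.exe list shadows"},                      # benign enumeration
    {"host": "ws01", "user": "CORP\\alice",
     "image": r"C:\Windows\System32\vssadmin.exe",
     "cmdline": "vssadmin.exe Delete Shadows /All /Quiet"},         # shadow copy wipe
    {"host": "ws02", "user": "NT AUTHORITY\\SYSTEM",
     "image": r"C:\Windows\System32\wbem\WMIC.exe",
     "cmdline": "wmic shadowcopy delete"},                          # shadow copy wipe via WMI
    {"host": "ws03", "user": "CORP\\bob",
     "image": r"C:\Windows\System32\bcdedit.exe",
     "cmdline": "bcdedit /set {default} recoveryenabled No"},       # disables recovery boot
    {"host": "ws04", "user": "CORP\\carol",
     "image": r"C:\Windows\System32\notepad.exe",
     "cmdline": "notepad.exe C:\\Users\\carol\\shadows.txt"},       # benign, word overlap only
]

# Detection rules: (name, case-insensitive regex over the full command line).
RULES = [
    ("vssadmin delete shadows",
     re.compile(r"\bvssadmin(\.exe)?\b.*\bdelete\b.*\bshadows\b", re.I)),
    ("wmic shadowcopy delete",
     re.compile(r"\bwmic(\.exe)?\b.*\bshadowcopy\b.*\bdelete\b", re.I)),
    ("wbadmin delete catalog",
     re.compile(r"\bwbadmin(\.exe)?\b.*\bdelete\b.*\bcatalog\b", re.I)),
    ("bcdedit disable recovery",
     re.compile(r"\bbcdedit(\.exe)?\b.*\brecoveryenabled\s+no\b", re.I)),
]


@dataclass
class Alert:
    host: str
    user: str
    rule: str
    cmdline: str


def detect(events):
    """Return one Alert per event whose command line matches a rule.

    The first matching rule wins; 'list shadows' and plain file names that
    merely contain the word 'shadows' do not match because the rules require
    the destructive verb as well.
    """
    alerts = []
    for ev in events:
        for name, pattern in RULES:
            if pattern.search(ev["cmdline"]):
                alerts.append(Alert(ev["host"], ev["user"], name, ev["cmdline"]))
                break
    return alerts


if __name__ == "__main__":
    for a in detect(SAMPLE_EVENTS):
        print(f"{a.host} {a.user}: [{a.rule}] {a.cmdline}")
```

Anchoring the regexes on the tool name plus the destructive verb keeps the benign `vssadmin list shadows` and the notepad event out of the alert list; in a real pipeline these matches would feed the same isolation and blocking workflow the platform describes.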

How we are different

• Other vendors provide a single level of depth to their ransomware abatement solutions. Attivo is unique and effective in providing defense in depth to prevent and deter ransomware. Native integrations also make response easy with automated isolation, blocking, and threat hunting.

• The ThreatDefend Platform works with existing security controls to address the ransomware problem. Current EPP/EDR solutions detect many of the ransomware variants in use today. However, should attackers evade these and other traditional security controls, the ThreatDefend platform provides detection capabilities for the discovery, lateral movement, privilege escalation, and data gathering activities seen in human-controlled ransomware attacks. The Attivo solution offers this coverage across the network, endpoint, data, application, and AD layers of the organization, providing early and accurate detection while preventing the attack from accessing sensitive or critical data, credentials, and other objects.

• The forensic evidence the solution provides delivers detailed event data, displays visual attack replays, and collects artifacts for analysis and threat intelligence development to raise the security posture and defend against subsequent attacks. The platform’s unique DataCloak capability hides and denies access to local files, folders, removable devices, and mapped network or cloud shares, preventing attackers from enumerating, accessing, encrypting, or even exfiltrating them from the organization. Simultaneously, the platform maps fake file shares that lead to decoy servers for the ransomware to discover and encrypt. As the malware attempts to encrypt the data it finds, the platform rate-limits the connection and feeds the ransomware endless streams of data to encrypt. This delay stalls the attack, giving security teams time to isolate infected systems and quickly stop further damage.
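The stalling mechanism in the last bullet (a decoy share that any access to is an alert, served through a rate-limited, never-ending stream) can be modelled in a few dozen lines. The following is an added example written for this page, not Attivo's implementation: the token-bucket limiter, the manually advanced `FakeClock` standing in for `time.monotonic()`/`time.sleep()`, and the `run_encryptor` model of a process reading the decoy are all assumptions chosen to make the run deterministic.

```python
"""Model of a rate-limited decoy share that feeds an encryptor endless data.

Added illustrative example; not the ThreatDefend platform's code. The clock is
simulated so the stall can be measured without real sleeps.
"""
import os
from dataclasses import dataclass, field


class FakeClock:
    """Manually advanced clock (assumption: stands in for time.monotonic/sleep)."""
    def __init__(self):
        self.t = 0.0

    def now(self):
        return self.t

    def sleep(self, seconds):
        self.t += seconds


class TokenBucket:
    """Token-bucket limiter: refills `rate` bytes/s up to a `burst` ceiling."""
    def __init__(self, rate, burst, clock):
        self.rate, self.burst, self.clock = rate, burst, clock
        self.tokens = burst
        self.last = clock.now()

    def _refill(self):
        now = self.clock.now()
        self.tokens = min(self.burst, self.tokens + (now - self.last) * self.rate)
        self.last = now

    def take(self, n):
        """Wait (via the clock) until n bytes may be sent, then spend them."""
        self._refill()
        if self.tokens < n:
            self.clock.sleep((n - self.tokens) / self.rate)
            self._refill()
        self.tokens -= n


@dataclass
class DecoyShare:
    rate_bytes_per_sec: float
    chunk_size: int
    clock: FakeClock
    alerts: list = field(default_factory=list)
    bytes_served: int = 0

    def __post_init__(self):
        self.bucket = TokenBucket(self.rate_bytes_per_sec, self.chunk_size, self.clock)

    def open(self, client, path):
        """Any open of a decoy path is a high-fidelity alert: no legitimate
        workflow maps this share, so there is nothing to baseline."""
        self.alerts.append({"client": client, "path": path, "t": self.clock.now()})
        return self._stream()

    def _stream(self):
        # Endless generator of random-looking chunks; each chunk is gated by the bucket.
        while True:
            self.bucket.take(self.chunk_size)
            self.bytes_served += self.chunk_size
            yield os.urandom(self.chunk_size)


def run_encryptor(share, client, path, time_budget):
    """Model of an encryptor reading a decoy file until its time budget expires.

    Returns the number of bytes it managed to pull in `time_budget` seconds.
    """
    start = share.clock.now()
    read = 0
    for chunk in share.open(client, path):
        read += len(chunk)
        if share.clock.now() - start >= time_budget:
            break
    return read


if __name__ == "__main__":
    clock = FakeClock()
    share = DecoyShare(rate_bytes_per_sec=1024, chunk_size=1024, clock=clock)
    got = run_encryptor(share, "ws01", r"\\decoy-fs\finance\Q3.xlsx", time_budget=60)
    print(f"encryptor pulled {got} bytes in 60 simulated seconds; alerts: {share.alerts}")
```

With the bucket sized to one chunk, the first read is free and every later chunk costs one second of simulated wall time, so a one-minute budget yields only 61 KiB while the alert fires on the very first open. The real value is the combination: the limiter buys time, and the alert gives the responder a precise client and path to isolate.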