The system consists of two pieces: the BOTsink – a deception platform – and the IRES (Information Relay and Entrapment System) deception lure. Put simply, the attacker performs certain actions that the system recognises as dodgy behaviour, and the system directs the attacker to the deception lures. The lures can be just about any operating system or application. They are heavily instrumented, and when that behaviour is recognised the attacker is driven to the BOTsink for detection and action.
The BOTsink is an appliance – it can be physical, virtual or cloud-based – and the deception lures are specifically configured virtual machines. Setting up the BOTsink is straightforward and we saw no difficulty getting it up and monitoring quickly. The range of deception lures is impressive, including lots of flavors of Linux, just about all recent versions of Windows, and SCADA platforms as well.
The tool watches for certain things – such as scans, lateral movement, attempts at disallowed configurations, etc. When it sees that activity it engages with the attacker. By that, Attivo means that it takes some action, such as closing a port. The tool then determines the command-and-control structure, masquerades as the C&C server and collects the data the intruder intended to send to it.
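To illustrate the detection principle behind a deception platform – a lure has no legitimate users, so any connection to it is suspect, and the pattern of those connections shows whether the intruder is scanning or moving laterally – here is an added, hypothetical example; it is not Attivo's code, and the lure addresses, port list and flow log lines are all constructed for the illustration.

```python
# Illustrative deception-detection logic (hypothetical, not Attivo's code):
# a lure host has no legitimate users, so any connection to it is suspect,
# and the pattern of connections tells the defender what the intruder is doing.
from collections import defaultdict

# Constructed sample: addresses of the deception lures on the internal network.
LURE_HOSTS = {"10.0.5.20", "10.0.5.21", "10.0.5.22"}
# Ports commonly used for lateral movement between internal hosts (SSH, SMB, RDP, WinRM).
LATERAL_PORTS = {22, 445, 3389, 5985}

# Constructed flow log lines: "<src_ip> <dst_ip> <dst_port>".
SAMPLE_FLOWS = """\
10.0.1.15 10.0.5.20 22
10.0.1.15 10.0.5.20 80
10.0.1.15 10.0.5.20 135
10.0.1.15 10.0.5.20 443
10.0.1.15 10.0.5.20 445
10.0.1.15 10.0.5.21 22
10.0.1.33 10.0.5.22 445
10.0.1.40 10.0.2.10 80
"""

def parse_flows(text):
    """Parse the simple flow format into (src, dst, port) tuples."""
    flows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 3:
            flows.append((parts[0], parts[1], int(parts[2])))
    return flows

def classify_touches(flows, lures=LURE_HOSTS, scan_threshold=5):
    """Return {src_ip: set of tags}; traffic not aimed at a lure is ignored."""
    ports_per_src = defaultdict(set)
    lures_per_src = defaultdict(set)
    tags = defaultdict(set)
    for src, dst, port in flows:
        if dst not in lures:
            continue  # production traffic never has a reason to reach a lure
        tags[src].add("lure-touch")
        ports_per_src[src].add(port)
        lures_per_src[src].add(dst)
        if port in LATERAL_PORTS:
            tags[src].add("lateral-movement")
    for src in ports_per_src:
        # Many distinct ports on one lure, or several lures, looks like a scan.
        if len(ports_per_src[src]) >= scan_threshold or len(lures_per_src[src]) > 1:
            tags[src].add("scan")
    return dict(tags)
```

The host that touched no lure (10.0.1.40) produces no alert at all, which is why lure-based detections are so low in false positives compared with signature matching on production traffic.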
BOTsink also performs detailed malware analysis, with the help of VirusTotal. All of this information is available on the dashboard. The process shown on the dashboard is based on Attivo's own version of the kill chain.