Large Retailer uses Deception for Active Acquisition Strategy

Company Size
1,000+
Region
  • America
Country
  • United States
Product
  • Attivo ThreatMatrix Deception and Response Platform
  • ThreatStrike deceptive credentials
  • Attivo BOTsink engagement servers
Tech Stack
  • Deception Technology
  • Credential Theft Detection
  • Phishing and Malware Analysis
Implementation Scale
  • Enterprise-wide Deployment
Impact Metrics
  • Brand Awareness
  • Customer Satisfaction
  • Digital Expertise
Technology Category
  • Cybersecurity & Privacy - Endpoint Security
  • Cybersecurity & Privacy - Intrusion Detection
  • Cybersecurity & Privacy - Malware Protection
Applicable Industries
  • Retail
Applicable Functions
  • Business Operation
  • Quality Assurance
Use Cases
  • Intrusion Detection Systems
Services
  • Cybersecurity Services
  • System Integration
About The Customer
A large retail organization with an active acquisition strategy. It prioritizes gaining visibility into acquired networks in order to understand their potential vulnerabilities. The organization is concerned about the security maturity of affiliate networks and about dormant or time-triggered malware that could move laterally into the corporate network and exfiltrate data. Its goal is to bring the security controls of its broader affiliate organizations in line with enterprise standards so that company and customer data are protected.
The Challenge
The acquired organization had basic security controls but little visibility into threats that had already made their way inside its network. Because of this, the infosec team could not be confident that the network was not already compromised. A compromised affiliate network posed a risk not only to that subsidiary but to the broader enterprise: any in-network malware could spread to the larger organization, creating significant risk to customer confidence, revenue, and brand reputation. The team needed a reliable way to establish whether the network was compromised, along with visibility into the acquired organization's overall health and the risk associated with its endpoints. Beyond this initial assessment, they needed a reliable way to detect new threats inside the network in the future.
The Solution
The retailer deployed the ThreatMatrix Deception and Response Platform across the acquired company's data centers and end-user networks. The platform provided visibility into the lateral movement and reconnaissance conducted by malware and human attackers. The Attivo BOTsink engagement servers were customized to match the production environment, creating decoys with the same configurations as the critical production assets they mirrored. These decoys presented an attacker with an attractive target that could engage, trap, and safely observe the tactics, techniques, and procedures used against it.

In addition to the ThreatMatrix Platform, the organization implemented the Attivo ThreatStrike Endpoint Suite. This creates customized deceptive credentials that are deployed to thousands of endpoints to identify compromises that rely on credential theft. The credentials are agentless and point to the Attivo engagement servers rather than to production systems, so no legitimate user or process has any reason to use them; an attacker who harvests and tries them is diverted into the engagement servers, revealing themselves and allowing Attivo to analyze the threat.

With deception deployed, the organization gained visibility into threats within the subsidiary's network. In one instance they identified suspected ransomware active in the environment, and the ThreatMatrix Platform gave them the detailed attack forensics needed to remediate it.

Lastly, the organization uses the ThreatMatrix Platform's secondary phishing and malware analysis capability. The Phishing and Malware Analysis Platform automatically executes suspicious files and URLs in a controlled environment and provides a detailed analysis to the incident response team, giving them the evidence to determine whether a sample can safely be executed or is malicious.
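The detection logic that makes planted credentials useful is simple enough to show end to end. The following is an added example written for this page; it is not Attivo's code and does not reflect how ThreatStrike or BOTsink are implemented. It assumes a key=value authentication log format, uses hypothetical decoy account and host names, and the sample events are constructed. The point it demonstrates is that a decoy credential is a high-fidelity signal regardless of whether the login succeeds: any use of it is an alert, and a decoy replayed against a non-decoy host shows the credential was harvested from an endpoint and is being used for lateral movement.

```python
import re
from collections import defaultdict
from dataclasses import dataclass

# Decoy (honeytoken) credentials planted on endpoints. Names are hypothetical;
# they are chosen to look like service accounts worth stealing, and each one is
# paired with the engagement (decoy) server it points at, so no legitimate user
# or process ever has a reason to use it.
DECOY_ACCOUNTS = {
    "svc_backup_admin": "engage-fs-01",   # mimics a backup service account
    "sql_ro_report": "engage-sql-02",     # mimics a reporting DB account
}

# Constructed authentication events in a simple key=value format. These are
# invented for the example, not real logs; the format is an assumption.
SAMPLE_LOGS = """\
ts=2024-03-04T09:12:01Z host=engage-sql-02 user=sql_ro_report src=10.20.5.77 result=success
ts=2024-03-04T09:12:04Z host=engage-fs-01 user=svc_backup_admin src=10.20.5.77 result=failure
ts=2024-03-04T09:13:10Z host=prod-fs-03 user=jdoe src=10.20.8.15 result=success
ts=2024-03-04T09:14:22Z host=prod-dc-01 user=svc_backup_admin src=10.20.5.77 result=failure
ts=2024-03-04T09:15:00Z host=prod-dc-01 user=asmith src=10.20.8.31 result=success
"""

LINE_RE = re.compile(
    r"ts=(?P<ts>\S+)\s+host=(?P<host>\S+)\s+user=(?P<user>\S+)\s+"
    r"src=(?P<src>\S+)\s+result=(?P<result>\S+)"
)


@dataclass(frozen=True)
class Alert:
    ts: str
    src: str
    user: str
    host: str
    result: str
    reason: str


def parse_events(log_text: str) -> list[dict]:
    """Parse key=value auth events; lines that do not match are skipped."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            events.append(m.groupdict())
    return events


def detect_decoy_use(events, decoys=DECOY_ACCOUNTS) -> list[Alert]:
    """Alert on every authentication attempt that uses a decoy account.

    Success and failure are both reported: the credential itself is the tell,
    not the outcome. A decoy used against a host other than its engagement
    server means the attacker harvested it and is replaying it elsewhere.
    """
    alerts = []
    for ev in events:
        user = ev["user"]
        if user not in decoys:
            continue
        if ev["host"] == decoys[user]:
            reason = "decoy credential used against its engagement server"
        else:
            reason = "decoy credential replayed against non-decoy host"
        alerts.append(Alert(ev["ts"], ev["src"], user, ev["host"], ev["result"], reason))
    return alerts


def sources_by_decoy_count(alerts) -> dict[str, int]:
    """Number of distinct decoy accounts each source address has tried.

    A source touching several decoys is spraying harvested credentials, which
    is what lateral movement after credential theft looks like on the wire.
    """
    seen = defaultdict(set)
    for a in alerts:
        seen[a.src].add(a.user)
    return {src: len(users) for src, users in seen.items()}


if __name__ == "__main__":
    found = detect_decoy_use(parse_events(SAMPLE_LOGS))
    for a in found:
        print(f"{a.ts} ALERT src={a.src} user={a.user} host={a.host} "
              f"result={a.result}: {a.reason}")
    for src, n in sources_by_decoy_count(found).items():
        print(f"{src} touched {n} decoy account(s)")
```

Run against the constructed events, the three attempts from 10.20.5.77 produce alerts, including the failed replay of svc_backup_admin against prod-dc-01, while the two ordinary user logins produce none. In a real deployment the decoy list would be generated per endpoint and rotated, and the alerts would be raised from the engagement servers and domain controllers rather than from a log file, but the decision rule is the same.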
Operational Impact
  • The team efficiently gained knowledge of and visibility into the acquired network while adding a much-needed early threat detection capability for future attacks.
  • Deploying the Attivo solution accelerated the team's ability to establish visibility into the network and gave them additional insight into existing security gaps.
  • They now have real-time, highly reliable detection of threats inside the network and can understand the nature and mechanisms of an attack.
  • They can detect external threat actors, malicious insiders, advanced malware, and APTs.
  • End users can submit suspicious emails for automated analysis with the click of a button.