
Attivo BOTsink®

Deployment Scenarios Guide


Revision A

Attivo Networks™
47697 Westinghouse Dr, Fremont, CA 94539
http://www.attivonetworks.com
Copyright
The specifications and information regarding the products in this manual are subject to change without notice. All statements, information,
and recommendations in this manual are believed to be accurate but are presented without warranty of any kind, express or implied. Users
must take full responsibility for their application of any products.
Any internet protocol (IP) addresses used in this document are not intended to be actual addresses. Any examples, command display
output, and figures included in the document are shown for illustrative purposes only. Any use of actual IP addresses in illustrative content is
unintentional and coincidental.

License and Warranty Conditions


The software license and limited warranty for the accompanying product are set forth in the information packet that shipped with the
product and are incorporated herein by this reference. If you are unable to locate the software license or limited warranty, contact your
Attivo Networks representative for a copy.
The following information is applicable to physical and virtual BOTsink and Attivo Central Manager appliances. The equipment is tested and
complements the network security.
Modifying the equipment without Attivo Networks' written authorization may result in the equipment no longer complying with FCC
requirements. In that event, your right to use the equipment may be limited by FCC regulations.
Modifications to this product not authorized by Attivo Networks, Inc. could void the FCC approval and negate your authority to operate
the product.
Notwithstanding any other warranty herein, all document files and software of these suppliers are provided "as is" with all faults. Attivo
Networks and the above-named suppliers disclaim all warranties, expressed or implied, including, without limitation, those of
merchantability, fitness for a particular purpose and non-infringement, or arising from a course of dealing, usage, or trade practice.
In no event shall Attivo Networks or its suppliers be liable for any indirect, special, consequential, or incidental damages, including, without
limitation, lost profits or loss or damage to data arising out of the use or inability to use this manual, even if Attivo Networks or its suppliers
have been advised of the possibility of such damages.

Trademarks
BOTsink is a registered trademark of Attivo Networks, Inc. and/or its affiliates in the U.S.A.
Attivo Networks and the Attivo Networks logo are trademarks of Attivo Networks.
IRES is a trademark of Attivo Networks.
A listing of Attivo Networks' trademarks can be found at www.attivonetworks.com/go/trademarks.
Third party trademarks mentioned are the property of their respective owners. The use of the word partner does not imply a partnership
relationship between Attivo Networks and any other company.
About this guide

This document provides high-level information on how to deploy BOTsinks on your production networks.
Various possible scenarios are explained with the use of illustrations.

Note:

• The scenarios in this guide do not feature the Attivo Central Manager.

• The scenarios might apply to the physical BOTsink appliance or vBOTsink-VMware. However, for ease of
explanation, the scenarios predominantly feature the BOTsink physical appliances.

For detailed information on how to install BOTsinks, see the following documents:

• Attivo BOTsink 3200 Quick Start Guide

• Attivo BOTsink 5100 Quick Start Guide

• Attivo BOTsink Installation Guide for VMware

For information on how to deploy a virtual BOTsink appliance in Amazon Virtual Private Clouds, see the
vBOTsink-AWS User Guide.

For information on how to deploy BOTsink GE, see the corresponding Attivo BOTsink GE Deployment Guide.

For information on how to configure and use the BOTsink features, see the Attivo BOTsink User Guide.

For information on how to configure and use the Attivo Central Manager, see the Attivo Central Manager
User Guide.
Contents

Copyright ............................................................................................................................. 1
License and Warranty Conditions .............................................................................................. 1
Trademarks .......................................................................................................................... 1

About this guide.................................................................................................................... 2

Contents ............................................................................................................................... 3

About the BOTsink system .................................................................................................... 4


BOTsink product family ........................................................................................................... 4
BOTsink system features ......................................................................................................... 4
Terminologies ........................................................................................................................ 5
BOTsink system advantages .................................................................................................... 7

Networking BOTsink appliances ............................................................................................ 8


Network requirements for BOTsink appliances ............................................................................ 8
Cabling information for BOTsink physical appliances .................................................................... 8

Deployment options for BOTsink appliances ....................................................................... 10


Scenario 1: Deploying BOTsink in VLAN-based subnets .............................................................. 10
Scenario 2: Deploying in multiple non-VLAN subnets ................................................................. 11
Scenario 3: Deploying BOTsink appliance in a datacenter ........................................................... 11
Scenario 4: Deployment options for networks with many small L3 subnets ................................... 13
Option 1: Protecting your high-value networked resources .............................................................. 13
Option 2: Deploying engagement VMs in each small-sized subnet (VLAN-based) ............................... 14
Option 3: Deploying engagement VMs in small non-VLAN subnets ............................................... 15
1 About the BOTsink system

Attivo Networks introduces a new paradigm in security that complements and augments your existing
security infrastructure. BOTsink systems from Attivo Networks provide a network security technology based on
deception, with real-time detection of advanced malware, APTs, and BOTs that enables you to eliminate cyber
threats.

BOTsink systems help achieve network security by engaging threats and malware from infected clients and
servers in your network. The technology detects, engages, and analyzes BOT and APT attacks, giving you
confidence that your organization is malware-free.

A BOTsink system consists of BOTsink and its embedded software. Physical and virtual BOTsink appliances
are available.

BOTsink product family


The complete family of BOTsink products is shown in the table below:

BOTsink appliances

• BOTsink-3200: 1 U appliance. Support for up to 32 VLAN subnets. Can be assigned up to 186 IP addresses
for monitoring purposes.

• BOTsink-5100: 1 U appliance. Support for up to 100 VLAN subnets. Can be assigned up to 372 IP addresses
for monitoring purposes.

• BOTsink 5100W: 1 U appliance. Support for up to 100 VLAN subnets. Can be assigned up to 372 IP addresses
for monitoring purposes.

Virtual BOTsink appliances

• vBOTsink-VMware: Virtual BOTsink appliance for VMware. Support for up to 256 subnets.

• vBOTsink-AWS: Virtual BOTsink appliance for Amazon VPC.

• BOTsink General Edition (BOTsink GE): Virtual BOTsink appliance that you can install on any of the
supported on-premises or cloud platforms. Currently supported virtual environments are VMware (on-premises)
and Microsoft Azure (cloud).

Attivo Central Manager appliances

• Virtual Attivo Central Manager: VMware-based virtual appliance to centrally manage multiple physical and
virtual BOTsinks.

• Attivo Central Manager: 1 U appliance to centrally manage multiple physical and virtual BOTsinks.

You can assign more than 372 IP addresses for monitoring in case of BOTsink 5100 and BOTsink 5100W.
Contact Attivo Tech Support for related information.

BOTsink 3200 replaces BOTsink 2500; BOTsink 5100 replaces BOTsink 5000. However, if you use BOTsink
2500 or BOTsink 5000, you can still upgrade the firmware to the latest version.

BOTsink system features


• Management appliance to centrally manage multiple appliances.
• Plug-and-forget BOT and APT detection solution.
• Pre-configured to host multiple VMs and servers.
• Availability of physical and virtual BOTsink appliances.
• Support for customized Windows and Linux VMs to make the deception as realistic as possible.
• Support for multiple IPs and VLANs.
• Detect and display the phases of an APT – from the initial reconnaissance to stealing credentials and
data exfiltration.
• Inspection of traffic coming to BOTsinks for intrusions (IDS).
• Inclusion of production endpoints to deceive attackers.
• Integration with SIEM products such as Splunk.
• Snort rules to detect stolen credentials.
• Configuring customized data on the decoy servers.
• Analysis of broadcast and multicast traffic.
• Customizable whitelist to exclude known endpoints from analysis or engagement.
• Support for various operating systems, network services, and applications to engage BOTs and APTs.
• Detection of dropped payloads.
• Collection of events and data for forensic analysis.
• Dashboard to visualize attack information.
• Provision to view and query for attack information.
• Generate reports to communicate attack information.
• Dynamic analysis of files and URLs for malware analysis (sandbox).
• Submit files, file hashes, and URLs to VirusTotal to detect known and near zero-day malware.

Terminologies
This document uses the following terms.

• BOTsink appliance refers to the physical BOTsink appliances such as BOTsink-5100.

• BOTsink is a collective reference for all types of BOTsink appliances.

• Management VM – The management virtual machine runs on Linux and is responsible for collecting,
analyzing, and correlating attack data as well as managing the decoy VMs. The management VM also
hosts the web application, which is referred to as the Attivo BOTsink Manager (Manager).

• Decoy VMs – These virtual machines are the server and client hosts to detect breaches in your network.
The decoy VMs pose as targets for BOTs and APTs. The decoy VMs engage compromised endpoints when
they attempt lateral movement on your network. This enables you to identify and track the actions of
these malicious endpoints as well as to prevent data exfiltration.

Attivo BOTsink Deployment Scenarios Guide 5
The following list shows the operating systems pre-installed on the default decoy VMs on physical BOTsink
appliances:

• BOTsink 3200 (one instance of each): CentOS 7 (64-bit), Ubuntu 12.04 (64-bit), Ubuntu 13.10 (64-bit),
Windows 2008 (32-bit), Windows 7 (32-bit), Windows 7 (64-bit)

• BOTsink 5100 (two instances of each): CentOS 7 (64-bit), Ubuntu 12.04 (64-bit), Ubuntu 13.10 (64-bit),
Windows 2008 (32-bit), Windows 7 (32-bit), Windows 7 (64-bit)

• BOTsink 5100W (two instances of each, unless noted): Windows Server 2008 R2 (32-bit) - one instance,
Windows Server 2008 R2 (64-bit) - one instance, Windows 7 (32-bit), Windows 7 (64-bit), Windows 8.1 (32-bit),
Windows 8.1 (64-bit)

You can import customized VMs and then replace a default decoy VM with a custom decoy VM.

Note that replacement of decoy VMs is allowed only within the same type. For example, if you require a
decoy VM on Windows 2012, you must replace one of the default Windows decoy VMs.

Note: The licenses for all the default Windows decoy VMs are pre-activated. You must activate the custom
Windows decoy VMs yourself.

Note regarding vBOTsink-VMware: The installation bundle provided by Attivo Networks™ includes the
images for the following:

CentOS 7 (64-bit)
Ubuntu 12.04 (64-bit)
Ubuntu 13.10 (64-bit)
Windows Server 2008 Standard SP2 (32-bit)
In addition to these default decoy VMs, you can create custom decoy VMs on a vBOTsink-VMware.

For information on the supported operating systems for custom decoy VMs, see Import Custom VMs.

• Analysis VMs – These VMs are used to dynamically analyze files submitted for malware analysis. You can
convert any decoy VM into an analysis VM, and you can revert an analysis VM to a decoy VM. An analysis VM is
used exclusively for malware analysis; that is, it is not used for engagement as long as it is an analysis VM.

• Sinkhole VM – All traffic originating from the decoy VMs is sent to a Linux-based sinkhole VM. This
prevents a compromised decoy VM from sending any malicious traffic to your production network.
Optionally, you can configure the sinkhole VM as an Internet proxy for the decoy VMs.

• Attivo BOTsink Manager is the web application hosted on the management VM of a BOTsink. The
Attivo BOTsink Manager (Manager) is the console to configure and manage the corresponding BOTsink.

• Attivo Central Manager – This is the appliance used exclusively to manage multiple BOTsink appliances,
physical and virtual.

The Attivo Central Manager (Central Manager) appliance has a web application. You use this to configure
and manage the Central Manager appliance as well as BOTsinks.

The terms, Attivo Central Manager and Central Manager are used interchangeably to refer to the Central
Manager appliance as well as the Central Manager web application.


• Deception content – Deception content is the data on the decoy VMs, which attackers can access
through services such as SMB, FTP, and HTTP. Deception content can include logon credentials, web
pages, files in shared folders, and so on.

• Events – The Manager records all activities on the decoy VMs as events. The activity behind an event
can range from a highly malicious attack to a benign system activity. The Manager categorizes events
according to how malicious the underlying activity is.

• Callback traffic – If a decoy VM is compromised, it might attempt to contact its C&C server. In the
context of BOTsink, traffic originating from a decoy VM to a server on the Internet is termed as callback
traffic.

BOTsink system advantages


• You can create a decoy VM using one of your own images. For example, you can create a decoy VM
installed with the same applications and tools as that of your production endpoints. The purpose is that
the decoy VM appears just like a production endpoint to a probable attacker. Also, the attacks reported
by BOTsink for that decoy VM are relevant to your network as well.

• BOTsinks are highly scalable. You can use a single BOTsink to monitor hundreds of subnets.

• The decoy VMs and sinkhole VM of a BOTsink are factory-installed and do not require any IT resource to
install or manage them.

• BOTsink lures BOTs and APTs scanning for valuable corporate assets to target Attivo’s high-value self-
sustaining decoy servers.

• BOTsink detects BOTs and APTs infections that may already exist inside the network.

• Once engaged, BOTsink isolates BOT and APT activities, including sleeper and timed triggered agents,
before they damage network assets.

• BOTsink identifies infected systems and reports the time, type, and anatomy of the attack.

• BOTsinks generate alert details in the Open Indicator of Compromise (OpenIOC) and Structured Threat
Information eXpression (STIX) formats for sharing threat information with cyber threat analysts and
other security products.

• Identifies and validates 100% actionable alerts with intelligence to take immediate action.

• Increases detection velocity and minimizes chance of cross contamination and contagion.

• Provides visibility of commonly attacked network services.

Attivo BOTsink Systems are on-premises and cloud-based BOT and APT detection security tools that
complement existing security systems. The BOTsink solution securely captures BOTs as they begin scanning
the network's clients, servers, and services and then tracks all their activity securely. It captures and records
all the communication and propagation activity for future forensics using the patented Multi-Dimensional
Correlation Engine (MDCE).

2 Networking BOTsink appliances

This chapter provides high-level networking and cabling information regarding BOTsink appliances.

Network requirements for BOTsink appliances


• A static IPv4 address for the BOTsink management virtual machine (VM)

• You must assign at least one static or dynamic IPv4 address to each engagement VM that you plan to
use.

• If you connect a trunk port to a monitoring port, you must enable VLAN support in the BOTsink Manager.

• You can connect trunk or access ports to monitoring ports 3, 4, 5, and 6. You can also connect ports
configured for Link Aggregation Control Protocol (LACP) to the monitoring ports of BOTsink.

Cabling information for BOTsink physical appliances


Using BOTsink-3200 as an example, this section provides an overview of the cabling information for BOTsink
physical appliances. Cabling information is similar for both BOTsink-5100 and BOTsink-3200.

This section also explains at a high-level, how traffic flows within a BOTsink physical appliance. In this
example, the four monitoring interfaces of the BOTsink appliance are connected to 4 access ports.

• Subnet A is connected to monitoring interface 6, subnet B to interface 5, subnet C to interface 4, and
subnet D to interface 3.

• The management interface is connected to your production network to configure and manage the
BOTsink appliance. You use the BOTsink Manager and BOTsink CLI commands to manage the BOTsink
appliance.

• All the 4 monitoring interfaces, the proxy interface, and the management interface are 10/100/1000
Ethernet ports.

• Windows 2008, CentOS, Ubuntu version 12, Ubuntu version 13, Windows 7 32-bit, and Windows 7 64-bit
are the engagement VMs.

• By assigning the network configurations to the engagement VMs, you can place the engagement VMs in
the configured subnets. You use the monitoring rules in the BOTsink Manager to assign network
configuration to the engagement VMs.

• The engagement VMs engage the attacking endpoints on your network and at the same time send the
attack details to the BOTsink management VM.

• Traffic originating from the engagement VMs is mostly destined for C&C servers. The VMs are connected
such that this traffic can only reach the sinkhole VM.

• To fully analyze the botnet and identify the C&C server, you might have to give the bot (the engagement
VM) Internet access. You can enable and configure the sinkhole proxy feature in the BOTsink Manager; the
sinkhole VM then functions as a proxy server. To keep this botnet traffic off your production network,
connect a DSL modem to the proxy interface on the BOTsink appliance rather than routing the proxied traffic
through the management interface.
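The containment model in the last two bullets (decoy-originated traffic can only terminate at the sinkhole VM; when the sinkhole proxy is enabled, callbacks should leave through the proxy interface and never touch the production network) is the property a practitioner most wants to verify after cabling. The following audit is an added example, not Attivo code: the decoy, sinkhole and production addresses, the interface names (mon3, sink, proxy, mgmt), the "key=value" flow-record format and the records themselves are all constructed for illustration, and the records are assumed to list the connection initiator as src, so a decoy answering an attacker's scan is not counted as decoy-originated.

```python
"""Audit decoy egress against the sinkhole containment model (added example, not Attivo code)."""
import ipaddress
from dataclasses import dataclass

# Hypothetical addresses and interface names for this audit.
DECOY_IPS = {"10.10.100.10", "10.10.101.10", "10.10.102.10"}  # engagement VMs
SINKHOLE_IP = "192.168.200.1"                                  # sinkhole VM
PRODUCTION_NETS = [ipaddress.ip_network("10.10.0.0/16")]       # monitored production space
PROXY_IF = "proxy"                                             # proxy interface (DSL modem side)


@dataclass(frozen=True)
class Flow:
    src: str        # connection initiator
    dst: str        # responder
    dport: int
    egress_if: str  # interface the flow left the appliance through


def parse_flow_log(text):
    """Parse constructed 'key=value' records, one per line; '#' starts a comment."""
    flows = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        kv = dict(tok.split("=", 1) for tok in line.split())
        flows.append(Flow(kv["src"], kv["dst"], int(kv["dport"]), kv["if"]))
    return flows


def audit(flows, sinkhole_proxy_enabled):
    """Return (flow, reason) pairs for flows that break the containment model."""
    findings = []
    for f in flows:
        if f.src in DECOY_IPS:
            # Anything a decoy initiates (callbacks, pivot attempts) must end at the sinkhole.
            if f.dst != SINKHOLE_IP:
                findings.append((f, "decoy-originated traffic bypassed the sinkhole"))
        elif f.src == SINKHOLE_IP:
            # The sinkhole may forward callbacks only as a proxy, never into production,
            # and only out of the dedicated proxy interface.
            if any(ipaddress.ip_address(f.dst) in net for net in PRODUCTION_NETS):
                findings.append((f, "sinkhole reached a production subnet"))
            elif not sinkhole_proxy_enabled:
                findings.append((f, "sinkhole forwarded traffic while the proxy is disabled"))
            elif f.egress_if != PROXY_IF:
                findings.append((f, "proxied callback left via a non-proxy interface"))
    return findings


# Constructed flow records; src is the initiator.
SAMPLE_LOG = """
src=10.10.101.25 dst=10.10.101.10 dport=445 if=mon3    # scanner -> decoy: expected engagement
src=10.10.101.10 dst=192.168.200.1 dport=443 if=sink   # decoy callback -> sinkhole: expected
src=10.10.101.10 dst=10.10.101.40 dport=445 if=mon3    # decoy pivoting into production: violation
src=192.168.200.1 dst=203.0.113.7 dport=443 if=proxy   # sinkhole proxying a callback via the DSL uplink
src=192.168.200.1 dst=203.0.113.7 dport=443 if=mgmt    # same callback leaking via the management interface: violation
"""

if __name__ == "__main__":
    for flow, reason in audit(parse_flow_log(SAMPLE_LOG), sinkhole_proxy_enabled=True):
        print(f"{flow.src} -> {flow.dst}:{flow.dport} via {flow.egress_if}: {reason}")
```

Run against the constructed records with the proxy enabled, the audit reports only the pivot attempt and the callback that left through the management interface; with the proxy disabled, any sinkhole-forwarded flow is a finding as well. Feed it the flow export of your own monitoring switch (in whatever format you convert to these fields) after cabling a new appliance.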

3 Deployment options for BOTsink appliances

BOTsink physical and virtual appliances can be deployed in internal networks (Layer 2 and Layer 3),
datacenters, and on the cloud.

Consider the following scenarios to understand some of the popular deployment options for BOTsink.

For ease of explanation, the illustrations in this document feature only a few subnets and only sections of
larger networks.

Scenario 1: Deploying BOTsink in VLAN-based subnets


Suppose your network comprises numerous VLAN-based subnets in which you plan to deploy BOTsink
engagement VMs. For the network illustrated below, a simple deployment option is to connect a trunk port
from the distribution switch to one of the monitoring interfaces of a physical BOTsink appliance.

A trunk port on the distribution switch (indicated by a black circle) is configured such that the packets from
the 3 monitored subnets are tagged with the respective VLANs. For example, traffic from the 10.10.100.x
subnet are tagged with VLAN 100 as they exit out of the distribution switch. So, if an endpoint on this subnet
does a scan of other endpoints on the same network, the engagement VM with IP address 10.10.100.10 is
also targeted and thus the attack is detected. This deployment enables you to deploy an engagement VM in
each monitored subnet.

Scenario 2: Deploying in multiple non-VLAN subnets


The following diagram illustrates how you can deploy engagement VMs in up to 4 non-VLAN subnets using a
BOTsink physical appliance.

Four different subnets are connected to the 4 monitoring interfaces of the BOTsink physical appliance. The
Windows 2008 and Cent OS engagement VMs are configured (in the BOTsink Manager) such that they are
connected to all the 4 monitored subnets.

Since the Windows 7 engagement VM is not relevant in the datacenter and DMZ subnets, this VM is configured
only for the Finance and Engineering subnets.

Scenario 3: Deploying BOTsink appliance in a datacenter


The following diagram illustrates how you can deploy BOTsink engagement VMs in a datacenter. As in
Scenario 1, you connect the BOTsink appliance to a trunk port on the distribution switch. You can configure
multiple NICs on each engagement VM; in this example, each engagement VM is assigned two IP addresses.


For software-defined data centers (SDDC), you can use either the physical or the virtual BOTsink appliance.
The following diagram shows an SDDC consisting of 3 ESXi hosts and a distributed vSwitch connecting the
VMs on these hosts.

When you deploy the BOTsink virtual appliance, you can place the BOTsink engagement VMs among the
production VMs and across the subnets on the ESXi hosts.


Scenario 4: Deployment options for networks with many small L3 subnets

This section explains the deployment options for networks consisting of numerous small-sized L3 subnets.

Option 1: Protecting your high-value networked resources

One option is to deploy the engagement VMs where it matters most: among high-value networked
assets and other critical network resources. For example, you can deploy the engagement VMs in the same
subnet as your networked manufacturing equipment, so that an engagement VM detects any compromised
endpoint targeting your high-value networked devices.


Option 2: Deploying engagement VMs in each small-sized subnet (VLAN-based)


This option enables you to deploy an engagement VM in each small-sized subnet. In this method, you must
deploy a dedicated aggregation switch for BOTsink. You connect one of the monitoring ports (for example,
port 3) of the BOTsink physical appliance to a trunk port (all VLANs) on the aggregation switch. A trunk port
from each L3 switch is connected to a trunk port on the aggregation switch. Therefore, the packets reaching
the aggregation switch are tagged with the respective VLANs. Based on this VLAN tagging, BOTsink sends
these packets to the corresponding engagement VM.


Option 3: Deploying engagement VMs in small non-VLAN subnets

Consider a network of many small subnets that do not use VLANs. The following diagram illustrates how
you can deploy engagement VMs in such subnets. Like the previous option, this too involves a
dedicated aggregation switch to which you connect the BOTsink appliance. You connect a port from each L3
switch to an access port on the aggregation switch, and each of these access ports is configured for a
VLAN. For example, the access port connected to the switch of the 10.10.100.x subnet is configured for
VLAN 100. This access port is indicated by a red circle in the following diagram.

Configure a trunk port (allowing VLANs 100, 101, 102) on the aggregation switch (black circle). For example,
connect the monitoring port 3 of a BOTsink physical appliance to this trunk port. Consider monitoring port 3
is configured for VLANs 100, 101 and 102.

This deployment method enables you to place an engagement VM in each subnet. In this example, any
attack on the 10.10.100.x, 10.10.101.x, and 10.10.102.x subnets can also reach the corresponding
engagement VMs hosted on the BOTsink appliance. Consider an endpoint on the 10.10.101.x subnet that is
performing reconnaissance against other endpoints in the same subnet. This attack traffic reaches the
aggregation switch (yellow circle) and is tagged with VLAN 101 when it exits through the trunk port. When
BOTsink receives these tagged packets, it sends them to the engagement VM with IP address 10.10.101.10.
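The steering rule that Scenario 1 and Options 2 and 3 rely on (the switch tags each monitored subnet's frames with that subnet's VLAN, the monitoring port accepts a fixed VLAN list, and each tagged frame is handed to the engagement VM placed in that VLAN's subnet) is modeled below as an added example, not Attivo code. It parses the 802.1Q tag and the IPv4 destination of each frame, and it also catches the Option 3 misconfiguration the text does not spell out: an access port on the aggregation switch assigned the wrong VLAN, so the tag and the destination subnet disagree. The monitoring-rule table, the allowed-VLAN set, the MAC addresses and the minimal IPv4 header builder are all constructed for the example.

```python
"""Model of VLAN-tag based steering to engagement VMs (added example, not Attivo code)."""
import ipaddress
import struct

TPID_8021Q = 0x8100
ETHERTYPE_IPV4 = 0x0800

# Hypothetical monitoring rules: VLAN ID -> (subnet, engagement VM address placed in that subnet).
MONITORING_RULES = {
    100: ("10.10.100.0/24", "10.10.100.10"),
    101: ("10.10.101.0/24", "10.10.101.10"),
    102: ("10.10.102.0/24", "10.10.102.10"),
}
# VLANs allowed on the BOTsink monitoring port; mirrors the trunk's allowed-VLAN list.
MONITOR_PORT_VLANS = {100, 101, 102}


def build_frame(dst_mac, src_mac, payload, vlan_id=None, ethertype=ETHERTYPE_IPV4):
    """Build an Ethernet II frame, inserting an 802.1Q tag when vlan_id is given."""
    header = dst_mac + src_mac
    if vlan_id is not None:
        # TCI = PCP (3 bits) | DEI (1 bit) | VID (12 bits); PCP and DEI are left at 0 here.
        header += struct.pack("!HH", TPID_8021Q, vlan_id & 0x0FFF)
    return header + struct.pack("!H", ethertype) + payload


def build_ipv4_payload(src_ip, dst_ip):
    """Minimal 20-byte IPv4 header (no options, no L4 data); checksum left at 0 for brevity."""
    return struct.pack(
        "!BBHHHBBH4s4s",
        0x45, 0, 20, 0, 0, 64, 6, 0,  # ver/IHL, DSCP, total length, id, flags/frag, TTL, proto TCP, checksum
        ipaddress.IPv4Address(src_ip).packed,
        ipaddress.IPv4Address(dst_ip).packed,
    )


def parse_frame(frame):
    """Return (vlan_id or None, ethertype, payload); raises ValueError on a truncated frame."""
    if len(frame) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    ethertype = struct.unpack("!H", frame[12:14])[0]
    offset, vlan_id = 14, None
    if ethertype == TPID_8021Q:
        if len(frame) < 18:
            raise ValueError("truncated 802.1Q tag")
        tci, ethertype = struct.unpack("!HH", frame[14:18])
        vlan_id = tci & 0x0FFF
        offset = 18
    return vlan_id, ethertype, frame[offset:]


def dispatch(frame):
    """Decide which engagement VM a frame on the monitoring port reaches: (decoy_ip or None, reason)."""
    vlan_id, ethertype, payload = parse_frame(frame)
    if vlan_id is None:
        return None, "untagged frame on a VLAN-enabled monitoring port"
    if vlan_id not in MONITOR_PORT_VLANS:
        return None, f"VLAN {vlan_id} not allowed on the monitoring port"
    rule = MONITORING_RULES.get(vlan_id)
    if rule is None:
        return None, f"no monitoring rule for VLAN {vlan_id}"
    subnet, decoy_ip = rule
    if ethertype == ETHERTYPE_IPV4 and len(payload) >= 20:
        dst_ip = ipaddress.IPv4Address(payload[16:20])  # destination address field of the IPv4 header
        if dst_ip not in ipaddress.ip_network(subnet):
            # Tag and subnet disagree: an aggregation-switch access port carries the wrong VLAN.
            return None, f"VLAN {vlan_id} tag carries traffic for {dst_ip}, outside {subnet}"
    return decoy_ip, f"delivered to engagement VM in VLAN {vlan_id}"


if __name__ == "__main__":
    mac_decoy = bytes.fromhex("020000000a0a")    # constructed, locally administered
    mac_scanner = bytes.fromhex("020000000b0b")
    # Recon from 10.10.101.25 against the decoy at 10.10.101.10, tagged VLAN 101 by the switch.
    recon = build_frame(mac_decoy, mac_scanner, build_ipv4_payload("10.10.101.25", "10.10.101.10"), vlan_id=101)
    print(dispatch(recon))
```

The same function covers Scenario 1, where the distribution switch applies the tag, and Options 2 and 3, where the aggregation switch does; only the switch doing the tagging differs, and a wrong access-port VLAN in Option 3 shows up as the tag/subnet mismatch rather than as silent loss of engagement.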
