Attivo BOTsink®
Attivo Networks™
47697 Westinghouse Dr, Fremont, CA 94539
http://www.attivonetworks.com
Copyright
The specifications and information regarding the products in this manual are subject to change without notice. All statements, information,
and recommendations in this manual are believed to be accurate but are presented without warranty of any kind, express or implied. Users
must take full responsibility for their application of any products.
Any internet protocol (IP) addresses used in this document are not intended to be actual addresses. Any examples, command display
output, and figures included in the document are shown for illustrative purposes only. Any use of actual IP addresses in illustrative content is
unintentional and coincidental.
Trademarks
BOTsink is a registered trademark of Attivo Networks, Inc. and/or its affiliates in the U.S.A.
Attivo Networks and the Attivo Networks logo are trademarks of Attivo Networks.
IRES is a trademark of Attivo Networks.
A listing of Attivo Networks' trademarks can be found at www.attivonetworks.com/go/trademarks.
Third party trademarks mentioned are the property of their respective owners. The use of the word partner does not imply a partnership
relationship between Attivo Networks and any other company.
About this guide
This document provides high-level information on how to deploy BOTsinks on your production networks.
Various possible scenarios are explained with the use of illustrations.
Note:
• The scenarios in this guide do not feature the Attivo Central Manager.
• The scenarios might apply to the physical BOTsink appliance or vBOTsink-VMware. However, for ease of
explanation, the scenarios predominantly feature the BOTsink physical appliances.
For detailed information on how to install BOTsinks, see the following documents:
For information on how to deploy a virtual BOTsink appliance in Amazon Virtual Private Clouds, see the
vBOTsink-AWS User Guide.
For information on how to deploy BOTsink GE, see the corresponding Attivo BOTsink GE Deployment Guide.
For information on how to configure and use the BOTsink features, see the Attivo BOTsink User Guide.
For information on how to configure and use the Attivo Central Manager, see the Attivo Central Manager
User Guide.
Attivo Networks introduces a new paradigm in security that complements and augments your existing
security infrastructure. BOTsink systems from Attivo Networks provide a network security technology with
real-time advanced malware detection that targets APTs and BOTs and enables you to eliminate cyber
threats.
BOTsink systems help achieve network security by engaging threats and malware from infected clients and
servers in your network. The technology detects, engages, and analyzes BOT and APT attacks. Because no
legitimate host has a reason to touch a decoy, this gives you high-confidence evidence of compromised
endpoints that have begun scanning or moving laterally inside your network.
A BOTsink system consists of BOTsink and its embedded software. Physical and virtual BOTsink appliances
are available.
BOTsink appliances
Model           Form factor   VLAN subnets   Monitored IP addresses
BOTsink-3200    1 U           up to 32       up to 186
BOTsink-5100    1 U           up to 100      up to 372
BOTsink-5100W   1 U           up to 100      up to 372
On BOTsink 5100 and BOTsink 5100W you can assign more than 372 IP addresses for monitoring. Contact
Attivo Tech Support for related information.
BOTsink 3200 replaces BOTsink 2500; BOTsink 5100 replaces BOTsink 5000. However, if you use BOTsink
2500 or BOTsink 5000, you can still upgrade the firmware to the latest version.
About the BOTsink system
BOTsink system features
Terminologies
This document uses the following terms.
• Management VM – The management virtual machine runs on Linux and is responsible for collecting,
analyzing, and correlating attack data as well as managing the decoy VMs. The management VM also
hosts the web application, which is referred to as the Attivo BOTsink Manager (Manager).
• Decoy VMs – These virtual machines pose as server and client hosts in order to detect breaches in your
network. The decoy VMs act as targets for BOTs and APTs and engage compromised endpoints when
those endpoints attempt lateral movement on your network. This enables you to identify and track the
actions of the malicious endpoints as well as to prevent data exfiltration.
The following lists show the operating systems pre-installed on the default decoy VMs on physical BOTsink
appliances:
BOTsink 3200 (one instance of each):
CentOS 7 (64-bit)
Ubuntu 12.04 (64-bit)
Ubuntu 13.10 (64-bit)
Windows 2008 (32-bit)
Windows 7 (32-bit)
Windows 7 (64-bit)
BOTsink 5100 (two instances of each):
CentOS 7 (64-bit)
Ubuntu 12.04 (64-bit)
Ubuntu 13.10 (64-bit)
Windows 2008 (32-bit)
Windows 7 (32-bit)
Windows 7 (64-bit)
BOTsink 5100W (two instances of each unless noted):
Windows Server 2008 R2 (32-bit) - one instance
Windows Server 2008 R2 (64-bit) - one instance
Windows 7 (32-bit)
Windows 7 (64-bit)
Windows 8.1 (32-bit)
Windows 8.1 (64-bit)
You can import customized VMs and then replace a default decoy VM with a custom decoy VM.
Note that replacement of decoy VMs is allowed only within the same operating system family. For example,
if you require a decoy VM on Windows 2012, you must replace one of the default Windows decoy VMs.
Note: The licenses for all the default Windows decoy VMs are pre-activated. You must activate the licenses
of custom Windows decoy VMs yourself.
Note regarding vBOTsink-VMware: The installation bundle provided by Attivo Networks™ includes the
images for the following:
CentOS 7 (64-bit)
Ubuntu 12.04 (64-bit)
Ubuntu 13.10 (64-bit)
Windows Server 2008 Standard SP2 (32-bit)
In addition to these default decoy VMs, you can create custom decoy VMs on a vBOTsink-VMware.
For information on the supported operating systems for custom decoy VMs, see Import Custom VMs.
• Analysis VMs – These VMs are used to dynamically analyze files submitted for malware analysis. You
can convert any decoy VM into an analysis VM, and you can revert an analysis VM to a decoy VM. An
analysis VM is used exclusively for malware analysis; that is, it is not used for engagement as long as it
is an analysis VM.
• Sinkhole VM – All traffic originating from the decoy VMs is sent to a Linux-based sinkhole VM. This
prevents a compromised decoy VM from sending any malicious traffic to your production network.
Optionally, you can configure the sinkhole VM as an Internet proxy for the decoy VMs.
• Attivo BOTsink Manager – This is the web application hosted on the management VM of a BOTsink. The
Attivo BOTsink Manager (Manager) is the console used to configure and manage the corresponding BOTsink.
• Attivo Central Manager – This is the appliance used exclusively to manage multiple BOTsink and
vBOTsink appliances.
The Attivo Central Manager (Central Manager) appliance has a web application. You use this to configure
and manage the Central Manager appliance as well as the BOTsinks it manages.
The terms Attivo Central Manager and Central Manager are used interchangeably to refer to the Central
Manager appliance as well as the Central Manager web application.
• Deception content – Deception content is the data on the decoy VMs that attackers can access
through services such as SMB, FTP, and HTTP. Deception content can include logon credentials, web
pages, files in shared folders, and so on.
• Events – The Manager records all activities on the decoy VMs as events. The activity behind an event
can range from benign system activity to a highly malicious attack. The Manager categorizes each
event according to how malicious the underlying activity is.
• Callback traffic – If a decoy VM is compromised, it might attempt to contact its C&C server. In the
context of BOTsink, traffic originating from a decoy VM to a server on the Internet is termed callback
traffic.
• BOTsinks are highly scalable. You can use a single BOTsink to monitor hundreds of subnets.
• The decoy VMs and sinkhole VM of a BOTsink are factory-installed and do not require any IT resources
to install or manage them.
• BOTsink lures BOTs and APTs scanning for valuable corporate assets into targeting Attivo's high-value,
self-sustaining decoy servers.
• BOTsink detects BOT and APT infections that may already exist inside the network.
• Once engaged, BOTsink isolates BOT and APT activities, including sleeper and time-triggered agents,
before they damage network assets.
• BOTsink identifies infected systems and reports the time, type, and anatomy of the attack.
• BOTsinks generate alert details in the Open Indicator of Compromise (OpenIOC) and Structured Threat
Information eXpression (STIX) formats for sharing threat information with cyber threat analysts and
other security products.
• Because legitimate hosts have no reason to interact with a decoy, every alert BOTsink raises is
actionable and carries the intelligence needed to take immediate action.
• BOTsink increases detection velocity and minimizes the chance of cross-contamination and contagion.
Attivo BOTsink systems are on-premise and cloud-based BOT and APT detection security tools that
complement existing security systems. The BOTsink solution captures BOTs as they begin scanning the
network's clients, servers, and services, and then tracks all of their activity in isolation. It captures and
records all communication and propagation activity for future forensics using the patented
Multi-Dimensional Correlation Engine (MDCE).
This chapter provides high-level networking and cabling information regarding BOTsink appliances.
• You must assign at least one static or dynamic IPv4 address to each engagement VM (the decoy VMs
described under Terminologies) that you plan to use.
• If you connect a trunk port to a monitoring port, you must enable VLAN for that monitoring port in the
BOTsink Manager; otherwise the tagged frames are not delivered to the engagement VMs.
• You can connect trunk or access ports to monitoring ports 3, 4, 5, and 6. You can also connect ports
configured for Link Aggregation Control Protocol (LACP) to the monitoring ports of BOTsink.
This section also explains, at a high level, how traffic flows within a BOTsink physical appliance. In this
example, the four monitoring interfaces of the BOTsink appliance are connected to 4 access ports.
Networking BOTsink appliances
Cabling information for BOTsink physical appliances
• The management interface is connected to your production network so that you can configure and
manage the BOTsink appliance. You use the BOTsink Manager and BOTsink CLI commands to manage
the BOTsink appliance.
• All 4 monitoring interfaces, the proxy interface, and the management interface are 10/100/1000
Ethernet ports.
• The Windows 2008, CentOS, Ubuntu 12.04, Ubuntu 13.10, Windows 7 32-bit and Windows 7 64-bit VMs
are the engagement VMs.
• By assigning network configurations to the engagement VMs, you place the engagement VMs in the
configured subnets. You use the monitoring rules in the BOTsink Manager to assign network
configuration to the engagement VMs.
• The engagement VMs engage the attacking endpoints on your network and at the same time send the
attack details to the BOTsink management VM.
• Traffic originating from the engagement VMs is mostly destined for C&C servers. The VMs are connected
such that this traffic can only go to the sinkhole VM, never directly to your production network.
• To fully analyze the botnet and find out the C&C server details, you might have to provide Internet
access to the bot running on the engagement VM. You can enable and configure the sinkhole proxy
feature in the BOTsink Manager; the sinkhole VM then functions as a proxy server for the engagement
VMs. To keep this botnet traffic off your production network, Attivo recommends connecting a separate
Internet link, such as a DSL modem, to the proxy interface on the BOTsink appliance. Treat that link as
untrusted: it carries live C&C traffic from compromised decoys.
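The networking rules above (monitoring ports 3 to 6 only, VLAN enabled wherever a trunk is attached, at least one IPv4 address per engagement VM, and the per-model VLAN and address limits from the appliance table) are easy to get wrong when a plan is drawn up by hand. The following is an added example, not Attivo code: a small planner that checks a proposed monitoring layout against those rules. The data model (MonitoringPort, DecoyVM), the subnet CIDRs and the decoy addresses are assumptions made for illustration; the limits and port numbers are the ones stated in this guide. The sample plan reproduces Scenario 2 below (four access ports, Windows 2008 and CentOS on all four subnets, Windows 7 only on Finance and Engineering).

```python
import ipaddress
from dataclasses import dataclass, field

# Limits quoted in the appliance table of this guide: (VLAN subnets, monitored IP addresses).
APPLIANCE_LIMITS = {
    "BOTsink-3200": (32, 186),
    "BOTsink-5100": (100, 372),
    "BOTsink-5100W": (100, 372),
}
MONITORING_PORTS = {3, 4, 5, 6}   # monitoring interfaces of the physical appliance


@dataclass
class MonitoringPort:
    number: int
    trunk: bool                  # upstream switch port is a trunk (tagged frames)
    vlan_enabled: bool           # VLAN enabled for this port in the BOTsink Manager
    # VLAN ID -> subnet CIDR carried on this port; VLAN 0 means untagged (access port).
    subnets: dict = field(default_factory=dict)


@dataclass
class DecoyVM:
    name: str
    # (monitoring port, VLAN ID) -> list of static IPv4 addresses given to this VM.
    addresses: dict = field(default_factory=dict)


def validate_plan(model: str, ports: list, decoys: list) -> list:
    """Return the list of rule violations; an empty list means the plan is consistent."""
    errors = []
    if model not in APPLIANCE_LIMITS:
        return [f"unknown appliance model {model!r}"]
    max_vlans, max_ips = APPLIANCE_LIMITS[model]
    port_map = {}
    for p in ports:
        if p.number not in MONITORING_PORTS:
            errors.append(f"port {p.number}: not a monitoring port (use 3-6)")
        if p.number in port_map:
            errors.append(f"port {p.number}: listed twice")
        port_map[p.number] = p
        if p.trunk and not p.vlan_enabled:
            errors.append(f"port {p.number}: trunk attached but VLAN not enabled in the Manager")
        if not p.trunk and set(p.subnets) - {0}:
            errors.append(f"port {p.number}: access port cannot carry tagged VLANs")
    vlan_subnets = {(p.number, v) for p in ports for v in p.subnets if v != 0}
    if len(vlan_subnets) > max_vlans:
        errors.append(f"{len(vlan_subnets)} VLAN subnets exceeds the {max_vlans} supported by {model}")
    owner, total_ips = {}, 0
    for d in decoys:
        if not any(d.addresses.values()):
            errors.append(f"{d.name}: needs at least one IPv4 address")
        for (port_no, vlan), ips in d.addresses.items():
            p = port_map.get(port_no)
            if p is None or vlan not in p.subnets:
                errors.append(f"{d.name}: port {port_no} VLAN {vlan} is not a monitored subnet")
                continue
            net = ipaddress.ip_network(p.subnets[vlan])
            for ip in ips:
                total_ips += 1
                addr = ipaddress.ip_address(ip)
                if addr.version != 4:
                    errors.append(f"{d.name}: {ip} is not an IPv4 address")
                elif addr not in net:
                    errors.append(f"{d.name}: {ip} is outside {net} (port {port_no}, VLAN {vlan})")
                key = (port_no, vlan, ip)
                if key in owner:
                    errors.append(f"{d.name}: {ip} is already assigned to {owner[key]}")
                owner[key] = d.name
    if total_ips > max_ips:
        errors.append(f"{total_ips} monitored addresses exceeds the {max_ips} supported by {model}")
    return errors


def scenario_2_plan():
    """Scenario 2 of this guide on a BOTsink-3200: four access ports, one subnet each.
    The CIDRs and decoy addresses are constructed for this example."""
    names = {3: "Finance", 4: "Engineering", 5: "Datacenter", 6: "DMZ"}
    ports = [MonitoringPort(n, False, False, {0: f"10.10.{n - 2}.0/24"}) for n in names]
    decoys = [
        DecoyVM("Windows 2008", {(n, 0): [f"10.10.{n - 2}.10"] for n in names}),
        DecoyVM("CentOS 7", {(n, 0): [f"10.10.{n - 2}.11"] for n in names}),
        # Windows 7 is a client decoy, so it is placed only in Finance and Engineering.
        DecoyVM("Windows 7", {(3, 0): ["10.10.1.12"], (4, 0): ["10.10.2.12"]}),
    ]
    return "BOTsink-3200", ports, decoys


if __name__ == "__main__":
    for problem in validate_plan(*scenario_2_plan()) or ["plan is consistent"]:
        print(problem)
```

Run it before applying monitoring rules in the Manager: the checks that matter most in practice are the trunk-without-VLAN case (frames arrive tagged and never reach a decoy) and decoy addresses that fall outside the subnet of the VLAN they are mapped to (the decoy is unreachable and detects nothing).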
BOTsink physical and virtual appliances can be deployed in internal networks (Layer 2 and Layer 3),
datacenters, and on the cloud.
Consider the following scenarios to understand some of the popular deployment options for BOTsink.
For ease of explanation, the illustrations in this document feature only a few subnets and only sections of
larger networks.
A trunk port on the distribution switch (indicated by a black circle in the illustration) is configured so that
packets from the 3 monitored subnets are tagged with their respective VLANs. For example, traffic from
the 10.10.100.x subnet is tagged with VLAN 100 as it leaves the distribution switch. So, if an endpoint on
this subnet scans other endpoints on the same subnet, the engagement VM with IP address 10.10.100.10
is also targeted and the attack is detected. This deployment enables you to place an engagement VM in
each monitored subnet.
Deployment options for BOTsink appliances
Scenario 2: Deploying in multiple non-VLAN subnets
Four different subnets are connected to the 4 monitoring interfaces of the BOTsink physical appliance. The
Windows 2008 and CentOS engagement VMs are configured (in the BOTsink Manager) so that they are
connected to all 4 monitored subnets.
Since a Windows 7 client decoy would look out of place in the datacenter and DMZ subnets, this VM is
configured only for the Finance and Engineering subnets.
For software-defined data centers (SDDC), you can use either the BOTsink physical or the virtual appliance
for the BOTsink solution. The following diagram shows an SDDC consisting of 3 ESXi hosts and a distributed
vSwitch connecting the VMs on these ESXi hosts.
When you deploy the BOTsink virtual appliance, you can place the BOTsink engagement VMs among the
production VMs and across the subnets in the ESXi hosts.
One option is to deploy the engagement VMs where it matters most: among high-value networked assets
and other critical network resources. For example, you can deploy the engagement VMs in the same subnet
as your networked manufacturing equipment, so that an engagement VM detects any compromised endpoint
targeting your high-value networked devices.
This option enables you to place an engagement VM in each small subnet. In this method, you deploy a
dedicated aggregation switch for BOTsink. You connect one of the monitoring ports (for example, port 3) of
the BOTsink physical appliance to a trunk port (carrying all VLANs) on the aggregation switch. A trunk port
from each L3 switch is connected to a trunk port on the aggregation switch, so the packets reaching the
aggregation switch are tagged with their respective VLANs. Based on this VLAN tag, BOTsink delivers each
packet to the corresponding engagement VM.
Configure a trunk port (allowing VLANs 100, 101, and 102) on the aggregation switch (black circle). Connect,
for example, monitoring port 3 of a BOTsink physical appliance to this trunk port, and configure monitoring
port 3 in the BOTsink Manager for VLANs 100, 101, and 102.
This deployment method enables you to place an engagement VM in each subnet. In this example, any
attack on the 10.10.100.x, 10.10.101.x, and 10.10.102.x subnets can also reach the corresponding
engagement VMs hosted on the BOTsink appliance. Consider an endpoint on the 10.10.101.x subnet
performing reconnaissance against other endpoints in the same subnet. This attack traffic reaches the
additional switch (yellow circle) and is tagged with VLAN 101 when it exits through the trunk port. When
BOTsink receives these tagged packets, it sends them to the engagement VM with IP address 10.10.101.10.
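To make the VLAN-to-decoy delivery described in this scenario (and in the distribution-switch scenario earlier) concrete, here is an added example that is not Attivo code and does not claim to reproduce BOTsink's internal implementation: a standard 802.1Q frame parser that takes the frames arriving on a monitoring port, reads the VLAN ID from the tag, and hands each IPv4 or ARP frame aimed at a decoy address to that decoy. It also shows the two failure modes a practitioner should expect: a tagged frame arriving on a port where VLAN is not enabled in the Manager is dropped, and a VLAN the port is not configured for is dropped. The decoy names and the sample frames are constructed for this example; the addresses 10.10.100.10, 10.10.101.10 and 10.10.102.10 and VLANs 100 to 102 are the ones used in the scenario text.

```python
import ipaddress
import struct

ETHERTYPE_VLAN = 0x8100   # 802.1Q tag protocol identifier
ETHERTYPE_IPV4 = 0x0800
ETHERTYPE_ARP = 0x0806


def parse_frame(frame: bytes):
    """Split an Ethernet frame into (vlan_id, ethertype, payload).

    vlan_id is None for an untagged frame. For an 802.1Q frame the VID is the low
    12 bits of the TCI; the PCP and DEI bits are masked off so priority-marked
    scan traffic still lands in the right VLAN.
    """
    if len(frame) < 14:
        raise ValueError("runt frame")
    ethertype = struct.unpack("!H", frame[12:14])[0]
    vlan_id, offset = None, 14
    if ethertype == ETHERTYPE_VLAN:
        if len(frame) < 18:
            raise ValueError("truncated 802.1Q header")
        tci, ethertype = struct.unpack("!HH", frame[14:18])
        vlan_id, offset = tci & 0x0FFF, 18
    return vlan_id, ethertype, frame[offset:]


def target_ip(ethertype: int, payload: bytes):
    """Return the IPv4 address a frame is aimed at (IPv4 destination or ARP target)."""
    if ethertype == ETHERTYPE_IPV4 and len(payload) >= 20:
        return str(ipaddress.IPv4Address(payload[16:20]))
    if ethertype == ETHERTYPE_ARP and len(payload) >= 28:
        return str(ipaddress.IPv4Address(payload[24:28]))
    return None


class MonitoringPort:
    """One monitoring port and the decoy addresses placed behind it.

    decoys maps a VLAN ID (0 for an untagged access port) to {ip: decoy name}.
    """

    def __init__(self, number: int, vlan_enabled: bool, decoys: dict):
        self.number, self.vlan_enabled, self.decoys = number, vlan_enabled, decoys

    def dispatch(self, frame: bytes):
        """Return (decoy name, 'engaged') or (None, reason the frame was not delivered)."""
        vlan_id, ethertype, payload = parse_frame(frame)
        if vlan_id is not None and not self.vlan_enabled:
            return None, f"dropped: tagged frame but VLAN not enabled on port {self.number}"
        key = 0 if vlan_id is None else vlan_id
        table = self.decoys.get(key)
        if table is None:
            return None, f"dropped: VLAN {key} is not monitored on port {self.number}"
        dst = target_ip(ethertype, payload)
        if dst is None:
            return None, "ignored: not an IPv4 or ARP frame"
        if dst not in table:
            return None, f"ignored: {dst} is not a decoy address"
        return table[dst], "engaged"


def build_frame(dst_ip: str, vlan_id=None, pcp=0, arp=False, src_ip="10.10.101.55") -> bytes:
    """Construct a minimal sample frame (constructed test data, not captured traffic)."""
    hdr = b"\xff" * 6 + b"\x00\x11\x22\x33\x44\x55"          # dst MAC, src MAC
    if vlan_id is not None:
        hdr += struct.pack("!HH", ETHERTYPE_VLAN, (pcp << 13) | (vlan_id & 0x0FFF))
    if arp:   # ARP request: who-has dst_ip, as an ARP sweep would send
        body = struct.pack("!HHBBH", 1, ETHERTYPE_IPV4, 6, 4, 1)
        body += b"\x00\x11\x22\x33\x44\x55" + ipaddress.IPv4Address(src_ip).packed
        body += b"\x00" * 6 + ipaddress.IPv4Address(dst_ip).packed
        return hdr + struct.pack("!H", ETHERTYPE_ARP) + body
    ip = bytearray(20)                                        # bare IPv4 header
    ip[0], ip[9] = 0x45, 6                                    # IHL 5, protocol TCP
    ip[12:16] = ipaddress.IPv4Address(src_ip).packed
    ip[16:20] = ipaddress.IPv4Address(dst_ip).packed
    return hdr + struct.pack("!H", ETHERTYPE_IPV4) + bytes(ip)


def example_port(vlan_enabled=True) -> MonitoringPort:
    """Monitoring port 3 of the aggregation-switch scenario: VLANs 100, 101 and 102."""
    return MonitoringPort(3, vlan_enabled, {
        100: {"10.10.100.10": "decoy-vlan100"},
        101: {"10.10.101.10": "decoy-vlan101"},
        102: {"10.10.102.10": "decoy-vlan102"},
    })


if __name__ == "__main__":
    port = example_port()
    print(port.dispatch(build_frame("10.10.101.10", vlan_id=101)))
    print(example_port(vlan_enabled=False).dispatch(build_frame("10.10.101.10", vlan_id=101)))
```

The same class also models Scenario 2: an access port is a MonitoringPort with vlan_enabled set to False and a single entry under VLAN 0, and untagged frames are matched against that entry. Note that delivery keys on the VLAN tag, not on the destination subnet, which is why the trunk to the monitoring port must carry every VLAN you want a decoy in.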