Sentinel and Deception

Some complained about the Attivo acquisition being too expensive saying Sentinel only talked about Identity which was a fairly new product for Attivo and ignored Deception, which had been their mainstay.

Here’s an excerpt from a press release from today:


…announced its results from the inaugural MITRE Engenuity ATT&CK® Deception Evaluation. As the first and only XDR vendor to participate, SentinelOne has the most comprehensive MITRE ATT&CK® analytic coverage, helping enterprises reduce risk across device, cloud, and identity attack surfaces. SentinelOne was recognized for its ability to defend against sophisticated identity-based attacks and insider threats.

The inaugural MITRE ATT&CK Deception Evaluation tested vendors’ ability to protect against the APT29 threat group. SentinelOne’s Singularity XDR platform - and specifically its Hologram deception solution - was recognized for its ability to:

Provide Real-Time Protection Against Active Directory Compromise. Every time adversaries tried to gain access to Active Directory (AD), SentinelOne protected against theft with evasion techniques and decoy credentials.

Secure Critical Assets. SentinelOne uses data cloaking to mislead adversaries, keeping file and account information across identity, data, endpoint, cloud and IoT secure to prevent data theft and destruction.

Stop Lateral Movement and Privilege Escalation. SentinelOne blocked the use of Golden Ticket and Silver Ticket attack techniques, stopping adversaries from gaining access to endpoints on the network.

Optimize Insight into Adversary Behavior. Taking a step beyond detection and response, SentinelOne provided detailed insight across adversary behavior, including ingestible, actionable TTP information and high-confidence, substantiated attack forensics.

“As attackers continue to evade security controls, enterprises need modern XDR solutions that protect against threats at every stage of the attack lifecycle,” said Raj Rajamani, Chief Product Officer, SentinelOne. “SentinelOne is the first XDR provider to natively include identity and deception. Our results in the inaugural MITRE ATT&CK Deception Evaluation confirm SentinelOne’s commitment to push the boundaries of autonomous technology as we help enterprises protect against identity-based attacks.”


Stop Lateral Movement and Privilege Escalation.

Lateral movement is the second phase of a cyber attack on an endpoint. Endpoints regularly get infected even with the best XDR because the attacks are always changing, frequently socially engineered. Once a small foothold is established on the endpoint, the real work begins for the malware. It must discover its neighbors and quietly attempt to laterally move to a more valuable resource, the AD being the pot of gold. AD is where all the credentials live, so essentially the keys to the house.

There are many techniques to get access to a neighbor, such as an old-time favorite called the pass-the-hash method. Lateral movement is VERY difficult to detect because the methods used appear as normal traffic operations. Thus no alarms are triggered. Or detection methods can become overly sensitized and prone to false positives on normal traffic. False positives get the security folks to start ignoring alarms. Not a good thing. Lateral movement is rocket science.

IMO SentinelOne’s advances in detecting lateral movement are a discriminating selling point to customers.
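As an added example that is not part of the original post and is not SentinelOne's or Attivo's own code, here is a small Python detector that makes the post's point about false positives concrete: run over constructed log lines, it rates an NTLM network logon as only a low-confidence hint, while any use of a decoy account or decoy host (the deception approach the press release describes) is a high-confidence alert because nothing legitimate ever touches a decoy. The event field names, decoy names and sample events are all assumptions, not a real log schema.

```python
# Added example, not from the post or from any vendor. Event lines are constructed
# and loosely modelled on Windows Security events 4624 (logon) and 4768/4769
# (Kerberos ticket requests); the JSON field names are assumptions.
import json
from typing import List, Optional, Tuple

# Decoy ("honeytoken") accounts and hosts that no legitimate process should ever use.
DECOY_ACCOUNTS = {"svc_backup_old", "adm_helpdesk2"}
DECOY_HOSTS = {"FILESRV-ARCHIVE"}

# Constructed sample events: one healthy Kerberos logon, one NTLM logon, one logon
# with a decoy account, one ticket request for a decoy host, one ordinary TGT request.
SAMPLE_EVENTS = [
    '{"event_id": 4624, "user": "alice", "src": "WS01", "dst": "FS01", "logon_type": 3, "auth": "Kerberos"}',
    '{"event_id": 4624, "user": "alice", "src": "WS01", "dst": "FS02", "logon_type": 3, "auth": "NTLM"}',
    '{"event_id": 4624, "user": "svc_backup_old", "src": "WS01", "dst": "FS02", "logon_type": 3, "auth": "NTLM"}',
    '{"event_id": 4769, "user": "alice", "src": "WS01", "service": "cifs/FILESRV-ARCHIVE"}',
    '{"event_id": 4768, "user": "bob", "src": "WS07", "service": "krbtgt"}',
]


def classify(event: dict) -> Optional[Tuple[str, str]]:
    """Return (severity, reason) for one event, or None if nothing stands out."""
    user = event.get("user", "")
    if user in DECOY_ACCOUNTS:
        # A decoy account has no legitimate users, so any use is a near-certain signal.
        return ("high", f"decoy account {user} used from {event.get('src')}")
    service = event.get("service", "")
    target_host = service.split("/", 1)[1] if "/" in service else ""
    if target_host in DECOY_HOSTS:
        return ("high", f"ticket requested for decoy host {target_host} by {user}")
    if event.get("event_id") == 4624 and event.get("logon_type") == 3 and event.get("auth") == "NTLM":
        # NTLM network logons also occur in healthy networks, so on their own they are
        # the false-positive-prone kind of signal the post describes; rate them low.
        return ("low", f"NTLM network logon by {user} to {event.get('dst')}")
    return None


def run(lines: List[str]) -> List[Tuple[str, str]]:
    """Parse JSON event lines and return the non-empty classifications in order."""
    findings = []
    for line in lines:
        result = classify(json.loads(line))
        if result:
            findings.append(result)
    return findings


if __name__ == "__main__":
    for severity, reason in run(SAMPLE_EVENTS):
        print(f"[{severity}] {reason}")
```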