Attivo BOTsink Physical Appliance

To integrate with Attivo BOTsink Physical Appliance, perform the following steps (detailed instructions for each step follow below):

  1. Generate an API Key
  2. Configure Attivo BOTsink
  3. Download the Frontline-BOTsink connector virtual image
  4. Deploy the Frontline-BOTsink connector on your network
  5. Configure the Integration
  6. Example Usage

Requirements

  • Attivo BOTsink version 4.1 or higher (physical version of the appliance)
  • Frontline-BOTsink connector Virtual Image
  • Ability to deploy Frontline-BOTsink connector
  • Fortra VM API Key

Generate a Fortra VM API Key

  1. Log in to Fortra VM.

  2. In the site header, select your name and choose My profile.

  3. On the API Tokens tab, select Create new token.

  4. In the Add New Token dialog, type the token name and select OK.

  5. Below your token name, selecting Click to show key displays your API Key.

  6. IMPORTANT: An API Key is equivalent to a user’s password. Do not use a key with more than one product integration. If you believe a key is compromised, delete the token from Fortra VM immediately by selecting the trash can icon and resulting check-mark to confirm.

Configure Attivo BOTsink

Create a user with REST API access type

  1. Navigate to Administration > User Accounts > Configuration.
  2. Click Add.
  3. Fill out the User Details information. Ensure that Access Type is set to REST API and Save.

Download the Frontline-BOTsink connector

The Frontline-BOTsink connector OVA can be downloaded here:

FVM-BOTsink-Connector-PAS.ova

Deploy the Frontline-BOTsink connector on your network

  1. Connect the virtual image to your network, where it can reach your BOTsink instance.
  2. ssh to the Frontline-BOTsink connector virtual machine with the following default credentials:

     user: fvm-connector
     password: Vu!nr3duCe7325

     E.g.: ssh fvm-connector@<ip_address>

     Once you have gained access to the machine, it is recommended you change the default user’s password. Run the passwd command and follow the instructions.

  3. Next, run the command sudo -i to gain root access.
    • Before launching the connector, set the CONNECTOR_IP environment variable to the deployed virtual image’s IP address (with the port, as in the example below).
    • To ensure an encrypted connection, add your SSL certs to the machine and set the following environment variables:

      export PATH_TO_CERT="/path/to/your/certfile"
      export PATH_TO_KEY="/path/to/your/keyfile"
      export CONNECTOR_IP="1.1.1.1:8000"

  4. TIP: You can generate your own self-signed cert and key with the following command:
     openssl req -x509 -newkey rsa:4096 -nodes -out cert.pem -keyout key.pem -days 365
  5. Return to the project’s root directory: cd /home/attivo/
  6. Finally, run the start-up script via the following command: ./startup.sh
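The following preflight script is an added example and is not part of the connector or its documentation. It checks the three environment variables from step 3 before ./startup.sh is launched: that CONNECTOR_IP is an IPv4 address plus port, that the cert and key files exist and the key is not readable by group or others, and (when openssl is installed) that the certificate actually belongs to the key. The generate_self_signed function wraps the page's openssl command from the TIP and adds -subj and -addext so it runs non-interactively; -addext needs OpenSSL 1.1.1 or later. The file name preflight.sh and the sample address 192.0.2.10 are assumptions.

```shell
#!/bin/sh
# Preflight check for the Frontline-BOTsink connector environment (added example,
# not the connector's own code). Validates CONNECTOR_IP, PATH_TO_CERT and
# PATH_TO_KEY so a typo or an unreadable key fails here rather than in startup.sh.

# Return 0 if $1 looks like <IPv4>:<port> (e.g. 1.1.1.1:8000), otherwise 1.
validate_connector_ip() {
    case "$1" in
        *:*) ;;
        *) echo "CONNECTOR_IP must be <ip>:<port>, got '$1'" >&2; return 1 ;;
    esac
    host=${1%:*}
    port=${1##*:}
    case "$port" in
        ''|*[!0-9]*) echo "bad port in '$1'" >&2; return 1 ;;
    esac
    if [ "$port" -lt 1 ] || [ "$port" -gt 65535 ]; then
        echo "port out of range in '$1'" >&2; return 1
    fi
    # Split the host on dots and require exactly four numeric octets of 0-255.
    old_ifs=$IFS; IFS=.
    set -- $host
    IFS=$old_ifs
    [ $# -eq 4 ] || { echo "host must be dotted-quad IPv4: '$host'" >&2; return 1; }
    for octet in "$@"; do
        case "$octet" in ''|*[!0-9]*) echo "bad octet '$octet'" >&2; return 1 ;; esac
        [ "$octet" -le 255 ] || { echo "octet > 255: '$octet'" >&2; return 1; }
    done
    return 0
}

# Return 0 if the cert ($1) and key ($2) are readable and the key is not readable
# by group or others. The mode string from ls -l is used so the check works on
# both GNU and BSD userlands.
check_cert_files() {
    [ -r "$1" ] || { echo "cert not readable: $1" >&2; return 1; }
    [ -r "$2" ] || { echo "key not readable: $2" >&2; return 1; }
    mode=$(ls -ld "$2" | cut -c1-10)
    case "$mode" in
        ????------) return 0 ;;
        *) echo "key $2 is readable by group/others (mode $mode); run: chmod 600 $2" >&2; return 1 ;;
    esac
}

# Optional: confirm the certificate was issued for the private key by comparing
# their public keys (works for RSA and EC). Skipped when openssl is not installed.
check_cert_key_pair() {
    command -v openssl >/dev/null 2>&1 || { echo "openssl not found, skipping pair check" >&2; return 0; }
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey) || return 1
    key_pub=$(openssl pkey -in "$2" -pubout) || return 1
    [ "$cert_pub" = "$key_pub" ] || { echo "certificate does not match key" >&2; return 1; }
}

# Non-interactive variant of the TIP above: same command, plus -subj so it does
# not prompt and the connector IP as a subject alternative name. $1 is CONNECTOR_IP.
generate_self_signed() {
    ip=${1%:*}
    openssl req -x509 -newkey rsa:4096 -nodes -out cert.pem -keyout key.pem -days 365 \
        -subj "/CN=fvm-botsink-connector" -addext "subjectAltName=IP:$ip" &&
    chmod 600 key.pem
}

# Run every check against the exported variables; exit status 0 means the
# environment is ready for ./startup.sh.
preflight() {
    validate_connector_ip "${CONNECTOR_IP:-}" || return 1
    check_cert_files "${PATH_TO_CERT:-}" "${PATH_TO_KEY:-}" || return 1
    check_cert_key_pair "$PATH_TO_CERT" "$PATH_TO_KEY" || return 1
    echo "preflight OK for CONNECTOR_IP=$CONNECTOR_IP; now run: cd /home/attivo && ./startup.sh"
}

# Usage (after the three export lines from step 3):  sh preflight.sh run
case "${1:-}" in
    run) preflight ;;
esac
```

Run it as root right after the export lines and before ./startup.sh; a non-zero exit names the variable or file that needs fixing. The permission check is deliberately a hard failure: startup.sh reads the key as root, so nothing else on the VM needs read access to it.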

Configure the Integration

The web interface has a default user with the following credentials:

  user: admin
  password: Botsink123

  1. Change the default password. This project is built on Django, which comes with an Admin Interface.
  2. To access it, open up a browser (that can reach the Connector machine) and type the following URL, replacing <ip_address> with your Connector’s IP:

     https://<ip_address>:8000/admin/

  3. Log in with the default credentials.
    • To change the password, click CHANGE PASSWORD in the top right.
    • Follow the instructions given on the screen.
    • If you would like to add other users, navigate to Home and click the + Add symbol next to Users.
    • Once you have finished creating your user(s), navigate to the main site via the following URL:

      https://127.0.0.1:8000/attivo/

    • After logging into the Frontline-BOTsink connector’s web interface, navigate to Settings > Configure Settings.
  4. Here, you can configure the following settings:
    • Connector Update Rate: The rate at which this integration connector will check for decoys to deploy, and vulnerable assets to tag.
    • BOTsink IP Address: IP address of your BOTsink management machine.
    • BOTsink Username: Username of the BOTsink user to be used for the integration. The user must have REST API access.
    • BOTsink User Password: Password for the above user.
    • API Key: Your Frontline API Key.
    • Threat Window: Number of days after which a vulnerable asset tagged in Fortra VM has its tag removed.
  5. Once you have filled out your settings, press Submit. You will be taken to a page to review your settings.
  6. Navigate to Home to return to the dashboard. You will see that you now have the option to run the integration.
  7. Press Run Integration to start the integration based on your newly configured settings.
  8. To stop running the integration, simply press Stop Integration.
  9. As the integration runs, it will generate “Integration Events”. You can view these on the home page to monitor the integration’s status.

Example