Cymmetria’s MazeRunner

Problems it solves

High costs

Risk of attacks by hackers

Risk of data loss or damage

Risk of lost access to data and IT systems

Values

Reduce Costs

Ensure Security and Business Continuity

Cymmetria’s MazeRunner platform lets you dominate an attacker’s movements from the very beginning and lead them to a monitored deception network.

Description

What Is Cyber Deception?

Cyber deception leverages the fact that attackers always follow a predictable attack pattern: reconnaissance, lateral movement, and exploitation. When attackers use tools like Responder.py (for Pass-the-Hash attacks) while targeting sensitive business processes and assets (e.g., SWIFT), deception technology creates a controlled path for them to follow. Attackers are diverted from organizational assets and into controlled environments, giving defenders the upper hand in detection, investigation, and mitigation.

How MazeRunner Works

MazeRunner gives organizations a solution for creating effective deception stories. Deception stories, which consist of breadcrumbs and decoys, lead attackers to believe that they have successfully gained access to a target machine. Breadcrumbs are data elements (such as credentials) that lead attackers to decoys. Decoys are machines that run live services; when they are attacked, MazeRunner raises an alert and gathers forensic data.

Cymmetria Features

  • Git - Source-code management for Linux decoys
  • MySQL - Database service for Linux decoys
  • Network Monitor - Monitors for unrecognized machines in the network
  • OpenVPN - Virtual private network (VPN) service for Linux decoys
  • RDP - Remote Desktop service for Windows decoys
  • Responder - In addition to connecting to the network breadcrumb, this service can monitor for attackers performing NBNS spoofing and Responder usage directly from the decoy. The username, domain, and password will be fed to the attacker from the decoy. Activating MazeRunner’s Pass-the-Hash Monitor (ActiveSOC > Pass-the-Hash Monitor) allows raising alerts when stolen credentials are used in the network
  • SMB - Creates a shared folder on the decoy. For Windows and Linux decoys
  • SSH - Remote shell service for Linux decoys
  • Web application - Allows running a custom, user-controlled website, or a built-in HTTP server with a pre-set web application such as MediaWiki, SugarCRM, or phpMyAdmin. For Linux decoys