A typical attack starts by exploiting a user system or a vulnerable web server. Once this is done the attacker is inside the network and has a limited window to move off that system and gain a bigger foothold; this is when they are most likely to be found and stopped. They look at the existing connections on that system to find their next jump: email, file and print servers, and so on. These connections already exist, and the currently compromised system will have some level of access to them. Once there they can grab the cached credentials of users with better privileges and target more profitable things.
This is where the usual honeypot would come in. You drop a few simulated SQL, file, or other servers designed to lure the attacker into connecting to them, and the security team pounces. As we mentioned, these simulated systems are often easy for an advanced attacker to identify and are avoided. Cymmetria has a new approach to the use of honeypots that changes the game more than a little.
We had the chance to sit down with Dean Sysman, CTO and Co-Founder of Cymmetria, during DEF CON to talk about this new method. After a brief discussion of why normal deception techniques fail, we got into the meat of things with their new product, MazeRunner. Where MazeRunner differs from the traditional honeypot is that there is no simulation. Instead, real systems are put in place and carefully monitored for connections and activity. The attacker will not be able to tell these from production systems, is likely to connect to them during the reconnaissance phase, and will be exposed when they do.
Remember that when attackers enter a network they know nothing about it. They have to find the next system to jump to by looking at what connections they currently have. With MazeRunner in place, bread crumbs lure them into a network of virtualized systems created just for them, so that only their connections and traffic are present on it. MazeRunner lets you watch their attempts to dig in deeper and widen their penetration of the network, and exposes their tools and techniques so they can be prevented and identified in future.
So, just how does this work? Once you have MazeRunner deployed you use it to create real servers that actually perform the functions you assign to them. For example, you can create a file server with shares that have real files on them (yes, a real file server with real shared files, not a simulation). You also create credentials and push them out to your endpoints, where they sit waiting for an attacker to steal with something like Mimikatz. You have now set up the bread crumbs to entice an attacker into your deception network. MazeRunner catalogs, and can alert on, every connection to these systems, so you can see every step the attacker takes, including the installation of tools, creation of tunnels, extra accounts, and so on. It does all of this without impacting current business.
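The detection side of the bread-crumb approach, as an added example that is not MazeRunner's code and is not from the original article: a small Python checker that scans logon records for any use of a decoy credential or any connection to a decoy host. The account names, host names, the allow-listed scanner address and the log lines are all constructed for the example; the log format is a simplified key=value rendering loosely modelled on Windows logon events 4624 (success) and 4625 (failure), not a real MazeRunner or Windows format.

```python
"""Honeytoken / bread-crumb detector (added example; not MazeRunner code).

Any authentication attempt with a decoy account, or any connection to a
decoy host, is by definition suspicious: nothing legitimate should know
these credentials or have a reason to talk to these hosts.
"""
import re
from dataclasses import dataclass

# Assumed decoy (domain, username) pairs that were pushed to endpoints
# as bread crumbs. They are valid only on deception-network systems.
DECOY_ACCOUNTS = {("corp", "svc_backup_ro"), ("corp", "fileadmin")}

# Assumed hostnames of the deception-network servers.
DECOY_HOSTS = {"fs02-decoy", "sql01-decoy"}

# Assumed sources allowed to touch decoy hosts without alerting
# (e.g. a vulnerability scanner); keep this list very short.
ALLOWED_SOURCES = {"10.0.9.9"}

KV_RE = re.compile(r"(\w+)=(\S+)")
REQUIRED_FIELDS = {"ts", "event", "host", "domain", "user", "src"}

# Constructed sample input, not real telemetry. Simplified key=value lines
# loosely modelled on Windows logon events (4624 success, 4625 failure).
SAMPLE_LOG = """\
ts=2016-08-05T10:01:02Z event=4624 host=ws-117 domain=corp user=jsmith src=10.0.5.12 logon_type=2
ts=2016-08-05T10:03:44Z event=4625 host=fs02-decoy domain=corp user=svc_backup_ro src=10.0.5.12 logon_type=3
ts=2016-08-05T10:03:50Z event=4624 host=fs02-decoy domain=corp user=svc_backup_ro src=10.0.5.12 logon_type=3
ts=2016-08-05T10:04:10Z event=4624 host=fs01 domain=corp user=jsmith src=10.0.5.12 logon_type=3
ts=2016-08-05T10:05:00Z event=4624 host=sql01-decoy domain=corp user=sa_report src=10.0.5.12 logon_type=3
ts=2016-08-05T10:06:30Z event=4624 host=fs02-decoy domain=corp user=scanner src=10.0.9.9 logon_type=3
this line is malformed and is skipped
"""


@dataclass(frozen=True)
class Alert:
    kind: str   # "decoy_credential" or "decoy_host"
    ts: str
    src: str
    user: str
    host: str
    event: str


def parse_line(line):
    """Return a dict of fields, or None if the line lacks a required field."""
    fields = dict(KV_RE.findall(line))
    if not REQUIRED_FIELDS.issubset(fields):
        return None
    return fields


def classify(rec):
    """Decide whether one logon record touches a bread crumb."""
    if rec["src"] in ALLOWED_SOURCES:
        return None
    # Decoy credential use is the stronger signal: it does not matter where
    # it was used or whether the logon succeeded, the password was harvested.
    if (rec["domain"].lower(), rec["user"].lower()) in DECOY_ACCOUNTS:
        return "decoy_credential"
    if rec["host"].lower() in DECOY_HOSTS:
        return "decoy_host"
    return None


def detect(log_text):
    """Run every line through the classifier and return the alerts in order."""
    alerts = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        kind = classify(rec)
        if kind is not None:
            alerts.append(Alert(kind, rec["ts"], rec["src"],
                                rec["user"], rec["host"], rec["event"]))
    return alerts


def sources_touching_decoys(alerts):
    """Map each source address to the set of decoy hosts it reached,
    which is the pivot list an incident responder wants first."""
    pivots = {}
    for a in alerts:
        pivots.setdefault(a.src, set()).add(a.host)
    return pivots


if __name__ == "__main__":
    found = detect(SAMPLE_LOG)
    for a in found:
        print(f"{a.ts} {a.kind:16} src={a.src} user={a.user} host={a.host} event={a.event}")
    print(sources_touching_decoys(found))
```

Two design points worth keeping when you build something like this for real: a decoy credential is alerted on wherever it is used and whether or not the logon succeeds, because the only way anyone can know that password is by harvesting it from an endpoint; and the allow-list exists because vulnerability scanners and similar legitimate tooling will touch decoy hosts and would otherwise drown the signal in noise. The decoy accounts must only ever be valid on the deception systems, so that a stolen bread crumb buys the attacker nothing on production.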
Dean also told us that Cymmetria has a community edition available, so anyone can tinker with this to see how well it works. He said they did this to get the word out about the technology, and also because sharing information and technology like this helps to strengthen the community. He was not concerned about attackers getting hold of it, as simply having the software will not expose any systems created by it. Knowing that this is out there does shift the balance of power a bit, though. Now that information about it is readily available, an attacker will have to move more cautiously during the initial reconnaissance phase, since they cannot be certain whether they are on a real production system or one placed there to trap them. This leaves them vulnerable to detection and capture for a longer period, or puts them in the trap network where they will be caught.
MazeRunner is designed to scale to large and distributed networks without too much effort on the part of the security team running it. In fact, it has already been used to catch a targeted attack on a network; you can check out the write-up on that here.
We plan to take a look at this in our test lab very soon to see what it looks like in play.