Quite a lot of people whom I’m following on Twitter were talking about the release of MazeRunner Community Edition, so I decided to check it out. I haven’t had the chance to play with MazeRunner yet – the open beta will only be available at the end of July. Information used to write this quick look was taken from Cymmetria’s websites, whitepapers, and other official sources.
This write-up introduces the concept of deception technologies and MazeRunner’s elegant approach to composing a deception campaign or story. It is not about the use of MazeRunner, nor its features or functionality.
Note: Before you get yourself into deception tools/technologies such as MazeRunner, I suggest you first get yourself familiar with Rob M. Lee’s Sliding Scale of Cyber Security.
Deception – Taking an Attacker-Oriented Approach
Deception technology is gaining popularity due to the increasing need for an effective ‘hyper-active’ solution to fight threat actors (Seriously, read the paper I recommended earlier: The Sliding Scale of Cyber Security).
While attacks themselves are ever-changing, the psychology and the structure of the modus operandi of the attackers (e.g. the cyber kill chain) remain largely the same. This is where deception comes in – taking an attacker-oriented, rather than an attack-focused approach.
The idea of a deception solution is to lead the attacker along a pre-planned path to where the defenders want them to be – i.e. catching attackers the moment they enter the network, exploiting their predictable pattern of behaviour (e.g. the cyber kill chain), and leading them through a controlled path into an environment where they can be hunted or studied.
The effectiveness of such a campaign is, thus, determined by how well its paths divert attackers away from the real valuable assets and into the controlled environments.
MazeRunner – a Deception Solution
A deception technology is, therefore, a solution that aids defenders in creating such pre-planned, controlled paths. MazeRunner does this by positioning itself as a platform for creating deception campaigns / stories – influencing the behaviour of attackers by feeding them false information (breadcrumbs), and diverting them from the real valuable assets to controlled environments (decoys) where they can be hunted or studied (e.g. their technologies/tools, tactics, techniques and procedures).
The Breadcrumbs-Services-Decoys Trio
Deception campaigns/stories are built based on MazeRunner’s architectural pillars: Breadcrumbs, Services and Decoys.
Breadcrumbs. Passive elements of data (e.g. Cookies, RDP and SSH credentials, shared directory mappings, etc.) placed within the organisation’s networks to be found by attackers when they’re performing reconnaissance.
Services. These are the ways in which an attacker interacts with the decoys. Each decoy runs services (e.g. SMB, RDP, SSH, VPN services, etc.). Each breadcrumb leads to a specific service on a decoy, and many breadcrumbs may lead to the same decoy.
Decoys. Decoys are (virtual) machines. They look and act like production machines. Every time an attacker interacts with a decoy, MazeRunner generates an event which can be used for the hunting and studying of the attacker.
A deception campaign/story can easily be overthought. MazeRunner’s approach of composing a deception story as a combination of breadcrumbs, services and decoys is an effective and elegant way to deploy deception capabilities.
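To make the breadcrumbs-services-decoys trio concrete (and the pre-planned path idea from the previous section), here is a small added model of a deception story. It is illustration only, not MazeRunner’s code: the class names, fields, sample hostnames and the event format are assumptions; only the three concepts and the rule that each breadcrumb leads to a specific service on a decoy come from the write-up.

```python
"""Toy model of a deception story built from breadcrumbs, services and decoys.

Added illustration, not MazeRunner's code: the class names, fields and the
sample hostnames below are assumptions; only the three concepts and the
rule "each breadcrumb leads to one service on one decoy" come from the text.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Service:
    name: str   # protocol the decoy exposes, e.g. "ssh", "rdp", "smb"
    port: int


@dataclass
class Decoy:
    hostname: str
    services: Dict[str, Service] = field(default_factory=dict)

    def add_service(self, svc: Service) -> "Decoy":
        self.services[svc.name] = svc
        return self


@dataclass(frozen=True)
class Breadcrumb:
    kind: str        # passive lure type, e.g. "ssh_credential", "share_mapping"
    planted_on: str  # production host on which the lure is placed
    decoy: str       # hostname of the decoy the lure points at
    service: str     # service name on that decoy


class Campaign:
    def __init__(self) -> None:
        self.decoys: Dict[str, Decoy] = {}
        self.breadcrumbs: List[Breadcrumb] = []
        self.events: List[dict] = []

    def add_decoy(self, decoy: Decoy) -> None:
        self.decoys[decoy.hostname] = decoy

    def add_breadcrumb(self, bc: Breadcrumb) -> None:
        # A breadcrumb must lead to a specific service on an existing decoy;
        # a lure that points nowhere is a story with a hole in it.
        decoy = self.decoys.get(bc.decoy)
        if decoy is None:
            raise ValueError(f"breadcrumb points at unknown decoy {bc.decoy!r}")
        if bc.service not in decoy.services:
            raise ValueError(f"decoy {bc.decoy!r} does not run {bc.service!r}")
        self.breadcrumbs.append(bc)

    def orphan_decoys(self) -> List[str]:
        """Decoys no breadcrumb leads to: an attacker following lures never finds them."""
        reachable = {bc.decoy for bc in self.breadcrumbs}
        return sorted(h for h in self.decoys if h not in reachable)

    def record_interaction(self, src: str, host: str, port: int) -> Optional[dict]:
        """Any connection to a decoy is an event: nothing legitimate should touch one.

        The matching breadcrumbs tell the hunter which production host the
        attacker must have been on to pick up that lure.
        """
        decoy = self.decoys.get(host)
        if decoy is None:
            return None  # production host, not a decoy, so no deception event
        svc = next((s for s in decoy.services.values() if s.port == port), None)
        lures = [bc for bc in self.breadcrumbs
                 if bc.decoy == host and svc is not None and bc.service == svc.name]
        event = {
            "src": src,
            "decoy": host,
            "service": svc.name if svc else f"port-{port}",
            "likely_source_hosts": sorted({bc.planted_on for bc in lures}),
        }
        self.events.append(event)
        return event


def build_sample_campaign() -> Campaign:
    """Constructed sample: three decoys, three lures planted on two workstations."""
    c = Campaign()
    c.add_decoy(Decoy("fileserver-decoy").add_service(Service("smb", 445)))
    c.add_decoy(Decoy("jump-decoy")
                .add_service(Service("ssh", 22))
                .add_service(Service("rdp", 3389)))
    c.add_decoy(Decoy("db-decoy").add_service(Service("ssh", 22)))  # deliberately orphaned
    c.add_breadcrumb(Breadcrumb("share_mapping", "ws-finance-01", "fileserver-decoy", "smb"))
    c.add_breadcrumb(Breadcrumb("ssh_credential", "ws-finance-01", "jump-decoy", "ssh"))
    c.add_breadcrumb(Breadcrumb("rdp_credential", "ws-hr-07", "jump-decoy", "rdp"))
    return c


if __name__ == "__main__":
    campaign = build_sample_campaign()
    print("orphan decoys:", campaign.orphan_decoys())
    print(campaign.record_interaction("10.0.5.23", "jump-decoy", 22))
    print(campaign.record_interaction("10.0.5.23", "ws-finance-01", 445))
```

Two checks in the model are worth keeping when designing a real story: `orphan_decoys()` flags decoys that no lure points at (an attacker following the breadcrumbs will never reach them, so they add nothing to the path), and `record_interaction()` turns every touch of a decoy into an event that also names the production hosts on which the matching lures were planted, which is where hunting starts.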
I’m Not Done Yet … Let’s Talk About Patchwork
A write-up on MazeRunner would be incomplete without mentioning Patchwork – a targeted attack that was caught by MazeRunner.
An attack was detected as part of a spear-phishing campaign against a European government organisation in late May 2016. The target was an employee working on Chinese policy research; the attack vector was a PowerPoint presentation file whose content concerned Chinese activity in the South China Sea. It was later discovered that an estimated 2,500 targets were infected, and that the attack dates back to December 2015. This targeted campaign is dubbed Patchwork, named after the way the attacker’s code was put together. Targets of Patchwork were chosen worldwide, with a focus on personnel working on military and political assignments, and specifically those working on issues relating to Southeast Asia and the South China Sea.
Patchwork activities were conducted in stages: the attacker assesses the validity of a target before performing more advanced attacks. MazeRunner – through the breadcrumbs-services-decoys trio – was used to deceive the attacker into revealing their technologies, tactics, techniques, procedures, and capabilities.
A detailed report on Patchwork is available via Cymmetria:
Do also check out Cymmetria’s GitHub repository, containing all the Indicators of Compromise (IOCs) for the report. The IOCs are provided in CSV and STIX (Structured Threat Information Expression) formats:
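A CSV indicator list is only useful once it is run against your own telemetry. The following added example (mine, not from Cymmetria’s repository) shows one way to do that. The CSV layout (`type,value,description`), the indicator values and the log lines are all constructed placeholders; the real Patchwork indicators and their column layout are whatever the repository provides.

```python
"""Match a CSV indicator list against log lines.

Added example, not from Cymmetria's repository: the CSV below is a
constructed placeholder with an assumed "type,value,description" layout,
and the log lines are made up. Real indicators come from the repository.
"""
import csv
import io
import re
from typing import Dict, Iterable, List, Set

# Constructed placeholder indicators (not real Patchwork IOCs).
IOC_CSV = """type,value,description
domain,c2-placeholder.invalid,constructed C2 domain (placeholder)
ip,198.51.100.23,constructed C2 address (RFC 5737 test range)
md5,00000000000000000000000000000000,constructed dropper hash (placeholder)
"""

# Constructed proxy / firewall / EDR lines in an assumed key=value format.
LOG_LINES = [
    "2016-06-01T10:02:11Z proxy src=10.0.5.23 host=update.example.com status=200",
    "2016-06-01T10:02:19Z proxy src=10.0.5.23 host=C2-Placeholder.invalid status=200",
    "2016-06-01T10:03:02Z fw src=10.0.5.23 dst=198.51.100.23 dport=443 action=allow",
    "2016-06-01T10:05:40Z edr host=ws-hr-07 file=report.pps md5=00000000000000000000000000000000",
]


def load_iocs(text: str) -> Dict[str, Set[str]]:
    """Group indicator values by type, normalised to lower case."""
    by_type: Dict[str, Set[str]] = {}
    for row in csv.DictReader(io.StringIO(text)):
        kind = row["type"].strip().lower()
        by_type.setdefault(kind, set()).add(row["value"].strip().lower())
    return by_type


# Which log fields each indicator type can appear in (assumed log format).
_FIELD_RE = {
    "domain": re.compile(r"\bhost=([^\s]+)"),
    "ip": re.compile(r"\b(?:src|dst)=(\d{1,3}(?:\.\d{1,3}){3})"),
    "md5": re.compile(r"\bmd5=([0-9a-fA-F]{32})"),
}


def match_line(line: str, iocs: Dict[str, Set[str]]) -> List[dict]:
    """Return one hit per indicator found on the line; comparison is case-insensitive."""
    hits: List[dict] = []
    for kind, values in iocs.items():
        pattern = _FIELD_RE.get(kind)
        if pattern is None:
            continue  # indicator type we have no extractor for
        for found in pattern.findall(line):
            if found.lower() in values:
                hits.append({"type": kind, "value": found.lower(), "line": line})
    return hits


def scan(lines: Iterable[str], iocs: Dict[str, Set[str]]) -> List[dict]:
    return [hit for line in lines for hit in match_line(line, iocs)]


if __name__ == "__main__":
    for hit in scan(LOG_LINES, load_iocs(IOC_CSV)):
        print(f"{hit['type']:6} {hit['value']:40} {hit['line']}")
```

Values are lower-cased on both sides so that a mixed-case hostname in a proxy log still matches, and a separate extractor per indicator type keeps an IP indicator from matching inside an unrelated field such as a file name.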