MazeRunner COMMUNITY EDITION USER GUIDE

Transcription

1 MazeRunner COMMUNITY EDITION USER GUIDE March 28, 2017

2 Supported environments (all must have nested virtualization enabled follow the links below to learn more) Requirements VMware Player (7 or higher) VMware Workstation (11 or higher) ESXi server (5.1 or higher) KVM hypervisor Not supported: VirtualBox, Microsoft Hyper-V, Xen Minimum requirements for installation: 500GB minimum storage 4GB of RAM (add 2GB for each additional nested decoy) 2 x 2 GHz (add another CPU core for each additional nested decoy) VMware hypervisor (Player 7 or higher; Workstation 11 or higher; ESXi server 5.1 or higher) or KVM hypervisor, with nested virtualization enabled Additional requirements Nested virtualization Promiscuous mode For deployment automation: o Read-only domain user for importing endpoints from Active Directory o Local admin user on endpoints OR orchestration tool able to run EXE, MSI or shell scripts For Responder: Read-only credentials for Splunk, ArcSight or an API-based integration Quick start 1. First choose which hypervisor you will use to run your MazeRunner virtual machine. Cymmetria suggests using a VMware Player hypervisor, as this is the most straightforward option and involves the least number of steps (it is also free). Other hypervisors are supported as well. 2. Enable nested virtualization on your hypervisor. Please refer to Installation and setup on page 8 for more information. 3. MazeRunner uses DHCP by default. For advanced networking setup or VLAN support, please refer to MazeRunner network configuration on page Use MazeRunner's deception story wizard to create a deception campaign. Using MazeRunner on page 34 will walk you through all aspects of product usage. 5. On the Endpoints screen, you can import endpoints to MazeRunner from Active Directory or CIDR blocks, and then deploy breadcrumbs to them. See Importing endpoints on page 50 and Deploying breadcrumbs on page 58 for details on how to do this. 6. Once the breadcrumbs are deployed, your deception campaign is ready. You can review the Dashboard and the Investigation screen for alerts on attackers accessing your decoys. 7. If you encounter any difficulties while working through this guide, please refer to FAQ / Troubleshooting (on page 103) for help. Cymmetria MazeRunner 2017 Community Edition

3 CONTENTS Introduction What is MazeRunner?... 6 Legal notices... 6 How is the Community Edition different from the Enterprise Edition?... 7 Installation and setup... 8 Virtual appliance (VMware Player)... 8 Virtual appliance (VMware Workstation) Virtual appliance (VMware ESXi) Enabling nested virtualization using vcenter Enabling nested virtualization using VMware Workstation (version 11 and up) Enabling nested virtualization using SSH Powering on your virtual machine Virtual appliance (KVM) Using MazeRunner First use Creating a deception campaign Supported operating systems Types of decoys Types of services Types of breadcrumbs Creating a deception campaign (using the deception story wizard) Creating a basic deception campaign manually Importing endpoints Importing endpoints from Active Directory Importing endpoints from CIDR blocks Post-import Deploying breadcrumbs Deploying breadcrumbs from the Endpoints screen Deploying breadcrumbs from the Campaign screen Scheduling a campaign refresh Integrating with a syslog / SIEM Advanced usage MazeRunner network configuration Static IP Cymmetria MazeRunner 2017 Community Edition

4 VLAN support Non-promiscuous mode SSL certificate SOC Responder ActiveSOC Enterprise Edition only ActiveSOC and Responder activity feed Changing alerting policy Integrating with ThreatConnect Product reference Product interface Task manager Notification center Deception story wizard System menu Configure Diagnostics Manage users Manage API keys Change password Access log Send logs to Cymmetria System update Endpoints screen Filter options Bulk actions Dashboard Investigation screen FAQ / Troubleshooting Decoys not working Problem resolving endpoint name Nested virtualization support Deploying breadcrumbs automatically to Linux machines Creating users Service is inactive/unable to deploy breadcrumbs Cymmetria MazeRunner 2017 Community Edition

5 Running Internet-facing decoys Creating a web application service Creating a Git service Problems during OVA import Problems deploying an OVA decoy on ESXi Automatic deployment to endpoints failed Error: Could not resolve hostname Error: Incorrect credentials Error: SMB TCP ports (139, 445) are unreachable Error: Deployment timeout Error: Deployment failed Error: Invalid configuration for deployment Error: No active deployment group found Error: No breadcrumbs supported on the endpoint's operating system were found in the deployment group Cymmetria MazeRunner 2017 Community Edition

6 INTRODUCTION WHAT IS MAZERUNNER? MazeRunner is a platform for creating effective deception stories. Attackers making lateral movement will first collect information on their next targets. At that time, they will find breadcrumbs deployed by MazeRunner that point to decoys. Once the attackers connect to the decoys, they are led to believe that they have successfully gained access to a target machine. Having gained a false sense of security, attackers reveal their attack tools and methods, which defenders are then able to document and analyze. Finally, MazeRunner communicates with an organization's existing defense infrastructure, exporting threat information that allows for the creation of attack signatures. For a more detailed overview of MazeRunner, please read our product whitepaper, which can be downloaded for free from our website. LEGAL NOTICES Thank you for your interest in the free MazeRunner Community Edition! If you are installing MazeRunner Community Edition for your own private use in a non-commercial and non-production environment, you are not limited in the amount of "decoys" and "endpoints" you may deploy. If you are installing MazeRunner Community Edition on behalf of an organization, you may use the product solely for internal testing and evaluation of the software and its performance in a nonproduction environment. The software is not limited to any number of "decoys" and "endpoints" for the first 30 days, but its use is limited to 1 "decoy" and 10 "endpoints" following this 30 day period. Please consult the full text of the license for additional details, as the full terms of the license govern. For more information or to give feedback, contact support@cymmetria.com or visit our website. Cymmetria MazeRunner 2017 Community Edition

7 HOW IS THE COMMUNITY EDITION DIFFERENT FROM THE ENTERPRISE EDITION? Cymmetria supports the cybersecurity community it calls home and believes strongly in giving back to that community. This is why we decided to release a free Community Edition of our enterprise software platform. The MazeRunner Community Edition is publicly available for private initiatives and research endeavors at no cost or commitment to purchase. The platform is fully customizable and integrates seamlessly with existing IT and security tools, allowing users to implement deception elements across the network. It is flexible and does not burden existing organizational systems. Community Enterprise Linux decoys Windows decoys User-provided decoy image Linux breadcrumbs Windows breadcrumbs Deception stories using business cases Commercial use First 30 days only* Large-scale deployment support API Remote deployment to endpoints through MazeRunner Deception campaign auto-regeneration Alerting through syslog and STIX/TAXII integration Domain integration Alerting of attempts to use deceptive credentials obtained using Responder.py ActiveSOC Get MazeRunner Download machine Contact us *See Legal notices. Cymmetria MazeRunner 2017 Community Edition

8 INSTALLATION AND SETUP This section will guide you through the installation and setup of Cymmetria's MazeRunner solution. It includes information on MazeRunner's platform and deployment. VIRTUAL APPLIANCE (VMWARE PLAYER) To begin, make sure you have VMware Player installed on your computer. Then, navigate to the directory in which the MazeRunner OVA file is stored and proceed according to the following instructions: 1. To import MazeRunner into VMware Player, double-click on the OVA file (if you have multiple hypervisors installed on your computer, you will need to right-click on the OVA file, select "Open with", and then select "VMware Player"). You will need to provide a name and local storage path for the new virtual machine, and then click "Import": 2. Before powering on your new virtual machine, you must enable nested virtualization support in order to run MazeRunner with nested decoys. To do this: a. Make sure the virtual machine is turned off, and then right-click on it and select "Settings ": b. Select the Processors option and make sure the "Virtualize Intel VT-x/EPT or AMD-V/RVI" and "Virtualize CPU performance counters" boxes are checked, then click "OK": Cymmetria MazeRunner 2017 Community Edition

9 c. Nested virtualization is now enabled. 3. Now you can power on your virtual machine by clicking "Play virtual machine": 4. Once your virtual machine finishes booting, you will see its assigned IP address displayed on the console: Cymmetria MazeRunner 2017 Community Edition

10 Save this IP address; you will need to use it in subsequent sections of this guide. That's it! MazeRunner is now ready for use. By default, MazeRunner obtains its network configuration through DHCP. If you would like to change MazeRunner's network configuration, see the section entitled MazeRunner network configuration on page 65 of this guide. Learn more about how to get started with MazeRunner by reading the Using MazeRunner section of this guide. VIRTUAL APPLIANCE (VMWARE WORKSTATION) To begin, make sure you have VMware Workstation installed on your computer. Then, navigate to the directory in which the MazeRunner OVA file is stored and proceed according to the following instructions: 1. To import MazeRunner into VMware Workstation, double-click on the OVA file. You will need to provide a name and local storage path for the new virtual machine, and then click "Import": Cymmetria MazeRunner 2017 Community Edition

11 2. Before powering on your new virtual machine, you must enable nested virtualization support in order to run MazeRunner with nested decoys. To do this: a. Make sure the virtual machine is turned off, and then right-click on it and select "Settings ": b. Select the Processors option and make sure the "Virtualize Intel VT-x/EPT or AMD-V/RVI" and "Virtualize CPU performance counters" boxes are checked, then click "OK": Cymmetria MazeRunner 2017 Community Edition

12 c. Nested virtualization is now enabled. 3. Now you can power on your virtual machine by clicking "Power on this virtual machine": 4. Once your virtual machine finishes booting, you will see its assigned IP address displayed on the console: Cymmetria MazeRunner 2017 Community Edition

13 Save this IP address; you will need to use it in subsequent sections of this guide. That's it! MazeRunner is now ready for use. By default, MazeRunner obtains its network configuration through DHCP. If you would like to change MazeRunner's network configuration, see the section entitled MazeRunner network configuration on page 65 of this guide. Learn more about how to get started with MazeRunner by reading the Using MazeRunner section of this guide. VIRTUAL APPLIANCE (VMWARE ESXI) To begin, open your vsphere Client and connect to your ESXi server by entering your username and password. From the File drop-down menu, choose "Deploy OVF Template" and open the MazeRunner OVA file supplied. Move through the stages of deploying the OVF Template: 1. Choose a name for your virtual machine (for example, "Cymmetria MazeRunner"). 2. Choose your specific datacenter as the Host / Cluster on which to run the deployed template. 3. Select a destination for storing the virtual machine files. 4. Use the default values that appear in the Disk Format section. 5. Notice that the source network is shown as "bridged". Click "Next" to review all parameters and finish the virtual machine creation: Cymmetria MazeRunner 2017 Community Edition

14 After your virtual machine has finished being deployed (this will take some time), select your virtual machine from the side bar on the left-hand side of the screen, then navigate to Home > Inventory > Hosts and Clusters: Now you will need to configure the network. Decoys can connect to the MazeRunner network in two ways: using promiscuous mode or without using promiscuous mode. Cymmetria recommends running MazeRunner in promiscuous mode, as it greatly simplifies decoy usage and system setup. It is possible to use MazeRunner in non-promiscuous mode, but it will take more time and effort, and more issues may arise during campaign creation. Cymmetria MazeRunner 2017 Community Edition

15 Using MazeRunner with promiscuous mode Open the Configuration tab and choose "Networking" by clicking on the link located in the Hardware box to the left: To make the nested virtual machines accessible from the network, enable promiscuous mode for the Virtual Machine Port Group, where your virtual machine is connected (in our example, Maze ). To do this, go to Properties, select your virtual machine's port group, and then click Edit : Go to the Security tab and make sure both Promiscuous Mode and Forged Transmits are enabled ("Accept"). Click "OK": Cymmetria MazeRunner 2017 Community Edition

16 Why do we need promiscuous mode and forged transmits? In order for the nested virtual machines to receive data packets, we need to enable these functions. If you do not enable promiscuous mode and forged transmits, you will only be able to use OVA decoys, which are not nested. Using MazeRunner without promiscuous mode Make sure your virtual machine is turned off, then right-click on your virtual machine and select "Edit Settings ": Cymmetria MazeRunner 2017 Community Edition

17 Each decoy needs its own interface. For each decoy you would like to set up on MazeRunner, follow these steps: 1. On the Hardware tab, click "Add ": 2. Choose "Ethernet Adapter" as the device type you would like to add to your virtual machine, then click "Next": Cymmetria MazeRunner 2017 Community Edition

18 3. Choose your network connection from the drop-down list, then click "Next": 4. Review the options you selected and click "Finish" to add the hardware: Cymmetria MazeRunner 2017 Community Edition

19 5. You will now see the hardware you added on the Hardware tab. Click "OK" to finish: NOTE: You will also need to enable non-promiscuous mode within MazeRunner; see Non-promiscuous mode on page 67 for more information. Now you can configure VLAN support, if you wish to do so. Later, you will also need to configure VLAN support within MazeRunner; see VLAN support on page 66 for more information. To configure VLAN support, you need to make sure that your port group is configured to accept VLAN tagging. Follow these steps: 1. In your vsphere control panel, access the Properties menu of the switch to which MazeRunner is connected by navigating to Configuration > Networking > Properties : Cymmetria MazeRunner 2017 Community Edition

20 2. Under the Ports tab, select the appropriate switch name and click "Edit ": 3. Under the General tab, select "All (4095)" as the VLAN ID: Cymmetria MazeRunner 2017 Community Edition

21 4. To make sure that the network adapter "sees" the VLAN network, expand the Networks list under the Status area in Configuration > Networking > Properties > Network Adapters: Now you must enable nested virtualization support, in order to run MazeRunner with nested decoys. There are three common methods used to enable nested virtualization in ESXi products: 1. using vcenter 2. using VMware Workstation 3. using SSH To find out which of these three methods you will need to use, you must look at which VMware hypervisor you are running. To do this, open vsphere Client and go to Help > About VMware vsphere: Cymmetria MazeRunner 2017 Community Edition

22 If you see the following pop-up window, it means you are using vcenter: If you see the following pop-up window, it means you are using ESXi: If you are using vcenter, see the instructions provided in the section entitled Enabling nested virtualization using vcenter, below. If you are using ESXi, you have two options for enabling nested virtualization: via VMware Workstation or SSH (see the relevant sections on page 25 and 26 of this guide). ENABLING NESTED VIRTUALIZATION USING VCENTER The following steps will guide you through enabling nested virtualization using vcenter. 1. Open vsphere Web Client in your web browser by navigating to the IP address of your vcenter server (using HTTPS), and log in with the same credentials you used to log in to your vsphere client: Cymmetria MazeRunner 2017 Community Edition

23 2. Make sure your virtual machine is turned off, then select "VMs and Templates" from the Home menu: 3. Right-click on your virtual machine and select "Edit Settings ": Cymmetria MazeRunner 2017 Community Edition

24 4. Expand the CPU drop-down options, check the Hardware virtualization and Performance counters checkboxes, and click "OK": Nested virtualization is now enabled. Please continue to the Powering on your virtual machine section of this guide. Cymmetria MazeRunner 2017 Community Edition

25 ENABLING NESTED VIRTUALIZATION USING VMWARE WORKSTATION (VERSION 11 AND UP) The following steps will guide you through enabling nested virtualization using VMware Workstation (version 11 and up). 1. Open VMware Workstation and navigate to File > Connect to Server : 2. Enter your login details (your ESXi credentials) and navigate to your MazeRunner virtual machine. Make sure the virtual machine is turned off, and then right-click on it and select "Settings " (you may have to double-click on your virtual machine name before right-clicking): 3. Select the Processors option and make sure the "Virtualize Intel VT-x/EPT or AMD-V/RVI" and "Virtualize CPU performance counters" boxes are checked, then click "OK": Cymmetria MazeRunner 2017 Community Edition

26 Nested virtualization is now enabled. Please continue to the Powering on your virtual machine section of this guide. ENABLING NESTED VIRTUALIZATION USING SSH The following steps will guide you through enabling nested virtualization using SSH. 1. In your vsphere client, under the Configuration tab, choose "Security Profile" from the Software box on the bottom left of the screen, and then click "Properties": 2. Enable the ESXi Shell by selecting it from the list of labels, and then clicking on Options Start OK: Cymmetria MazeRunner 2017 Community Edition

27 3. Follow the same steps to enable the SSH service: 4. Once finished, click "OK". Cymmetria MazeRunner 2017 Community Edition

28 5. Log in to the ESXi Shell via an SSH client (PuTTY, for example), using your ESXi root user's credentials. To do this: a. Open PuTTY. In PuTTY, click "Open" to open a new SSH console: b. In the SSH console, enter your username and password. Your shell should look like this: 6. Navigate to the MazeRunner virtual machine directory, located in /vmfs/volumes/<datastore_name>/<virtual_machine_name>/. For example: 7. Make sure your MazeRunner virtual machine is turned off. Then, use your editor of choice to edit the.vmx file (for example, "MazeRunner_release.vmx") in this directory by adding the following flags to the end of the file: Cymmetria MazeRunner 2017 Community Edition

29 vhv.enable = "TRUE" vpmc.enable = "TRUE Nested virtualization is now enabled. Please continue to the Powering on your virtual machine section of this guide. POWERING ON YOUR VIRTUAL MACHINE Once you have enabled nested virtualization, you can power on your new virtual machine. To do this, open vsphere Client and navigate to Home > Inventory > VMs and Templates: Use the search bar to find your virtual machine, select it, and then click "Power on the virtual machine": Cymmetria MazeRunner 2017 Community Edition

30 Switch to the Console tab to see the virtual machine powering on. Once it finishes booting, you will see its assigned IP address displayed on the console: Save this IP address; you will need to use it in subsequent sections of this guide. That's it! MazeRunner is now ready for use. By default, MazeRunner obtains its network configuration through DHCP. If you would like to change MazeRunner's network configuration, see the section entitled MazeRunner network configuration on page 65 of this guide. Learn more about how to get started with MazeRunner by reading the Using MazeRunner section of this guide. Cymmetria MazeRunner 2017 Community Edition

31 VIRTUAL APPLIANCE (KVM) To begin, open a terminal, navigate to the directory in which the MazeRunner DSK file is stored (in QCOW2 format), and proceed according to the following instructions: 1. Enable promiscuous mode Check if promiscuous mode is enabled on the network interface to which MazeRunner's virtual machine bridge will be connected (if you know that it is already enabled, you can skip to step 3 of this section now): a. Run the command 'netstat -i'. b. If the network interface to which you are going to connect the virtual machine bridge has 'P' in its flag (as shown in Figure A), promiscuous mode is already enabled and you can skip to step 3 of this section now: Figure A. netstat -i command output with promiscuous mode off/on. 2. If promiscuous mode is off, you will need to enable it according to the following instructions (depending on which OS you are using). To enable promiscuous mode: a. On Red Hat/CentOs: i. Open /etc/sysconfig/network-scripts/ifcfg-x (replace X with the name of the network interface to which MazeRunner's virtual machine bridge will be connected). ii. Add the line 'PROMISC=yes' to the end of the file. b. On Ubuntu/Debian: i. Open the "interfaces" file located in /etc/network. ii. Add the following lines under the configuration for the network interface to which MazeRunner's virtual machine bridge will be connected: up ifconfig $IFACE up up ip link set $IFACE promisc on down ip link set $IFACE promisc off down ifconfig $IFACE down Cymmetria MazeRunner 2017 Community Edition

32 3. Import the MazeRunner image (DSK file) using the following command (run as root): virt-install -n <name> -r <amount_of_ram> --os-type=linux --os-variant= ubuntu disk MazeRunnerVirt.dsk,bus=virtio -w bridge=<name_of_network_bridge>,model=virtio --vnc -- noautoconsole --import --cpu=host For example: virt-install -n MazeRunner -r os-type=linux --os-variant=ubuntu disk MazeRunnerVirt.dsk,bus=virtio -w bridge=virbr0,model=virtio --vnc --noautoconsole --import -- cpu=host *NOTE: On some older virt-install versions, the os-variant argument for "ubuntu14.04" was "ubuntutrusty". You can check the available variants on your system using the command 'osinfoquery os'. Parameters Detailed: -n [an internal name for your virtual machine] -r [the amount of RAM, in MB, for your virtual machine] --os-type [the type of OS Linux or Windows] --os-variant [the distribution or version for a full list, run command 'man virtinstall'] --disk [specifies media to use as storage for the guest, with various options] -w [the network configuration] --vnc [configures the graphics card to use VNC, allowing you to use virt-viewer or virt-manager to see the desktop] --noautoconsole [configures the installer to NOT automatically try to open virtviewer to view the console in order to complete the installation this is helpful if you are working on a remote system through SSH] 4. Check that the virtual machine was created successfully (we will use Virtual Machine Manager to do this in our example): a. Open Virtual Machine Manager and find the name you gave to the MazeRunner virtual machine in step 3: b. Click on the Open button and wait for the MazeRunner virtual machine to boot. Once it finishes booting, you will see its assigned IP address displayed on the console: Cymmetria MazeRunner 2017 Community Edition

33 c. Save this IP address; you will need to use it in subsequent sections of this guide. That's it! MazeRunner is now ready for use. By default, MazeRunner obtains its network configuration through DHCP. If you would like to change MazeRunner's network configuration, see the section entitled MazeRunner network configuration on page 65 of this guide. Learn more about how to get started with MazeRunner by reading the Using MazeRunner section of this guide. Cymmetria MazeRunner 2017 Community Edition

34 USING MAZERUNNER Congratulations! You have completed the installation and setup of MazeRunner Community Edition. You are now ready to start using the MazeRunner platform. Use the information in the following sections to get acquainted with, and start using, MazeRunner. FIRST USE Whether you are using a VMware Player, VMware Workstation, VMware ESXi or KVM hypervisor, your MazeRunner virtual machine was assigned an IP address at the end of the installation and setup process. Use this IP address to access the virtual machine from a web browser (make sure to use an HTTPS connection; for example, You will be taken to MazeRunner's signup screen: Proceed according to the following instructions in order to complete initial signup: 1. Enter your address and the activation key you received from Cymmetria (if you have not received an activation key, contact support@cymmetria.com): Cymmetria MazeRunner 2017 Community Edition

35 2. Choose an admin password, and a password for usern (usern is a network configuration user that is used for accessing the Cymmetria management server; please assign usern a password that is different from your admin password): 3. System time zone is automatically set to UTC; you may change this by selecting a different time zone from the drop-down list. You can also set the HTTP proxy server and NTP server: 4. Be sure to read and understand Cymmetria's end-user license agreement and privacy policy; you will need to agree to the terms of both in order to continue: Cymmetria MazeRunner 2017 Community Edition

36 5. Click "Continue" to proceed to the second screen. Here, choose from one of the three configuration options available, then click "Continue": NOTE: If you choose "Enable decoy VLAN support", you will need to select a VLAN trunk interface and then click "Add VLAN". A pop-up window will appear and you will need to create a VLAN entry. See step 4 of VLAN Support in the MazeRunner Network Configuration section of this guide for further instructions on how to do this: Cymmetria MazeRunner 2017 Community Edition

37 6. On the next screen you will see MazeRunner diagnostics running. If the diagnostic tests finish successfully, you will see a green check mark next to each test. You can then click the "Launch MazeRunner" button to finish setup and launch MazeRunner: a. If a test was unsuccessful, you will see a red X and an error message with further instructions on how to proceed. After resolving the issue (if you choose to do so), click the "Run MazeRunner diagnostics" button to re-run the tests: Cymmetria MazeRunner 2017 Community Edition

38 NOTE: You can choose to ignore failed tests and launch MazeRunner by clicking the "Launch MazeRunner anyway" button: b. If at any time you would like to go back to the previous screen to change your configuration choice, simply click the "Review configuration" button at the bottom right of the screen (you will then need to run diagnostics again in order to complete the setup). Once finished, you will be redirected to MazeRunner's main screen: Please read the notice that appears on your screen, and consult the full terms of the license. You will need to click "Agree" to continue: Cymmetria MazeRunner 2017 Community Edition

39 You are now ready to start creating deception campaigns. NOTE: For all future uses of MazeRunner, you will simply need to log in to your account using your username and password: CREATING A DECEPTION CAMPAIGN A deception campaign consists of three elements: 1. Decoys Decoys are virtual machines (servers or other devices) running Windows 1 or Linux systems. They look and act like production machines. When a decoy is accessed, there is no doubt that this is the work of an attacker. Decoys are most easily reached by following a breadcrumb found on an endpoint. 2. Services Each decoy server runs live services (e.g., SMB, SSH, OpenVPN servers, etc.). Each breadcrumb leads to a specific service on a decoy machine. 3. Breadcrumbs These are passive elements of data (e.g., browser cookies, SSH credentials, network shares, OpenVPN scripts, etc.), placed on an organization's endpoints to be found by attackers during the reconnaissance phase. Breadcrumbs are placed in a natural manner that is compatible with a user s habits, so they blend into the environment and do not raise suspicion. Breadcrumbs and decoys can be used separately or as part of an end-to-end deception story. By dividing deception campaigns into three basic components, MazeRunner allows you to easily create a more elaborate deception network. MazeRunner allows you to create a deception campaign manually or use Cymmetria's deception story wizard to help create your campaign. See the relevant sections below for detailed instructions on both of these options. 1 Windows decoys are only available in MazeRunner Enterprise Edition. Cymmetria MazeRunner 2017 Community Edition

40 SUPPORTED OPERATING SYSTEMS MazeRunner Community Edition decoys and breadcrumbs currently support the following operating systems: Decoys Linux (Ubuntu 14.04) Breadcrumbs Windows: Windows XP SP3 up to and including Windows 10 Linux: o o Ubuntu and above CentOS, Redhat, and Debian Enterprise Edition note: In addition to the above-listed operating systems, MazeRunner Enterprise Edition decoys support Windows (7, Server 2008, Server 2012). TYPES OF DECOYS You can choose from the following two virtual machine types when manually creating a decoy in MazeRunner: Nested (KVM) Cymmetria recommends using nested virtualization for your decoys (when possible), as it makes decoy management easier and more centralized. If you choose to use nested decoys, no additional actions are required to create or manage a decoy simply select Nested from the VM type drop-down list when creating a new decoy. NOTE: If you change MazeRunner s IP address, you will need to recreate the decoy. See this FAQ for instructions on how to do so. For information on how to create a decoy, see Creating a basic deception campaign manually on page 46. Standalone (OVA) If you decide to create a standalone decoy (instead of a decoy that uses nested virtualization), you will need to download the decoy's OVA file. Do this by clicking Download in the Actions column on the Decoys sub screen of the Campaign screen. Cymmetria MazeRunner 2017 Community Edition

41 After downloading the decoy's OVA file, upload it to your chosen hypervisor. Once the file has been uploaded to your hypervisor, make sure that you configure the virtual machine to have network access to MazeRunner. NOTE: If you change MazeRunner s IP address, you will need to manually recreate the decoy. To do this, you will need to delete the decoy and create a new one. For information on how to create a decoy, see Creating a basic deception campaign manually on page 46. TYPES OF SERVICES The following is a list of services and the breadcrumb types they support: Git Description: Source-code management Supported breadcrumb type(s): Git credentials Web application Description: HTTP server with a pre-set web application such as MediaWiki, SugarCRM or phpmyadmin, or a custom, user-controlled website Supported breadcrumb type(s): Cookie (only when phpmyadmin is enabled) OpenVPN Description: VPN service Supported breadcrumb type(s): OpenVPN SSH Description: Remote shell service Supported breadcrumb type(s): SSH with private key, SSH with password MySQL Description: Database service Supported breadcrumb type(s): MySQL Cymmetria MazeRunner 2017 Community Edition

42 SMB Description: File-sharing service Supported breadcrumb type(s): Responder - Pass the Hash, Credentials, Network share Enterprise Edition note: In addition to the above-listed services, MazeRunner Enterprise Edition includes an RDP service (a remote desktop service for Windows decoys that supports RDP and Credentials breadcrumbs) and a Network monitor service (supports two types of alerting mechanisms: one for unrecognized machines; one for detecting ARP poisoning around the decoy). TYPES OF BREADCRUMBS The following is a list of breadcrumbs and the endpoints on which they are supported: Breadcrumb type: Git credentials Supported on: Windows and Linux endpoints Breadcrumb type: Responder - Pass the Hash Supported on: Windows endpoints Breadcrumb type: Cookie Supported on: Windows endpoints Breadcrumb type: OpenVPN Supported on: Windows endpoints Breadcrumb type: SSH with private key Supported on: Linux endpoints Breadcrumb type: SSH with password Supported on: Windows endpoints Breadcrumb type: MySQL Supported on: Linux endpoints Cymmetria MazeRunner 2017 Community Edition

43 Breadcrumb type: Credentials Supported on: Windows endpoints Breadcrumb type: Network share Supported on: Windows and Linux endpoints Enterprise Edition note: In addition to the above-listed breadcrumb types, MazeRunner Enterprise Edition includes an RDP breadcrumb that is supported on Windows endpoints. CREATING A DECEPTION CAMPAIGN (USING THE DECEPTION STORY WIZARD) Using MazeRunner's deception story wizard, you can build a deception campaign with the help of templates that have been prepared by Cymmetria's security team. Alternatively, you also have the choice to build your own customized deception stories without the help of the wizard. See Creating a deception campaign manually for more information. On first use of MazeRunner, the wizard will open automatically as your home screen. During all subsequent uses of MazeRunner, you can navigate to the wizard by clicking the wand icon located on MazeRunner's top right navigation bar: In the wizard, you will see a variety of prepared deception stories (for example, "Linux backup server", "Internal website", and "VPN server"). Each story includes a short description to help you decide which one you would like to use. Enterprise Edition note: Only Linux-based stories are available in the Community Edition. Notice that there are three Windows-based stories that are grayed out; these are available in MazeRunner's Enterprise Edition. Each template already has default values defined for you (you may change some of these values if you wish, but do not have to). NOTE: If you do not wish to change any of the default values provided, you can simply click the "Next" button through all of the below story creation stages until the story is created (except where otherwise noted). Use the Back button at the bottom of the screen within each stage of the wizard to go back and make changes to previous selections. You can also click the Cancel button on the top right-hand side of the screen Cymmetria MazeRunner 2017 Community Edition

44 at any time; this will delete any deception elements defined in previous stages and take you to the Campaign screen. To use the wizard, follow these steps: 1. Choose a deception story, then click "Next": 2. Customize the details of your decoy, such as name, hostname, DNS address 2, and VM type. NOTE: You cannot change the OS type. You can also choose to manually configure network settings, including static IP, gateway, DNS server, and subnet mask. When you are ready, click "Next": 3. Now you can customize your story's services and breadcrumbs. A set of services will appear by default, as defined by the template, on the left side of the screen. Each service, when selected, will show its details, including the breadcrumbs attached to it. You cannot add or remove services from the template; however, you can edit some service fields. You can also edit breadcrumb fields if you wish (you must edit the breadcrumb fields if you are using a "Responder" or "VPN server" story). When you are ready, click "Next": 2 By default, breadcrumbs point to a decoy's IP address. You can set breadcrumbs to point to a DNS address instead. If you choose to fill out this field, be sure to create a matching DNS entry in your name server. Cymmetria MazeRunner 2017 Community Edition

45 4. Now it is time to deploy your deception story. First, you can assign breadcrumbs to one or more deployment groups 3 (this can also be done later, from the Breadcrumbs sub screen of the Campaign screen). NOTE: Later on, we will use these same deployment groups when importing endpoints and deploying breadcrumbs to them. When you are ready, click "Done": 5. Here's an example of what your screen will look like once your campaign has been created successfully: If you have chosen to use a Responder story, you will be redirected to System Configuration > SOC instead: 3 Deployment groups are used to group several breadcrumbs together for ease of management and deployment. For example, you can decide to group together a few breadcrumbs that will be deployed to all endpoints used by a specific department in your organization. This will allow you to easily deploy these grouped breadcrumbs to this department's endpoints using one of MazeRunner's manual or automatic deployment methods (see Deploying breadcrumbs on page 58 for more information). Cymmetria recommends the use of deployment groups in all of your deployments. Cymmetria MazeRunner 2017 Community Edition

46 Before continuing to step 6, see the Responder section on page 77 for information on how to set up the Responder feature. 6. You will need to activate each of your servers by using the On/Off buttons on the Decoys sub screen. 7. You can now view the details of your campaign by using the Decoys, Services, and Breadcrumbs tabs (sub screens). On the Breadcrumbs sub screen, notice the column "Deployment groups". If you did not assign your breadcrumbs to a deployment group during story creation in the wizard, you can do so now. See step 6 of Create a new breadcrumb on page 48 for detailed instructions on how to do so. That s it! Your deception campaign is up and running. Jump to Importing endpoints on page 50 or Deploying breadcrumbs on page 58 to continue learning about the MazeRunner platform. CREATING A BASIC DECEPTION CAMPAIGN MANUALLY The following is a step-by-step guide for manually creating the basic elements of a deception campaign. Alternatively, you can use MazeRunner's deception story wizard to build a deception campaign with the help of templates that have been prepared by Cymmetria's security team. See Creating a deception campaign (using the deception story wizard) on page 43 for more information. CREATE A NEW DECOY In this stage, you will create a decoy server. 1. Go to the Campaign screen (if you are in the deception story wizard, choose "Manual story" or click the Cancel button on the top right-hand side of the screen; this will take you to the Campaign screen). On the Decoys sub screen, click the Add decoy button. 2. Fill in the required information. For example, to start an Ubuntu server, include a meaningful name such as "HR_Server", a hostname such as "hrsrvr01", and choose Nested as the VM type. If you Cymmetria MazeRunner 2017 Community Edition

47 would like to configure a static IP, check the box labeled "Manually configure network settings" and fill out the Static IP field. Notice that you have the option to add a DNS address Click "Create" in order to create the decoy. 4. Power on the server using the On/Off button, which is located between the Status and IP columns. 5. That's it! Here is an example of what your screen will look like once the server has finished booting: Enterprise Edition note: Notice that Windows decoys are grayed out in the Operating system drop-down list. Windows decoys are only available in MazeRunner Enterprise Edition. CREATE A NEW SERVICE In this stage you will add services (SMB, SSH, OpenVPN, etc.) to your decoy. For the purposes of this example, let's assume that you want to create a deception story for your HR department. 1. Go to the Campaign screen (if you are in the deception story wizard, choose "Manual story" or click the Cancel button on the top right-hand side of the screen; this will take you to the Campaign screen). On the Services sub screen, click the Add service button. 2. Enter an appropriate name (e.g., "Personnel_Files") and select the desired service type (e.g., SMB service). 3. Add necessary data (for example, if you chose an SMB service, you will need a name for its shared folder and a ZIP file for the content). Click "Create". 4. Choose the new service and connect it to the decoy (in this case, the decoy named "HR_Server" that we created in the previous section). Do this by clicking on the Connect to decoy button and selecting "HR_Server" from the drop-down list: 4 By default, breadcrumbs point to a decoy's IP address. You can set breadcrumbs to point to a DNS address instead. If you choose to fill out this field, be sure to create a matching DNS entry in your name server. Cymmetria MazeRunner 2017 Community Edition

48 5. That's it! Here is an example of what your screen will look like once the connection has finished configuring (you can monitor its status on the Decoys sub screen): CREATE A NEW BREADCRUMB In this stage you will create the bait and connect it to the previously created decoy and service. 1. Go to the Campaign screen (if you are in the deception story wizard, choose "Manual story" or click the Cancel button on the top right-hand side of the screen; this will take you to the Campaign screen). On the Breadcrumbs sub screen, click "Add breadcrumb". 2. Select an appropriate name, and then select the breadcrumb type 5 (make sure it matches the service you have defined). For example, you could select a network share breadcrumb and name it "Personnel_Files_BC". You can also assign the breadcrumb to a deployment group here, but for now we will leave this blank; we will talk about deployment groups in step 6, below. 3. After filling in all of the fields (according to the breadcrumb type you chose), click "Create". NOTE: Some types of breadcrumbs will require you to create a user (you will need to enter a username and password). Alternatively, you can choose "Randomize username and password from breadcrumb pool"; MazeRunner has a list of common usernames and passwords that it uses to supply these. 4. Connect this breadcrumb to a service by clicking the Connect to service button and selecting a service from the drop-down list: 5 Note that the Responder breadcrumb relates to the Responder feature (a feature used with your SOC interface). For more information on this type of breadcrumb and this feature, see the section entitled SOC on page 72. Cymmetria MazeRunner 2017 Community Edition

49 5. Once the connection has finished configuring (you can monitor its status on the Decoys sub screen), the breadcrumb will show as "Active": 6. Notice the Add deployment group button next to the Add breadcrumb button. 6 NOTE: Deployment groups will be used later when importing endpoints and deploying breadcrumbs to them; see Importing endpoints on page 50 and Deploying breadcrumbs on page 58 for more information. To create a new deployment group: a. Click the Add deployment group button, enter a name for your deployment group (e.g., "IT" or "all users"), and click "Create": b. Now you can add breadcrumbs to this group. To do so, type "IT" in the Deployment groups column on the right-hand side of the screen, and select the new group from the drop-down list that appears. You can see that your breadcrumb now belongs to the IT deployment group: 6 Deployment groups are used to group several breadcrumbs together for ease of management and deployment. For example, you can decide to group together a few breadcrumbs that will be deployed to all endpoints used by a specific department in your organization. This will allow you to easily deploy these grouped breadcrumbs to this department's endpoints using one of MazeRunner's manual or automatic deployment methods (see Deploying breadcrumbs on page 58 for more information). Cymmetria recommends the use of deployment groups in all of your deployments. Cymmetria MazeRunner 2017 Community Edition

50 NOTE: You can assign a single breadcrumb to multiple deployment groups. 7. Now you are ready to deploy your breadcrumb or deployment group. To save time and resources, you can automate breadcrumb deployment (Cymmetria recommends this option). You can also deploy breadcrumbs manually from the Breadcrumbs sub screen. See Deploying breadcrumbs on page 58 for information on breadcrumb deployment options. That s it! Your deception campaign is up and running. Jump to Importing endpoints to continue learning about the MazeRunner platform. IMPORTING ENDPOINTS To enable automatic breadcrumb deployment (discussed in the next section), which will simplify campaign creation, MazeRunner allows you to import endpoints from Active Directory or from CIDR blocks. Note that these two methods are not mutually exclusive: if you import from Active Directory and then import from a CIDR block, MazeRunner will check to see if each endpoint already exists in the system; if so, the block will not be imported a second time. IMPORTING ENDPOINTS FROM ACTIVE DIRECTORY In order to import endpoints from Active Directory, you will need to add an Active Directory domain. Navigate to the Endpoints screen and click "Import endpoints", and then the link to "System Menu > Configure > Active Directory": Cymmetria MazeRunner 2017 Community Edition

51 This will take you to the Active Directory sub screen in System Configuration. NOTE: This screen can also be reached by navigating to System Menu > Configure > Active Directory from the System Menu: To specify the Active Directory server from which you would like to import endpoints, follow these steps: 1. Click the Add domain button and enter the domain details (domain name, domain controller address, port, username, password, and base DN). 2. Test your connection by clicking "Test connection". If the test connection is successful, click "Add" to continue: NOTE: Some Active Directories do not allow connection without SSL. If you receive an error when trying to connect, check the "Use SSL" checkbox to use secure LDAP on port 636: Cymmetria MazeRunner 2017 Community Edition

52 Now you need to import the Active Directory. To do this, follow these steps from the Active Directory sub screen: 1. Click the View Active Directory button. Select the domain you would like to import and click "Import from Active Directory": You can see the import's progress in the task manager's Running tab: Once the process is complete, you will see a red dot on the task manager icon, and the import details on the Complete tab: 2. You will now see your Active Directory details on the screen. To the right of each organizational unit (OU), notice that there are two numbers: one labeled "Self" and one labeled "Total". The number next to "Self" indicates the number of endpoints in that particular OU; the number next to "Total" indicates the total number of endpoints under that OU, including those of other OUs: Cymmetria MazeRunner 2017 Community Edition

53 3. Now you need to import endpoints from your Active Directory organizational units. You may select specific endpoints to import by clicking the checkbox next to an OU's name (which selects only the endpoints in that particular OU), or click "Select all": Before importing, you must assign the endpoints you would like to import to specific deployment groups. Notice that two new functions appear on the right side of your screen when you select any OU: "Assign to group" and "Clear assignment". After you have clicked the checkbox next to an OU's name, click "Assign to group" and select the desired deployment group from the drop-down list. You can choose from an existing deployment group that you previously created, import your endpoints without assigning them to a deployment group (you will need to assign them later) or create a new deployment group to assign the endpoints to: Cymmetria MazeRunner 2017 Community Edition

54 This will assign all endpoints on that particular OU to the selected deployment group. You will see the name of the deployment group to which an OU's endpoints have been assigned, to the right of the OU name and endpoint count. You can assign all endpoints to one deployment group, or to different deployment groups: If you would like to change to which deployment group your endpoints have been assigned, mark the checkbox next to an OU's name and re-assign to another deployment group by using the "Assign to group" function. You can use the "Clear assignment" function to clear the assignment for selected endpoints. NOTE: Only endpoints that have been assigned to a deployment group will be imported. Remember that, if you would like to import endpoints and assign them to a deployment group later, simply chose "Import without assigning" from the Assign to group drop-down options: 4. If for some reason you would like to remove the data from an Active Directory domain that you have previously imported to MazeRunner, simply click "Delete retrieved data": Cymmetria MazeRunner 2017 Community Edition

55 5. Once you are ready, click "Start importing assigned endpoints daily": NOTE: Once you click this button, your selected endpoints will continue to import (i.e., refresh) daily, at the time you originally clicked the button. For example, if you click "Start importing assigned endpoints daily" at 2:00pm, the selected endpoints will import daily at 2:00pm 7. If you would like to stop this daily import, simply click "Stop importing assigned endpoints daily". You can check the status of your import in the task manager's Running tab. You will see a notification (red dot on the task manager icon) once the import is complete, at which time you can view import details on the task manager's Complete tab: 7 If an endpoint already exists in MazeRunner and has already been assigned to a deployment group, the endpoint will be refreshed/updated, but its deployment group will not be changed. Cymmetria MazeRunner 2017 Community Edition

56 IMPORTING ENDPOINTS FROM CIDR BLOCKS As an alternative to importing endpoints from Active Directory, MazeRunner allows you to import endpoints from CIDR blocks. To import endpoints from CIDR blocks, complete the following steps: 1. Navigate to the Endpoints screen and click "Import endpoints", and then click on the CIDR blocks tab: 2. Click on the Add mapping button to add CIDR blocks and assign them to deployment groups. NOTE: You cannot enter overlapping CIDR blocks. 3. Enter the CIDR block from which you would like to import, then use the Deployment group dropdown to assign the endpoints in this CIDR block to a deployment group. You can import your block without assigning it to a deployment group (you will need to assign it later), choose from an existing deployment group that you previously created, or create a new deployment group to assign the block to: 4. Click "Create" to finish. If you would like to make changes to the information you entered, you can do so using the "Edit" and "Delete" functions, located in the Actions column. After importing multiple CIDR blocks, you can use the "On/Off" button in the Status column of each block to skip certain CIDR blocks, but import others, during your daily import. When you are ready, click "Start importing endpoints from CIDR blocks daily": Cymmetria MazeRunner 2017 Community Edition

57 NOTE: Once you click this button, your selected endpoints will continue to import (i.e., refresh) daily, at the time you originally clicked the button. For example, if you click "Start importing endpoints from CIDR blocks daily" at 2:00pm, the selected endpoints will import daily at 2:00pm 8. If you would like to stop this daily import, simply click "Stop importing endpoints from CIDR blocks daily". You can check the status of your import in the task manager's Running tab. You will see a notification (red dot on the task manager icon) once the import is complete, at which time you can view import details on the task manager's Complete tab: POST-IMPORT Navigate back to MazeRunner's Endpoints screen; all of the endpoints you imported are now shown here. Notice the endpoint status chart at the top of the screen. Right after importing endpoints for the first time, 100% of your endpoints will be "clean", since you have not yet deployed any breadcrumbs to them: For a full explanation of the different endpoints statuses, as well as information on the various actions that can be taken on your endpoints, see the section entitled Endpoints screen. For now, let's look at how to deploy breadcrumbs to your endpoints (next section). 8 If an endpoint already exists in MazeRunner and has already been assigned to a deployment group, the endpoint will be refreshed/updated, but its deployment group will not be changed. Cymmetria MazeRunner 2017 Community Edition

58 DEPLOYING BREADCRUMBS To save time and resources, you can automate breadcrumb deployment using the Endpoints screen (Cymmetria recommends this option). You can also deploy breadcrumbs manually from the Breadcrumbs sub screen of the Campaign screen. DEPLOYING BREADCRUMBS FROM THE ENDPOINTS SCREEN From the Endpoints screen, you can deploy breadcrumbs to your endpoints manually or automatically. To set up automatic breadcrumb deployment, complete the following steps: 1. Click "Deploy campaign" and choose from the first two deployment methods in the drop-down list: 2. Enter your local admin credentials (username, password, and endpoint IP or hostname 9 ). NOTE: If the user is a domain user (versus a local user on an endpoint), you will need to fill in the optional domain name. 3. Click "Test credentials" to ensure you have entered everything correctly. If something is not right, proceed according to the error message shown on your screen. 4. Choose a run mode and select the deployment groups you would like to deploy, then click "Deploy": 9 This is the IP or hostname of an endpoint on which the credentials will be tested. It is only used for this test, and is not mandatory for the deployment. Cymmetria MazeRunner 2017 Community Edition

59 NOTE: You will not be able to select and deploy a group if at least one of the following is applicable: 1. There are no endpoints in the group. 2. One or more of the breadcrumbs in the group is inactive. 3. There are no breadcrumbs in the group. If any of the above is applicable, make sure that your decoy(s) are turned on (check the Decoy sub screen of the Campaign screen), that you have assigned breadcrumbs to groups (check the Breadcrumbs sub screen of the Campaign screen), and that you have assigned endpoints to groups (check the Endpoints screen). Cymmetria recommends deploying breadcrumbs automatically. Manual deployment is useful if automatic deployment is impossible, or if you would like to use other orchestration software such as Chef, McAfee epo or Tanium. To deploy breadcrumbs manually, complete the following steps: 1. Click "Deploy campaign" and choose "Manual" from the Deployment method drop-down list: Cymmetria MazeRunner 2017 Community Edition

60 2. Choose your preferred deployment option and download the relevant installation files by clicking on the appropriate download button. If you are deploying to a Windows OS, you have three deployment options from which to choose: 1. Deployment Package A ZIP file containing a folder for each breadcrumb group. Each folder contains both an install and uninstall shell script for that deployment group. 2. Executable A ZIP file containing a folder for each breadcrumb group. Each folder contains both an installer and uninstaller (in EXE format) for each breadcrumb group. 3. Windows Installer A ZIP file containing a folder for each breadcrumb group. Each folder contains both an install and uninstall file (in MSI format) for each breadcrumb group. If you are deploying to a Linux OS, you must choose the "Deployment package" option. 3. You will need to unpack the ZIP file and run the installation files contained in each breadcrumb group folder (as administrator or root) on the endpoint, in order to place the breadcrumb(s). Note that the script/executable, once executed, will delete itself and all accompanying files in order to leave no trace of which breadcrumbs have been deployed. Remember to remove the ZIP file from the endpoint (after saving the uninstall files in a safe location for later use) once you are finished. After deploying manually, a beacon 10 will be sent from the endpoint to update MazeRunner about the status of the deployment. Now that you have deployed breadcrumbs to your endpoints, you can expand each endpoint by clicking the + icon to see details about the breadcrumbs on that endpoint: NOTE: It might take the endpoint status a few more minutes to update, due to the time it takes the breadcrumb to install, and possible network delays. 10 The beacon is part of the breadcrumb installer (and uninstaller) that communicates with MazeRunner. It relays the status of the endpoint and reports on the success or failure of breadcrumb installation. For the beacon to work, the MazeRunner management server must be accessible to endpoints, meaning that endpoints should be able to connect to it over HTTPS (port 443). Cymmetria MazeRunner 2017 Community Edition

61 DEPLOYING BREADCRUMBS FROM THE CAMPAIGN SCREEN You can manually deploy individual breadcrumbs or deployment groups from the Breadcrumbs sub screen of the Campaign screen. The process for both is identical, except for the first step. To deploy your breadcrumbs to your endpoint from the Breadcrumbs sub screen, follow these steps: 1. In order to deploy a single breadcrumb to your endpoint, click "Deploy" on the breadcrumb you selected: To deploy a deployment group, select the group from the All Breadcrumbs drop-down list and click "Deploy group": 2. Both of these actions will generate an installer (the uninstaller is also located here) that you can then deploy to endpoints. For Windows, the installer is either a ZIP file containing shell scripts (PowerShell), an executable (EXE) or a Windows installer (MSI); for Linux, it is always a ZIP file containing shell scripts (BASH): 3. Download the appropriate installer for your operating system by making your selection and then clicking "Windows" or "Linux". You will need to unpack and run this installer (as administrator or root) on the endpoint, in order to place the breadcrumb(s). Note that the installer, once executed, will delete itself and all accompanying files in order to leave no trace of which breadcrumbs have Cymmetria MazeRunner 2017 Community Edition

62 been deployed. If you downloaded a ZIP file, remember to remove it from the endpoint (after saving the uninstall files in a safe location for later use) once you are finished. You can now validate the deployment on the Endpoints screen (see relevant section on page 96). SCHEDULING A CAMPAIGN REFRESH You can schedule breadcrumb deployment at regular intervals by configuring a campaign refresh schedule; this can be done from the Campaign and Deployment sub screen of System Configuration. Scheduling a campaign refresh will cause the following to happen: 1. If there are new endpoints in a deployment group (new endpoints may have arrived via the Active Directory or CIDR blocks automatic importation feature, for example), the refresh feature will deploy to them. 2. Breadcrumbs with randomized credentials will have the credentials changed to new random values, to update the deception campaign. To schedule a campaign refresh, navigate to System Menu > Configure > Campaign and Deployment: You can define your campaign refresh schedule by choosing to refresh your campaign automatically, and setting the interval (in hours, days or weeks) at which to refresh. The campaign will refresh each time the interval of time you set passes; the starting point is the moment the configuration is saved: Cymmetria MazeRunner 2017 Community Edition

63 You can also define your deployment settings. Choose an install method, run method (executable or native script), and deployment path: Lastly, enter the local admin credentials to use in the deployment. You can test these credentials using the relevant field and the Test credentials button: NOTE: If you do not configure local admin credentials for endpoints, or if they change, you will receive an error message at the next designated refresh interval. Please make sure these credentials are configured correctly, otherwise your campaign refresh will fail. Be sure to save your configuration when you are finished. Cymmetria MazeRunner 2017 Community Edition

64 INTEGRATING WITH A SYSLOG / SIEM Integrating with a syslog/siem can be done from the Outputs sub screen in System Configuration. Navigate to System Menu > Configure > Outputs: Here you can define settings for syslog (UDP/TCP port and address), , reporting, and ThreatConnect (enable TAXII server). Integrating with a syslog/siem works especially well with Splunk and ArcSight. Cymmetria MazeRunner 2017 Community Edition

65 ADVANCED USAGE Now that you have a handle on basic configuration and usage, you are ready to learn about the advanced configuration options available to MazeRunner users. MAZERUNNER NETWORK CONFIGURATION This section includes information on configuring static IP, and enabling VLAN support and non-promiscuous mode. STATIC IP By default, MazeRunner automatically obtains its network configuration through DHCP. If you would like to change MazeRunner's network configuration, follow these steps: 1. Open the server's console. The console can be accessed using your hypervisor UI. 2. Log in as "usern": a. Enter 'usern' as the MazeRunner login. For example: b. Enter the password 'Password1!' 11 and then enter static. For example: Enter the details relevant to your network (IP address, netmask, default gateway, nameserver IP address, DNS search domains). If you do not know your network details, contact your IT administrator. You will also need to choose the main network interface for MazeRunner management. NOTE: During automated deployment, the nameserver (DNS server) and the DNS search domains will be used to look up endpoint names. 11 You will be prompted to change this password on first use of MazeRunner. Cymmetria MazeRunner 2017 Community Edition

66 VLAN SUPPORT VLAN support can be enabled by following the steps outlined below (make sure you have already completed the steps outlined for configuring VLAN support, on page 19 of this guide): 1. In MazeRunner, click on the gear icon on the top right navigation bar to access the System Menu, and select "Configure": 2. On the Networking tab, check the "Enable decoy VLAN support", and then click "Save configuration". NOTE: You can change the VLAN trunk interface field before saving: 3. Next, click the Add VLAN button: 4. Enter a VLAN ID (for example, "2"). NOTE: VLAN ID must use numbers, not letters or other characters. If you are using static IP in your network, please assign the Cymmetria management server a static IP address and a subnet mask in the spaces provided. If you have a separate DNS server for this VLAN, be sure to add its address in the DNS field. To deploy breadcrumbs to endpoints Cymmetria MazeRunner 2017 Community Edition

67 in different subnets, enter CIDR blocks (separated by commas) in the Routing CIDR blocks field. A gateway must be set if you plan to route specific CIDR blocks. When you are finished, click "Create": That's it! VLAN support is now configured. NOTE: When you define a new decoy in MazeRunner (when building your deception campaign either manually or with the help of the wizard; see page 39 for details), you will need to select your VLAN ID from the drop-down list: NON-PROMISCUOUS MODE If you did not enable promiscuous mode during installation and setup, you will only be able to use OVA decoys. If you would like to use nested decoys, you must enable non-promiscuous mode by selecting the Run MazeRunner in non-promiscuous mode option from the Networking tab of the System Configuration screen. Cymmetria MazeRunner 2017 Community Edition

68 To enable non-promiscuous mode, follow these steps: 1. Make sure you have completed the steps outlined for using MazeRunner without promiscuous mode, on page 16 of this guide. 2. Also make sure you have chosen the main network interface for MazeRunner management: NOTE: If you already configured static IP, please reference the section entitled Static IP. 3. In MazeRunner, click on the gear icon on the top right navigation bar to access the System Menu, and select "Configure": 4. On the Networking tab, select the Run MazeRunner in non-promiscuous mode option, and then click "Save configuration": Cymmetria MazeRunner 2017 Community Edition

69 That's it! You have now enabled non-promiscuous mode. NOTE: When you define a new nested decoy in MazeRunner (when building your deception campaign either manually or with the help of the wizard; see page 39 for details), you will need to select an interface from the drop-down list: NOTE: You can create only one decoy for each interface. SSL CERTIFICATE You can view MazeRunner's current server certificate and download the certification authority (CA) certificate. Additionally, you can replace the server certificate with a new certificate signed by your trusted CA. If you would like to update the details of your certificate, you can also replace the server certificate with a new certificate signed by MazeRunner. To carry out any of these actions, click on the gear icon on the top right navigation bar to access the System Menu, and select "Configure": On the SSL Certificate tab (the tab on the far right), you will see several options. To download the current CA certificate, simply click the Download SSL CA certificate button: Cymmetria MazeRunner 2017 Community Edition

70 To replace the current server certificate with one signed by your trusted CA, click "Create certificate request" and fill in your information. Click "Download" to download the certificate signing request (CSR): After downloading, sign the certificate with your trusted CA. NOTE: You will also need the CA's certificate for the next step. When available, upload the certificate signed by your trusted CA (PEM encoded certificate) and the CA's certificate (PEM encoded CA certificate) by clicking "Upload", choosing the appropriate files, and clicking "Create and use": Cymmetria MazeRunner 2017 Community Edition

71 If you would like to update the details of your certificate, you can replace the server certificate with a new certificate signed by MazeRunner. To do this, follow these steps: 1. Click "Create certificate signed by MazeRunner" and fill in your information. 2. Click "Create and use" to replace the certificate. NOTE: After submitting this form, you will have to restart your browser to use MazeRunner. All OVA and EC2 decoys will need to be recreated manually: Cymmetria MazeRunner 2017 Community Edition

72 SOC You can connect MazeRunner to your SOC (e.g., via MazeRunner API, ArcSight Data Platform, ArcSight ESM or Splunk), in order to use the ActiveSOC 12 and Responder features, which are discussed in the next sections. To add a SOC interface, follow these steps: 1. Click the Add button next to SOC interfaces : 2. Select an interface type from the drop-down options: 3. Fill in the required information according to the SOC interface you chose. If you chose ArcSight or Splunk, you will need to test the connection by clicking Test connection : 4. Click Save to finish. You will now see the details of the SOC interface you added in the SOC interfaces table. To edit or delete an interface, use the links located in the Actions column on the right-hand side of the screen. 12 The ActiveSOC feature is only available in MazeRunner Enterprise Edition. Cymmetria MazeRunner 2017 Community Edition

73 RESPONDER MazeRunner s Responder (Pass-the-Hash) feature allows MazeRunner to periodically broadcast deceptive credentials from endpoints. Attackers listening in on the network using the Responder.py tool (or a similar tool) will capture these broadcasts and will potentially use these deceptive credentials. The Responder feature gives you more deception options, as its alerting is based on SOC events in addition to decoy access (it is essentially a standalone breadcrumb). To use the Responder feature, first make sure you have added a SOC interface. See the section entitled SOC for instructions on how to do so. NOTE: Make sure that the DC of the domain(s) you want to monitor sends its Windows event logs to the SOC interface you configured. Next, you might need to map custom Responder fields mapping 13. MazeRunner will query the SOC interfaces you configured to find evidence of someone using the Responder breadcrumbs that were deployed by MazeRunner. When MazeRunner is querying your SOC interface, it uses the following default field names in the query (according to your interface type): Field name Splunk ArcSight Data Platform Username Account_Name destinationusername Domain Account_Domain destinationntdomain Event_code EventCode externalid Endpoint_hostname Workstation_Name destinationhostname Endpoint_ip Source_Network_Address destinationaddress NOTE: ArcSight ESM is not supported for use with the Responder feature. If any of these fields is serialized differently in your SOC interface, you will need to add custom mapping for these fields. To do this, follow these steps: 1. Click the Add button next to Map Responder fields : 13 If you would like to use an API SOC interface with the Responder feature, you must map the interface's fields. Cymmetria MazeRunner 2017 Community Edition

74 2. From the drop-down list, choose the SOC interface you would like to map (you can have more than one mapping for each SOC interface). Then, fill out the remaining mandatory fields and click Add : Now you can turn on the Responder. NOTE: If you try to turn on the Responder before adding a SOC interface, you will be prompted to add a SOC interface. To turn on the Responder, follow these steps: 1. Click the Turn on button next to Responder : 2. Enter your local/domain admin credentials to remotely access endpoints (if you are using a domain user, enter a domain name), and then click Save : Cymmetria MazeRunner 2017 Community Edition

75 Now create a Responder breadcrumb. To do so, follow these steps: 1. Go to the Breadcrumbs sub screen of the Campaign screen and click Add breadcrumb : 2. Select Responder - Pass the Hash as the breadcrumb type and fill in all of the fields, including the Deployment groups field 14, then click Create. NOTE: Domain name is the name of the domain that you want to monitor for Pass-the-Hash attacks: After the Responder breadcrumb is assigned to a deployment group, MazeRunner will begin to deploy on endpoints in that deployment group one by one. Every time MazeRunner deploys on an endpoint, the Responder breadcrumb s credentials are broadcasted. MazeRunner aims to maximize the likelihood of an attacker intercepting deceptive credentials. In order to do this, the Responder breadcrumb will broadcast (each time from a different endpoint) a maximum of 1,000 times during a 24-hour period. The interval between each broadcast ranges from 86 seconds (more than 1,000 endpoints) to 24 hours (for a single endpoint). If you have more than 1,000 endpoints in a deployment group, then each day a random subset of 1,000 endpoints will be selected from all of the endpoints in that group. 14 You must assign Responder breadcrumbs to a deployment group. Cymmetria MazeRunner 2017 Community Edition

76 In order to check that the Responder deployment and alerting are working properly, complete the following steps: 1. To check that the deployment worked, go to System Configuration > SOC and click the Show activity button next to the Responder section: In the Event column, check that there is at least one entry with the status "deployment successful". If after approximately 10 minutes you do not see an entry, please make sure that the Responder feature is turned on and that it is configured correctly. If you see an entry with a "deployment failed" status, please refer to this FAQ. 2. To check that alerting is working, select a server in your domain (the domain being monitored in the SOC interface you configured earlier) that has a network share, and run the following net use command: net use \\<server_address> /user:<breadcrumb_domain>\<breadcrumb_username> <breadcrumb_password> Within approximately 10 minutes, you should see a Network Credential Interaction alert on MazeRunner s Investigation screen. If you do not see an alert, please check your SOC configuration (the SOC interface you added as well as the Responder fields mapping you set up). Now, whenever MazeRunner deploys the Responder breadcrumb to one of your endpoints, if there is an attacker in your network who is using Responder.py (or a similar tool), the attacker will record the Responder breadcrumb credentials. If the attacker then uses these credentials on a machine in one of your monitored domains, MazeRunner will raise an alert and you will see the details on the Investigation screen. For more information about the Responder activity feed, see the ActiveSOC and Responder activity feed section on page 80. Cymmetria MazeRunner 2017 Community Edition

77 ACTIVESOC ENTERPRISE EDITION ONLY Enterprise Edition note: This feature is currently available to MazeRunner Enterprise customers only. The following documentation is provided here to give Community Edition users an explanation of how the feature works. ActiveSOC allows MazeRunner to deploy breadcrumbs to endpoints in your organization based on events observed by your SOC. Using ActiveSOC, you can set up specific rules that, when verified, will cause MazeRunner to assign an endpoint to a deployment group (as defined by your rule) and deploy that group s breadcrumbs to the endpoint. MazeRunner achieves this through integration with your SIEM or through the MazeRunner API. By automatically deploying deception tailored to specific suspicious behavior (e.g., privilege escalation or abnormal traffic), ActiveSOC is able to create new intelligence out of below-thethreshold events, and also validate events that might otherwise be ignored by analysts. Before turning on ActiveSOC, you will need to add a SOC interface. See the section entitled SOC for information on how to do this. Once you have added a SOC interface, complete the following steps to turn on ActiveSOC: 1. Click the Turn on button next to ActiveSOC : 2. Enter your local admin credentials to remotely access endpoints (if you are using a domain user, enter a domain name), and then click Save : Cymmetria MazeRunner 2017 Community Edition

78 Rules Enterprise Edition note: This feature is currently available to MazeRunner Enterprise customers only. This form is made available to Community Edition users solely as an example of how the ActiveSOC feature is configured, and rules configured here cannot be saved. Add rules to define the response to specific SOC events 15. The rules will define how to identify the relevant endpoint, how to filter the specific event, and to which deployment group to assign it and for how long. To add a rule, follow these steps: 1. Click the Add button next to Rules. Enter a name for your rule and choose the SOC interface to which you would like it to apply (each rule will be defined for a specific SOC interface): 2. Define how to identify the endpoint in this type of event. Select the field from where your SIEM s target data is extracted (IP address or Hostname), fill in a field name, and if you would like, fill in a DNS suffix (for example, hostname "myhost" and DNS suffix "mydomain.local" will become "myhost.mydomain.local"): 3. For ArcSight ESM, each rule must have a query. The query is the name (ArcSight ESM QueryViewer) predefined on your ArcSight ESM, from which MazeRunner will receive the events. All other rule conditions will apply to the events received from that query. It's important to note that the 15 Events could include, for example: A user logging in from an unusual location A privilege escalation alert (someone logged in as admin) A computer connecting to an IP that doesn t exist and then reaching a decoy Someone attempting to access a web page/app that doesn t exist Cymmetria MazeRunner 2017 Community Edition

79 frequency of retrieval is dependent on the frequency of the query as defined in ArcSight ESM and not controlled from within MazeRunner: 4. Add conditions for your event (field name and value). Be as specific as you can (there is no limit to the number of conditions you can add per event): 5. Choose the deployment group to which you would like to deploy when this rule is verified, and the deployment duration (how long to keep the breadcrumbs on the endpoint). For example, if you enter 4 here, the breadcrumbs will be deleted from the endpoint after 4 hours: 6. When you are finished, click Add. You will now see the details of the rule you added in the Rules table. In the Rank column of the Rules table, note that there are two arrows; these are used to set priority for a rule. Clicking the up/down arrows will move the location of rules in the table, thereby changing their rank (a rule with a rank of 0 has the highest priority). Notice the On/Off button in the Actions columns on the right-hand of the screen. Use this button to activate and deactivate specific rules at certain times. You can also delete and edit your rules from this column. That s it! From now on, if a rule you set is verified, MazeRunner will assign the endpoint to a deployment group (as defined by your rule) and deploy that group s breadcrumbs to the endpoint. When this happens, a Cymmetria MazeRunner 2017 Community Edition

80 new record will be created in the ActiveSOC activity feed and a new endpoint will appear on the Endpoints screen. The breadcrumbs that were deployed will be removed from the endpoint after the period of time you defined in your rule. For more information about the ActiveSOC activity feed, see the ActiveSOC and Responder activity feed section below. ACTIVESOC AND RESPONDER ACTIVITY FEED The ActiveSOC and Responder activity feed can be accessed by clicking the Show activity button, located to the right of the "Responder" section: Here you can monitor all ActiveSOC 16 and Responder activity and export the information to CSV: You can filter and search your activity feed using the funnel icons. To do so, click on a funnel icon to the right of a column title, choose your filter criteria from the available options, then click "apply": NOTE: If filtering by endpoint or deployment group, you will need to enter the endpoint IP address and the deployment group name, respectively. 16 The ActiveSOC feature is only available in MazeRunner Enterprise Edition. Cymmetria MazeRunner 2017 Community Edition

81 To clear your filter results, click again on the funnel icon to the right of the column title and then click "clear". To clean your feed (delete all entries), click "Clean feed": CHANGING ALERTING POLICY Changing your alerting policy can be done from the Alerting Policy sub screen in System Configuration. Navigate to System Menu > Configure > Alerting Policy: Here you can define the system-wide policy for handling events. For each event, you can define whether it will be ignored, recorded in MazeRunner, or recorded in MazeRunner AND sent to the syslog server. You do this by setting system-wide rules to be performed for specific types of events. You can also define user rules that override any system rules. System-wide rules: These are the built-in rules that define which action should be taken for each event type. You can choose from "Ignore", "Mute" (default setting), and "Alert": Ignore The event is not seen anywhere. Mute The event is only seen on the Investigation screen; however, you can check the box marked "Send muted alerts" on the Outputs sub screen to set MazeRunner to send muted alerts via syslog as well. Alert The event is seen on both the Investigation screen and the Dashboard, and an alert is sent via syslog and . Cymmetria MazeRunner 2017 Community Edition

82 User rules: Here you can define rules that will override the system rules. To do this, follow these steps: 1. Click "Add rule" to open the rule creation form: 2. To which decoy(s) and service(s) would you like this rule to apply? Make your selections from the drop-down lists. 3. You can choose to set a rule for actions originating from a specific IP address. To do this, fill in the IP address in the field provided. Please note that IP addresses are matched exactly. 4. You can also choose to set a rule for a specific file located on a decoy (e.g., "/bin/netcat" or "myshare/important.txt"). To do this, fill in the relevant filename in the field provided. The filename specified will apply to SMB alerts, code execution alerts, and unsigned code execution alerts. Please note that the filename is matched exactly (SMB alerts will contain the share name, there is a distinction between / and \, and names are case sensitive). 5. To which type of alert should this rule apply? Choose one from the drop-down list. NOTE: You will need to create a separate rule for each type of alert: Cymmetria MazeRunner 2017 Community Edition

83 6. What would you like to happen? Choose an action ("Ignore", "Mute", "Alert" or "Shut down decoy") from the drop-down list. If you choose "Shut down decoy", any decoy(s) related to that alert will be automatically shut down when the alert is processed. IMPORTANT: Shutting down the decoy is independent of the action you set for each event type ("Ignore", "Mute", "Alert"); an alert may be ignored by another rule and still shut down the decoy. 7. Once you have finished defining your new rule, click "Create". Cymmetria MazeRunner 2017 Community Edition

84 INTEGRATING WITH THREATCONNECT This section will show you how to set up ThreatConnect for use with MazeRunner. Before proceeding, please install and set up MazeRunner according to the guidelines provided for virtual appliance (VMware Player, VMware Workstation, VMware ESXi or KVM). To set up ThreatConnect integration, follow these steps: 1. Open ThreatConnect. In ThreatConnect, navigate to the Dashboard and select the TAXII feed you would like to connect to MazeRunner (you can connect any valid TAXII feed; if you are unsure of which feed to connect, please check with your ThreatConnect contact). In this example, our feed is called "Cymmetria TAXII Source": 2. The Dashboard screen will refresh and you will see that a new section, called "Source", has appeared on your screen. Click on the gear icon to go to your TAXII feed's Source Config: 3. In Source Config, go to the Data tab: Cymmetria MazeRunner 2017 Community Edition

85 4. Click "+ NEW INBOUND" to create a new inbound TAXII Exchange: 5. You will now need to configure the new inbound TAXII exchange. Notice that a configuration window has popped up on your screen: Cymmetria MazeRunner 2017 Community Edition

86 Enter a name for the new inbound TAXII exchange. For the URL, you will need to enter the TAXII server URL found in MazeRunner's System configuration settings. To do this: a) Open MazeRunner in your browser by navigating to your virtual machine's IP address (using HTTPS). Click on the gear icon located in the top right-hand corner of the screen, and select "Configure": b) On the Outputs tab, you will find "ThreatConnect Settings". Check the box next to "Enable TAXII server", click the purple Save configuration button, and then copy the link found in the "TAXII server URL" field: c) Go back into ThreatConnect and paste this URL into the space provided, then click "Next". Cymmetria MazeRunner 2017 Community Edition

87 6. On the Login tab, click on "TEST CONNECTION" and the Available Services section will expand. Click on the POLL service that appears, and you will see that the MazeRunner URL you entered in step 5 will appear at the top of the screen. Enter "Guest" as both the Username and Password (you will not need to use these credentials again; they are only required by ThreatConnect in order to proceed to the next step), then click "Next": 7. On the Feed tab, click "Check for available feeds" and select the feed that is shown (called "alerts_feed"), then click "Next": 8. Click "Next" until you reach the Confirm tab, and then click "SAVE". Cymmetria MazeRunner 2017 Community Edition

88 PRODUCT REFERENCE The following sections provide an overview of the MazeRunner platform, including its user interface and additional functionalities. PRODUCT INTERFACE MazeRunner has a user-friendly interface. You can use the top navigation bar to move between the main parts of the product: Dashboard Your deception battle map, where you control and review your campaigns. Campaign screen Here you create the different components of your deception campaign. Endpoints screen From this screen you can view and manage your endpoints, as well as deploy breadcrumbs. Investigation screen Used for viewing your campaign's events and alerts. Here you can see every move an attacker has made. Alternatively, you may manage the platform using the MazeRunner API. Almost everything that can be done using the MazeRunner interface can also be achieved by using the API. For details, see our online API documentation. TASK MANAGER The task manager, accessed from the speech bubble icon with the clock symbol that is located on the top right navigation bar, displays MazeRunner tasks and their statuses. By clicking the icon, you can view the status of tasks that are currently running (on the Running tab), and see a list of completed tasks (on the Complete tab). NOTE: Stopped and failed tasks can be seen on the Complete tab alongside successful tasks. If you would like to stop a task that has already been started, you can do so from the Running tab. To stop a task that is currently in progress, click the Stop button to the right of the task's status bar: Once you do this, the task will move to the Complete tab and it's status will appear as "Stopped": Cymmetria MazeRunner 2017 Community Edition

89 NOTE: If you stop a task (for example, a breadcrumb deployment) before it has completed, you will need to navigate to the Endpoints screen, filter out all the endpoints with a Deployment Failed status, and clean the endpoints on which breadcrumbs have already managed to deploy before you stopped the deployment. For more information on how to do this, see Filter options and Bulk actions in the Endpoints screen section on page 96. If a task fails, you will see this detailed in the task's status bar on the Complete tab: To check failed deployments, you will need to go to the Endpoints screen, filter out all the endpoints with a Deployment Failed status, and expand the endpoint rows to check why they failed. For more information on how to do this, see Filter options on page 97. NOTIFICATION CENTER The notification center, accessed from the speech bubble icon on the top right navigation bar, displays alerts and notifications regarding your MazeRunner activity. This includes campaign import status, any issues that need your attention, and more. Cymmetria MazeRunner 2017 Community Edition

90 DECEPTION STORY WIZARD This tool, accessed from the wand icon on the top right navigation bar, assists you in building your deception campaign. The wizard allows you to choose from templates that have been prepared by Cymmetria's security team. Alternatively, you can build your own customized deception stories without the help of the wizard. For more information on how to build deception stories using the wizard, see the section entitled Creating a deception campaign (using the deception story wizard) on page 43. SYSTEM MENU This menu, accessed from the gear icon on the top right navigation bar, allows you to configure MazeRunner, run diagnostics, manage users, manage API keys, change password, import/export campaigns, view your access log, send logs to Cymmetria, and update the system. CONFIGURE The System Configuration screen, which can be reached by clicking "Configure", contains seven sub screens: 1. General Here you can enter a virus database URL, choose to send anonymous data to Cymmetria, automatically download updates, set the time zone, enable endpoints tracking (send beacon 17 ), view/change the NTP server URL, enter HTTP proxy server details (e.g., set the number of hours of inactivity before logout, and restore the default configuration for General, Outputs, and Networking: 17 The beacon is part of the breadcrumb installer (and uninstaller) that communicates with MazeRunner. It relays the status of the endpoint and reports on the success or failure of breadcrumb installation. For the beacon to work, the MazeRunner management server must be accessible to endpoints, meaning that endpoints should be able to connect to it over HTTPS (port 443). Cymmetria MazeRunner 2017 Community Edition

91 2. Outputs Here you can define settings for syslog (UDP/TCP port and address), , reporting, and ThreatConnect (enable TAXII server). See Integrating with a syslog / SIEM on page 64 for more information. 3. Networking Here you can add a decoy MAC address prefix and set MazeRunner's networking configuration. You can choose to use the default configuration, run MazeRunner in non-promiscuous mode or enable VLAN support for decoys and view/change the VLAN trunk interface: 4. Access control Here you can enable access control to MazeRunner's management interface by limiting access to specific IP addresses. To add an IP address to your access control whitelist, click "Add rule", enter the IP address, and then click "Create": CAUTION! If this is not done properly, you risk losing your own access to MazeRunner. Please ensure the validity of the information you enter here. If something goes wrong, please contact Cymmetria support. 5. Alerting policy Here you can define the system-wide policy for handling events. See Changing alerting policy on page 81 for more details. Cymmetria MazeRunner 2017 Community Edition

92 6. Campaign and deployment Here you can define your campaign refresh schedule, deployment settings, and local admin credentials for endpoints (as well as test those credentials). See Scheduling a campaign refresh on page 62 for detailed instructions. 7. Active Directory Here you can import domains from an Active Directory for use when managing your endpoints and automating breadcrumb deployment. Please see Importing endpoints from Active Directory on page 50 for more information. 8. SOC Here you can connect SOC interfaces to MazeRunner, in order to use the ActiveSOC and Responder features. See SOC on page 72 for more information. 9. SSL Certificate Here you can view the current server certificate and download the CA certificate. You can also replace the certificate with a new certificate signed by MazeRunner or signed by a certification authority (CA). See SSL Certificate on page 69 for more information. DIAGNOSTICS MazeRunner diagnostics, which can be reached by clicking "Diagnostics", allows you to run diagnostics to review the current configuration of MazeRunner. Simply click "Run MazeRunner diagnostics": If a test was unsuccessful, you will see a red X and an error message with further instructions on how to proceed: Cymmetria MazeRunner 2017 Community Edition

93 MANAGE USERS User management, which can be reached by clicking "Manage Users", allows you to add and delete users to/from MazeRunner. To add a new user: 1. Click "Add user". Define a unique username and password, then click "Create": 2. Users can be removed at any time by clicking "Delete" in the Actions column on the right-hand side of the screen. MANAGE API KEYS Almost everything that can be done using the MazeRunner interface can also be achieved by using the API. On the Manage API keys screen, you can create API keys to allow users to access the MazeRunner API. To do so, follow these steps: 1. Click "Create API key", enter a description (this is an internal description), and click "Create": 2. Your new API key details (description, key ID, and secret key) will appear on the screen. NOTE: Be sure to record the secret key, as this is the only time you will see it. 3. API keys can be removed at any time by clicking "Delete" in the Actions column on the right-hand side of the screen. In order to ensure you are communicating with MazeRunner, click "Download SSL CA certificate" and add this to your API script. For more details on the MazeRunner API, see our online API documentation. Cymmetria MazeRunner 2017 Community Edition

94 CHANGE PASSWORD If you would like to change your password, you can do so here. Simply enter your old password and your desired new password, and then click "Update": ACCESS LOG The access log records the date and time each user accesses MazeRunner, and from which IP address: SEND LOGS TO CYMMETRIA Sending logs to Cymmetria will allow us to better investigate issues related to your specific MazeRunner instance. You can send logs automatically by entering your address in the field provided and then clicking "Send logs automatically": Cymmetria MazeRunner 2017 Community Edition

95 SYSTEM UPDATE Use the System Update wizard to check for MazeRunner updates or upload and install an update file you received from Cymmetria. When you select "System Update" from the System Menu, the MazeRunner Update window will open and display the current system status (either that MazeRunner is up-to-date or prompting you to check for updates). To check for updates, click "Check for updates": If an update is available, you will be prompted to download and install it. The system will reboot after installation is complete. To upload and install an update file you received from Cymmetria, click "Upload and install an update file". Once you click this button, the update file will upload and then automatically begin to install. NOTE: During installation, you will not be able to use MazeRunner; the system will reboot after installation is complete: If your update fails, please contact Cymmetria support and we will be happy to help you. IMPORTANT: If your MazeRunner server is connected to the Internet, it will automatically check for version updates once a week and will prompt you with a notification if there is a new version to download. Also, when a new version of MazeRunner is released, Cymmetria will notify you by . This way, if your MazeRunner is not connected to the Internet, you can manually update the system by using the MazeRunner Update wizard to upload an update file. Cymmetria MazeRunner 2017 Community Edition

96 ENDPOINTS SCREEN This screen shows you endpoints and the breadcrumbs they contain, along with their status, details, and possible actions that can be taken: Notice the endpoint status chart at the top of the screen. An endpoint's status is defined as follows: Clean The endpoint contains no breadcrumbs (usually when the endpoint has recently been imported and no action has been taken on it) Deployment Failed Breadcrumb deployment to the endpoint was unsuccessful (a detailed error message will be shown when you expand the endpoint row) Inactive The endpoint contains breadcrumbs, but a subset of those breadcrumbs are inactive Active Breadcrumbs have been deployed to the endpoint successfully, and are active NOTE: You can redeploy breadcrumbs to endpoints that had issues by choosing the relevant Run mode in the breadcrumb deployment form (see Deploying breadcrumbs for more information): After you have deployed breadcrumbs to your endpoints, you will be able to expand each endpoint by clicking the + icon to see details about the breadcrumbs on that endpoint. Cymmetria MazeRunner 2017 Community Edition

97 You have already learned how to import endpoints from Active Directory and from CIDR blocks, and how to deploy breadcrumbs to those endpoints; now let's look at what else you can do with your endpoints from the Endpoints screen. FILTER OPTIONS There are several filter options available on the Endpoints screen. You can use the Search bar and the Filter / Refresh endpoints button, and/or the funnel icon to the right of certain column titles (Status, Deployment groups, First install date, Last update, and Last logon). To filter using the Search bar: 1. Type your search criteria into the Search bar and then click "Filter / Refresh endpoints". You can search using letters and numbers pertaining to an endpoint's hostname, IP address or operating system (e.g., searching 'ultim' would return a result showing all endpoints running a Windows 7 Ultimate N operating system): 2. To clear your filter results and return to the main screen (where all endpoints are visible), simply delete the criteria you entered into the Search bar, then click "Filter / Refresh endpoints". To filter using the funnel icon to the right of column titles: 1. Click on the funnel icon to the right of a column title, choose your filter criteria from the available options, then click "apply": Cymmetria MazeRunner 2017 Community Edition

98 2. To clear your filter results and return to the main screen (where all endpoints are visible), click again on the funnel icon to the right of the column title and then click "clear". BULK ACTIONS Using the checkboxes next to each endpoint, you can take bulk actions on selected endpoints. You can delete or clean endpoints, and re-assign them to a different deployment group. To delete an endpoint and its related breadcrumbs (remove from database completely): 1. Select the endpoint(s) to which you would like this action to apply by clicking the checkbox to the left of the endpoint hostname. This will cause the bulk action buttons to appear: 2. Click the "Delete selected" button; when prompted to confirm the action, click "Yes": 3. Once the action has been completed successfully, you will see a green confirmation message appear next to the notification center at the top right-hand corner of your screen. To clean an endpoint (connect remotely and remove breadcrumbs on that endpoint): 1. Select the endpoint(s) to which you would like this action to apply by clicking the checkbox to the left of the endpoint hostname. This will cause the bulk action buttons to appear: Cymmetria MazeRunner 2017 Community Edition

99 2. Click the "Clean selected" button. You will need to choose your preferred deployment method (executable or native script) and enter your local admin credentials, then click "Clean": 3. Once the action has been completed successfully, you will see a green confirmation message appear next to the notification center at the top right-hand corner of your screen. To re-assign an endpoint to a different deployment group: 1. Select the endpoint(s) to which you would like this action to apply by clicking the checkbox to the left of the endpoint hostname. This will cause the bulk action buttons to appear: 2. Click the "Re-assign to group" button. From the drop-down list, choose the deployment group to which you would like to re-assign the selected endpoint, then click "Assign": 3. Once the action has been completed successfully, you will see a green confirmation message appear next to the notification center at the top right-hand corner of your screen. NOTE: An endpoint and its breadcrumbs must belong to the same deployment group. Therefore, if the endpoint you reassigned contains breadcrumbs from a different deployment group, your endpoint will become inactive and you will see an error message when you expand the endpoint row. You will need to clean the endpoint and redeploy its breadcrumbs either manually or automatically to resolve this. Cymmetria MazeRunner 2017 Community Edition

100 DASHBOARD The Dashboard is where you can view your deception campaign: Scrolling down below the campaign display, you will see alerts that require your attention. Each of these events can be expanded to display more information regarding the alert. Notice that, if MazeRunner has raised an alert on a machine, that machine will turn red. To see all events and alerts in the system you can go to the Investigation screen. INVESTIGATION SCREEN This screen will show you the deception campaign events and alerts. Each time an attacker carries out an action on a decoy machine, an event is created. Not every event warrants an alert; for example, events such as port scans and protocol connections are documented without raising alerts. The following are examples of common types of events documented by MazeRunner: 1. Port access An indication that an attacker has probed a decoy. This type of event usually precedes an actual attack. 2. Interaction event An attacker might try to interact with one of the services on a decoy; this type of event will notify the user of such attempts. For example, an SSH Interaction event would indicate that an attacker has in some way interacted with a decoy's SSH service. 3. Code execution An indication that an attacker has executed a program on a decoy. 4. Unsigned code execution An indication that an attacker has added and executed a program on a decoy. This is different than a regular code execution, where the program is already located on the decoy. DON'T FORGET: You can configure which action you would like to be taken for different events on the Alerting Policy sub screen of System Configuration. By clicking the + icon, you can expand each entry on the Investigation screen to see more information about the event: Cymmetria MazeRunner 2017 Community Edition

101 You can filter your results to show only the events that interest you; you can also search by keyword: By checking the box next to "Alerts only" (and then clicking "Filter / Refresh events"), you can filter out events and only show alerts: By selecting the checkbox to the right of the + icon, you can delete an event by clicking the Delete all selected button that appears: Cymmetria MazeRunner 2017 Community Edition

102 If you configured it as such on the Outputs sub screen of System Configuration, all alerts will go to a syslog server that may be monitored by your SIEM (e.g., Splunk). To export event and alert information in CSV format, click "Export to CSV" on the bottom left side of the screen: That's it! You now know how to use MazeRunner's platform to create and monitor a basic deception campaign. We're here to help. If you have any questions, please contact us at support@cymmetria.com. Cymmetria MazeRunner 2017 Community Edition

103 FAQ / TROUBLESHOOTING This section contains known issues that customers have encountered during MazeRunner installation, setup, and use. DECOYS NOT WORKING Q: My decoys aren't working. What's wrong? A: Decoys sometimes get stuck in booting or configuring status. This can be caused by various issues (e.g., your MazeRunner IP address has been changed). To rectify this issue, go to the Decoys sub screen of the Campaign screen and click "Recreate" (located in the Actions column on the right-hand side of the screen): This will delete your decoy and recreate it, exactly as it was (i.e., you will not lose any current connections to services and breadcrumbs). If this does not solve the problem, please verify that your virtual appliance meets the minimum requirements for running MazeRunner. Pay particular attention to the amount of RAM required per decoy. If you have already tried recreating your decoys and are sure that your virtual appliance meets the minimum requirements for running MazeRunner, yet the problem persists, please contact Cymmetria support so that we can investigate the issue. PROBLEM RESOLVING ENDPOINT NAME Q: When testing the connection to an endpoint prior to automated deployment, I received the message "Could not resolve endpoint name". A: Follow these two steps: 1. Please verify that you are providing the full hostname of the endpoint, including the domain. For example, "myendpoint.mydomain.local" vs. "myendpoint". 2. Please verify that the endpoint hostname you are providing is listed in your DNS server, or alternatively that you correctly configured the DNS server during MazeRunner network configuration. Cymmetria MazeRunner 2017 Community Edition

104 NESTED VIRTUALIZATION SUPPORT Q: Why do I see a "Nested Virtualizaton not supported" message on the Decoys tab? A: This message indicates that you did not enable support of virtualization (this support is not always turned on by default in a VMware environment). If you ignore this message and create a decoy anyway, you will see a "Creation error" message under "Status": See environment-specific instructions for enabling nested virtualization on VMware Player, VMware Workstation, VMware ESXi or KVM. DEPLOYING BREADCRUMBS AUTOMATICALLY TO LINUX MACHINES Q: How do I deploy breadcrumbs automatically to Linux machines? A: You can use the MazeRunner API. Cymmetria's Python SDK also has a fully functional sample script that deploys remotely to Linux machines, which you can use as is or extend to fit your purposes. Additionally, in various cloud environments, some users prefer to install breadcrumbs on the base image that will be cloned by the load-balancer. Cymmetria MazeRunner 2017 Community Edition

105 CREATING USERS Q: How do I add a user to a service when creating my campaign? A: Users are added during breadcrumb creation. Depending on the type of service you created, you will need to enter a username and password when creating the corresponding breadcrumb (you can also choose to randomize a username and password from Cymmetria's breadcrumb pool): You then need to ensure that the breadcrumb is connected to a service that is connected to an active decoy. See Creating a basic deception campaign manually on page 46 for instructions on adding, connecting, and activating breadcrumbs, services, and decoys. SERVICE IS INACTIVE/UNABLE TO DEPLOY BREADCRUMBS Q: My service is showing as "Inactive"/I am not able to click on my breadcrumb's "Deploy" link. A: You need to connect your service to a decoy, and make sure that the decoy is powered on. You will then be able to deploy breadcrumbs. See Creating a basic deception campaign manually on page 46 for instructions on adding, connecting, and activating breadcrumbs, services, and decoys. RUNNING INTERNET-FACING DECOYS Q: I'm receiving a lot of alerts. Can I run Internet-facing decoys? A: Yes, you can run Internet-facing decoys; however, these decoys will be scanned often and will generate a large amount of alerts (that are generally not high-interest alerts). The best way to use the MazeRunner platform is to run decoys inside of your organizational network. If however, you decide to run Internet-facing decoys, we recommend you change your alerting policy to generate alerts only on critical events (such as code execution), and to "ignore" others. To set your alerting policy to ignore less-critical alerts, follow these steps: Cymmetria MazeRunner 2017 Community Edition

106 1. In MazeRunner, click on the gear icon on the top right navigation bar to access the System Menu, and select "Configure": 2. On the Alerting Policy tab, you will see a "System-wide rules" section. In the Action column, click on the purple Alert button next to an event type and select "Ignore" from the drop-down options: CREATING A WEB APPLICATION SERVICE Q: Can I create a service using my own web application? A: Yes. When adding a service to your campaign, MazeRunner allows you to use your own customized web application. Currently, MazeRunner supports MediaWiki, SugarCRM, and phpmyadmin. To add a web application, follow these steps: 1. Create a ZIP file of your web application. 2. Navigate to the Services tab on MazeRunner's Campaign screen, and click "Add service". 3. Choose "Web application" from the Service type drop-down list: Cymmetria MazeRunner 2017 Community Edition

107 4. Upload your own ZIP file by clicking "Choose File", then click "Create": You have now created a new service using your own web application. For information on how to connect this service to a decoy, and how to add breadcrumbs, see Creating a basic deception campaign manually on page 46. CREATING A GIT SERVICE Q: Can I create a Git repository service? A: Yes. You can create a Git source code repository with GitLab web UI. This can be done by adding a Git service to your campaign. To add a Git service, follow these steps: 1. Create a ZIP file to house your repository files. MazeRunner will accept a ZIP file for your Git service in one of two formats: a. ZIP file all the files in the ZIP folder will be committed as an initial commit and load to the remote Git service. b. ZIP file with a Git folder the folder will load as a repository, including commit history, to the Git service. NOTE: The Git folder must be on the root ZIP hierarchy. 2. Navigate to the Services tab on MazeRunner's Campaign screen, and click "Add service". 3. Choose "Git" from the Service type drop-down list: Cymmetria MazeRunner 2017 Community Edition

108 4. Upload your ZIP file by clicking "Choose File", then click "Create": You have now created a new Git service. For information on how to connect this service to a decoy, and how to add breadcrumbs, see Creating a basic deception campaign manually on page 46. PROBLEMS DURING OVA IMPORT Q: I received a warning during OVA import saying that the OVA file did not pass OVF specification conformance or virtual hardware compliance checks. A: We are aware of this warning, and it is safe to click "Retry" and import the OVA file as is. Cymmetria MazeRunner 2017 Community Edition

109 PROBLEMS DEPLOYING AN OVA DECOY ON ESXI Q: I receive an error message when trying to deploy an OVA decoy on ESXi. A: You may be using an older version of ESXi. MazeRunner OVA decoys are compatible with ESXi version 5.1 and higher, so if you are using an older version, you will need to update your ESXi. AUTOMATIC DEPLOYMENT TO ENDPOINTS FAILED Deployment to endpoints can fail for various reasons. See below an explanation of the error messages you might have received, and instructions on how to solve the problem. ERROR: COULD NOT RESOLVE HOSTNAME Q: I received the error message "Could not resolve hostname". What does this mean? A: MazeRunner was not able to resolve the hostname of the endpoint to which you are trying to deploy. Please make sure that your DNS server is configured correctly and that the endpoint's hostname has not changed. ERROR: INCORRECT CREDENTIALS Q: I received the error message "Incorrect credentials ". What does this mean? A: MazeRunner failed to log in to the endpoint using the credentials supplied by the user. Please make sure that the credentials are valid and that they belong to an admin account (this can be the local admin on the endpoint). ERROR: SMB TCP PORTS (139, 445) ARE UNREACHABLE Q: I received the error message "SMB TCP ports (139, 445) are unreachable". What does this mean? A: MazeRunner failed to connect to the endpoints via the standard SMB ports. Please make sure that your firewall allows connecting to these ports (either your organization's firewall or the endpoint's local firewall), and that the endpoint accepts connection via these ports (this can be checked using the PsExec tool from the Sysinternals Suite). Cymmetria MazeRunner 2017 Community Edition