Cymmetria MazeRunner USER GUIDE

Cymmetria MazeRunner USER GUIDE September 12, 2016

SUPPORTED ENVIRONMENTS
All must have nested virtualization enabled (follow the links below to learn more):
- VMware Player (7 or higher)
- VMware Workstation (11 or higher)
- ESXi server (5.1 or higher)
- KVM hypervisor
Not supported: VirtualBox

REQUIREMENTS
Minimum requirements for installation:
- 150GB minimum storage, 500GB recommended
- 2GB of RAM (add 2GB for each additional nested decoy)
- 1 x CPU @ 2 GHz (add another CPU core for each additional nested decoy)
- VMware hypervisor (Player 7 or higher; Workstation 11 or higher; ESXi server 5.1 or higher) or KVM hypervisor, with nested virtualization enabled
Additional requirements:
- Nested virtualization
- Promiscuous mode

QUICK START
1. First choose which hypervisor you will use to run your MazeRunner virtual machine. Cymmetria suggests using a VMware Player hypervisor, as this is the most straightforward option and involves the least number of steps (it is also free). Other hypervisors are supported as well.
2. Enable nested virtualization on your hypervisor. Please refer to "Installation and setup" on page 6 for more information.
3. MazeRunner uses DHCP by default. For advanced networking setup or VLAN support, please refer to "MazeRunner network configuration" on page 48.
4. On the campaign screen, create a new decoy, service, and breadcrumb, and connect them to each other. "Using MazeRunner" on page 28 will walk you through all aspects of product usage.
5. On the breadcrumbs screen, use the deploy button to generate a breadcrumb installation script and then deploy it to endpoints.
6. Once the breadcrumbs are deployed, your deception campaign is ready. You can review the Dashboard and the Investigation screen for alerts of attackers accessing your decoys.
7. You can export your deception stories for backup, or as templates to be used by other people. Please refer to "Load from file" (on page 38) and "Exporting your deception campaign" (on page 45) for detailed instructions.
8. If you encounter any difficulties while working through this guide, please refer to "Appendix A FAQ" (on page 58) for help.

Cymmetria MazeRunner 2 www.cymmetria.com

CONTENTS
Introduction
  What is MazeRunner? ... 5
Installation and setup ... 6
  Virtual appliance (VMware Player) ... 6
  Virtual appliance (VMware Workstation) ... 9
  Virtual appliance (VMware ESXi) ... 12
    Enabling nested virtualization using vCenter ... 16
    Enabling nested virtualization using VMware Workstation (version 11 and up) ... 18
    Enabling nested virtualization using SSH ... 20
    Powering on your virtual machine ... 22
  Virtual appliance (KVM) ... 25
Using MazeRunner ... 28
  First use ... 28
  Product interface ... 31
    Notification center ... 31
    Deception story wizard ... 31
    System menu ... 32
  Creating a deception campaign (using the deception story wizard) ... 34
    Load from template ... 34
    Load from file ... 38
  Creating a basic deception campaign (manually) ... 41
    Create a new decoy ... 41
    Create a new service ... 42
    Create a new breadcrumb ... 42
  Exporting your deception campaign ... 45
  Endpoints screen ... 46
  Dashboard ... 46
  Investigation screen ... 46
  MazeRunner network configuration ... 48
    Static IP ... 48
    VLAN support ... 49
  Software integration ... 53
    ThreatConnect ... 53
Appendix A FAQ ... 58
  Nested virtualization support ... 58
  Service is inactive/unable to deploy breadcrumbs ... 59
  Creating users ... 59
  Running Internet-facing decoys ... 59
  Creating a web application service ... 60

INTRODUCTION

WHAT IS MAZERUNNER?
MazeRunner is a platform for creating effective deception stories. Attackers making lateral movement will first collect information on their next targets. At that time, they will find breadcrumbs deployed by MazeRunner that point to decoys. Once the attackers connect to the decoys, they are led to believe that they have successfully gained access to a target machine. Having gained a false sense of security, attackers reveal their attack tools and methods, which defenders are then able to document and analyze. Finally, MazeRunner communicates with an organization's existing defense infrastructure, exporting threat information that allows for the creation of attack signatures.

For a more detailed overview of MazeRunner, please read our product whitepaper, which can be downloaded for free from our website.

INSTALLATION AND SETUP
This section will guide you through the installation and setup of Cymmetria's MazeRunner solution. It includes information on MazeRunner's platform and deployment.

VIRTUAL APPLIANCE (VMWARE PLAYER)
To begin, make sure you have VMware Player installed on your computer. Then, navigate to the directory in which the MazeRunner OVA file is stored and proceed according to the following instructions:
1. To import MazeRunner into VMware Player, double-click on the OVA file (if you have multiple hypervisors installed on your computer, you will need to right-click on the OVA file, select "Open with", and then select "VMware Player"). You will need to provide a name and local storage path for the new virtual machine, and then click "Import".
2. Before powering on your new virtual machine, you must enable nested virtualization support in order to run MazeRunner with nested decoys. To do this:
   a. Make sure the virtual machine is turned off, and then right-click on it and select "Settings...".
   b. Select the Processors option and make sure the "Virtualize Intel VT-x/EPT or AMD-V/RVI" and "Virtualize CPU performance counters" boxes are checked, then click "OK".
   c. Nested virtualization is now enabled.
3. Now you can power on your virtual machine by clicking "Play virtual machine".
4. Once your virtual machine finishes booting, you will see its assigned IP address displayed on the console.

Save this IP address; you will need to use it in subsequent sections of this guide. That's it! MazeRunner is now ready for use.

By default, MazeRunner obtains its network configuration through DHCP. If you would like to change MazeRunner's network configuration, see the section entitled "MazeRunner network configuration" on page 48 of this guide. Learn more about how to get started with MazeRunner by reading the Using MazeRunner section of this guide.

VIRTUAL APPLIANCE (VMWARE WORKSTATION)
To begin, make sure you have VMware Workstation installed on your computer. Then, navigate to the directory in which the MazeRunner OVA file is stored and proceed according to the following instructions:
1. To import MazeRunner into VMware Workstation, double-click on the OVA file. You will need to provide a name and local storage path for the new virtual machine, and then click "Import".
2. Before powering on your new virtual machine, you must enable nested virtualization support in order to run MazeRunner with nested decoys. To do this:
   a. Make sure the virtual machine is turned off, and then right-click on it and select "Settings...".
   b. Select the Processors option and make sure the "Virtualize Intel VT-x/EPT or AMD-V/RVI" and "Virtualize CPU performance counters" boxes are checked, then click "OK".
   c. Nested virtualization is now enabled.
3. Now you can power on your virtual machine by clicking "Power on this virtual machine".
4. Once your virtual machine finishes booting, you will see its assigned IP address displayed on the console.

Save this IP address; you will need to use it in subsequent sections of this guide. That's it! MazeRunner is now ready for use.

By default, MazeRunner obtains its network configuration through DHCP. If you would like to change MazeRunner's network configuration, see the section entitled "MazeRunner network configuration" on page 48 of this guide. Learn more about how to get started with MazeRunner by reading the Using MazeRunner section of this guide.

VIRTUAL APPLIANCE (VMWARE ESXI)
To begin, open your vSphere Client and connect to your ESXi server by entering your username and password. From the File drop-down menu, choose "Deploy OVF Template" and open the MazeRunner OVA file supplied. Move through the stages of deploying the OVF Template:
1. Choose a name for your virtual machine (for example, "Cymmetria MazeRunner").
2. Choose your specific datacenter as the Host / Cluster on which to run the deployed template.
3. Select a destination for storing the virtual machine files.
4. Use the default values that appear in the Disk Format section.
5. Notice that the source network is shown as "bridged". Click "Next" to review all parameters and finish the virtual machine creation.

After your virtual machine has finished being deployed (this will take some time), select your virtual machine from the side bar on the left-hand side of the screen, then navigate to Home > Inventory > Hosts and Clusters.

Open the Configuration tab and choose "Networking" by clicking on the link located in the Hardware box to the left. To make the nested virtual machines accessible from the network, enable Promiscuous Mode for the Virtual Machine Port Group where your virtual machine is connected (in our example, "Maze"). To do this, go to Properties, select your virtual machine's port group, and then click "Edit...".

Go to the Security tab and make sure both Promiscuous Mode and Forged Transmits are enabled ("Accept"). Click "OK".

Why do we need Promiscuous Mode and Forged Transmits? In order for the nested virtual machines to receive data packets, we need to enable these functions. If you do not enable Promiscuous Mode and Forged Transmits, you will only be able to use OVA decoys, which are not nested.

Now you must enable nested virtualization support, in order to run MazeRunner with nested decoys. There are three common methods used to enable nested virtualization in ESXi products:
1. using vCenter
2. using VMware Workstation
3. using SSH

To find out which of these three methods you will need to use, you must look at which VMware hypervisor you are running. To do this, open vSphere Client and go to Help > About VMware vSphere. The pop-up window that appears tells you whether you are using vCenter or ESXi.

If you are using vCenter, see the instructions provided in the section entitled "Enabling nested virtualization using vCenter", below. If you are using ESXi, you have two options for enabling nested virtualization: via VMware Workstation or SSH (see the relevant sections on pages 18 and 20 of this guide).

ENABLING NESTED VIRTUALIZATION USING VCENTER
The following steps will guide you through enabling nested virtualization using vCenter.
1. Open vSphere Web Client in your web browser by navigating to the IP address of your vCenter server (using HTTPS), and log in with the same credentials you used to log in to your vSphere Client.
2. Make sure your virtual machine is turned off, then select "VMs and Templates" from the Home menu.

3. Right-click on your virtual machine and select "Edit Settings...".
4. Expand the CPU drop-down options, check the Hardware virtualization and Performance counters checkboxes, and click "OK".

Nested virtualization is now enabled. Please continue to the "Powering on your virtual machine" section of this guide.

ENABLING NESTED VIRTUALIZATION USING VMWARE WORKSTATION (VERSION 11 AND UP)
The following steps will guide you through enabling nested virtualization using VMware Workstation (version 11 and up).
1. Open VMware Workstation and navigate to File > Connect to Server...
2. Enter your login details (your ESXi credentials) and navigate to your MazeRunner virtual machine. Make sure the virtual machine is turned off, and then right-click on it and select "Settings..." (you may have to double-click on your virtual machine name before right-clicking).
3. Select the Processors option and make sure the "Virtualize Intel VT-x/EPT or AMD-V/RVI" and "Virtualize CPU performance counters" boxes are checked, then click "OK".

Nested virtualization is now enabled. Please continue to the "Powering on your virtual machine" section of this guide.

ENABLING NESTED VIRTUALIZATION USING SSH
The following steps will guide you through enabling nested virtualization using SSH.
1. In your vSphere Client, under the Configuration tab, choose "Security Profile" from the Software box on the bottom left of the screen, and then click "Properties".
2. Enable the ESXi Shell by selecting it from the list of labels, and then clicking on Options > Start > OK.
3. Follow the same steps to enable the SSH service.
4. Once finished, click "OK".
5. Log in to the ESXi Shell via an SSH client (PuTTY, for example), using your ESXi root user's credentials. To do this:
   a. Open PuTTY. In PuTTY, click "Open" to open a new SSH console.
   b. In the SSH console, enter your username and password.
6. Navigate to the MazeRunner virtual machine directory, located in /vmfs/volumes/<datastore_name>/<virtual_machine_name>/.
7. Make sure your MazeRunner virtual machine is turned off. Then, use your editor of choice to edit the .vmx file (for example, "MazeRunner_release.vmx") in this directory by adding the following flags to the end of the file:
   vhv.enable = "TRUE"
   vpmc.enable = "TRUE"

Nested virtualization is now enabled. Please continue to the "Powering on your virtual machine" section of this guide.

POWERING ON YOUR VIRTUAL MACHINE
Once you have enabled nested virtualization, you can power on your new virtual machine. To do this, open vSphere Client and navigate to Home > Inventory > VMs and Templates.

Use the search bar to find your virtual machine, select it, and then click "Power on the virtual machine". Switch to the Console tab to see the virtual machine powering on. Once it finishes booting, you will see its assigned IP address displayed on the console.

Save this IP address; you will need to use it in subsequent sections of this guide. That's it! MazeRunner is now ready for use.

By default, MazeRunner obtains its network configuration through DHCP. If you would like to change MazeRunner's network configuration, see the section entitled "MazeRunner network configuration" on page 48 of this guide. Learn more about how to get started with MazeRunner by reading the Using MazeRunner section of this guide.
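The SSH method above edits the MazeRunner .vmx file by hand. The following script is an added example, not part of the Cymmetria guide, that makes that edit repeatable from the ESXi Shell: it sets vhv.enable and vpmc.enable to "TRUE" whether the keys are missing or already present with another value, keeps a backup, and confirms both flags afterwards. The .vmx path and the sample file contents are constructed placeholders; run it only against a powered-off virtual machine.

```shell
#!/bin/sh
# Added example (not from the Cymmetria guide): set the two nested-virtualization
# flags the SSH method adds to the MazeRunner .vmx file, idempotently, and verify
# the result. Intended for the ESXi Shell session the guide describes, against a
# powered-off VM; all paths and the sample .vmx content below are constructed.

# Escape the dots in a .vmx key so it can be used inside a regular expression.
vmx_key_re() {
  printf '%s' "$1" | sed 's/\./\\./g'
}

# Return 0 when the .vmx file ($1) has key ($2) set to "TRUE" (case-insensitive).
vmx_flag_is_true() {
  key_re=$(vmx_key_re "$2")
  grep -i -E "^[[:space:]]*${key_re}[[:space:]]*=[[:space:]]*\"TRUE\"[[:space:]]*$" "$1" >/dev/null 2>&1
}

# Set key ($2) = "TRUE" in the .vmx file ($1): rewrite an existing assignment in
# place, or append one. Writes via a temp file so a failed edit leaves the
# original untouched.
vmx_set_true() {
  key_re=$(vmx_key_re "$2")
  if grep -i -E "^[[:space:]]*${key_re}[[:space:]]*=" "$1" >/dev/null 2>&1; then
    sed -E "s/^[[:space:]]*${key_re}[[:space:]]*=.*$/$2 = \"TRUE\"/" "$1" > "$1.tmp" \
      && mv "$1.tmp" "$1"
  else
    printf '%s = "TRUE"\n' "$2" >> "$1"
  fi
}

# Both flags from the guide must be TRUE for nested decoys to run.
vmx_nested_enabled() {
  vmx_flag_is_true "$1" vhv.enable && vmx_flag_is_true "$1" vpmc.enable
}

# Back up the .vmx, set both flags, and confirm they are in place.
enable_nested_virt_vmx() {
  cp "$1" "$1.bak" || return 1
  vmx_set_true "$1" vhv.enable || return 1
  vmx_set_true "$1" vpmc.enable || return 1
  vmx_nested_enabled "$1"
}

# Demo on a constructed .vmx (replace with the real path, e.g.
# /vmfs/volumes/<datastore_name>/<virtual_machine_name>/<vm_name>.vmx).
demo_vmx=$(mktemp) || exit 1
printf 'displayName = "MazeRunner"\nvhv.enable = "FALSE"\n' > "$demo_vmx"
if enable_nested_virt_vmx "$demo_vmx"; then
  echo "nested virtualization flags set in $demo_vmx"
else
  echo "failed to set flags in $demo_vmx" >&2
fi
cat "$demo_vmx"
```

Rewriting an existing assignment instead of blindly appending matters because VMware reads the last value of a duplicated key; a stale vhv.enable = "FALSE" left higher in the file is harmless, but two conflicting lines make the file harder to audit. The check at the end is the same one you would run by hand before powering the VM on.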

VIRTUAL APPLIANCE (KVM)
To begin, open a terminal, navigate to the directory in which the MazeRunner DSK file is stored (in QCOW2 format), and proceed according to the following instructions:
1. Enable promiscuous mode. Check if promiscuous mode is enabled on the network interface to which MazeRunner's virtual machine bridge will be connected (if you know that it is already enabled, you can skip to step 3 of this section now):
   a. Run the command 'netstat -i'.
   b. If the network interface to which you are going to connect the virtual machine bridge has 'P' in its flags (as shown in Figure A), promiscuous mode is already enabled and you can skip to step 3 of this section now.
   Figure A. netstat -i command output with promiscuous mode off/on.
2. If promiscuous mode is off, you will need to enable it according to the following instructions (depending on which OS you are using). To enable promiscuous mode:
   a. On Red Hat/CentOS:
      i. Open /etc/sysconfig/network-scripts/ifcfg-X (replace X with the name of the network interface to which MazeRunner's virtual machine bridge will be connected).
      ii. Add the line 'PROMISC=yes' to the end of the file.
   b. On Ubuntu/Debian:
      i. Open the "interfaces" file located in /etc/network.
      ii. Add the following lines under the configuration for the network interface to which MazeRunner's virtual machine bridge will be connected:
         up ifconfig $IFACE up
         up ip link set $IFACE promisc on
         down ip link set $IFACE promisc off
         down ifconfig $IFACE down
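Steps 1 and 2 above rely on reading the 'P' flag out of netstat -i and then editing a distribution-specific file. The script below is an added example, not part of the Cymmetria guide, that automates the check: it parses the flags column of a netstat -i line, falls back to the flag list of ip link on hosts that no longer ship net-tools, and makes the Red Hat/CentOS 'PROMISC=yes' edit idempotent so re-running it never stacks duplicate lines. The sample output lines, the sample ifcfg content and the interface names are constructed.

```shell
#!/bin/sh
# Added example (not from the Cymmetria guide): tell whether a Linux interface is
# in promiscuous mode by reading the flags column the guide's 'netstat -i' step
# refers to (the 'P' flag), or the <...> flag list of 'ip link' on hosts without
# net-tools, and make the Red Hat/CentOS 'PROMISC=yes' edit idempotent. The
# sample lines and file contents below are constructed; interface names are placeholders.

# $1 = one body line of 'netstat -i'; the flags are its last column, e.g. BMPRU.
netstat_line_is_promisc() {
  flags=$(printf '%s\n' "$1" | awk '{ print $NF }')
  case "$flags" in
    *P*) return 0 ;;
    *)   return 1 ;;
  esac
}

# $1 = one line of 'ip -o link show <iface>'; flags sit between < and >.
iplink_line_is_promisc() {
  case "$1" in
    *"<"*PROMISC*">"*) return 0 ;;
    *)                 return 1 ;;
  esac
}

# Query a live interface ($1). Returns 0 = promiscuous, 1 = not, 2 = could not tell.
iface_is_promisc() {
  if command -v ip >/dev/null 2>&1; then
    line=$(ip -o link show "$1" 2>/dev/null) || return 2
    iplink_line_is_promisc "$line"
  elif command -v netstat >/dev/null 2>&1; then
    line=$(netstat -i 2>/dev/null | awk -v i="$1" '$1 == i')
    [ -n "$line" ] || return 2
    netstat_line_is_promisc "$line"
  else
    return 2
  fi
}

# Append PROMISC=yes to an ifcfg-X file ($1) only if it is not already there,
# so repeated runs do not stack duplicate lines.
ensure_redhat_promisc() {
  grep -q '^PROMISC=yes$' "$1" 2>/dev/null || printf 'PROMISC=yes\n' >> "$1"
}

# Usage: ./promisc.sh <iface>   (the interface name is a placeholder)
if [ -n "$1" ]; then
  if iface_is_promisc "$1"; then echo "$1: promiscuous mode is on"
  elif [ $? -eq 2 ]; then echo "$1: could not determine (interface or tools missing)" >&2
  else echo "$1: promiscuous mode is off"; fi
fi
```

The two parsers are separated from the live query so the decision logic can be exercised on captured output, which is how you would verify the check before putting it in a provisioning script. Note that promiscuous mode set with ip link set ... promisc on is not persistent; the file edits in step 2 are what survive a reboot.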

3. Import the MazeRunner image (DSK file) using the following command (run as root):
   virt-install -n <name> -r <amount_of_ram> --os-type=linux --os-variant=ubuntu14.04 --disk MazeRunnerVirt.dsk,bus=virtio -w bridge=<name_of_network_bridge>,model=virtio --vnc --noautoconsole --import --cpu=host
   For example:
   virt-install -n MazeRunner -r 16384 --os-type=linux --os-variant=ubuntu14.04 --disk MazeRunnerVirt.dsk,bus=virtio -w bridge=virbr0,model=virtio --vnc --noautoconsole --import --cpu=host
   NOTE: On some older virt-install versions, the os-variant argument for "ubuntu14.04" was "ubuntutrusty". You can check the available variants on your system using the command 'osinfo-query os'.
   Parameters detailed:
   -n [an internal name for your virtual machine]
   -r [the amount of RAM, in MB, for your virtual machine]
   --os-type [the type of OS: Linux or Windows]
   --os-variant [the distribution or version; for a full list, run the command 'man virt-install']
   --disk [specifies media to use as storage for the guest, with various options]
   -w [the network configuration]
   --vnc [configures the graphics card to use VNC, allowing you to use virt-viewer or virt-manager to see the desktop]
   --noautoconsole [configures the installer to NOT automatically try to open virt-viewer to view the console in order to complete the installation; this is helpful if you are working on a remote system through SSH]
4. Check that the virtual machine was created successfully (we will use Virtual Machine Manager to do this in our example):
   a. Open Virtual Machine Manager and find the name you gave to the MazeRunner virtual machine in step 3.
   b. Click on the Open button and wait for the MazeRunner virtual machine to boot. Once it finishes booting, you will see its assigned IP address displayed on the console.
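The -r value in step 3 has to be chosen by hand from the Requirements section (2GB of RAM plus 2GB per nested decoy, one CPU plus one core per nested decoy). The script below is an added example, not part of the Cymmetria guide, that derives those numbers from the planned decoy count and assembles the virt-install command from step 3; with seven decoys it reproduces the guide's -r 16384. Beyond the guide's own command it adds a --vcpus count, resolves the os-variant name through osinfo-query when that tool is present (covering the "ubuntutrusty" note), and warns when the named bridge does not exist on the host. The VM name, bridge and image path are placeholders; the script prints the command rather than running it.

```shell
#!/bin/sh
# Added example (not from the Cymmetria guide): size the MazeRunner guest from
# the guide's Requirements (2 GB RAM plus 2 GB per nested decoy; 1 CPU plus one
# core per nested decoy) and assemble the virt-install command shown in the KVM
# section. Additions beyond the guide's command: a --vcpus count, an os-variant
# lookup through osinfo-query when that tool is installed, and a check that the
# bridge exists. VM name, bridge and image path are placeholders.

# RAM in MB for the given number of nested decoys ($1), per the Requirements.
mazerunner_ram_mb() {
  echo $((2048 + 2048 * $1))
}

# vCPU count for the given number of nested decoys ($1), per the Requirements.
mazerunner_vcpus() {
  echo $((1 + $1))
}

# Use the guide's "ubuntu14.04" variant unless osinfo-query only knows the
# older "ubuntutrusty" name; without osinfo-query, assume the newer name.
mazerunner_os_variant() {
  if command -v osinfo-query >/dev/null 2>&1; then
    variants=$(osinfo-query os 2>/dev/null)
    case "$variants" in
      *ubuntu14.04*)  echo ubuntu14.04;  return ;;
      *ubuntutrusty*) echo ubuntutrusty; return ;;
    esac
  fi
  echo ubuntu14.04
}

# $1 = VM name, $2 = nested decoys, $3 = bridge, $4 = image path.
# Prints the virt-install command line; does not run it.
mazerunner_virt_install_cmd() {
  name=$1 decoys=$2 bridge=$3 disk=$4
  case "$decoys" in
    ''|*[!0-9]*) echo "error: decoys must be a non-negative integer" >&2; return 1 ;;
  esac
  [ -d "/sys/class/net/$bridge" ] || echo "warning: bridge $bridge not found on this host" >&2
  printf 'virt-install -n %s -r %s --vcpus %s --os-type=linux --os-variant=%s --disk %s,bus=virtio -w bridge=%s,model=virtio --vnc --noautoconsole --import --cpu=host\n' \
    "$name" "$(mazerunner_ram_mb "$decoys")" "$(mazerunner_vcpus "$decoys")" \
    "$(mazerunner_os_variant)" "$disk" "$bridge"
}

# Usage (prints the command; review it, then run it as root):
#   ./mazerunner-kvm.sh MazeRunner 7 virbr0 MazeRunnerVirt.dsk
if [ $# -eq 4 ]; then
  mazerunner_virt_install_cmd "$@"
fi
```

Printing instead of executing keeps the host-privileged step (virt-install runs as root) reviewable: the generated line can be diffed against the guide's template before it is pasted into the root shell. The bridge check only warns, since virt-install itself fails clearly if the bridge is wrong, but catching the typo earlier saves a partially created domain that then has to be undefined.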

   c. Save this IP address; you will need to use it in subsequent sections of this guide.

That's it! MazeRunner is now ready for use. By default, MazeRunner obtains its network configuration through DHCP. If you would like to change MazeRunner's network configuration, see the section entitled "MazeRunner network configuration" on page 48 of this guide. Learn more about how to get started with MazeRunner by reading the Using MazeRunner section of this guide.

USING MAZERUNNER
Congratulations! You have completed the installation and setup of your MazeRunner appliance. You are now ready to start using the MazeRunner platform. Use the information in the following sections to get acquainted with, and start using, MazeRunner.

FIRST USE
Whether you are using a VMware Player, VMware Workstation, VMware ESXi or KVM hypervisor, your MazeRunner virtual machine was assigned an IP address at the end of the installation and setup process. Use this IP address to access the virtual machine from a web browser (make sure to use an HTTPS connection; for example, https://<ip_address>). You will be taken to MazeRunner's signup screen.

Proceed according to the following instructions in order to complete initial signup:
1. Enter your email address and the activation key you received from Cymmetria (if you have not received an activation key, contact support@cymmetria.com).
2. Choose an admin password, and a password for usern (usern is a network configuration user that is used for accessing the Cymmetria management server; please assign usern a password that is different from your admin password).
3. System time zone is automatically set to UTC; you may change this by selecting a different time zone from the drop-down list. You can also set the HTTP proxy server.
4. Be sure to read and understand Cymmetria's end-user license agreement and privacy policy; you will need to agree to the terms of both in order to continue.
5. Click "Continue" to finish. Once finished, you will be redirected to MazeRunner's main screen. You are now ready to start creating deception campaigns.

NOTE: For all future uses of MazeRunner, you will simply need to log in to your account using your username and password.

PRODUCT INTERFACE
MazeRunner has a user-friendly interface. You can use the top navigation bar to move between the main parts of the product:
- Dashboard: Your deception battle map, where you control and review your campaigns.
- Campaign screen: Here you create the different components of your deception campaign.
- Endpoints screen: This screen shows the endpoints on which you have placed breadcrumbs.
- Investigation screen: Used for viewing your campaign's events and alerts. Here you can see every move an attacker has made.

NOTIFICATION CENTER
The notification center, accessed from the speech bubble icon on the top right navigation bar, displays alerts and notifications regarding your MazeRunner activity. This includes campaign import status, any issues that need your attention, and more.

DECEPTION STORY WIZARD
This tool, accessed from the wand icon on the top right navigation bar, assists you in building your deception campaign. The wizard allows you to choose from templates that have been prepared by Cymmetria's security team, or load a custom campaign file. Alternatively, you can build your own customized deception stories without the help of the wizard. For more information on how to build deception stories using the wizard, see the section entitled "Creating a deception campaign (using the deception story wizard)" on page 34.

SYSTEM MENU
This menu, accessed from the gear icon on the top right navigation bar, allows you to configure MazeRunner, manage users, change password, import/export campaigns, view your access log, and upgrade the system. System configuration, which can be reached by clicking "Configure", contains four sub screens:
1. General: Here you can enter a virus database URL, choose to send anonymous data to Cymmetria, set the time zone, enable endpoints tracking, view/change the NTP server URL, and enter HTTP proxy server details (e.g., https://<ip>:<port>).
2. Outputs: Here you can define settings for syslog (UDP/TCP port and address), email, and ThreatConnect (enable TAXII server).
3. Networking: Here you can add a decoy MAC address prefix, enable non-promiscuous mode, enable VLAN support, and view the VLAN trunk interface.
4. Alerting Policy: Here you can set system-wide rules to be performed for specific types of events. You can also define user rules that override any system rules. In terms of which action should be taken for each event, you can choose from "Ignore", "Mute" (default setting), and "Alert":
   - Ignore: The event is not seen anywhere.
   - Mute: The event is only seen on the Investigation screen; however, you can check the box marked "Send muted alerts" on the Outputs sub screen to set MazeRunner to send muted alerts via syslog as well.
   - Alert: The event is seen on both the Investigation screen and the Dashboard, and an alert is sent via syslog and email.

CREATING A DECEPTION CAMPAIGN (USING THE DECEPTION STORY WIZARD) A deception campaign consists of three elements: 1. Decoys Decoys are virtual machines (servers or other devices) running Windows or Linux systems. They look and act like production machines. When a decoy is accessed, there is no doubt that this is the work of an attacker. Decoys are only reached by following a breadcrumb found on an endpoint. 2. Services Each decoy server runs live services (e.g., SMB, SSH, OpenVPN servers, etc.). Each breadcrumb leads to a specific service on a decoy machine. 3. Breadcrumbs These are passive elements of data (e.g. browser cookies, SSH credentials, shared folder mappings, OpenVPN scripts, etc.), placed on an organization's endpoints to be found by attackers during the reconnaissance phase. Breadcrumbs are placed in a natural manner that is compatible with a user s habits, so they blend into the environment and do not raise suspicion. Breadcrumbs and decoys can be used separately or as part of an end-to-end deception story. By dividing deception campaigns into three basic components, MazeRunner allows you to easily create a more elaborate deception network. Using MazeRunner's deception story wizard, you can build a deception campaign with the help of templates that have been prepared by Cymmetria's security team, or by loading a custom campaign file. Alternatively, you can build your own customized deception stories without the help of the wizard; see "Creating a basic deception campaign (manually)" on page 41 of this guide. LOAD FROM TEMPLATE The wizard gives you the option to use deception story templates that have been prepared by Cymmetria's security team. To do this: 1. Select "Load from template" and click "Next": 2. You will see a variety of prepared deception stories (for example, backup server, internal website, VPN server, and file server). 
You will also see a complete deception scenario; this is a collection of multiple deception stories based on a common theme. Each of these stories and scenarios includes a short description to help you decide which you would like to include in your campaign. Choose any number and combination of these deception stories and scenarios to build your deception campaign, then click "Next": Cymmetria MazeRunner 34 www.cymmetria.com

3. You will now see a more in-depth description of the deception stories/scenarios you selected. The wizard will automatically populate all of the necessary information fields for each deception story/scenario you selected. If you would like to customize any information, you may edit individual information fields.

NOTE: If you customize a field, be sure to click the Set button to apply your changes before clicking "Next":

4. You will now see a summary of what you have just built. If everything is as you would like it to be, click "Create" to save and create your new campaign. MazeRunner will validate the entities; if there are any issues, an error message will be presented and you will need to resolve the issue(s) before proceeding:

5. Check that your campaign has been created successfully (you will see a red dot on the notification center icon indicating that you have a new notification; open the notifications to check that the campaign has been created successfully). Here's an example of what your screen will look like once your campaign has been created successfully:

6. You can now view the details of your campaign by using the Decoys, Services, and Breadcrumbs tabs (sub screens). You will need to activate each of your servers by using the On/Off buttons on the Decoys sub screen, and then deploy your breadcrumbs on the Breadcrumbs sub screen. To deploy your breadcrumbs to your endpoint, follow these steps:

a. On the Breadcrumbs sub screen, notice the column "Deployment groups". Deployment groups are used to group several breadcrumbs together for ease of management and deployment; as you can see, the wizard has already created some groups and added breadcrumbs to those groups for you.

b. You can deploy individual breadcrumbs or deployment groups. The process for both is identical, except for the first step. In order to deploy a single breadcrumb to your endpoint, click "Deploy" on the breadcrumb you selected:

To deploy a deployment group, select the group from the All Breadcrumbs drop-down list and click "Deploy group":

i. Both of these actions will generate an installation script (uninstall scripts are also located here) that you can then deploy to endpoints:

ii. Download the appropriate installation script for your operating system (Windows or Linux). You will need to unpack and run this script (as Administrator or root) on the endpoint, in order to place the breadcrumb(s). Note that the script, once executed, will delete itself and all accompanying files in order to leave no trace of which breadcrumbs have been deployed. Remember to remove the ZIP file from your system once you are finished.

c. You can now validate the deployment on the Endpoints screen (see the relevant section on page 46).

That's it! Your deception campaign is up and running. Jump to the sections entitled "Exporting your deception campaign" on page 45 and "Endpoints screen" on page 46 to continue learning about the MazeRunner platform.

LOAD FROM FILE

The wizard gives you the option to load a deception campaign from a file (.cmpn).

NOTE: In order to use this option, you will need a .cmpn file, which is a JSON file in a format that is recognizable to MazeRunner. This type of file can be obtained by exporting a MazeRunner campaign file (System menu > Export Campaign) that you have previously created (or one that has been provided to you by Cymmetria), which can then be edited using a text editor of your choice.

To load a deception campaign from a file (.cmpn):

1. Open the wizard, select "Load from file" and click "Next".

2. Click the Choose File button and select your .cmpn file, then click "Next":

3. The wizard will populate all of the information fields for the .cmpn file you selected. If you would like to customize any information, you may edit individual information fields.

NOTE: If you customize a field, be sure to click the Set button to apply your changes before clicking "Next":

4. You will now see a summary of what you have just built. If everything is as you would like it to be, click "Create" to save and create your new campaign. MazeRunner will validate the entities; if there are any issues, an error message will be presented and you will need to resolve the issue(s) before proceeding:

5. Check that your campaign has been created successfully (you will see a red dot on the notification center icon indicating that you have a new notification; open the notifications to check that the campaign has been created successfully). Here's an example of what your screen will look like once your campaign has been created successfully:

6. You can now view the details of your campaign by using the Decoys, Services, and Breadcrumbs tabs (sub screens). You will need to activate each of your servers by using the On/Off buttons on the Decoys sub screen, and then deploy your breadcrumbs on the Breadcrumbs sub screen. To deploy your breadcrumbs to your endpoint, follow these steps:

a. On the Breadcrumbs sub screen, notice the column "Deployment groups". Deployment groups are used to group several breadcrumbs together for ease of management and deployment; as you can see, the wizard has already created some groups and added breadcrumbs to those groups for you.

b. You can deploy individual breadcrumbs or deployment groups. The process for both is identical, except for the first step. In order to deploy a single breadcrumb to your endpoint, click "Deploy" on the breadcrumb you selected:

To deploy a deployment group, select the group from the All Breadcrumbs drop-down list and click "Deploy group":

i. Both of these actions will generate an installation script (uninstall scripts are also located here) that you can then deploy to endpoints:

ii. Download the appropriate installation script for your operating system (Windows or Linux). You will need to unpack and run this script (as Administrator or root) on the endpoint, in order to place the breadcrumb(s). Note that the script, once executed, will delete itself and all accompanying files in order to leave no trace of which breadcrumbs have been deployed. Remember to remove the ZIP file from your system once you are finished.

c. You can now validate the deployment on the Endpoints screen (see the relevant section on page 46).

That's it! Your deception campaign is up and running. Jump to the sections entitled "Exporting your deception campaign" on page 45 and "Endpoints screen" on page 46 to continue learning about the MazeRunner platform.

CREATING A BASIC DECEPTION CAMPAIGN (MANUALLY)

A deception campaign consists of three elements:

1. Decoys
Decoys are virtual machines (servers or other devices), running Windows or Linux systems. They look and act like production machines. When a decoy is accessed, there is no doubt that this is the work of an attacker. Decoys are only reached by following a breadcrumb found on an endpoint.

2. Services
Each decoy server runs live services (e.g., SMB, SSH, OpenVPN servers, etc.). Each breadcrumb leads to a specific service on a decoy machine.

3. Breadcrumbs
These are passive elements of data (e.g., browser cookies, SSH credentials, shared folder mappings, OpenVPN scripts, etc.), placed on an organization's endpoints to be found by attackers during the reconnaissance phase. Breadcrumbs are placed in a natural manner that is compatible with a user's habits, so they blend into the environment and do not raise suspicion.

Breadcrumbs and decoys can be used separately or as part of an end-to-end deception story. By dividing deception campaigns into three basic components, MazeRunner allows you to easily create a more elaborate deception network.

The following is a step-by-step guide for manually creating the basic elements of a deception campaign.

CREATE A NEW DECOY

In this stage, you will create a decoy server.

1. Go to the Campaign screen (the Deception Story Wizard may pop up; simply click "Close wizard" to define your campaign manually). On the Decoy sub screen, click the Add decoy button.

2. Fill in the required information. For example, to start an Ubuntu server, include a meaningful name such as "HR_Server", a hostname such as "hrsrvr01", and choose KVM as the VM type. If you would like to configure a static IP, check the box labeled "Manually configure network settings" and fill out the Static IP field.

3. Click "Create" in order to create the decoy.

4. Power on the server using the On/Off button, which is located between the Status and IP columns.

5. That's it! Here is an example of what your screen will look like:

CREATE A NEW SERVICE

In this stage you will add services (SMB, SSH, OpenVPN, etc.) to your decoy. For the purposes of this example, let's assume that you want to create a deception story for your HR department.

1. Go to the Campaign screen (the Deception Story Wizard may pop up; simply click "Close wizard" to define your campaign manually). On the Services sub screen, click the Add service button.

2. Enter an appropriate name (e.g., "Personnel_Files") and select the desired service type (e.g., SMB service).

3. Add the necessary data (for example, if you chose an SMB service, you will need a name for its shared folder and a ZIP file for the content). Click "Create".

4. Choose the new service and connect it to the decoy (in this case, the decoy named "HR_Server" that we created in the previous section). Do this by clicking on the Connect to decoy button and selecting "HR_Server" from the drop-down list:

5. That's it! Here is an example of what your screen will look like:

CREATE A NEW BREADCRUMB

In this stage you will create the bait and connect it to the previously created decoy and service.

1. Go to the Campaign screen (the Deception Story Wizard may pop up; simply click "Close wizard" to define your campaign manually). On the Breadcrumbs sub screen, click "Add breadcrumb".

2. Select an appropriate name, and then select the breadcrumb type (make sure it matches the service you have defined). For example, you could select a network share breadcrumb and name it "Personnel_Files_BC".

3. After filling in all of the fields (according to the breadcrumb type you chose), click "Create".

NOTE: Some breadcrumbs will allow you to create a user (you will need to enter a username and password).

4. Connect this breadcrumb to a service by clicking the Connect to service button and selecting a service from the drop-down list:

5. Notice the Add deployment group button next to the Add breadcrumb button. Deployment groups are used to group several breadcrumbs together for ease of management and deployment; Cymmetria recommends the use of deployment groups in your campaigns. To create a new deployment group:

a. Click the Add deployment group button, enter a name for your deployment group (e.g., "IT" or "all users"), and click "Create":

b. Now you can add breadcrumbs to this group. To do so, type "IT" in the Deployment groups column on the right-hand side of the screen, and select the new group from the drop-down list that appears. You can see that your breadcrumb now belongs to the IT deployment group:

6. Now you are ready to deploy your breadcrumb or deployment group. The process for both is identical, except for the first step. In order to deploy a single breadcrumb to your endpoint, click "Deploy" on the breadcrumb you selected:

To deploy a deployment group, select the group from the All Breadcrumbs drop-down list and click "Deploy group":

a. Both of these actions will generate an installation script (uninstall scripts are also located here) that you can then deploy to endpoints:

b. Download the appropriate installation script for your operating system (Windows or Linux). You will need to unpack and run this script (as Administrator or root) on the endpoint, in order to place the breadcrumb(s). Note that the script, once executed, will delete itself and all accompanying files in order to leave no trace of which breadcrumbs have been deployed. Remember to remove the ZIP file from your system once you are finished.

7. You can now validate the deployment on the Endpoints screen (see the relevant section on page 46).

That's it! Your deception campaign is up and running.
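The decoy / service / breadcrumb chain built above has to be intact before a breadcrumb can be deployed: the breadcrumb type must match its service, the service must be connected to a decoy, and that decoy must be powered on (the same conditions behind the "Service is inactive" FAQ entry in Appendix A). The following added example, which is not MazeRunner's own code and does not reproduce the real .cmpn schema, models a campaign with those three element types and reports, per breadcrumb and per deployment group, what still blocks deployment; the field names and the breadcrumb-to-service compatibility table are assumptions for illustration.

```python
"""Added example: pre-deployment checks for a decoy/service/breadcrumb campaign.
Not MazeRunner's code; the data model and field names are assumed."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Assumed mapping: which service type each breadcrumb type must lead to.
COMPATIBLE = {
    "network_share": "smb",
    "ssh_credentials": "ssh",
    "openvpn_script": "openvpn",
    "browser_cookie": "web_application",
}


@dataclass
class Decoy:
    name: str
    hostname: str
    powered_on: bool = False


@dataclass
class Service:
    name: str
    service_type: str
    decoy: Optional[str] = None          # name of the connected decoy


@dataclass
class Breadcrumb:
    name: str
    breadcrumb_type: str
    service: Optional[str] = None        # name of the connected service
    groups: List[str] = field(default_factory=list)


@dataclass
class Campaign:
    decoys: Dict[str, Decoy]
    services: Dict[str, Service]
    breadcrumbs: Dict[str, Breadcrumb]


def deployment_blockers(campaign: Campaign, bc: Breadcrumb) -> List[str]:
    """Reasons this breadcrumb cannot be deployed yet (empty list = deployable)."""
    if bc.service is None:
        return [f"{bc.name}: not connected to any service"]
    svc = campaign.services.get(bc.service)
    if svc is None:
        return [f"{bc.name}: connected to unknown service {bc.service!r}"]
    problems = []
    if COMPATIBLE.get(bc.breadcrumb_type) != svc.service_type:
        problems.append(f"{bc.name}: type {bc.breadcrumb_type!r} does not match "
                        f"{svc.service_type!r} service {svc.name!r}")
    if svc.decoy is None:
        problems.append(f"{svc.name}: inactive, not connected to a decoy")
        return problems
    decoy = campaign.decoys.get(svc.decoy)
    if decoy is None:
        problems.append(f"{svc.name}: connected to unknown decoy {svc.decoy!r}")
    elif not decoy.powered_on:
        problems.append(f"{decoy.name}: powered off")
    return problems


def validate_campaign(campaign: Campaign) -> Dict[str, List[str]]:
    """Blockers for every breadcrumb in the campaign, keyed by breadcrumb name."""
    return {n: deployment_blockers(campaign, b) for n, b in campaign.breadcrumbs.items()}


def deployable(campaign: Campaign, group: str) -> List[str]:
    """Breadcrumbs in a deployment group that would be placed by 'Deploy group'."""
    return [b.name for b in campaign.breadcrumbs.values()
            if group in b.groups and not deployment_blockers(campaign, b)]


def sample_campaign() -> Campaign:
    """Constructed sample: the HR story from this guide plus deliberately broken entries."""
    decoys = {"HR_Server": Decoy("HR_Server", "hrsrvr01", powered_on=True),
              "Backup_Server": Decoy("Backup_Server", "bkpsrvr01")}      # still off
    services = {"Personnel_Files": Service("Personnel_Files", "smb", "HR_Server"),
                "Backup_SSH": Service("Backup_SSH", "ssh", "Backup_Server"),
                "VPN_Gateway": Service("VPN_Gateway", "openvpn")}        # no decoy
    crumbs = {"Personnel_Files_BC": Breadcrumb("Personnel_Files_BC", "network_share",
                                               "Personnel_Files", ["IT"]),
              "Backup_Creds_BC": Breadcrumb("Backup_Creds_BC", "ssh_credentials",
                                            "Backup_SSH", ["IT"]),
              "VPN_Script_BC": Breadcrumb("VPN_Script_BC", "openvpn_script",
                                          "VPN_Gateway", ["all users"]),
              "Wiki_Cookie_BC": Breadcrumb("Wiki_Cookie_BC", "browser_cookie",
                                           "Personnel_Files")}           # wrong type
    return Campaign(decoys, services, crumbs)


if __name__ == "__main__":
    for name, blockers in validate_campaign(sample_campaign()).items():
        print(name, "->", "OK" if not blockers else "; ".join(blockers))
    print("Deploy group IT would place:", deployable(sample_campaign(), "IT"))
```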

EXPORTING YOUR DECEPTION CAMPAIGN

A deception campaign can be exported to a file. This allows you to back up your campaigns, copy them for reuse, or allow other people in the security community to use your deception stories as templates for their own deception campaigns.

To export your campaign, navigate to the settings drop-down (gear icon located in the top right-hand corner of the screen) and choose "Export Campaign":

Now choose a name for your campaign and click on "Export". The deception campaign file will start downloading immediately:

ENDPOINTS SCREEN

This screen will show you endpoints containing breadcrumbs, along with their status, details, and possible actions that can be taken:

DASHBOARD

The Dashboard is where you can view your deception campaign:

Scrolling down below the campaign display, you will see alerts that require your attention. Each of these events can be expanded to display more information regarding the alert. To see all events and alerts in the system, you can go to the Investigation screen.

INVESTIGATION SCREEN

This screen will show you the deception campaign events and alerts. Each time an attacker carries out an action on a decoy machine, an event is created. Not every event warrants an alert; for example, events such as port scans and protocol connections are documented without raising alerts. The following are examples of common types of events documented by MazeRunner:

1. Port access
An indication that an attacker has probed a decoy. This type of event usually precedes an actual attack.

2. Interaction event
An attacker might try to interact with one of the services on a decoy; this type of event will notify the user of such attempts. For example, an SSH Interaction event would indicate that an attacker has in some way interacted with a decoy's SSH service.

3. Code execution
An indication that an attacker has executed a program on a decoy.

You can expand each entry for more information on the event, or filter your results to show only the events that interest you:

That's it! You now know how to use MazeRunner's platform to create a basic deception campaign. Learn more about what can be done with MazeRunner by reading the MazeRunner network configuration and Software integration sections of this guide.

We're here to help. If you have any questions, please contact us at support@cymmetria.com.

MAZERUNNER NETWORK CONFIGURATION

This section includes information on configuring static IP and VLAN support.

STATIC IP

By default, MazeRunner automatically obtains its network configuration through DHCP. If you would like to change MazeRunner's network configuration, follow these steps:

1. Open the server's console. The console can be accessed using your hypervisor UI.

2. Log in as "usern":

a. Enter 'usern' as the MazeRunner login. For example:

b. Enter the password 'Password1!' (1) and then enter "static". For example:

Enter the details relevant to your network (IP address, netmask, default gateway, nameserver IP address). If you do not know your network details, contact your IT administrator.

That's it! MazeRunner is now configured and ready for use. Learn more about what can be done with MazeRunner by reading the Software integration section of this guide.

(1) You will be prompted to change this password on first use.

VLAN SUPPORT

VLAN support can be enabled by following the steps outlined below (note that these steps assume you are using a VMware hypervisor):

1. Make sure that your port group is configured to accept VLAN tagging. If you already know that this is configured correctly, skip to step 2.

a. In your vSphere control panel, access the Properties menu of the switch to which MazeRunner is connected by navigating to Configuration > Networking > Properties:

b. Under the Ports tab, select the appropriate switch name and click "Edit":

c. Under the General tab, select "All (4095)" as the VLAN ID:

d. To make sure that the network adapter "sees" the VLAN network, expand the Networks list under the Status area in Configuration > Networking > Properties > Network Adapters:

2. In MazeRunner (make sure you've read "Using MazeRunner" on page 28 before proceeding), click on the gear icon on the top right navigation bar to access the system menu, and select "Configure":

3. On the Networking tab, check the "Enable VLAN support" box, and then click "Save configuration":

4. Next, click the Add VLAN button:

5. Enter a VLAN ID (for example, "2").

NOTE: The VLAN ID must use numbers, not letters or other characters.

If you are using static IP in your network, please assign the Cymmetria management server a static IP address in the space provided, then click "Create":

That's it! MazeRunner is now configured and ready for use.

NOTE: When you define a new decoy in MazeRunner (when building your deception campaign), you will need to select your VLAN ID from the drop-down list:

Learn more about what can be done with MazeRunner by reading the Software integration section of this guide.

SOFTWARE INTEGRATION

This section will show you how to set up ThreatConnect for use with MazeRunner. Before proceeding, please install and set up MazeRunner according to the guidelines provided for your virtual appliance (VMware Player, VMware Workstation, VMware ESXi or KVM).

THREATCONNECT

To set up ThreatConnect integration, follow these steps:

1. Open ThreatConnect. In ThreatConnect, navigate to the Dashboard and select the TAXII feed you would like to connect to MazeRunner (you can connect any valid TAXII feed; if you are unsure of which feed to connect, please check with your ThreatConnect contact). In this example, our feed is called "Cymmetria TAXII Source":

2. The Dashboard screen will refresh and you will see that a new section, called "Source", has appeared on your screen. Click on the gear icon to go to your TAXII feed's Source Config:

3. In Source Config, go to the Data tab:

4. Click "+ NEW INBOUND" to create a new inbound TAXII Exchange:

5. You will now need to configure the new inbound TAXII exchange. Notice that a configuration window has popped up on your screen:

Enter a name for the new inbound TAXII exchange. For the URL, you will need to enter the TAXII server URL found in MazeRunner's configuration settings (make sure you've read "Using MazeRunner" on page 28 before proceeding). To do this:

a) Open MazeRunner in your browser by navigating to your virtual machine's IP address (using HTTPS). Click on the gear icon located in the top right-hand corner of the screen, and select "Configure":

b) On the Outputs tab, you will find "ThreatConnect Settings". Check the box next to "Enable TAXII server", click the purple Save configuration button, and then copy the link found in the "TAXII server URL" field:

c) Go back into ThreatConnect and paste this URL into the space provided, then click "Next".

6. On the Login tab, click on "TEST CONNECTION" and the Available Services section will expand. Click on the POLL service that appears, and you will see that the MazeRunner URL you entered in step 5 will appear at the top of the screen. Enter "Guest" as both the Username and Password (you will not need to use these credentials again; they are only required by ThreatConnect in order to proceed to the next step), then click "Next":

7. On the Feed tab, click "Check for available feeds" and select the feed that is shown (called "alerts_feed"), then click "Next":

8. Click "Next" until you reach the Confirm tab, and then click "SAVE".

That's it! ThreatConnect is now ready for use with MazeRunner.

APPENDIX A: FAQ

This section contains known issues that customers have encountered during MazeRunner installation, setup, and use.

NESTED VIRTUALIZATION SUPPORT

Q: Why do I see a "Nested Virtualization not supported" message on the Decoys tab?

A: This message indicates that you did not enable support for virtualization (this support is not always turned on by default in a VMware environment). If you ignore this message and create a decoy anyway, another "Nested virtualization not supported" message will appear under "Status":

See the environment-specific instructions for enabling nested virtualization on VMware Player, VMware Workstation, VMware ESXi or KVM.

SERVICE IS INACTIVE/UNABLE TO DEPLOY BREADCRUMBS

Q: My service is showing as "Inactive"/I am not able to click on my breadcrumb's "Deploy" link.

A: You need to connect your service to a decoy, and make sure that the decoy is powered on. You will then be able to deploy breadcrumbs. See "Creating a basic deception campaign (manually)" on page 41 for instructions on adding, connecting, and activating breadcrumbs, services, and decoys.

CREATING USERS

Q: How do I add a user to a service when creating my campaign?

A: Users are added during breadcrumb creation. Depending on the type of service you created, you will need to enter a username and password when creating the corresponding breadcrumb:

You then need to ensure that the breadcrumb is connected to a service that is connected to an active decoy. See "Creating a basic deception campaign (manually)" on page 41 for instructions on adding, connecting, and activating breadcrumbs, services, and decoys.

RUNNING INTERNET-FACING DECOYS

Q: I'm receiving a lot of alerts. Can I run Internet-facing decoys?

A: Yes, you can run Internet-facing decoys; however, these decoys will be scanned often and will generate a large number of alerts (that are generally not high-interest alerts). The best way to use the MazeRunner platform is to run decoys inside your organizational network. If, however, you decide to run Internet-facing decoys, we recommend that you change your alerting policy to generate alerts on critical events (such as code execution) only, and to "ignore" others. To set your alerting policy to ignore less-critical alerts, follow these steps:

1. In MazeRunner, click on the gear icon on the top right navigation bar to access the system menu, and select "Configure":

2. On the Alerting Policy tab, you will see a "System-wide rules" section. In the Action column, click on the purple Alert button next to an event type and select "Ignore" from the drop-down options:

CREATING A WEB APPLICATION SERVICE

Q: Can I create a service using my own web application?

A: Yes. When adding a service to your campaign, MazeRunner allows you to use your own customized web application. Currently, MazeRunner supports MediaWiki, SugarCRM, and phpMyAdmin. To add a web application, follow these steps:

1. Create a ZIP file of your web application.

2. Navigate to the Services tab on MazeRunner's Campaign screen, and click "Add service".

3. Choose "Web Application" from the Service type drop-down list:

4. Upload your own ZIP file by clicking "Choose File", then click "Create":

That's it! You have now created a new service using your own web application. For information on how to connect this service to a decoy, and how to add breadcrumbs, see "Creating a basic deception campaign (manually)" on page 41.