
September 12, 2016

Cymmetria MazeRunner

USER GUIDE

© Cymmetria MazeRunner 2 www.cymmetria.com

Supported environments (all must have nested virtualization enabled – follow the links below to learn more)

VMware Player (7 or higher)

VMware Workstation (11 or higher)

ESXi server (5.1 or higher)

KVM hypervisor

Not supported: VirtualBox

Requirements

Minimum requirements for installation:

150GB minimum storage, 500GB recommended

2GB of RAM (add 2GB for each additional nested decoy)

1 x CPU @ 2 GHz (add another CPU core for each additional nested decoy)

VMware hypervisor (Player 7 or higher; Workstation 11 or higher; ESXi server 5.1 or higher) or KVM hypervisor, with nested virtualization enabled

Additional requirements

Nested virtualization

Promiscuous mode

Quick start

1. First choose which hypervisor you will use to run your MazeRunner virtual machine. Cymmetria suggests using a VMware Player hypervisor, as this is the most straightforward option and involves the fewest steps (it is also free). Other hypervisors are supported as well.

2. Enable nested virtualization on your hypervisor. Please refer to "Installation and setup" on page 6 for more information.

3. MazeRunner uses DHCP by default. For advanced networking setup or VLAN support, please refer to "MazeRunner network configuration" on page 48.

4. On the campaign screen, create a new decoy, service, and breadcrumb, and connect them to each other. "Using MazeRunner" on page 28 will walk you through all aspects of product usage.

5. On the breadcrumbs screen, use the deploy button to generate a breadcrumb installation script and then deploy it to endpoints.

6. Once the breadcrumbs are deployed, your deception campaign is ready. You can review the Dashboard and the Investigation screen for alerts of attackers accessing your decoys.

7. You can export your deception stories for backup, or as templates to be used by other people. Please refer to "Load from file" (on page 38) and "Exporting your deception campaign" (on page 45) for detailed instructions.

8. If you encounter any difficulties while working through this guide, please refer to "Appendix A – FAQ" (on page 58) for help.


CONTENTS

Introduction – What is MazeRunner?, p. 5
Installation and setup, p. 6
  Virtual appliance (VMware Player), p. 6
  Virtual appliance (VMware Workstation), p. 9
  Virtual appliance (VMware ESXi), p. 12
    Enabling nested virtualization using vCenter, p. 16
    Enabling nested virtualization using VMware Workstation (version 11 and up), p. 18
    Enabling nested virtualization using SSH, p. 20
    Powering on your virtual machine, p. 22
  Virtual appliance (KVM), p. 25
Using MazeRunner, p. 28
  First use, p. 28
  Product interface, p. 31
  Notification center, p. 31
  Deception story wizard, p. 31
  System menu, p. 32
  Creating a deception campaign (using the deception story wizard), p. 34
    Load from template, p. 34
    Load from file, p. 38
  Creating a basic deception campaign (manually), p. 41
    Create a new decoy, p. 41
    Create a new service, p. 42
    Create a new breadcrumb, p. 42
  Exporting your deception campaign, p. 45
  Endpoints screen, p. 46
  Dashboard, p. 46
  Investigation screen, p. 46
MazeRunner network configuration, p. 48
  Static IP, p. 48
  VLAN support, p. 49
Software integration, p. 53
  ThreatConnect, p. 53
Appendix A – FAQ, p. 58
  Nested virtualization support, p. 58
  Service is inactive/unable to deploy breadcrumbs, p. 59
  Creating users, p. 59
  Running Internet-facing decoys, p. 59
  Creating a web application service, p. 60


INTRODUCTION – WHAT IS MAZERUNNER?

MazeRunner is a platform for creating effective deception stories. Attackers making lateral movement will first collect information on their next targets. At that time, they will find breadcrumbs deployed by MazeRunner that point to decoys. Once the attackers connect to the decoys, they are led to believe that they have successfully gained access to a target machine. Having gained a false sense of security, attackers reveal their attack tools and methods, which defenders are then able to document and analyze.

Finally, MazeRunner communicates with an organization's existing defense infrastructure, exporting threat information that allows for the creation of attack signatures.

For a more detailed overview of MazeRunner, please read our product whitepaper, which can be downloaded for free from our website.


INSTALLATION AND SETUP

This section will guide you through the installation and setup of Cymmetria's MazeRunner solution. It includes information on MazeRunner's platform and deployment.

VIRTUAL APPLIANCE (VMWARE PLAYER)

To begin, make sure you have VMware Player installed on your computer. Then, navigate to the directory in which the MazeRunner OVA file is stored and proceed according to the following instructions:

1. To import MazeRunner into VMware Player, double-click on the OVA file (if you have multiple hypervisors installed on your computer, you will need to right-click on the OVA file, select "Open with", and then select "VMware Player"). You will need to provide a name and local storage path for the new virtual machine, and then click "Import":

2. Before powering on your new virtual machine, you must enable nested virtualization support in order to run MazeRunner with nested decoys. To do this:

a. Make sure the virtual machine is turned off, and then right-click on it and select "Settings…":

b. Select the Processors option and make sure the "Virtualize Intel VT-x/EPT or AMD-V/RVI" and "Virtualize CPU performance counters" boxes are checked, then click "OK":


c. Nested virtualization is now enabled.

3. Now you can power on your virtual machine by clicking "Play virtual machine":

4. Once your virtual machine finishes booting, you will see its assigned IP address displayed on the console:


Save this IP address; you will need to use it in subsequent sections of this guide.

That's it! MazeRunner is now ready for use.

By default, MazeRunner obtains its network configuration through DHCP. If you would like to change MazeRunner's network configuration, see the section entitled "MazeRunner network configuration" on page 48 of this guide.

Learn more about how to get started with MazeRunner by reading the Using MazeRunner section of this guide.


VIRTUAL APPLIANCE (VMWARE WORKSTATION)

To begin, make sure you have VMware Workstation installed on your computer. Then, navigate to the directory in which the MazeRunner OVA file is stored and proceed according to the following instructions:

1. To import MazeRunner into VMware Workstation, double-click on the OVA file. You will need to provide a name and local storage path for the new virtual machine, and then click "Import":

2. Before powering on your new virtual machine, you must enable nested virtualization support in order to run MazeRunner with nested decoys. To do this:

a. Make sure the virtual machine is turned off, and then right-click on it and select "Settings…":


b. Select the Processors option and make sure the "Virtualize Intel VT-x/EPT or AMD-V/RVI" and "Virtualize CPU performance counters" boxes are checked, then click "OK":

c. Nested virtualization is now enabled.

3. Now you can power on your virtual machine by clicking "Power on this virtual machine":

4. Once your virtual machine finishes booting, you will see its assigned IP address displayed on the console:


Save this IP address; you will need to use it in subsequent sections of this guide.

That's it! MazeRunner is now ready for use.

By default, MazeRunner obtains its network configuration through DHCP. If you would like to change MazeRunner's network configuration, see the section entitled "MazeRunner network configuration" on page 48 of this guide.

Learn more about how to get started with MazeRunner by reading the Using MazeRunner section of this guide.


VIRTUAL APPLIANCE (VMWARE ESXI)

To begin, open your vSphere Client and connect to your ESXi server by entering your username and password. From the File drop-down menu, choose "Deploy OVF Template" and open the MazeRunner OVA file supplied.

Move through the stages of deploying the OVF Template:

1. Choose a name for your virtual machine (for example, "Cymmetria MazeRunner").

2. Choose your specific datacenter as the Host / Cluster on which to run the deployed template.

3. Select a destination for storing the virtual machine files.

4. Use the default values that appear in the Disk Format section.

5. Notice that the source network is shown as "bridged". Click "Next" to review all parameters and finish the virtual machine creation:

After your virtual machine has finished being deployed (this will take some time), select your virtual machine from the side bar on the left-hand side of the screen, then navigate to Home → Inventory → Hosts and Clusters:


Open the Configuration tab and choose "Networking" by clicking on the link located in the Hardware box to the left:

To make the nested virtual machines accessible from the network, enable Promiscuous Mode for the Virtual Machine Port Group to which your virtual machine is connected (in our example, "Maze"). To do this, go to "Properties", select your virtual machine's port group, and then click "Edit":


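Go to the Security tab and make sure both "Promiscuous Mode" and "Forged Transmits" are enabled ("Accept"). Click "OK":

Why do we need Promiscuous Mode and Forged Transmits? The nested virtual machines send and receive traffic through the MazeRunner virtual machine's network adapter, but with their own MAC addresses. By default, the virtual switch delivers only frames addressed to the adapter's own MAC address and drops outgoing frames whose source MAC address differs from it, so both functions must be enabled in order for the nested virtual machines to receive data packets. If you do not enable Promiscuous Mode and Forged Transmits, you will only be able to use OVA decoys, which are not nested.

Now you must enable nested virtualization support, in order to run MazeRunner with nested decoys. There are three common methods used to enable nested virtualization in ESXi products: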

1. using vCenter

2. using VMware Workstation

3. using SSH


To find out which of these three methods you will need to use, you must look at which VMware hypervisor you are running. To do this, open vSphere Client and go to Help → About VMware vSphere:

If you see the following pop-up window, it means you are using vCenter:

If you see the following pop-up window, it means you are using ESXi:


If you are using vCenter, see the instructions provided in the section entitled "Enabling nested virtualization using vCenter", below. If you are using ESXi, you have two options for enabling nested virtualization: via VMware Workstation or SSH (see the relevant sections on pages 18 and 20 of this guide).

ENABLING NESTED VIRTUALIZATION USING VCENTER

The following steps will guide you through enabling nested virtualization using vCenter.

1. Open vSphere Web Client in your web browser by navigating to the IP address of your vCenter server (using HTTPS), and log in with the same credentials you used to log in to your vSphere client:

2. Make sure your virtual machine is turned off, then select "VMs and Templates" from the Home menu:


3. Right-click on your virtual machine and select "Edit Settings…":

4. Expand the CPU drop-down options, check the Hardware virtualization and Performance counters checkboxes, and click "OK":


Nested virtualization is now enabled. Please continue to the "Powering on your virtual machine" section of this guide.

ENABLING NESTED VIRTUALIZATION USING VMWARE WORKSTATION (VERSION 11 AND UP)

The following steps will guide you through enabling nested virtualization using VMware Workstation (version 11 and up).

1. Open VMware Workstation and navigate to File → Connect to Server…:

2. Enter your login details (your ESXi credentials) and navigate to your MazeRunner virtual machine. Make sure the virtual machine is turned off, and then right-click on it and select "Settings…" (you may have to double-click on your virtual machine name before right-clicking):


3. Select the Processors option and make sure the "Virtualize Intel VT-x/EPT or AMD-V/RVI" and "Virtualize CPU performance counters" boxes are checked, then click "OK":

Nested virtualization is now enabled. Please continue to the "Powering on your virtual machine" section of this guide.


ENABLING NESTED VIRTUALIZATION USING SSH

The following steps will guide you through enabling nested virtualization using SSH.

1. In your vSphere client, under the Configuration tab, choose "Security Profile" from the Software box on the bottom left of the screen, and then click "Properties":

2. Enable the ESXi Shell by selecting it from the list of labels, and then clicking on Options → Start → OK:

3. Follow the same steps to enable the SSH service:


4. Once finished, click "OK".

5. Log in to the ESXi Shell via an SSH client (PuTTY, for example), using your ESXi root user's credentials. To do this:

a. Open PuTTY. In PuTTY, click "Open" to open a new SSH console:


b. In the SSH console, enter your username and password. Your shell should look like this:

6. Navigate to the MazeRunner virtual machine directory, located in /vmfs/volumes/<datastore_name>/<virtual_machine_name>/. For example:

7. Make sure your MazeRunner virtual machine is turned off. Then, use your editor of choice to edit the .vmx file (for example, "MazeRunner_release.vmx") in this directory by adding the following flags to the end of the file:

vhv.enable = "TRUE"

vpmc.enable = "TRUE"

Nested virtualization is now enabled. Please continue to the "Powering on your virtual machine" section of this guide.
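The edit from step 7 as an idempotent script (an added example, not part of the original guide or Cymmetria's code): it removes any existing vhv.enable or vpmc.enable line before appending the new one, so a stale "FALSE" entry or a repeated run cannot leave conflicting duplicates. The function names, the one-time .orig backup and the sample .vmx content are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: set the two nested-virtualization flags from step 7 in a
# .vmx file. As the guide states, run it only while the VM is turned off.

# Print the current value of KEY in FILE (nothing if the key is absent).
vmx_get() {
    key_re=$(printf '%s' "$2" | sed 's/\./\\./g')
    sed -n "s/^[[:space:]]*${key_re}[[:space:]]*=[[:space:]]*\"\\(.*\\)\"[[:space:]]*\$/\\1/p" "$1" |
        tail -n 1
}

# Set KEY = "VALUE" in FILE: drop every existing line for KEY, append one.
vmx_set() {
    vmx=$1; key=$2; value=$3
    [ -f "$vmx" ] || { echo "not a file: $vmx" >&2; return 1; }
    # Keep one pristine copy so the change can be reverted (assumed name).
    [ -f "$vmx.orig" ] || cp -p "$vmx" "$vmx.orig"
    key_re=$(printf '%s' "$key" | sed 's/\./\\./g')
    tmp="$vmx.tmp.$$"
    # grep -v exits 1 when it prints nothing; only a real error (2) is fatal.
    grep -v "^[[:space:]]*${key_re}[[:space:]]*=" "$vmx" > "$tmp" ||
        [ $? -eq 1 ] || return 1
    # If the file did not end in a newline, add one before appending.
    if [ -n "$(tail -c 1 "$tmp")" ]; then echo >> "$tmp"; fi
    printf '%s = "%s"\n' "$key" "$value" >> "$tmp"
    # Overwrite in place so the file keeps its owner and permissions.
    cat "$tmp" > "$vmx" && rm -f "$tmp"
}

# The two flags named in the guide.
enable_nested_virt() {
    vmx_set "$1" vhv.enable TRUE && vmx_set "$1" vpmc.enable TRUE
}

# Constructed sample .vmx (not a real MazeRunner file): nested virtualization
# explicitly disabled, and no newline after the last line.
write_sample_vmx() {
    printf '%s\n' \
        '.encoding = "UTF-8"' \
        'displayName = "MazeRunner"' \
        'numvcpus = "1"' \
        'vhv.enable = "FALSE"' > "$1"
    printf '%s' 'guestOS = "ubuntu-64"' >> "$1"
}

# Usage: sh enable_nested.sh /vmfs/volumes/<datastore_name>/<virtual_machine_name>/<file>.vmx
if [ $# -ge 1 ]; then
    enable_nested_virt "$1" &&
        echo "vhv.enable=$(vmx_get "$1" vhv.enable) vpmc.enable=$(vmx_get "$1" vpmc.enable)"
fi
```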

POWERING ON YOUR VIRTUAL MACHINE

Once you have enabled nested virtualization, you can power on your new virtual machine. To do this, open vSphere Client and navigate to Home → Inventory → VMs and Templates:


Use the search bar to find your virtual machine, select it, and then click "Power on the virtual machine":

Switch to the Console tab to see the virtual machine powering on. Once it finishes booting, you will see its assigned IP address displayed on the console:


Save this IP address; you will need to use it in subsequent sections of this guide.

That's it! MazeRunner is now ready for use.

By default, MazeRunner obtains its network configuration through DHCP. If you would like to change MazeRunner's network configuration, see the section entitled "MazeRunner network configuration" on page 48 of this guide.

Learn more about how to get started with MazeRunner by reading the Using MazeRunner section of this guide.


VIRTUAL APPLIANCE (KVM)

To begin, open a terminal, navigate to the directory in which the MazeRunner DSK file is stored (in QCOW2 format), and proceed according to the following instructions:

1. Enable promiscuous mode – Check if promiscuous mode is enabled on the network interface to which MazeRunner's virtual machine bridge will be connected (if you know that it is already enabled, you can skip to step 3 of this section now):

a. Run the command 'netstat -i'.

b. If the network interface to which you are going to connect the virtual machine bridge has 'P' in its flag (as shown in Figure A), promiscuous mode is already enabled and you can skip to step 3 of this section now:

Figure A. netstat -i command output with promiscuous mode off/on.

2. If promiscuous mode is off, you will need to enable it according to the following instructions (depending on which OS you are using). To enable promiscuous mode:

a. On Red Hat/CentOS:

i. Open /etc/sysconfig/network-scripts/ifcfg-X (replace X with the name of the network interface to which MazeRunner's virtual machine bridge will be connected).

ii. Add the line 'PROMISC=yes' to the end of the file.

b. On Ubuntu/Debian:

i. Open the "interfaces" file located in /etc/network.

ii. Add the following lines under the configuration for the network interface to which MazeRunner's virtual machine bridge will be connected:

up ifconfig $IFACE up

up ip link set $IFACE promisc on

down ip link set $IFACE promisc off

down ifconfig $IFACE down


3. Import the MazeRunner image (DSK file) using the following command (run as root):

virt-install -n <name> -r <amount_of_RAM> --os-type=linux --os-variant=ubuntu14.04 --disk MazeRunnerVirt.dsk,bus=virtio -w bridge=<name_of_network_bridge>,model=virtio --vnc --noautoconsole --import --cpu=host

For example:

virt-install -n MazeRunner -r 16384 --os-type=linux --os-variant=ubuntu14.04 --disk MazeRunnerVirt.dsk,bus=virtio -w bridge=virbr0,model=virtio --vnc --noautoconsole --import --cpu=host

*NOTE: On some older virt-install versions, the os-variant argument for "ubuntu14.04" was "ubuntutrusty". You can check the available variants on your system using the command 'osinfo-query os'.

Parameters in detail:

-n [an internal name for your virtual machine]

-r [the amount of RAM, in MB, for your virtual machine]

--os-type [the type of OS – Linux or Windows]

--os-variant [the distribution or version – for a full list, run the command 'man virt-install']

--disk [specifies media to use as storage for the guest, with various options]

-w [the network configuration]

--vnc [configures the graphics card to use VNC, allowing you to use virt-viewer or virt-manager to see the desktop]

--noautoconsole [configures the installer to NOT automatically try to open virt-viewer to view the console in order to complete the installation – this is helpful if you are working on a remote system through SSH]

4. Check that the virtual machine was created successfully (we will use Virtual Machine Manager to do this in our example):

a. Open Virtual Machine Manager and find the name you gave to the MazeRunner virtual machine in step 3:

b. Click on the Open button and wait for the MazeRunner virtual machine to boot. Once it finishes booting, you will see its assigned IP address displayed on the console:


c. Save this IP address; you will need to use it in subsequent sections of this guide.

That's it! MazeRunner is now ready for use.

By default, MazeRunner obtains its network configuration through DHCP. If you would like to change MazeRunner's network configuration, see the section entitled "MazeRunner network configuration" on page 48 of this guide.

Learn more about how to get started with MazeRunner by reading the Using MazeRunner section of this guide.
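A preflight check for the KVM host, covering the two additional requirements this guide lists (nested virtualization and promiscuous mode) before virt-install is run in step 3. This is an added example, not part of the original guide: it reads the kernel's sysfs entries instead of parsing 'netstat -i', and the function names and the SYSROOT override (used to point the checks at a constructed directory tree) are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: KVM host preflight for MazeRunner's nested decoys.
# SYSROOT defaults to the live /sys; override it to test against a
# constructed tree.
SYSROOT=${SYSROOT:-/sys}

# IFF_PROMISC is bit 0x100 of the interface flags word.
# Returns 0 if set, 1 if clear, 2 if the value is not hexadecimal.
flags_have_promisc() {
    hex=${1#0x}
    case $hex in ''|*[!0-9a-fA-F]*) return 2 ;; esac
    [ $(( 0x$hex & 0x100 )) -ne 0 ]
}

# Check the flags the kernel reports for one interface.
iface_is_promisc() {
    f="$SYSROOT/class/net/$1/flags"
    [ -r "$f" ] || return 2          # no such interface
    flags_have_promisc "$(cat "$f")"
}

# kvm_intel reports Y/N (1/0 on older kernels); kvm_amd reports 1/0.
# Returns 0 if enabled, 1 if disabled, 2 if no KVM module is loaded.
nested_virt_enabled() {
    for mod in kvm_intel kvm_amd; do
        p="$SYSROOT/module/$mod/parameters/nested"
        [ -r "$p" ] || continue
        case $(cat "$p") in
            Y|y|1) return 0 ;;
            *)     return 1 ;;
        esac
    done
    return 2
}

# Report both requirements for the interface the VM bridge will use.
preflight() {
    rc=0
    if nested_virt_enabled; then
        echo "nested virtualization: enabled"
    else
        echo "nested virtualization: NOT enabled (nested decoys will not run)"
        rc=1
    fi
    if iface_is_promisc "$1"; then
        echo "$1 promiscuous mode: on"
    else
        echo "$1 promiscuous mode: off or interface missing (see step 2)"
        rc=1
    fi
    return $rc
}

# Usage: sh preflight.sh <network_interface>
if [ $# -ge 1 ]; then preflight "$1"; fi
```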


USING MAZERUNNER

Congratulations! You have completed the installation and setup of your MazeRunner appliance. You are now ready to start using the MazeRunner platform. Use the information in the following sections to get acquainted with, and start using, MazeRunner.

FIRST USE

Whether you are using a VMware Player, VMware Workstation, VMware ESXi or KVM hypervisor, your MazeRunner virtual machine was assigned an IP address at the end of the installation and setup process. Use this IP address to access the virtual machine from a web browser (make sure to use an HTTPS connection; for example, https://<IP_address>). You will be taken to MazeRunner's signup screen:


Proceed according to the following instructions in order to complete initial signup:

1. Enter your email address and the activation key you received from Cymmetria (if you have not received an activation key, contact [email protected]):

2. Choose an admin password, and a password for usern (usern is a network configuration user that is used for accessing the Cymmetria management server; please assign usern a password that is different from your admin password):

3. System time zone is automatically set to UTC; you may change this by selecting a different time zone from the drop-down list. You can also set the HTTP proxy server:

4. Be sure to read and understand Cymmetria's end-user license agreement and privacy policy; you will need to agree to the terms of both in order to continue:


5. Click "Continue" to finish.

Once finished, you will be redirected to MazeRunner's main screen:

You are now ready to start creating deception campaigns.

NOTE: For all future uses of MazeRunner, you will simply need to log in to your account using your username

and password:

PRODUCT INTERFACE

MazeRunner has a user-friendly interface. You can use the top navigation bar to move between the main

parts of the product:

● Dashboard – Your deception battle map, where you control and review your campaigns.

● Campaign screen – Here you create the different components of your deception campaign.

● Endpoints screen – This screen shows the endpoints on which you have placed breadcrumbs.

● Investigation screen – Used for viewing your campaign's events and alerts. Here you can see every

move an attacker has made.

NOTIFICATION CENTER

The notification center, accessed from the speech bubble icon on

the top right navigation bar, displays alerts and notifications

regarding your MazeRunner activity. This includes campaign

import status, any issues that need your attention, and more.

DECEPTION STORY WIZARD

This tool, accessed from the wand icon on the top right navigation bar, assists you in building your deception

campaign. The wizard allows you to choose from templates that have been prepared by Cymmetria's

security team, or load a custom campaign file. Alternatively, you can build your own customized deception

stories without the help of the wizard.

For more information on how to build deception stories using the wizard, see the section entitled "Creating a

deception campaign (using the deception story wizard)" on page 34.

SYSTEM MENU

This menu, accessed from the gear icon on the top right navigation bar, allows you to

configure MazeRunner, manage users, change password, import/export campaigns, view

your access log, and upgrade the system.

System configuration, which can be reached by clicking "Configure", contains four sub

screens:

1. General – Here you can enter a virus database URL, choose to send anonymous

data to Cymmetria, set the time zone, enable endpoints tracking, view/change

the NTP server URL, and enter HTTP proxy server details (e.g.,

https://<IP>:<PORT>):

2. Outputs – Here you can define settings for syslog (UDP/TCP port and address), email, and

ThreatConnect (enable TAXII server):

3. Networking – Here you can add a decoy MAC address prefix, enable non-promiscuous mode, enable

VLAN support, and view the VLAN trunk interface:

4. Alerting Policy – Here you can set system-wide rules to be performed for specific types of events.

You can also define user rules that override any system rules:

In terms of which action should be taken for each event, you can choose from "Ignore", "Mute"

(default setting), and "Alert":

● Ignore – The event is not seen anywhere.

● Mute – The event is only seen on the Investigation screen; however, you can check the box marked "Send muted alerts" on the Outputs sub screen to set MazeRunner to send muted alerts via syslog as well.

● Alert – The event is seen on both the Investigation screen and the Dashboard, and an alert is sent via syslog and email.
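The routing that these three actions imply, modelled as an added example (not Cymmetria's code), to show which event types never reach a syslog-fed SIEM under a given policy. The action semantics, the Mute default, the user-over-system precedence and the "Send muted alerts" option come from the text above; the event-type identifiers, field names and sample events are constructed assumptions.

```python
from collections import Counter

# Actions named in the guide; "Mute" is the documented default.
IGNORE, MUTE, ALERT = "Ignore", "Mute", "Alert"
DEFAULT_ACTION = MUTE


def resolve_action(event_type, system_rules, user_rules):
    """User rules override system rules; unmatched event types get the default."""
    if event_type in user_rules:
        return user_rules[event_type]
    return system_rules.get(event_type, DEFAULT_ACTION)


def destinations(action, send_muted_alerts=False):
    """Return the set of places where an event with this action shows up."""
    if action == IGNORE:
        return set()
    if action == MUTE:
        sinks = {"investigation"}
        if send_muted_alerts:  # "Send muted alerts" box on the Outputs sub screen
            sinks.add("syslog")
        return sinks
    if action == ALERT:
        return {"investigation", "dashboard", "syslog", "email"}
    raise ValueError(f"unknown action: {action!r}")


def route(events, system_rules, user_rules=None, send_muted_alerts=False):
    """Attach the resolved action and destinations to every event."""
    user_rules = user_rules or {}
    routed = []
    for ev in events:
        action = resolve_action(ev["type"], system_rules, user_rules)
        routed.append((ev, action, destinations(action, send_muted_alerts)))
    return routed


def sink_counts(routed):
    """How many events land in each destination."""
    counts = Counter()
    for _ev, _action, sinks in routed:
        counts.update(sinks)
    return counts


def missing_from_syslog(routed):
    """Event types that occurred but never reached syslog (a SIEM blind spot)."""
    seen = {ev["type"] for ev, _a, _s in routed}
    forwarded = {ev["type"] for ev, _a, sinks in routed if "syslog" in sinks}
    return sorted(seen - forwarded)


# Constructed sample events (hypothetical field names and addresses).
EVENTS = [
    {"type": "port_access", "src": "10.0.5.23", "decoy": "hrsrvr01"},
    {"type": "port_access", "src": "10.0.5.23", "decoy": "hrsrvr01"},
    {"type": "interaction", "src": "10.0.5.23", "decoy": "hrsrvr01"},
    {"type": "code_execution", "src": "10.0.5.23", "decoy": "hrsrvr01"},
]

# Constructed policy: alert only on code execution, one user override.
SYSTEM_RULES = {"code_execution": ALERT}
USER_RULES = {"port_access": IGNORE}

if __name__ == "__main__":
    for send_muted in (False, True):
        routed = route(EVENTS, SYSTEM_RULES, USER_RULES, send_muted)
        print(f"send_muted_alerts={send_muted}")
        for ev, action, sinks in routed:
            print(f"  {ev['type']:<15} {action:<7} {sorted(sinks)}")
        print("  not in syslog:", missing_from_syslog(routed))
```

With the default Mute action and "Send muted alerts" unchecked, interaction events stay on the Investigation screen only, so a SIEM fed by syslog sees the code execution but not the activity that led up to it.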

CREATING A DECEPTION CAMPAIGN (USING THE DECEPTION STORY WIZARD)

A deception campaign consists of three elements:

1. Decoys – Decoys are virtual machines (servers or other devices) running Windows or Linux systems.

They look and act like production machines. When a decoy is accessed, there is no doubt that this is

the work of an attacker. Decoys are only reached by following a breadcrumb found on an endpoint.

2. Services – Each decoy server runs live services (e.g., SMB, SSH, OpenVPN servers, etc.). Each

breadcrumb leads to a specific service on a decoy machine.

3. Breadcrumbs – These are passive elements of data (e.g. browser cookies, SSH credentials, shared

folder mappings, OpenVPN scripts, etc.), placed on an organization's endpoints to be found by

attackers during the reconnaissance phase. Breadcrumbs are placed in a natural manner that is

compatible with a user’s habits, so they blend into the environment and do not raise suspicion.

Breadcrumbs and decoys can be used separately or as part of an end-to-end deception story.

By dividing deception campaigns into three basic components, MazeRunner allows you to easily create a

more elaborate deception network.

Using MazeRunner's deception story wizard, you can build a deception campaign with the help of templates

that have been prepared by Cymmetria's security team, or by loading a custom campaign file. Alternatively,

you can build your own customized deception stories without the help of the wizard; see "Creating a basic

deception campaign (manually)" on page 41 of this guide.

LOAD FROM TEMPLATE

The wizard gives you the option to use deception story templates that have been prepared by Cymmetria's

security team. To do this:

1. Select "Load from template" and click "Next":

2. You will see a variety of prepared deception stories (for example, backup server, internal website,

VPN server, and file server). You will also see a complete deception scenario; this is a collection of

multiple deception stories based on a common theme. Each of these stories and scenarios includes a

short description to help you decide which you would like to include in your campaign. Choose any

number and combination of these deception stories and scenarios to build your deception

campaign, then click "Next":

3. You will now see a more in-depth description of the deception stories/scenarios you selected. The

wizard will automatically populate all of the necessary information fields for each deception

story/scenario you selected. If you would like to customize any information, you may edit individual

information fields. NOTE: If you customize a field, be sure to click the Set button to apply your

changes before clicking "Next":

4. You will now see a summary of what you have just built. If everything is as you would like it to be,

click "Create" to save and create your new campaign. MazeRunner will validate the entities; if there

are any issues, an error message will be presented and you will need to resolve the issue(s) before

proceeding:

5. Check that your campaign has been created successfully (you will see a red dot on the notification

center icon indicating that you have a new notification; open the notifications to check that the

campaign has been created successfully). Here's an example of what your screen will look like once

your campaign has been created successfully:

6. You can now view the details of your campaign by using the Decoys, Services, and Breadcrumbs tabs

(sub screens). You will need to activate each of your servers by using the On/Off buttons on the

Decoys sub screen, and then deploy your breadcrumbs on the Breadcrumbs sub screen. To deploy

your breadcrumbs to your endpoint, follow these steps:

a. On the Breadcrumbs sub screen, notice the column "Deployment groups". Deployment

groups are used to group several breadcrumbs together for ease of management and

deployment; as you can see, the wizard has already created some groups and added

breadcrumbs to those groups for you.

b. You can deploy individual breadcrumbs or deployment groups. The process for both is

identical, except for the first step. In order to deploy a single breadcrumb to your endpoint,

click "Deploy" on the breadcrumb you selected:

To deploy a deployment group, select the group from the All Breadcrumbs drop-down list

and click "Deploy group":

i. Both of these actions will generate an installation script (uninstall scripts are also

located here) that you can then deploy to endpoints:

ii. Download the appropriate installation script for your operating system (Windows or

Linux). You will need to unpack and run this script (as Administrator or root) on the

endpoint, in order to place the breadcrumb(s). Note that the script, once executed,

will delete itself and all accompanying files in order to leave no trace of which

breadcrumbs have been deployed. Remember to remove the ZIP file from your

system once you are finished.

c. You can now validate the deployment on the Endpoints screen (see relevant section on page

46).

That’s it! Your deception campaign is up and running. Jump to the sections entitled "Exporting your

deception campaign" on page 45 and "Endpoints screen" on page 46 to continue learning about the

MazeRunner platform.

LOAD FROM FILE

The wizard gives you the option to load a deception campaign from a file (.cmpn). NOTE: In order to use this option, you will need a .cmpn file, which is a JSON file in a format that is recognizable to MazeRunner. This type of file can be obtained by exporting a MazeRunner campaign file (System menu → Export Campaign) that you have previously created (or one that has been provided to you by Cymmetria), which can then be edited using a text editor of your choice.

To load a deception campaign from a file (.cmpn):

1. Open the wizard, select "Load from file" and click "Next".

2. Click the Choose File button and select your .cmpn file, then click "Next":

3. The wizard will populate all of the information fields for the .cmpn file you selected. If you would like

to customize any information, you may edit individual information fields. NOTE: If you customize a

field, be sure to click the Set button to apply your changes before clicking "Next":

4. You will now see a summary of what you have just built. If everything is as you would like it to be,

click "Create" to save and create your new campaign. MazeRunner will validate the entities; if there

are any issues, an error message will be presented and you will need to resolve the issue(s) before

proceeding:

5. Check that your campaign has been created successfully (you will see a red dot on the notification center icon indicating that you have a new notification; open the notifications to check that the campaign has been created successfully). Here's an example of what your screen will look like once your campaign has been created successfully:

6. You can now view the details of your campaign by using the Decoys, Services, and Breadcrumbs tabs

(sub screens). You will need to activate each of your servers by using the On/Off buttons on the

Decoys sub screen, and then deploy your breadcrumbs on the Breadcrumbs sub screen. To deploy

your breadcrumbs to your endpoint, follow these steps:

a. On the Breadcrumbs sub screen, notice the column "Deployment groups". Deployment

groups are used to group several breadcrumbs together for ease of management and

deployment; as you can see, the wizard has already created some groups and added

breadcrumbs to those groups for you.

b. You can deploy individual breadcrumbs or deployment groups. The process for both is

identical, except for the first step. In order to deploy a single breadcrumb to your endpoint,

click "Deploy" on the breadcrumb you selected:

To deploy a deployment group, select the group from the All Breadcrumbs drop-down list

and click "Deploy group":

i. Both of these actions will generate an installation script (uninstall scripts are also

located here) that you can then deploy to endpoints:

ii. Download the appropriate installation script for your operating system (Windows or

Linux). You will need to unpack and run this script (as Administrator or root) on the

endpoint, in order to place the breadcrumb(s). Note that the script, once executed,

will delete itself and all accompanying files in order to leave no trace of which

breadcrumbs have been deployed. Remember to remove the ZIP file from your

system once you are finished.

c. You can now validate the deployment on the Endpoints screen (see relevant section on page

46).

That’s it! Your deception campaign is up and running. Jump to the sections entitled "Exporting your

deception campaign" on page 45 and "Endpoints screen" on page 46 to continue learning about the

MazeRunner platform.

CREATING A BASIC DECEPTION CAMPAIGN (MANUALLY)

A deception campaign consists of three elements:

1. Decoys – Decoys are virtual machines (servers or other devices), running Windows or Linux systems.

They look and act like production machines. When a decoy is accessed, there is no doubt that this is

the work of an attacker. Decoys are only reached by following a breadcrumb found on an endpoint.

2. Services – Each decoy server runs live services (e.g. SMB, SSH, OpenVPN servers, etc.). Each

breadcrumb leads to a specific service on a decoy machine.

3. Breadcrumbs – These are passive elements of data (e.g., browser cookies, SSH credentials, shared

folder mappings, OpenVPN scripts, etc.), placed on an organization's endpoints to be found by

attackers during the reconnaissance phase. Breadcrumbs are placed in a natural manner that is

compatible with a user’s habits, so they blend into the environment and do not raise suspicion.

Breadcrumbs and decoys can be used separately or as part of an end-to-end deception story.

By dividing deception campaigns into three basic components, MazeRunner allows you to easily create a

more elaborate deception network.

The following is a step-by-step guide for manually creating the basic elements of a deception campaign.

CREATE A NEW DECOY

In this stage, you will create a decoy server.

1. Go to the Campaign screen (the Deception Story Wizard may pop up; simply click "Close wizard" to

define your campaign manually). On the Decoy sub screen, click the Add decoy button.

2. Fill in the required information. For example, to start an Ubuntu server, include a meaningful name

such as "HR_Server", a hostname such as "hrsrvr01", and choose KVM as the VM type. If you would

like to configure a static IP, check the box labeled "Manually configure network settings" and fill out

the Static IP field.

3. Click "Create" in order to create the decoy.

4. Power on the server using the On/Off button, which is located between the Status and IP columns.

5. That's it! Here is an example of what your screen will look like:

CREATE A NEW SERVICE

In this stage you will add services (SMB, SSH, OpenVPN, etc.) to your decoy. For the purposes of this

example, let's assume that you want to create a deception story for your HR department.

1. Go to the Campaign screen (the Deception Story Wizard may pop up; simply click "Close wizard" to

define your campaign manually). On the Services sub screen, click the Add service button.

2. Enter an appropriate name (e.g., "Personnel_Files") and select the desired service type (e.g., SMB

service).

3. Add necessary data (for example, if you chose an SMB service, you will need a name for its shared

folder and a ZIP file for the content). Click "Create".

4. Choose the new service and connect it to the decoy (in this case, the decoy named "HR_Server" that

we created in the previous section). Do this by clicking on the Connect to decoy button and selecting

"HR_Server" from the drop-down list:

5. That's it! Here is an example of what your screen will look like:

CREATE A NEW BREADCRUMB

In this stage you will create the bait and connect it to the previously created decoy and service.

1. Go to the Campaign screen (the Deception Story Wizard may pop up; simply click "Close wizard" to

define your campaign manually). On the Breadcrumbs sub screen, click "Add breadcrumb".

2. Select an appropriate name, and then select the breadcrumb type (make sure it matches the service

you have defined). For example, you could select a network share breadcrumb and name it

"Personnel_Files_BC".

3. After filling in all of the fields (according to the breadcrumb type you chose), click "Create". NOTE:

Some breadcrumbs will allow you to create a user (you will need to enter a username and

password).

4. Connect this breadcrumb to a service by clicking the Connect to service button and selecting a

service from the drop-down list:

5. Notice the Add deployment group button next to the Add breadcrumb button. Deployment groups

are used to group several breadcrumbs together for ease of management and deployment;

Cymmetria recommends the use of deployment groups in your campaigns. To create a new

deployment group:

a. Click the Add deployment group button, enter a name for your deployment group (e.g., "IT"

or "all users"), and click "Create":

b. Now you can add breadcrumbs to this group. To do so, type "IT" in the Deployment groups

column on the right-hand side of the screen, and select the new group from the drop-down

list that appears. You can see that your breadcrumb now belongs to the IT deployment

group:

6. Now you are ready to deploy your breadcrumb or deployment group. The process for both is

identical, except for the first step. In order to deploy a single breadcrumb to your endpoint, click

"Deploy" on the breadcrumb you selected:

To deploy a deployment group, select the group from the All Breadcrumbs drop-down list and click

"Deploy group":

a. Both of these actions will generate an installation script (uninstall scripts are also located

here) that you can then deploy to endpoints:

b. Download the appropriate installation script for your operating system (Windows or Linux).

You will need to unpack and run this script (as Administrator or root) on the endpoint, in

order to place the breadcrumb(s). Note that the script, once executed, will delete itself and

all accompanying files in order to leave no trace of which breadcrumbs have been deployed.

Remember to remove the ZIP file from your system once you are finished.

7. You can now validate the deployment on the Endpoints screen (see relevant section on page 46).

That’s it! Your deception campaign is up and running.

EXPORTING YOUR DECEPTION CAMPAIGN

A deception campaign can be exported to a file. This allows you to back up your campaigns, copy them for

reuse or allow other people in the security community to use your deception stories as templates for their

own deception campaigns.

To export your campaign, navigate to the settings drop-down (gear icon located in the top right-hand corner

of the screen) and choose “Export Campaign”:

Now choose a name for your campaign and click on “Export”. The deception campaign file will start

downloading immediately:

ENDPOINTS SCREEN

This screen will show you endpoints containing breadcrumbs, along with their status, details, and possible

actions that can be taken:

DASHBOARD

The Dashboard is where you can view your deception campaign:

Scrolling down below the campaign display, you will see alerts that require your attention. Each of these

events can be expanded to display more information regarding the alert.

To see all events and alerts in the system you can go to the Investigation screen.

INVESTIGATION SCREEN

This screen will show you the deception campaign events and alerts. Each time an attacker carries out an

action on a decoy machine, an event is created. Not every event warrants an alert; for example, events such

as port scans and protocol connections are documented without raising alerts. The following are examples of

common types of events documented by MazeRunner:

1. Port access – An indication that an attacker has probed a decoy. This type of event usually precedes

an actual attack.

2. Interaction event – An attacker might try to interact with one of the services on a decoy; this type of

event will notify the user of such attempts. For example, an SSH Interaction event would indicate

that an attacker has in some way interacted with a decoy's SSH service.

3. Code execution – An indication that an attacker has executed a program on a decoy.

You can expand each entry for more information on the event, or filter your results to show only the events

that interest you:

That's it! You now know how to use MazeRunner's platform to create a basic deception campaign.

Learn more about what can be done with MazeRunner by reading the MazeRunner network configuration

and Software integration sections of this guide.

We're here to help. If you have any questions, please contact us at [email protected].

MAZERUNNER NETWORK CONFIGURATION

This section includes information on configuring static IP and VLAN support.

STATIC IP

By default, MazeRunner automatically obtains its network configuration through DHCP. If you would like to

change MazeRunner's network configuration, follow these steps:

1. Open the server's console. The console can be accessed using your hypervisor UI.

2. Log in as "usern":

a. Enter 'usern' as the MazeRunner login. For example:

b. Enter the password 'Password1!' [1] and then enter 'static'. For example:

Enter the details relevant to your network (IP address, netmask, default gateway, nameserver IP address). If

you do not know your network details, contact your IT administrator.

That's it! MazeRunner is now configured and ready for use.

Learn more about what can be done with MazeRunner by reading the Software integration section of this

guide.

[1] You will be prompted to change this password on first use.

VLAN SUPPORT

VLAN support can be enabled by following the steps outlined below (note that these steps assume you are

using a VMware hypervisor):

1. Make sure that your port group is configured to accept VLAN tagging. If you already know that this

is configured correctly, skip to step 2.

a. In your vSphere control panel, access the Properties menu of the switch to which MazeRunner is connected by navigating to Configuration → Networking → Properties…:

b. Under the Ports tab, select the appropriate switch name and click "Edit…":

c. Under the General tab, select "All (4095)" as the VLAN ID:

d. To make sure that the network adapter "sees" the VLAN network, expand the Networks list under the Status area in Configuration → Networking → Properties → Network Adapters:

2. In MazeRunner (make sure you've read "Using MazeRunner" on page 28 before proceeding), click

on the gear icon on the top right navigation bar to access the system menu, and select "Configure":

3. On the Networking tab, check the "Enable VLAN support" box, and then click "Save configuration":

4. Next, click the Add VLAN button:

5. Enter a VLAN ID (for example, "2"). NOTE: VLAN ID must use numbers, not letters or other

characters. If you are using static IP in your network, please assign the Cymmetria management

server a static IP address in the space provided, then click "Create":

That's it! MazeRunner is now configured and ready for use. NOTE: When you define a new decoy in MazeRunner (when building your deception campaign), you will need to select your VLAN ID from the drop-down list:

Learn more about what can be done with MazeRunner by reading the Software integration section of this

guide.

SOFTWARE INTEGRATION

This section will show you how to set up ThreatConnect for use with MazeRunner. Before proceeding, please

install and set up MazeRunner according to the guidelines provided for virtual appliance (VMware Player,

VMware Workstation, VMware ESXi or KVM).

THREATCONNECT

To set up ThreatConnect integration, follow these steps:

1. Open ThreatConnect. In ThreatConnect, navigate to the Dashboard and select the TAXII feed you

would like to connect to MazeRunner (you can connect any valid TAXII feed; if you are unsure of

which feed to connect, please check with your ThreatConnect contact). In this example, our feed is

called "Cymmetria TAXII Source":

2. The Dashboard screen will refresh and you will see that a new section, called "Source", has appeared

on your screen. Click on the gear icon to go to your TAXII feed's Source Config:

3. In Source Config, go to the Data tab:

4. Click "+ NEW INBOUND" to create a new inbound TAXII Exchange:

5. You will now need to configure the new inbound TAXII exchange. Notice that a configuration window

has popped up on your screen:

Enter a name for the new inbound TAXII exchange. For the URL, you will need to enter the TAXII

server URL found in MazeRunner's configuration settings (make sure you've read "Using

MazeRunner" on page 28 before proceeding). To do this:

a) Open MazeRunner in your browser by navigating to your virtual machine's IP address

(using HTTPS). Click on the gear icon located in the top right-hand corner of the screen,

and select "Configure":

b) On the Outputs tab, you will find "ThreatConnect Settings". Check the box next to

"Enable TAXII server", click the purple Save configuration button, and then copy the link

found in the "TAXII server URL" field:

c) Go back into ThreatConnect and paste this URL into the space provided, then click

"Next".

6. On the Login tab, click on "TEST CONNECTION" and the Available Services section will expand. Click

on the POLL service that appears, and you will see that the MazeRunner URL you entered in step 5

will appear at the top of the screen. Enter "Guest" as both the Username and Password (you will not

need to use these credentials again; they are only required by ThreatConnect in order to proceed to

the next step), then click "Next":

7. On the Feed tab, click "Check for available feeds" and select the feed that is shown (called

"alerts_feed"), then click "Next":

8. Click "Next" until you reach the Confirm tab, and then click "SAVE".

That's it! ThreatConnect is now ready for use with MazeRunner.

APPENDIX A – FAQ

This section contains known issues that customers have encountered during MazeRunner installation, setup,

and use.

NESTED VIRTUALIZATION SUPPORT

Q: Why do I see a "Nested Virtualization not supported" message on the Decoys tab?

A: This message indicates that you did not enable nested virtualization support (this support is not always turned on by default in a VMware environment). If you ignore this message and create a decoy anyway, another "Nested virtualization not supported" message will appear under "Status":

See environment-specific instructions for enabling nested virtualization on VMware Player, VMware

Workstation, VMware ESXi or KVM.

SERVICE IS INACTIVE/UNABLE TO DEPLOY BREADCRUMBS

Q: My service is showing as "Inactive"/I am not able to click on my breadcrumb's "Deploy" link.

A: You need to connect your service to a decoy, and make sure that the decoy is powered on. You will then be able to deploy breadcrumbs. See "Creating a basic deception campaign (manually)" on page 41 for instructions on adding, connecting, and activating breadcrumbs, services, and decoys.

CREATING USERS

Q: How do I add a user to a service when creating my campaign?

A: Users are added during breadcrumb creation. Depending on the type of service you created, you will need to enter a username and password when creating the corresponding breadcrumb:

You then need to ensure that the breadcrumb is connected to a service that is connected to an active decoy. See "Creating a basic deception campaign (manually)" on page 41 for instructions on adding, connecting, and activating breadcrumbs, services, and decoys.

RUNNING INTERNET-FACING DECOYS

Q: I'm receiving a lot of alerts. Can I run Internet-facing decoys?

A: Yes, you can run Internet-facing decoys; however, these decoys will be scanned often and will generate a large number of alerts (that are generally not high-interest alerts). The best way to use the MazeRunner platform is to run decoys inside of your organizational network. If, however, you decide to run Internet-facing decoys, we recommend you change your alerting policy to generate alerts on critical events (such as code execution) only, and to "ignore" others. To set your alerting policy to ignore less-critical alerts, follow these steps:

1. In MazeRunner, click on the gear icon on the top right navigation bar to access the system menu, and select "Configure":

2. On the Alerting Policy tab, you will see a "System-wide rules" section. In the Action column, click on the purple Alert button next to an event type and select "Ignore" from the drop-down options:

CREATING A WEB APPLICATION SERVICE

Q: Can I create a service using my own web application?

A: Yes. When adding a service to your campaign, MazeRunner allows you to use your own customized web application. Currently, MazeRunner supports MediaWiki, SugarCRM, and phpMyAdmin. To add a web application, follow these steps:

1. Create a ZIP file of your web application.

2. Navigate to the Services tab on MazeRunner's Campaign screen, and click "Add service".

3. Choose "Web Application" from the Service type drop-down list:

4. Upload your own ZIP file by clicking "Choose File", then click "Create":

That's it! You have now created a new service using your own web application. For information on how to connect this service to a decoy, and how to add breadcrumbs, see "Creating a basic deception campaign (manually)" on page 41.