MAZERUNNER - Cymmetria MazeRunner gives organizations a solution for creating effective deception...


Page 1

What Is Cyber Deception?

Deception-based security catches attackers as they make their first movements within a network. It leverages the fact that, after gaining access to a network, attackers follow a predictable pattern: reconnaissance, lateral movement, and exploitation. Starting from the initial reconnaissance phase, deception technology lays out a controlled path for attackers to follow. This path diverts attackers away from organizational assets and into controlled environments, giving defenders the upper hand.

How MazeRunner Works

MazeRunner gives organizations a solution for creating effective deception stories. Deception stories, which consist of breadcrumbs and decoys, lead attackers to believe that they have successfully gained access to a real target machine. Breadcrumbs are data elements (such as credentials) planted on endpoints that lead attackers to decoys. Decoys are machines that run live services; when they are attacked, MazeRunner raises an alert and gathers forensic data.

Because a decoy serves no production purpose and is only reached by following a breadcrumb found on an endpoint, access to a decoy is a high-confidence indicator of attacker activity rather than ordinary user traffic. (A legitimate vulnerability scanner sweeping the decoy subnet is the usual benign exception, and is worth excluding explicitly so that every remaining decoy alert can be treated as real.)
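As an added illustration of the breadcrumb-to-decoy mechanism described above (example code written for this page, not Cymmetria's or MazeRunner's own), the Python script below keeps a constructed inventory of honey credentials, each planted on one named endpoint and pointing at one decoy, parses constructed decoy authentication log lines, and raises an alert for every decoy authentication. Because each honey credential is unique to the endpoint it was planted on, a decoy logon with that credential also names the endpoint the attacker harvested it from. The log format, host names, user names and addresses are assumptions for the example; the CEF rendering uses one of the alert output formats the page lists.

```python
"""Added example (not Cymmetria's code): a minimal deception-story detector.

A decoy serves no production purpose, so any authentication against it is
high-confidence attacker activity.  Each honey credential below is planted on
exactly one endpoint, so the credential used on the decoy attributes the
intrusion to the endpoint it was harvested from.  Inventory, decoy names and
log lines are all constructed for this example.
"""
import re
from dataclasses import dataclass

# Constructed deception story: honey username -> (endpoint it was planted on,
# breadcrumb type, decoy host it points at).  One unique credential per host.
BREADCRUMBS = {
    "svc_backup_ws17": ("WS-017", "cached credential", "decoy-fs01"),
    "svc_backup_ws22": ("WS-022", "cached credential", "decoy-fs01"),
    "oracle_admin_ws22": ("WS-022", "registry key", "decoy-db01"),
}
DECOYS = {"decoy-fs01", "decoy-db01"}

# Constructed syslog-style line format for decoy SSH/SMB authentication events.
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) auth: (?P<result>accepted|failed) "
    r"(?P<svc>\S+) user=(?P<user>\S+) from=(?P<src>[\d.]+)$"
)


@dataclass(frozen=True)
class Alert:
    decoy: str
    user: str
    src_ip: str
    compromised_endpoint: str  # "unknown" when no breadcrumb matches
    breadcrumb_type: str
    severity: int  # CEF severity, 0-10


def parse(line):
    """Return the event fields as a dict, or None for lines that do not match."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def classify(event):
    """Return an Alert for any authentication against a decoy, else None."""
    if event["host"] not in DECOYS:
        return None  # production system: not a deception signal
    crumb = BREADCRUMBS.get(event["user"])
    if crumb:
        endpoint, ctype, _decoy = crumb
        # A successful logon means the attacker is now inside the decoy;
        # a failure with a honey username still proves the breadcrumb was taken.
        sev = 10 if event["result"] == "accepted" else 8
        return Alert(event["host"], event["user"], event["src"], endpoint, ctype, sev)
    # Decoy touched without a known breadcrumb: still suspicious (scanner,
    # misconfiguration or password guessing) but cannot be attributed to a host.
    return Alert(event["host"], event["user"], event["src"], "unknown", "none", 6)


def detect(lines):
    """Run every parseable line through classify() and keep the alerts."""
    return [a for a in (classify(e) for e in map(parse, lines) if e) if a]


def to_cef(alert):
    """Render an alert as a CEF line (CEF is one of the page's alert outputs)."""
    return (
        "CEF:0|example|deception-detector|1.0|DECOY_AUTH|Decoy authentication|"
        f"{alert.severity}|dhost={alert.decoy} suser={alert.user} "
        f"src={alert.src_ip} cs1Label=compromisedEndpoint "
        f"cs1={alert.compromised_endpoint} cs2Label=breadcrumbType "
        f"cs2={alert.breadcrumb_type}"
    )


SAMPLE_LOGS = [  # constructed input
    "2016-03-01T09:12:03Z fs-prod-03 auth: accepted smb user=jdoe from=10.1.4.17",
    "2016-03-01T09:40:51Z decoy-fs01 auth: accepted smb user=svc_backup_ws22 from=10.1.4.22",
    "2016-03-01T09:41:07Z decoy-db01 auth: failed ssh user=root from=10.1.9.9",
    "garbage line that does not parse",
]

if __name__ == "__main__":
    for alert in detect(SAMPLE_LOGS):
        print(to_cef(alert))
```

The production logon in the first sample line produces nothing; the decoy logon with svc_backup_ws22 is attributed to WS-022 at severity 10; the unattributed root attempt against decoy-db01 is kept at a lower severity because it could equally be a scanner. On a Windows endpoint the "cached credential" breadcrumb in this inventory would be planted with a tool such as cmdkey from a logon script, which matches the Group Policy deployment option the page describes for breadcrumbs.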

Cymmetria’s cyber deception solution: MAZERUNNER

Attacker behavior follows the same basic pattern:

01 Post-Infection Recon: The attacker takes credentials, shares, etc., from the infected machine.

02 Attack Propagation: The attacker tries to use the gathered information (for example, to access a file share for which they found credentials).

03 Exploitation: After accessing the network share, the attacker attempts to breach the server to access more files.

Breadcrumbs: shape attackers’ situational awareness
• Cached credentials
• Mapped shares
• Browser cookies
• Registry keys

Services & Decoys: high-interaction monitoring of attackers’ every move
• Windows 7
• Windows Server
• Linux (CentOS)
• SSH, OpenVPN
• SMB, RDP
• HTTP and more…

Mitigation & Forensics: rapidly immunize from further attacks
• Credentials, vulnerabilities exploited, malware used, etc.
• Hashes (MD5, SHA256)
• STIX, Snort

MazeRunner

Deception starts here

Creating realistic environments to hunt cyber attackers

[email protected] www.cymmetria.com

Page 2

MazeRunner Cyber Deception Technology

Platform: Virtual or physical appliance; one appliance can serve multiple VLANs

Deployment: On-premise or in the cloud (Google Cloud, AWS, Microsoft Azure)

Decoy Management: Nested virtualization within the MazeRunner appliance, or instantiation on existing virtualization/cloud infrastructure

Breadcrumb Deployment: Automatically through Active Directory, manually through WMI/GP scripts (provided by the system), or via cloud provisioning scripts

Integration:
• Alerts output: syslog, Splunk, CEF
• Data export: PCAP, binary (memory dumps, malware)
• Threat intelligence: STIX (CybOX/TAXII)
• IDS: Snort

Requirements:
• 500 GB storage
• 16 GB RAM
• 8 CPUs @ 2 GHz

Asset Protection: Divert attackers from organizational assets and onto decoy networks.

Rapid Attack Mitigation: Once a decoy is attacked, signatures are generated and distributed to your existing security mechanisms.

Detailed Forensic Data: Get information about the attack’s origin and the tools and tactics used, including detailed forensic data such as memory dumps, PCAP files, executed commands, and more.

[Diagram: MazeRunner breadcrumbs on endpoints; organizational networks; organizational security grid]

Beat attackers at their own game