
Read our latest case study to learn how our customer, Polygraph Combine "Ukraina", was able to protect its IT network, with a security perimeter eroded by remote workers, and catch adversaries with the Labyrinth Deception Platform.

Summary

The State Enterprise "Polygraph Combine 'Ukraina' for securities production" has for many years maintained its leading position in the production of identification documents, securities forms, secure printing products, etc. The Ukrainian passport for travel abroad is rated 27th among 130 countries: it grants visa-free entry to up to 89 countries and, with a visa issued when crossing the border, entry to up to 41 countries.

Challenge

With the transition of the Company's employees to remote work due to quarantine, obtaining maximum visibility of events inside the perimeter and detecting anomalous actions of employees connected via VPN became crucial tasks for the IT team. It was also essential to collect more data about the DMZ segment and the hosts interacting with it.
Particular effort had to be devoted to securing access to the Askod system within the network.

Realization

One Labyrinth Admin VM and several Labyrinth Worker VMs were deployed on the VMware vSphere hypervisor in the server LAN segment and in the DMZ segment (Worker VMs only).

Five Honeynets were composed:

  • For Points in the DMZ segment (25 IP)
  • For Points in the IT test segment (45 IP)
  • For Points in the physical-security-devices segment (30 IP)
  • For Points in the company-management segment (120 IP)
  • For Points in the production segment (64 IP)

UniversalWebPoint was used in most cases across all segments. In the Company's management segment, AskodPointType was used in addition.

Seeder agents were deployed to:

  • Real servers running production web services
  • All test servers
  • Laptops and workstations in the company-management segment
  • Home laptops used for VPN connections

Client’s Infrastructure

  • Up to 1000 LAN hosts
  • Up to 3 web services in DMZ
  • Up to 9 non-web services in DMZ on different servers

Solution

Deployment of the Labyrinth system and coverage of the Client's infrastructure proceeded in several directions:

  1. Several UniversalWebPoints imitating real services from the DMZ segment were placed in the DMZ, and several Points were deployed imitating remote-control services: ssh, rdp, REST API.
  2. Within the company-management segment, both specialized Point types (Askod, 1C) and workstation simulations were used: RDP, WMI, ssh, NetBIOS, etc.
  3. The IT segment was flooded with a wide variety of Points to offer attackers the maximum number of different vectors for further "attacks".
  4. The LAN was filled with Points imitating various file storages: ftp, sftp, samba, nfs, webdav. Simulations of various databases were also created.
  5. Multiple Breadcrumbs were distributed on all critical hosts to divert the attacker toward simulated services and hosts.

Results

Before Labyrinth's deployment, no tool was in use within the perimeter of the Client's network to increase the visibility of user actions and network software behaviour.

After the system was deployed, it was possible to detect anomalous software behavior in the DMZ segment, which was the result of an incorrect configuration.

Cases of unauthorized use of LAN resources by users who connected to the network via VPN due to quarantine were identified and studied.

On one of the workstations, suspicious scripts that scanned the network and carried out brute-force attacks on the ssh and rdp services were identified.
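The three findings above (a misconfigured DMZ service touching decoys, VPN users reaching LAN resources they should not, and a workstation scanning and brute-forcing ssh/rdp decoys) share one detection principle: a decoy Point has no legitimate users, so every contact is worth triage, and the pattern of contacts distinguishes a scan from a password-guessing loop. The following is an added illustration of that triage logic, not code from the case study or from the Labyrinth platform; the event format, field names, IP addresses and thresholds are constructed for the example.

```python
"""Triage decoy-contact events: any source that touches a decoy is flagged,
a source touching many distinct decoy endpoints is tagged as a port scan,
and repeated authentication failures against one decoy service are tagged
as brute force. Format and thresholds are assumptions for this example."""
from collections import Counter, defaultdict

# Constructed sample events as a decoy listener might emit them:
# "<timestamp> src=<ip> dst=<decoy ip> port=<n> svc=<name> kind=<connect|auth_fail>"
SAMPLE_EVENTS = """\
2021-03-02T09:00:01 src=10.20.5.17 dst=10.20.9.40 port=22 svc=ssh kind=auth_fail
2021-03-02T09:00:02 src=10.20.5.17 dst=10.20.9.40 port=22 svc=ssh kind=auth_fail
2021-03-02T09:00:03 src=10.20.5.17 dst=10.20.9.40 port=22 svc=ssh kind=auth_fail
2021-03-02T09:00:04 src=10.20.5.17 dst=10.20.9.40 port=22 svc=ssh kind=auth_fail
2021-03-02T09:00:09 src=10.20.5.17 dst=10.20.9.41 port=3389 svc=rdp kind=auth_fail
2021-03-02T09:00:10 src=10.20.5.17 dst=10.20.9.41 port=3389 svc=rdp kind=auth_fail
2021-03-02T09:05:00 src=10.20.7.3 dst=10.20.9.40 port=22 svc=ssh kind=connect
2021-03-02T09:05:00 src=10.20.7.3 dst=10.20.9.40 port=80 svc=http kind=connect
2021-03-02T09:05:01 src=10.20.7.3 dst=10.20.9.41 port=3389 svc=rdp kind=connect
2021-03-02T09:05:01 src=10.20.7.3 dst=10.20.9.42 port=21 svc=ftp kind=connect
2021-03-02T09:05:02 src=10.20.7.3 dst=10.20.9.42 port=445 svc=smb kind=connect
2021-03-02T09:30:00 src=10.20.8.9 dst=10.20.9.42 port=21 svc=ftp kind=connect
"""


def parse_events(text):
    """Parse the constructed key=value event lines into dicts."""
    events = []
    for raw in text.splitlines():
        raw = raw.strip()
        if not raw or raw.startswith("#"):
            continue
        ts, _, rest = raw.partition(" ")
        fields = dict(pair.split("=", 1) for pair in rest.split())
        fields["ts"] = ts
        fields["port"] = int(fields["port"])
        events.append(fields)
    return events


def classify_sources(events, scan_threshold=5, brute_threshold=4):
    """Return {source ip: [tags]} for every source that touched a decoy.

    Every source gets "decoy-contact" because decoys have no legitimate
    clients. Touching at least scan_threshold distinct (decoy, port) pairs
    adds "port-scan"; at least brute_threshold auth failures against one
    (service, decoy) pair adds "brute-force:<svc>@<decoy>".
    """
    points_by_src = defaultdict(set)      # src -> {(dst, port), ...}
    fails_by_src = defaultdict(Counter)   # src -> Counter[(svc, dst)]
    for e in events:
        points_by_src[e["src"]].add((e["dst"], e["port"]))
        if e["kind"] == "auth_fail":
            fails_by_src[e["src"]][(e["svc"], e["dst"])] += 1

    verdicts = {}
    for src, points in points_by_src.items():
        tags = ["decoy-contact"]
        if len(points) >= scan_threshold:
            tags.append("port-scan")
        for (svc, dst), n in sorted(fails_by_src[src].items()):
            if n >= brute_threshold:
                tags.append(f"brute-force:{svc}@{dst}")
        verdicts[src] = tags
    return verdicts


if __name__ == "__main__":
    for src, tags in sorted(classify_sources(parse_events(SAMPLE_EVENTS)).items()):
        print(f"{src:12} {', '.join(tags)}")
```

With the sample events, 10.20.7.3 touches five distinct decoy endpoints and is tagged as a scan, 10.20.5.17 fails ssh authentication four times against one decoy and is tagged as brute force (its two rdp failures stay below the threshold), and 10.20.8.9 is reported only for contacting a decoy, which is exactly the kind of single low-noise hit that exposed the misconfigured DMZ software in the case above. The thresholds are deliberately low because, unlike production logs, decoy traffic carries almost no benign baseline.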