It is always good to know that your solution is efficient and delivers significant value to customers! In this blog post we describe several real-world use cases of the Labyrinth Deception Platform reported by one of our users.
This client's network is highly distributed; architecturally, the Labyrinth Deception Platform deployment consists of 5 WorkerVMs linked to one AdminVM. Each network segment covered by our Honeynets contains 20-50 network baits (Points). The Point types are selected to match the types of real hosts and services that are most common in those subnets.
In the last 3 months alone, Labyrinth detected and helped prevent the following incidents in the customer's environment:

  • Through its integration with the SIEM system, Labyrinth revealed that credentials distributed by Seeder agents to real hosts, and embedded in one of the file decoys (an RDP-link file), were being used against real hosts. Further investigation showed that an external attacker had gained access to an internal host through a phishing attack and had searched the files on that host for credentials, passwords, hashes, etc. After finding the fake credentials, he tried to use them on several real hosts to gain unauthorized access to them.
  • About "forgotten" systems. One of the customer's employees returned to the office after maternity leave and started using her desktop computer. During her absence the PC fleet had been updated, but everyone had forgotten about this PC. Her computer, running Windows XP, was infected with WannaCry, and immediately after she started working it tried to exploit a vulnerability in one of Labyrinth's decoys. This activity was detected immediately, and using the integration with the firewalls and the SIEM, the host was isolated, so the malware did not spread further across the network.
  • While generating a new Labyrinth Deception Platform configuration, the solution found the web interface of one of the SCADA modules in one of the subnets and created a UniversalWebPoint to imitate it. After some time, this UniversalWebPoint raised several alerts indicating the presence of an attacker inside the security perimeter who was trying to gain access to the SCADA control subsystems.
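The first incident above comes down to one detection rule: bait credentials planted in a file decoy are never valid on any real host, so any logon attempt that uses them is an alert, and the decoy they came from points at the compromised host. The following is an added illustration of that correlation, not Labyrinth's own SIEM integration or code; the decoy registry, host names, addresses and log format are constructed for the example.

```python
import re

# Constructed decoy-credential registry (hypothetical names): accounts that exist only
# inside a Labyrinth file decoy, here the RDP-link file dropped by a Seeder agent, and
# are never valid on real hosts, so any attempt to use them is a detection in itself.
DECOY_CREDENTIALS = {
    "svc_backup": {"decoy": "RDP-link file", "seeded_on": "ws-fin-07"},
    "adm_scada": {"decoy": "RDP-link file", "seeded_on": "eng-ws-12"},
}

# Constructed sample of normalised authentication events as a SIEM might forward them.
SAMPLE_LOG = """\
2024-03-02T08:01:12 host=srv-file-01 event=logon_failed user=jdoe src=10.20.4.15
2024-03-02T08:01:40 host=srv-file-01 event=logon_failed user=svc_backup src=10.20.4.15
2024-03-02T08:01:55 host=srv-db-03 event=logon_failed user=svc_backup src=10.20.4.15
2024-03-02T08:02:10 host=srv-app-02 event=logon_failed user=svc_backup src=10.20.4.15
2024-03-02T09:15:00 host=srv-file-01 event=logon_success user=jdoe src=10.20.4.15
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) host=(?P<host>\S+) event=(?P<event>\S+) user=(?P<user>\S+) src=(?P<src>\S+)$")


def parse_log(text):
    """Parse the constructed log format into dicts; non-matching lines are skipped."""
    return [m.groupdict() for m in map(LINE_RE.match, text.splitlines()) if m]


def detect_decoy_credential_use(events, decoys=DECOY_CREDENTIALS):
    """One alert per (source host, decoy account) pair seen in the events.
    Failed and successful logons both count: a failure means the bait was read and
    replayed, a success means the decoy name collides with a real account."""
    alerts = {}
    for ev in events:
        info = decoys.get(ev["user"])
        if info is None:
            continue  # ordinary account, not bait
        rec = alerts.setdefault((ev["src"], ev["user"]), {
            "src": ev["src"], "user": ev["user"], "first_seen": ev["ts"],
            "decoy": info["decoy"], "seeded_on": info["seeded_on"],
            "targets": [], "successes": 0,
        })
        rec["targets"].append(ev["host"])
        rec["successes"] += ev["event"] == "logon_success"
    return list(alerts.values())


if __name__ == "__main__":
    for a in detect_decoy_credential_use(parse_log(SAMPLE_LOG)):
        print(f"ALERT: bait account {a['user']} from the {a['decoy']} on {a['seeded_on']} "
              f"used from {a['src']} against {a['targets']} (successes={a['successes']})")
```

The `src` of the alert is the host the attacker is working from and `seeded_on` is where the bait was read, which together give the isolation and investigation starting points the incident above describes.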