Labyrinth

Deception: Labyrinth

What is Labyrinth?

Labyrinth is a deception-based threat detection technology that identifies and blocks cyber attacks on a corporate network. The solution, based on unique threat detection technologies, proactively protects IT / IoT / OT networks from targeted attacks, advanced and unknown threats, botnets, zero-day attacks and malicious insider attacks. The platform provides a simple and powerful tool to detect intruders inside the corporate network as early as possible. Easily deployed in virtual, physical or hybrid IT environments, it detects threats without continuous monitoring or generating excessive data.

Main features and functions of Labyrinth

Early detection of online threats

Labyrinth detects any targeted, suspicious activity at an early stage of an attack. Labyrinth Points (network decoys) are designed to capture threat activity as the attacker tries to understand the network and find their target. When an attacker attacks a specific Point, Labyrinth collects all the details about it: the sources of the threat, the tools used and the vulnerabilities exploited. At the same time, all actual resources and services operate without any disruption.

Precise notifications 

Labyrinth supports security operations teams (SOCs) with highly reliable alerts, with less than 1% false alarms. By nature, Labyrinth Points are silent until they are touched. No one is supposed to interact with them, so any interaction with a Point is extremely suspicious. This differentiates Labyrinth from security solutions that aim to analyse all network activity and produce a lot of digital 'noise'.

Rapid response to incidents

Labyrinth provides an intelligent analytical tool for incident investigation and threat identification. All collected incidents are enriched with the necessary security data from the incident response platform. The indicators of compromise (IoCs) generated by Labyrinth are automatically synchronised with third-party solutions to prevent attacks. This allows immediate action to be taken in the event of an attack: understanding it, performing forensic analysis, responding confidently and developing better defences for the future.

Proactive defence

Most detection technologies stop an attack once it is detected and leave no opportunity to investigate it. Labyrinth allows you to learn more about the nature of the attack and better understand the tools and techniques used by attackers. The solution generates and installs artefacts (fake data) on hosts (stations and servers) with the aim of engaging attackers with a tempting decoy. Instead of waiting to see what the attacker's next move will be, the artefacts direct the attacker to an isolated environment to be observed.

Detection of targeted attacks

To effectively counter targeted attacks, it is crucial to understand the attackers' techniques, tools and objectives. Labyrinth's deception platform lulls hackers or malicious internal intruders into a false sense of security and provides insight into their skills and motives. Knowing what attackers know about corporate networks, applications and employees helps create more accurate profiles of attackers and apply the best possible defence against them. It also reveals weaknesses in corporate defences that could be exploited by attackers in the future.

Post-infection detection

The Labyrinth deception platform implemented in corporate networks can serve as a highly reliable warning system for attacks that bypass network edge security. Seeder agents, deployed on servers and workstations, mimic the most 'palatable' artefacts to an attacker. What appears to be a high-powered and poorly protected administrator account is a trap that lures the attacker into the Labyrinth system. It is then possible to monitor the attackers' interactions with the Points (the system's decoys), gathering valuable information about threats that have penetrated other corporate network defences.

Internal movement recognition

In the lateral movement phase, the attacker moves from one resource to another on the corporate network. Labyrinth's deception platform is designed to detect early reconnaissance, credential theft and internal traffic. It allows companies to gain visibility of such threats at an early stage, a complex task for traditional security solutions. Labyrinth directs the attacker's next step into the deception ecosystem and immediately reveals the attacker.

Reduction in dwell time

The Labyrinth platform's detection mechanism is particularly effective in reducing dwell time, the time an attacker remains unnoticed on a corporate network. Long dwell time is a key prerequisite for an attacker to successfully launch an attack. Labyrinth reduces the dwell time of attacks by configuring honeypots, decoys and artefacts for attackers. Labyrinth's deception platform reduces the time and ability of attackers to move through corporate networks and stops them before they reach critical resources and services.

High interaction decoys

Labyrinth's deception platform is based on Points - high-interaction honeypots with intelligent functions. Points are identical to enterprise resources and run real operating systems, applications and services with fake data. They allow the attacker to log in and respond to their requests to understand their intentions. Points keep attackers engaged for long periods of time, observing them and collecting valuable data about their tools and techniques. In addition to this, Points create local indicators of compromise (IoCs) and machine-readable threat information (MRTI).

Diversity and reliability of decoys

Points reflect vulnerabilities in production networks, emulating the real operating system/image, services and applications for IoT, SCADA / OT / ICS, POS, network and telecoms environments. Fake workstations, servers, devices, applications, services and protocols look identical to real assets. The Points not only emulate the vulnerabilities most attractive to attackers, but also behave like real hosts. Depending on the type, they can send broadcast requests, change IP addresses and connect to message sites. This makes it possible to mix decoys in a production environment and differentiate them from the rest of the assets so that they can be selected as a target for an attacker.

Multi-layer protection

Labyrinth implements a full imitation stack to provide the highest level of protection to its customers. Low-interaction artefacts on the front line of defence emulate in-house applications and are only used for basic threat detection. They are easy to detect and bypass and inform attackers that they are in a minefield. This distracts opportunistic attackers and gives targeted attackers false confidence that they have discovered imitations in the network. Meanwhile, high-interaction decoys go unnoticed and provide detection of advanced threats.

Automation

The Labyrinth deception platform automatically identifies hosts, services and connection paths between them to streamline and customise the creation and deployment of decoys and traps. Advanced networking features allow new paths to be dynamically created in Labyrinth and Points to be updated. Labyrinth provides automated management and periodic refreshing of Points deployed in a production environment to maintain their authenticity. The lightweight, automated and flexible solution saves time and provides a high level of security from day one of deployment.

Scalability

Labyrinth can be scaled effectively in large, distributed corporate networks. Each emulated Point is a lightweight process running on a virtual machine. As a result, scalability is not based on computing resources, but on constructing and deploying a comprehensive set of decoys and traps across the network environment. The automated creation and deployment of Points helps companies streamline the scaling process and achieve full protection of all network segments.

Why use Labyrinth?

01

Stopping advanced threats

Labyrinth detects targeted and advanced attacks without requiring any prior knowledge of the form, type or behaviour of the threat. The platform detects known and unknown threats at the earliest stage of the attack lifecycle.
02

Reduction in operating costs

Labyrinth does not collect large amounts of data, does not generate false alarms, and does not require special skills to operate. It is easily implemented into the existing security infrastructure.
03

Automated incident response

Labyrinth accelerates incident response through integrations with third-party solutions that automate isolation, blocking and threat hunting.
04

Minimum manual configuration 

Quick and simple implementation with no system conflicts and minimal system maintenance: no databases, signatures or rules to configure and update.
05

No impact on performance 

No negative impact on the performance of network devices, hosts, servers or applications.