Loading
1. NEW AND IMPROVED
1.1. Integrations: Crowdstrike
The integration allows you to:
Enrich the alert with data about the host from which the attack was launched based on the alert's Source IP;
Isolate the host if it has a Crowdstrike agent, and this host is the source of the alert; Network containment (optional).
1.2. Integrations: Fortigate
Labyrinth Deception Platform integrates with available Fortigate devices for:
Enriching alerts with data about the attacking host;
Implementing a mechanism to isolate a host in the network if it is involved in a security incident, i.e., if it has been observed performing malicious actions on Point.
1.3. New Point types for SCADA/OT protection
To protect SCADA/OT, new Point types have been developed that can emulate Web interfaces PLC, Siemens S7COMM, SNMP, Modbus, etc.
1.3.1. Siemens Simatic S7-1200
This Point type emulates PLC Siemens Simatic S7-1200, namely:
web interface;
S7COMM protocol for communication with PLC ;
SNMP.
1.3.2. Siemens Simatic S7-300 and S7-1500
Like the previous Point type, S7-300 and S7-1500 emulate S7COMM, SNMP but without a web interface. However, the alerting and overall performance of SNMP and S7COMM are identical to S7-1200.
1.3.3. Rockwell Allen Bradley PLC та Ethernet Processor SLC-500
Also, web interface simulations were added for Rockwell Allen Bradley:
Allen Bradley PLC CompactLogix 5069-L320ER/A
Allen Bradley Ethernet Processor SLC-500 (1747-L552/C)
1.3.4. Modbus TCP RTU
Modbus TCP Server is a type of Point that uses TCP/IP networks for communication. If it is present in the Honeynet settings, it is possible to detect any interaction with the Point via the Modbus TCP protocol: an attempt to read and write registers, an attempt to get a description of the server, etc.
1.3.5. MQTT Server imitation
MQTT is not directly related to SCADA, but rather to the IoT topic. MQTT Broker is a Point type, which is a full-fledged MQTT broker and allows you to publish notifications to the topics, subscribe to the topics, etc.
Currently, there are two options for implementing this type of Point:
MQTT Broker with anonymous access to it. This means that when connecting to it, publishing notifications, or subscribing to topics, there is no need to authenticate.
MQTT Broker with Authentication is a variant of the Point type that requires the client to authenticate with a username and a password corresponding to it.
1.4. User password reset
If the system user has lost or forgotten his password, the tenant administrator or superuser can reset it. In this case, a one-time password (OTP) will be generated, and the user must change the password to a new one at the next login.
1.5. Timezone awareness
Date, time, and time intervals are displayed to the user according to the time zone settings in the system. This includes the alert time on Point, the date range for dashboard data, the time range in Settings -> General -> Trusted IPs, etc.
1.5. Improvement of the Latest Alerts sidebar
The new design of the sidebar makes it easier, faster, and better to analyze events.
1.6. KVM official support
Installation of an AdminVM on KVM-based platforms (Proxmox, OpenStack, etc.) is officially supported. Details of the installation process are described in the User Manual.
2. FIXES
2.1. The removal of the Seeder Agent with a large number of Seeder Tasks
In lab conditions, we noticed a problem with the removal of the Seeder Agent when a large number of Labyrinth regenerations were performed. It is currently fixed, but our team is ready to respond quickly in case of a recurrence.
