Ridgeback Agent for Basic Deception


This post is to help you get up and running with the Ridgeback Agent using the basic deception configuration. The Ridgeback Platform is very versatile and extensible, so don’t be put off if this configuration is too simplistic for your needs. To get started, we will need the Ridgeback Agent software (with a valid license code), a host for the software (either a server or a VM), a switch fabric (either physical or virtual), and two or more hosts attached to the switch fabric. Set up one of the hosts with some hacking tools. I recommend Kali Linux. We will be using nmap for the basic validation.
Here are some examples of how the Ridgeback Agent can be deployed. Pick one that works for you.
In addition to deploying the software, there should be other hosts on the network. Here is an example of other hosts on the network.
In this diagram, the Ridgeback Agent is running on bare metal and not in a VM. The Ridgeback is also connected (via an Ethernet interface) to a physical switch. With this configuration, all of the endpoints (in gray boxes) are vulnerable to being deceived by the Ridgeback. The endpoint that is hosting Ridgeback is a special case, which I will not cover here. For the simple case, assume that the endpoint running Ridgeback is a trusted machine functioning as a security device. (There is a Ridgeback Appliance that addresses the problem of interface sharing, and work is also underway to merge the Ridgeback with a virtual switched fabric in the data plane. Again, a topic for another day.)
Let us say the endpoints in the diagram are all on the same VLAN and subnet or network segment, perhaps 10.1.1.0/24. (Multiple VLANs? Yep, a topic for another day.) Once Ridgeback is running, from one of the non-Ridgeback hosts you can run:
nmap -Pn 10.1.1.0/24
If you actually try to scan the whole subnet, be prepared for what happens next. Ridgeback’s job is not to do something like “If I see A, then do B.” Instead, depending on what plugins you have installed, Ridgeback will start playing rugby with nmap. It is interesting, and sometimes fun, as long as you are on the blue team.
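One way to confirm from the blue-team side that the deception is in play is to compare what nmap reports against the hosts you know you put on the segment: addresses that answer but are not in your lab inventory are the deception at work. The script below is an added example, not code from the original post or from Ridgeback; it parses nmap's XML output (the format `nmap -Pn -oX - 10.1.1.0/24` writes) and lists the responders that are not in the inventory. The XML and the inventory are constructed sample data, and the 10.1.1.0/24 range is the one assumed in the post.

```python
import xml.etree.ElementTree as ET
from ipaddress import ip_address, ip_network

# Constructed sample of `nmap -Pn -oX -` output (not a real scan): three hosts
# report as up in the lab /24. Only two of them exist in the inventory below.
SAMPLE_NMAP_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -Pn -oX - 10.1.1.0/24">
  <host><status state="up"/><address addr="10.1.1.10" addrtype="ipv4"/>
    <ports><port protocol="tcp" portid="22"><state state="open"/></port></ports></host>
  <host><status state="up"/><address addr="10.1.1.11" addrtype="ipv4"/>
    <ports><port protocol="tcp" portid="80"><state state="open"/></port>
           <port protocol="tcp" portid="443"><state state="open"/></port></ports></host>
  <host><status state="up"/><address addr="10.1.1.200" addrtype="ipv4"/>
    <ports><port protocol="tcp" portid="22"><state state="open"/></port></ports></host>
</nmaprun>
"""

# Constructed lab inventory: the hosts you actually attached to the switch fabric.
LAB_INVENTORY = {"10.1.1.10", "10.1.1.11"}


def parse_nmap_xml(xml_text):
    """Return {ipv4_address: [open TCP ports]} for every host nmap reports as up."""
    root = ET.fromstring(xml_text)
    hosts = {}
    for host in root.findall("host"):
        status = host.find("status")
        if status is None or status.get("state") != "up":
            continue
        addr = host.find("address[@addrtype='ipv4']")
        if addr is None:
            continue
        open_ports = []
        for port in host.findall("ports/port"):
            state = port.find("state")
            if state is not None and state.get("state") == "open":
                open_ports.append(int(port.get("portid")))
        hosts[addr.get("addr")] = sorted(open_ports)
    return hosts


def unexpected_responders(scan_hosts, inventory, subnet):
    """Addresses inside `subnet` that answered the scan but are not in the inventory.

    On a segment with a deception agent, these are the decoy responders; on a
    segment without one, they are hosts you did not know about, which is its
    own finding.
    """
    net = ip_network(subnet)
    return sorted(
        ip for ip in scan_hosts
        if ip_address(ip) in net and ip not in inventory
    )


if __name__ == "__main__":
    scan = parse_nmap_xml(SAMPLE_NMAP_XML)
    print(f"{len(scan)} hosts reported up")
    for ip in unexpected_responders(scan, LAB_INVENTORY, "10.1.1.0/24"):
        print(f"not in inventory: {ip} open ports {scan[ip]}")
```

To use it against a real lab run, replace `SAMPLE_NMAP_XML` with the contents of the file written by `-oX` and `LAB_INVENTORY` with your own host list; the count of responders that should not exist is a quick way to see how much of the subnet the deception is filling in.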
After you have done whatever scanning you want to do, go in the Ridgeback interface and view the graph of the interest matrix. Here is a sample basic graph that shows a network under attack. The “omygosh everything is red” kind of gives it away.
I hope this helps explain some of the Ridgeback Agent in the basic deception configuration. If you have specific questions, hop over to the Ridgeback community forums.
April 20th, 2016 | blog

About the Author:

Thomas Phillips is the lead "technical guy" at Ridgeback Network Defense. You can email him at tom-at-ridgeback.tillitclicks.com
