FortiDeceptor
FortiDeceptor provides Deception-based Breach Protection to deceive, expose and eliminate external and internal threats.
mbensimon
Staff
Article Id 189913
Description

This article describes how to use FortiDeceptor Deception Decoys and Lures to detect activity related to the Microsoft Exchange vulnerabilities exploited by HAFNIUM.
For more information on the vulnerabilities being exploited, see the FortiGuard Lab Threat Signal Report:

Out of Band Patches Released for Active Exploitation of Microsoft Exchange Server

Cyber Deception Against HAFNIUM:

The HAFNIUM group uses several RCE (remote code execution) exploits against Microsoft Exchange servers and then drops a web shell backdoor to move further inside the network.

The RCE exploits allow the attacker to write web shells (ASPX files) to the server and use them for malicious activity such as dumping credentials, adding user accounts, stealing copies of the Active Directory database (NTDS.DIT), and moving laterally inside the network.

Combining Deception Decoys in the network, concentrated in the data center segments (“crown jewels”), with Deception Lures deployed across servers and endpoints exposes the attack during the reconnaissance phase:

1.      A threat actor who has exploited the Exchange server with an RCE exploit runs a web shell on it to collect intelligence about the server and the surrounding network in preparation for lateral movement.

2.      That intelligence gathering (credential dumping, file access, passive or active network scanning) returns a mix of real and fake network information.

3.      The fake information can include fake cached credentials, fake files, fake network drives, fake network connections, and more.

4.      Using any of the fake data against the network reveals the threat actor and triggers a real-time alert that can drive an automated mitigation response to block or isolate the attacker.


Scope

FortiDeceptor V.3.2.1, V.3.3 – Deception Decoys & Lures- full network deployment


Solution
  1. Deploy server Decoys across the data center segments (“crown jewels”) and the endpoint network segments: Windows and Linux endpoint/server, DB server, Web server, ERP, POS and GIT decoys. (You can use your own gold image to deploy custom decoys that are identical to your environment and join them to your domain.)
  2. FortiDeceptor generates a set of Deception Lures based on your Decoy deployment, with the ability to customize them to match your environment.
  3. Verify that FortiDeceptor generates a deception lure package containing the following Deception Lures: RDP, SMB (fake user and fake network drive), Cached Credentials, Fake Network Connection, and SSH.
  4. FortiDeceptor requires a real domain user (or users) for the Cached Credentials Lure, because a threat actor will check the user's identity against Active Directory before using it for lateral movement. Create that user with logon restrictions so the account can never be used for a real logon. See this link for help -> https://ravingroo.com/267/active-directory-user-workstation-logon-restriction/
  5. Download the Deception lure package from the Decoy configuration section.
  6. Deploy the Deception lure package across your servers and endpoints using an A/D logon script. Keep in mind that the Deception lure package is an “agent-less” technology (see the FortiDeceptor Admin Guide).
  7. To verify the Deception lure package deployment, run the command “net use” on any endpoint that is part of the domain; you should see the network drive mapping in place. You can also open the Windows Credential Manager and verify that the fake saved passwords exist.
  8. FortiDeceptor detects the threat actor when the fake data is used against the network for lateral movement. Some Deception components detect the attacker even during the intelligence-gathering phase, for example when a fake network drive share is accessed from the web shell.
  9. FortiDeceptor then leverages the Fortinet Security Fabric to execute a threat mitigation response that isolates the threat actor.
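The following PowerShell is an added example for steps 4 and 7 of the procedure above; it is not part of the article or of the FortiDeceptor product. It creates the honey account with a workstation logon restriction, checks on a client that the lure package left the expected drive mapping and Credential Manager entry behind, and, as an extra check the article does not mention, searches a domain controller's Security log for authentication attempts with the honey account. Every name in it (domain CORP, account svc-backup2, drive Z:, decoy server FILESRV02, the nonexistent workstation name) is an assumption for illustration; the RSAT ActiveDirectory module is needed for the first part.

```powershell
# Added example, not FortiDeceptor code. All names below are assumptions.

# --- Step 4: honey account that resolves in AD but can never log on ---
# The Cached Credentials lure needs a real domain user so an attacker's
# lookup succeeds. Restricting LogonWorkstations to a host that does not
# exist means every logon attempt with the lure fails and is logged.
Import-Module ActiveDirectory
$domain    = 'CORP'                                  # assumption
$honeyUser = 'svc-backup2'                           # assumption
$honeyPass = Read-Host -AsSecureString -Prompt "Password for $honeyUser"
New-ADUser -Name $honeyUser -SamAccountName $honeyUser `
    -AccountPassword $honeyPass -Enabled $true -PasswordNeverExpires $true `
    -Description 'Deception lure account - no legitimate use'
# Only this (non-existent) workstation may log the user on.
Set-ADUser -Identity $honeyUser -LogonWorkstations 'NO-SUCH-HOST'   # assumption

# --- Step 7: verify the lure package on a domain-joined client ---
# Run after the A/D logon script has executed on the endpoint.
$expectedDrive  = 'Z:'                               # assumption
$expectedServer = 'FILESRV02'                        # assumption: decoy file server

# "net use" prints one line per drive mapping; look for the fake share.
$driveOk = @(net use 2>$null |
    Where-Object { $_ -match [regex]::Escape($expectedDrive) -and $_ -match $expectedServer }).Count -gt 0

# "cmdkey /list" prints the Credential Manager entries an attacker dumping
# cached credentials would see; look for the honey account.
$credOk = @(cmdkey /list 2>$null |
    Where-Object { $_ -match "$domain\\$honeyUser" }).Count -gt 0

[pscustomobject]@{
    Host             = $env:COMPUTERNAME
    FakeDriveMapped  = $driveOk
    FakeCredPresent  = $credOk
} | Format-List

if (-not ($driveOk -and $credOk)) {
    Write-Warning 'Lure package not (fully) deployed on this endpoint.'
}

# --- Extra check on a domain controller: any use of the honey account? ---
# Because the account is never used legitimately, every event naming it is
# suspicious: 4768/4771 (Kerberos AS-REQ), 4776 (NTLM) and 4625 (failed logon).
$filter = @{ LogName = 'Security'; Id = 4625, 4768, 4771, 4776
             StartTime = (Get-Date).AddDays(-7) }
Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
    Where-Object { $_.Properties.Value -contains $honeyUser } |
    Select-Object TimeCreated, Id, MachineName |
    Format-Table -AutoSize
```

The client-side part only confirms that the lure artifacts exist; the actual detection still comes from the Decoys when the attacker touches the fake share or tries the fake credential. The DC query is a cheap second signal for the same event, useful when tuning the account so that no scheduled task or script accidentally trips it.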

FortiDeceptor is Part of the Fortinet Security Fabric.

  • FortiDeceptor is natively integrated with FortiGate, FortiNAC, FortiSIEM, FortiAnalyzer, and other Fabric solutions to automate the mitigation response when an attack is detected.
  • For example, the video below shows FortiDeceptor leveraging FortiNAC to automatically isolate an infected device that has been targeted by ransomware.

https://www.youtube.com/watch?v=SfiEL7-F5Mo&t=154s

