This article describes how to use FortiDeceptor Decoys and Deception Lures (Cache Credentials, SMB and RDP) to detect activity related to the DarkSide ransomware attack.
DarkSide gains initial access to its targets through VPN vulnerabilities and phishing emails.
For more information about this ransomware attack, see the Fortinet blog post:
https://www.fortiguard.com/threat-signal-report/3943/colonial-pipeline-attack-attributed-to-darkside...
Based on the malware analysis, the threat actor uses built-in Windows commands and hacking tools to move laterally: built-in commands such as 'net' and 'ping' to perform basic reconnaissance of the internal network, tools like Mimikatz and Cobalt Strike to dump passwords and memory, and PsExec and RDP to move laterally inside the network.
Based on the threat actor TTPs above, cyber deception using deception decoys and lures can deceive and detect the threat actor early in the kill chain.
Cyber Deception Against the DarkSide Ransomware Reconnaissance Phase:
1. FortiDeceptor starts by deploying network decoys across the network segments, creating a fake environment that simulates the real network and its assets. Network decoys include Linux/Windows endpoints and servers, web, DB and Git applications, IoT/OT devices, and many more.
2. Based on the network decoy deployment, FortiDeceptor generates and deploys Deception Lures, such as a fake network drive and fake username and password pairs, across every endpoint and server in your network.
3. Deception lures detect the DarkSide threat actor early in the kill chain. The following lures are placed:
a. The SMB Deception Lure generates a fake network drive with fake files. This network drive deceives the threat actor when they use Windows commands like "NET" or "PING", or when the ransomware payload starts encrypting local and network drives and engages with a network decoy. This malicious engagement triggers alerts and also mitigation responses that isolate the malicious endpoint from the network.
b. The Cache Credentials Deception Lure deploys a fake username and password to the endpoint or server. These fake credentials deceive the threat actor when they use tools like Mimikatz: the attacker uses the fake credentials to move laterally and engages with a network decoy. This malicious engagement triggers alerts and also mitigation responses that isolate the malicious endpoint from the network.
c. The RDP Deception Lure deploys fake Windows RDP credentials in the Windows Credential Manager. These fake credentials deceive the threat actor when they use Mimikatz and RDP clients to move laterally and engage with a network decoy. This malicious engagement triggers alerts and also mitigation responses that isolate the malicious endpoint from the network.
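The detection principle behind the lures above is that a planted decoy credential or decoy share has no legitimate user, so any attempt to use it is a high-confidence signal. The following added example (not FortiDeceptor code) applies that principle to a few constructed Windows-style authentication and share-access events; the decoy account names, the decoy server address and the simplified key=value event format are all assumptions made for illustration.

```python
"""Flag use of deception lures (decoy credentials / decoy share) in auth events."""
import re
from dataclasses import dataclass

# Hypothetical lure inventory, as a deception platform would plant it (constructed).
DECOY_ACCOUNTS = {"svc_backup_adm", "rdp_helpdesk"}
DECOY_SHARE_HOSTS = {"10.0.9.25"}          # constructed decoy file-server address

# Constructed events: 4624 = logon success, 4625 = logon failure, 5140 = share access.
SAMPLE_EVENTS = [
    "EventID=4624 TargetUserName=alice IpAddress=10.0.1.10 WorkstationName=WS01",
    "EventID=4625 TargetUserName=svc_backup_adm IpAddress=10.0.1.42 WorkstationName=WS17",
    "EventID=4624 TargetUserName=rdp_helpdesk IpAddress=10.0.1.42 WorkstationName=WS17",
    "EventID=5140 TargetUserName=bob IpAddress=10.0.1.10 ShareName=\\\\10.0.9.25\\finance",
    "EventID=4624 TargetUserName=bob IpAddress=10.0.1.10 WorkstationName=WS02",
]


@dataclass(frozen=True)
class Alert:
    source_ip: str
    reason: str


_KV = re.compile(r"(\w+)=(\S+)")


def parse_event(line: str) -> dict:
    """Parse one key=value event line into a dict of its fields."""
    return dict(_KV.findall(line))


def detect_lure_use(lines) -> list:
    """Return one Alert per event that touches a decoy credential or decoy share."""
    alerts = []
    for line in lines:
        ev = parse_event(line)
        user, ip = ev.get("TargetUserName", ""), ev.get("IpAddress", "?")
        if ev.get("EventID") in {"4624", "4625"} and user in DECOY_ACCOUNTS:
            # Success or failure does not matter: nobody should know this account.
            alerts.append(Alert(ip, f"decoy account {user!r} used (EventID {ev['EventID']})"))
        elif ev.get("EventID") == "5140":
            host = ev.get("ShareName", "").lstrip("\\").split("\\")[0]
            if host in DECOY_SHARE_HOSTS:
                alerts.append(Alert(ip, f"decoy share {ev['ShareName']} accessed"))
    return alerts


def hosts_to_isolate(alerts) -> set:
    """Source addresses to quarantine (what a NAC integration would act on)."""
    return {a.source_ip for a in alerts}
```

Running `detect_lure_use(SAMPLE_EVENTS)` yields three alerts (two for the decoy accounts from 10.0.1.42, one for the decoy share from 10.0.1.10), and `hosts_to_isolate` collapses them into the two source addresses to quarantine.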
Cyber Deception Against DarkSide Ransomware:
FortiDeceptor is part of the Fortinet Security Fabric.
FortiDeceptor is natively integrated with FortiGate, FortiNAC, FortiSIEM, FortiAnalyzer, and other Fabric solutions to automate the mitigation response when an attack is detected.
For example, the video below shows FortiDeceptor leveraging FortiNAC to automatically isolate an infected device that has been targeted by ransomware.
https://www.youtube.com/watch?v=SfiEL7-F5Mo&t=154s
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.