FortiDeceptor
FortiDeceptor provides Deception-based Breach Protection to deceive, expose and eliminate external and internal threats.
mbensimon
Staff
Article Id 197929
Description

This article describes how to use FortiDeceptor decoys and deception lures (cache credentials, SMB and RDP) to detect activity associated with the DarkSide ransomware attack.

DarkSide gains initial access to its targets through VPN vulnerabilities and phishing emails. For more information about this ransomware attack, see the Fortinet blog post:
https://www.fortiguard.com/threat-signal-report/3943/colonial-pipeline-attack-attributed-to-darkside...

According to the malware analysis, the threat actor relies on built-in Windows commands and common hacking tools to move laterally: built-in commands such as 'net' and 'ping' for basic reconnaissance of the internal network, tools like Mimikatz and Cobalt Strike to dump passwords and memory, and PsExec and RDP to move laterally inside the network.

Because these TTPs depend on the attacker discovering shares, hosts and credentials, cyber deception using decoys and lures can deceive and detect the threat actor early in the kill chain, before real assets are touched.

Cyber Deception Against DarkSide Ransomware Reconnaissance phase:

1.      FortiDeceptor starts by deploying network decoys across the network segments, creating a fake environment that simulates the real network and its assets. Network decoys include Linux/Windows endpoints and servers, web, database and Git applications, IoT/OT devices and many more.

2.      Based on the deployed network decoys, FortiDeceptor generates and deploys deception lures, such as a fake network drive and fake user names and passwords, across every endpoint and server in the network. Each lure points at a decoy, so using it leads the attacker to a decoy rather than to a real asset.

3.      The following deception lures detect the DarkSide threat actor early in the kill chain:

a.      The SMB deception lure maps a fake network drive that contains fake files. This drive deceives the threat actor when Windows commands like "net" and "ping" enumerate it, or when the ransomware payload starts to encrypt local and network drives and touches the fake drive, which engages a network decoy. The malicious engagement triggers an alert and, optionally, a mitigation response that isolates the infected endpoint from the network.

b.      The cache credentials deception lure plants a fake user name and password on endpoints and servers. When the threat actor harvests credentials with a tool like Mimikatz and reuses the fake credentials to move laterally, the logon attempt lands on a network decoy. The malicious engagement triggers an alert and, optionally, a mitigation response that isolates the infected endpoint from the network.

c.       The RDP deception lure stores fake Windows RDP credentials in Windows Credential Manager. When the threat actor extracts them with Mimikatz or reuses them from an RDP client to move laterally, the connection lands on a network decoy. The malicious engagement triggers an alert and, optionally, a mitigation response that isolates the infected endpoint from the network.


Scope
Deception lures (SMB, cache credentials, RDP) and network IT decoys are available in FortiDeceptor v3.3 and later.
Solution

Cyber Deception Against DarkSide Ransomware:

  1.  Configure the network segments under the "Deployment Network" section that FortiDeceptor will use to deploy network decoys.
  2.  Deploy network decoys across the VLAN segments configured under the "Deployment Network" section.
  3.  Download the deception lure package from the Decoy configuration section.
  4.  Deploy the deception lure package across the endpoints using an AD logon script. Keep in mind that the deception lure package is an agentless technology: it plants the lures and leaves no resident process on the endpoint (see the FortiDeceptor Admin Guide).
  5.  To verify the deception lure package deployment, run the command "net use" on any domain-joined endpoint. The fake network drive mapping should be listed. Alternatively, open Windows Credential Manager (or run "cmdkey /list") and verify that the fake credentials exist.
  6.  Once DarkSide ransomware has penetrated the network and infected an endpoint, any interaction with a deception decoy or lure triggers a real-time alert.
  7.  FortiDeceptor leverages the Fortinet Security Fabric to execute a threat mitigation response that isolates the infected endpoint upon detection.
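The following script is an added example of automating the verification in step 5; it is not part of the FortiDeceptor lure package or admin guide. It checks a domain-joined Windows endpoint for the three lures described above (the mapped SMB drive via Get-SmbMapping with a "net use" fallback, and the cache-credential and RDP entries via "cmdkey /list") and exits non-zero if any lure is missing, so it can run from the same logon script or a compliance job. The decoy host names (FILESRV-DECOY01, RDP-DECOY01) and the drive letter Z are placeholders; replace them with the values shown in your Decoy configuration.

```powershell
# Added example, not FortiDeceptor's own tooling: verify that the SMB, cache-credential
# and RDP lures landed on this endpoint. Run it as the user the logon script targeted,
# because "cmdkey /list" only shows that user's credential store.
# ASSUMPTIONS: decoy host names and the lure drive letter below are placeholders.
param(
    [string[]]$DecoyHosts = @('FILESRV-DECOY01', 'RDP-DECOY01'),  # assumed decoy names
    [string]$LureDriveLetter = 'Z'                                  # assumed drive letter
)

function Get-LureDriveMappings {
    # Same check as the article's "net use": mapped drives that point at a decoy host
    # or that use the lure drive letter.
    param([string[]]$Hosts, [string]$Drive)
    $mappings = Get-SmbMapping -ErrorAction SilentlyContinue
    if (-not $mappings) {
        # Fallback when the SmbShare module is unavailable: parse "net use" lines such as
        # "OK           Z:        \\FILESRV-DECOY01\Finance     Microsoft Windows Network"
        $mappings = (net use) | ForEach-Object {
            if ($_ -match '^\s*(OK|Disconnected|Unavailable)\s+(\w:)\s+(\\\\\S+)') {
                [pscustomobject]@{ LocalPath = $Matches[2]; RemotePath = $Matches[3] }
            }
        }
    }
    $mappings | Where-Object {
        $m = $_
        if ($m.LocalPath -eq ($Drive + ':')) { return $true }
        foreach ($h in $Hosts) { if ($m.RemotePath -like "\\$h\*") { return $true } }
        $false
    }
}

function Get-LureCredentials {
    # Same check as opening Credential Manager: parse "cmdkey /list" into records and keep
    # those whose target names a decoy host. RDP credentials saved by mstsc appear as
    # "Domain:target=TERMSRV/<host>"; cached domain credentials as "Domain:target=<host>".
    param([string[]]$Hosts)
    $records = @()
    $current = $null
    foreach ($line in (cmdkey /list)) {
        if ($line -match '^\s*Target:\s*(.+?)\s*$') {
            if ($current) { $records += $current }
            $current = [pscustomobject]@{ Target = $Matches[1]; Type = ''; User = '' }
        } elseif ($current -and $line -match '^\s*Type:\s*(.+?)\s*$') {
            $current.Type = $Matches[1]
        } elseif ($current -and $line -match '^\s*User:\s*(.+?)\s*$') {
            $current.User = $Matches[1]
        }
    }
    if ($current) { $records += $current }
    $records | Where-Object {
        $target = $_.Target
        $hit = $false
        foreach ($h in $Hosts) {
            # Match the host as a whole token (optionally with a DNS suffix), e.g.
            # "Domain:target=TERMSRV/RDP-DECOY01" or "Domain:target=FILESRV-DECOY01.corp.local"
            $pattern = '(^|[=/\\])' + [regex]::Escape($h) + '($|[.\\/\s])'
            if ($target -match $pattern) { $hit = $true }
        }
        $hit
    }
}

$drives = @(Get-LureDriveMappings -Hosts $DecoyHosts -Drive $LureDriveLetter)
$creds  = @(Get-LureCredentials -Hosts $DecoyHosts)
$rdp    = @($creds | Where-Object { $_.Target -match 'TERMSRV/' })
$cached = @($creds | Where-Object { $_.Target -notmatch 'TERMSRV/' })

"SMB lure (mapped drive):  " + $(if ($drives) { 'present - ' + (($drives | ForEach-Object { "$($_.LocalPath) -> $($_.RemotePath)" }) -join ', ') } else { 'MISSING' })
"RDP lure (TERMSRV cred):  " + $(if ($rdp)    { 'present - ' + (($rdp    | ForEach-Object { $_.User }) -join ', ') } else { 'MISSING' })
"Cache credential lure:    " + $(if ($cached) { 'present - ' + (($cached | ForEach-Object { $_.User }) -join ', ') } else { 'MISSING' })

# Non-zero exit lets a logon script or compliance job flag endpoints where a lure is missing.
if (-not $drives -or -not $rdp -or -not $cached) { exit 1 }
exit 0
```

Because the lures are per-user artifacts (a drive mapping and Credential Manager entries), run the check under the same account the logon script ran as; running it as a different user, or elevated with a different token, reports them as missing even when deployment succeeded.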


FortiDeceptor is part of the Fortinet Security Fabric.

FortiDeceptor is natively integrated with FortiGate, FortiNAC, FortiSIEM, FortiAnalyzer and other Fabric solutions to automate the mitigation response when an attack is detected.

For example, the video below shows FortiDeceptor leveraging FortiNAC to automatically isolate an infected device that has been targeted by ransomware.

https://www.youtube.com/watch?v=SfiEL7-F5Mo&t=154s


