| Description |
This article describes how to use FortiDeceptor Deception Decoys and Lures to detect activity related to the vulnerabilities in PTC's Axeda solution, which are collectively called the 'Access:7' Supply Chain Vulnerabilities.
Cyber Deception Against Access:7 Supply Chain Vulnerabilities:
PTC's Axeda solution includes a cloud platform that allows unit manufacturers to establish connectivity to remotely monitor, manage, and service a wide range of connected machines, sensors, and devices. This is done via what is called the agent, which is installed by the OEMs before the units are sold to customers.
Access:7 could enable hackers to remotely execute malicious code, access sensitive data, or alter the configuration on medical and IoT units running PTC's Axeda remote code and management agent.
Using the combination of Deception Decoys in the network focusing on IoT/OT segments ('crown jewels') and Deception lures deployed across IT servers and endpoints will discover the attack in the reconnaissance or lateral movement phase.
1) A threat actor who has compromised an internal desktop/server will collect intelligence by dumping credentials, accessing files, and scanning the network (passive/active). This will return a mix of real and fake network information.
2) Deception Tokens (fake information) can be fake cached credentials, fake files, fake network drives, fake network connections, and more. Some of the Deception Tokens can deceive the attacker into accessing the Axeda Windows Desktop Server over RDP, SMB, or SQL.
3) Any use of the fake data against the network exposes the threat actor and triggers a real-time alert, which automates a threat mitigation response to block or isolate the threat actor. |
| Scope |
FortiDeceptor V.3.3 and above: Deception Decoys & Lures, full network deployment |
| Solution |
Cyber Deception Against Access:7 - Supply Chain Vulnerabilities:
1) Deploy server Decoys across the IT network segments: Decoys like Windows and Linux endpoints/servers, DB servers, Web Servers, ERP, SAP, GIT, and more. (It is possible to use the gold image to deploy custom decoys that are identical to the environment and have them join the domain.)
2) Deploy IoT/OT Decoys across the IoT/OT network segments: Decoys like PLCs, HMIs, SMART sensors, routers, printers, network cameras, and more. Use the custom decoy feature to deploy a decoy with PTC's Axeda desktop server software.
3) FortiDeceptor will generate a set of Deception Lures based on the Decoys deployment with the ability to customize them to be identical to the environment.
4) Verify that FortiDeceptor generates a deception lure package with the following Deception Lures: RDP, SMB (fake user and fake network drive), Cached Credentials, Fake Network Connection, and SSH.
5) FortiDeceptor enforces the use of one or more real domain users for the Cached Credentials Lure, because a threat actor will check the user identity against the A/D before using it for lateral movement. (Create a user with Logon Restrictions.)
See this link for help: https://ravingroo.com/267/active-directory-user-workstation-logon-restriction/
6) Download the Deception lure package from the Decoy configuration section.
7) Deploy the Deception lure package across the servers and endpoints using the A/D Logon script. Keep in mind that the Deception lure package is an 'Agent-Less' technology.
(See FortiDeceptor Admin guide).
8) To verify the Deception lure package deployment, run the command 'net use' on any endpoint that is part of the domain; the output will show the network drive map configuration in place. It is also possible to open the Windows Credential Manager and verify that the fake saved passwords exist.
9) FortiDeceptor technology will detect the threat actor when the threat actor uses the fake data against the network for lateral movement. Some of the Deception components will detect the attacker even during the intelligence-gathering phase, for example when a fake network drive share is accessed from a web shell.
10) FortiDeceptor will leverage the Fortinet Fabric to execute a threat mitigation response to isolate the threat actor.
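One way to script the check in step 8, as an added example that is not part of the original article or FortiDeceptor's own tooling: it parses `net use` and `cmdkey /list` output for mapped drives and stored credentials that point at a decoy. The function name, the decoy host `DECOY-FS01`, the user `svc_lure`, and the sample output are constructed placeholders; English-language command output is assumed.

```powershell
# Added example, not FortiDeceptor code. DECOY-FS01 and svc_lure are constructed placeholders.
function Test-LureDeployment {
    param(
        [Parameter(Mandatory)] [string[]] $DecoyHosts,
        # Pass captured text to check offline; by default the live commands are run.
        [string[]] $NetUseOutput = (net use),
        [string[]] $CmdKeyOutput = (cmdkey /list)
    )
    # Mapped drives: pull the optional drive letter and the \\server\share from each line.
    $drives = foreach ($line in $NetUseOutput) {
        if ($line -match '(?<local>[A-Za-z]:)?\s+\\\\(?<server>[^\\\s]+)\\(?<share>\S+)') {
            [pscustomobject]@{ Local = $Matches['local']; Server = $Matches['server']; Share = $Matches['share'] }
        }
    }
    # Stored credentials: cmdkey prints "Target:" then "User:" per entry (English output assumed).
    $creds = @(); $current = $null
    foreach ($line in $CmdKeyOutput) {
        if ($line -match '^\s*Target:\s*(.+?)\s*$') {
            # Reduce "Domain:target=TERMSRV/name" or "Domain:target=name" to the server name.
            $server = ($Matches[1] -replace '^.*target=', '') -replace '^[^/]+/', ''
            $current = [pscustomobject]@{ Server = $server; User = $null }
            $creds += $current
        } elseif ($current -and $line -match '^\s*User:\s*(.+?)\s*$') {
            $current.User = $Matches[1]
        }
    }
    $lureDrives = @($drives | Where-Object { $DecoyHosts -contains $_.Server })
    $lureCreds  = @($creds  | Where-Object { $DecoyHosts -contains $_.Server })
    [pscustomobject]@{
        LureDrives = $lureDrives
        LureCreds  = $lureCreds
        Deployed   = ($lureDrives.Count -gt 0 -and $lureCreds.Count -gt 0)
    }
}

# Constructed sample output (not captured from a real host).
$sampleNetUse = @(
    'Status       Local     Remote                    Network',
    '-------------------------------------------------------------------------------',
    'OK           Z:        \\DECOY-FS01\Finance      Microsoft Windows Network',
    'OK           H:        \\fileserver\home         Microsoft Windows Network'
)
$sampleCmdKey = @(
    'Currently stored credentials:',
    '    Target: Domain:target=TERMSRV/DECOY-FS01',
    '    Type: Domain Password',
    '    User: CORP\svc_lure'
)
Test-LureDeployment -DecoyHosts 'DECOY-FS01' -NetUseOutput $sampleNetUse -CmdKeyOutput $sampleCmdKey
```

On a live endpoint, omit the two sample parameters and pass the names of your own decoys; run it in the logged-on user's session, since mapped drives and stored credentials are per user.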
FortiDeceptor is part of the Fortinet Security Fabric.
FortiDeceptor is natively integrated with FortiGate, FortiNAC, FortiSIEM, FortiAnalyzer, and other Fabric solutions to automate the mitigation response based on attack detection.
For example, the video below shows FortiDeceptor leveraging FortiNAC to automatically isolate an infected machine that has been targeted by ransomware. |