FortiDeceptor
FortiDeceptor provides Deception-based Breach Protection to deceive, expose and eliminate external and internal threats.
mbensimon
Staff
Article Id 228415
Description

This article describes how FortiDeceptor detects a ransomware attack. In a typical ransomware attack, attackers use phishing or other means to introduce malware onto a victim's computer, and the malware then spreads across the network.

Once enough systems have been compromised, the attacker triggers the malware to encrypt all infected systems, rendering the files and data on those devices inaccessible to the organization.

The attacker then attempts to extract a monetary payment from the organization in exchange for the key needed to decrypt the compromised files.

 

Cyber Deception Against Prestige:

The combination of Deception Decoys in the network, focused on the critical and sensitive segments ('crown jewels'), and Deception Tokens deployed across the real endpoints and servers will discover the ransomware attack in its reconnaissance phase.

 

1) Most of the time, the initial access vector is a phishing email or a client-side attack that injects the malware at the endpoint level.

 

2) The ransomware starts collecting data from the compromised endpoint, such as the installed security software (in order to bypass it) and the local and network drives (as targets to encrypt).

 

3) The FortiDeceptor Deception Tokens deploy a fake network drive share mapped to a network decoy that acts as a fake file server containing fake files.

 

4) In addition, the FortiDeceptor Deception Tokens deploy false information such as fake cached credentials, fake files, fake network connections, a fake MSSQL connection, and fake applications.

If the ransomware tries to collect more intelligence for lateral movement before starting its encryption activities, the other deception tokens will detect that lateral movement.

 

5) Any use of the fake data above against the network will reveal the ransomware and trigger a real-time alert, which can automate a threat mitigation response to block or isolate the infected machine.

Scope

FortiDeceptor v3.3 and above, Deception Decoys and Tokens, full network deployment.

Solution

Cyber Deception Against Any Ransomware:

 

1) Deploy server Decoys across the data center segments ('crown jewels') and the endpoint network segments.

Decoys include Windows and Linux endpoints/servers, DB servers, Web Servers, ERP, POS, and GIT.

 

2) In addition, it is possible to use your own gold image to deploy custom decoys that are identical to the environment, and to have them join the domain.

 

3) FortiDeceptor will generate a set of Deception Tokens based on the Decoy deployment, with the ability to customize them so they match the environment.

 

4) Verify that FortiDeceptor generates a deception token package with the following Deception Tokens: RDP, SMB (fake user and fake network drive), Cached Credentials, Fake Network Connection, HoneyDOCS, and fake MSSQL ODBC.

 

5) FortiDeceptor enforces the use of a real domain user (or users) for the cached credentials token, because a threat actor will check the user identity against AD before using it for lateral movement.

(Create a user with logon restrictions so it can only access the network decoys. See this link for help: https://ravingroo.com/267/active-directory-user-workstation-logon-restriction/ )

 

6) Download the Deception token package from the Decoy configuration section.

 

7) Deploy the Deception token package across the real endpoints and servers using an AD logon script.

(Remember that the Deception token package is an 'agent-less' technology. See the FortiDeceptor Admin Guide, Appendix A - Deception deployment best practices.)

 

8) To verify the Deception token package deployment, run the command 'net use' on any endpoint that is part of the domain; the mapped network drive configuration should be visible.

It is also possible to open the Windows Credential Manager and verify that the fake saved passwords exist.

 

9) FortiDeceptor will detect the ransomware the moment the ransomware starts encrypting the fake files in the fake network share.

 

10) Suppose the ransomware decides to collect more intelligence for lateral movement before the encryption phase.

In that case, the other deception decoys and tokens will detect its activities, because FortiDeceptor deploys several layers of deception in the network and does not rely on a single deception layer.

 

11) FortiDeceptor will leverage the Fortinet Security Fabric or third-party tools to execute a threat mitigation response that isolates or quarantines the infected machine.

 

12) For ransomware detection video simulation, visit this link:

https://video.fortinet.com/products/fortideceptor/3.3/fortideceptor-3-3-ransomware-detection

 

13) The logical view of the solution:

[Figure: Deception Ransomware.jpg]
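Steps 5 and 8 above can be scripted. The following PowerShell is an added example and is not FortiDeceptor's own tooling; the decoy hostnames and the fake account name are placeholders for the values in your own decoy and token configuration.

```powershell
# Added example (not FortiDeceptor's own tooling). Placeholder values: replace
# with the decoy names and the fake domain user from your token package.
$DecoyHosts = @('DECOY-FS01', 'DECOY-SQL01')   # placeholder decoy computer names
$DecoyUser  = 'svc-backup-ro'                   # placeholder fake domain account (step 5)

# Step 5, run on an admin host with the ActiveDirectory module: the cached-credential
# token must be a real AD user, so restrict where it may log on. The account is then
# only usable against the decoys, and any other use of it is a clean alert.
function New-DecoyUser {
    param([string]$Name, [string[]]$AllowedHosts)
    Import-Module ActiveDirectory
    $pw = Read-Host -AsSecureString "Password for $Name"
    New-ADUser -Name $Name -SamAccountName $Name -AccountPassword $pw -Enabled $true `
        -LogonWorkstations ($AllowedHosts -join ',')
    # Echo the restriction back so the operator can confirm it was applied
    Get-ADUser -Identity $Name -Properties LogonWorkstations |
        Select-Object SamAccountName, LogonWorkstations
}

# Step 8, run on a domain-joined endpoint: confirm the token package planted a fake
# drive mapping to a decoy (what 'net use' shows) and the fake saved credential in
# Credential Manager (what 'cmdkey /list' shows).
function Test-DeceptionTokens {
    param([string[]]$DecoyHosts, [string]$DecoyUser)
    $result = [ordered]@{ Host = $env:COMPUTERNAME; ShareMapped = $false; CredentialCached = $false }

    foreach ($m in (Get-SmbMapping -ErrorAction SilentlyContinue)) {
        foreach ($h in $DecoyHosts) {
            if ($m.RemotePath -like "\\$h\*") { $result.ShareMapped = $true }
        }
    }

    $stored = (cmdkey /list 2>$null) -join "`n"
    if ($stored -match [regex]::Escape($DecoyUser)) { $result.CredentialCached = $true }

    [pscustomobject]$result
}

# Example run on an endpoint; a non-zero exit lets a deployment job flag this host
$r = Test-DeceptionTokens -DecoyHosts $DecoyHosts -DecoyUser $DecoyUser
$r | Format-List
if (-not ($r.ShareMapped -and $r.CredentialCached)) {
    Write-Warning "Deception token package not fully deployed on $($r.Host)"
    exit 1
}
```

Run New-DecoyUser once on the domain side before generating the token package, and Test-DeceptionTokens from the logon script or a scheduled job to catch endpoints where the package did not land.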

 

FortiDeceptor is Part of the Fortinet Security Fabric:

 

FortiDeceptor is natively integrated with FortiGate, FortiNAC, FortiEDR, FortiSIEM, FortiAnalyzer, and other third-party Fabric solutions to automate the mitigation response when an attack is detected.

For example, the video below shows FortiDeceptor leveraging FortiNAC to automatically isolate/quarantine an infected machine targeted by ransomware:

https://www.youtube.com/watch?v=SfiEL7-F5Mo&t=154s
