Microsoft PowerPoint - FDC - Q2 - 19 APAC Workshopv1.0 (Compressed) .PPTX (Read-Only)
EMEA FDC INTL CSEs
Kash Ahmad
kash@fortinet.com, aarafat@fortinet.com
London, Dubai
Regional Teams
• Escalations
• Workshop Support
• Event Support
• Live Demos
• Latest Updates
cse_fdc_intl@fortinet.com
Agenda
• FortiDeceptor Introduction
Why FortiDeceptor?
- Proactive early warning
- High confidence alerts
- East-west visibility
- Automated detection & response
Example of an Advanced Cyber Attack (six stages, left to right in the diagram)
1. Targeted Reconnaissance
2. Sophisticated Attacks are Launched
3. Attack Stealthily Penetrates the Enterprise
4. Attacker Moves Undetected
5. Key Data is Exfiltrated
6. Attacker Objectives Accomplished
Deployment Workflow (five stages, left to right in the diagram)
1. Network discovery
- Sniff egress traffic to extract VLAN info
- Support manually input VLAN or Subnet info
- Determine event monitoring IP of each VLAN/Subnet
2. Deception VM planning
- Determine deception OS for each VLAN/Subnet
- Determine deception VM network address mode (Static or DHCP)
- Dynamically configure decoys on deception VMs
- Admins can shutdown/restart/delete deception VMs
3. Token (lure) deployment
- Generate token installation package
- Install token package on real hosts to direct attackers to deception VMs
- Token install info is recorded on FDC for later lateral movement correlation
4. Monitoring
- Monitoring engine on deception VMs watches attackers’ activities:
» Created processes
» Network RECON
» Modified registry/files
» Dropped payload
» Elevated privileges
» Executed system commands
» SSH, RDP login
» HTTP/FTP access
» etc.
5. Correlation
- Incidents and token deployment records are correlated to provide the attacker’s lateral movement
Isn’t it just a Honeypot?
• It is more advanced than a honeypot: you have full control and a deep audit capability that can integrate into your existing security infrastructure
• Talking of Honeypots…
Lab topology (diagram): ESXi1 and ESXi2 hosts behind a firewall (FW); Management Network, default gateway 10.1.2.1; Deception Network, default gateway 10.1.1.1; FTP Server; Singapore VPN; 10.1.1.20
Lab Access
VPN: SSL, 118.201.61.6:10443
Fortinet LDAP Credentials
Workshop Connectivity
Ensure everything works before moving on
IP Addresses Table Allocation
Note your Group’s IP Addresses – Subnet Masks are /24 (allocation table not reproduced in this text)
Initial Configuration & Initialisation of Deception Network
FortiDeceptor Initial Configuration
Initial Parameters for FortiDeceptor Appliance
• Make sure that you have a valid license and no Decoy Services or Deception VMs running
FDC Initial Configuration
Initial Parameters for FDC Appliance
• Update the System Time with your timezone and time (from the Dashboard) and verify DNS (Network>System DNS) and the default route for the system (Network>System Routing)
• port1 is the management port, whilst port2 will be used for the Deception Network
FDC Initial Configuration
Deception Images
• Go to Deception>Deception Images, confirm that you have the Linux and Windows Images
• The Images should have “Initialized” status
FDC Initial Configuration
Monitored Network
• Go to Deception>Monitored Network and click ‘Add New Vlan Subnet’
• Create a new interface as follows:
  • Interface: port2
  • VLAN ID: 0
  • Deception Monitor IP/Mask: your Group’s FDC Deception IP, which should be on the 10.1.1.X network
• Click Save
• Wait until the interface reports the status as ‘Initialized’ (this may take a few minutes and you will have to refresh the GUI)
Deploy Linux Deception VM & Download Linux Lures
Deploy Linux Deception VM
Deploying Decoy Services
• Go to Deception>Deploy Wizard and click the ‘+’ button.
• Configure as follows:
  • Name: Linux_ssh_samba
  • Available VMs: ubuntu16v1
• Add an SSH Decoy Service with the following settings:
  • Username: localuser
  • Password: fortinet
• Click ‘Update’.
• On the same page (further down) add a SAMBA Decoy Service with the following settings:
  • Username: cfo
  • Password: fortinet
  • Share name: finance
• Click ‘Update’
• Click ‘Done’
Deploy Linux Deception VM
Deploy Decoy VM
• Verify the Network Settings of the Deployed VM
• If you wish to save this configuration, you can click on ‘Template’
• If everything looks ok, click ‘Deploy’
Deploy Linux Deception VM
Monitored Network
• FDC will start to deploy the Linux VM with the configured parameters. The status will be ‘Initializing’
• Click ‘Refresh’ intermittently until the Status changes to ‘Running’
Deploy Linux Deception VM
Monitored Network
• After VM Initialization, hover your mouse pointer over the ‘Action’ icons to display the values
• Only click on ‘View Details’
Action Explanation
- View Detail: view the VM configuration. Please see the figure
- Stop: stop the VM temporarily
- Delete: delete the VM
- Download: download the tokens package of the VM
- Attack Test: launch a test attack against the deception VM so that it shows up in the alerts
Deploy Linux Deception VM
Dashboard Settings
• Go back to the Dashboard
• Locate the widget “Decoy Service Distribution”. Make sure that you have two decoys, SSH and SAMBA
• Locate the widget “Deception VM Distribution” and make sure that you have Linux Ubuntu as the deception VM
Deploy Linux Deception VM
Deception Status
• Go to Deception>Deception Map
• Verify that you have the Linux VM and its Deception Service Icons
• Click on each Icon to view its details
• Click on the VM icon to get the VM Configuration
Deploy Linux Deception VM
Tokens/Lures/Breadcrumbs/Fish-Hooks etc. etc.
Deploy Linux Deception VM
Understanding Lures
Deploy Linux Deception VM
Optional: Installing the Lure – SSH - Linux
• On your Linux/macOS laptop, go to <package download location>/FDC_TokenPKG_**/ubuntu/ and run:
sudo python ubuntu_token.py
This installs the lure; an example of the output is shown below
Accessing the SSH Linux Lures and Decoy Services
Decoy Service Access
Access Lures – SSH - Linux
• To access the SSH Deception Service via the Lure (using the SSH shortcut) enter:
ssh local_10_1_1_X, password: fortinet
Decoy Service Access
Incident
• Go to the Dashboard. Have a look at the ‘Incidents and Events Distribution’ widget.
• Verify that you have 1 incident (outer circle) and events (inner circle) of different types.
• Notice that you have started to see incidents in the ‘Incidents & Events Count’ widget.
Decoy Service Access
Incident
• Go to Incident>Attack Map. Verify there is an attack from 10.1.1.1 (this is the NAT’d IP address of your PC)
• Click on the ‘Victim’; in the pop-up window, click on ‘VIEW INCIDENT’. You will be redirected to Incident>Analysis
Decoy Service Access
Incident
• Verify that you see all the actions/commands executed on the deception VM.
• Note that actions are ordered by time and all actions are grouped into a single incident.
Decoy Service Access
Incident
Decoy Service Access
SSH Incident
Accessing the SAMBA Linux Lures and Decoy Services
Decoy Service Access
SAMBA Access
• If you have the Linux Lure, verify that the SAMBA lure is installed in the ~/Documents folder on your Linux/macOS
• Have a look at the symbolic link of the samba lure; notice the username and password configured in the SAMBA Deception Service
• Either using the Lure shortcut or a SAMBA browser, connect to the SAMBA Deception Service
Decoy Service Access
SAMBA Incident
• Go to Deception>Analysis. Verify the new incident details and its associated events
• Verify the user name recorded in the incident that was used to access the shared folder.
Decoy Service Access
Attack Map
• Go to Incident>Attack Map. Have a look at the new attack reported from the new attacker
• NOTE: the attack map can differ from one case to another. In the screenshot, the SAMBA attack has been launched from a different source (IP address)
Deploy Linux Deception VM
Tokens
• Go to Incident>Deception Map. Click on the tokens to have a look at the details of the token used to trigger the attack.
• EPIP: Endpoint IP address.
• EPNAME: Endpoint Machine Name.
• EPOS: Endpoint OS.
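The token fields above (EPIP, EPNAME, EPOS) and the earlier note that incident actions are ordered by time and grouped into a single incident can be shown together in code. The following is an added example, not FortiDeceptor’s own code or event format: it parses constructed decoy event lines, groups them into per-attacker incidents (splitting on a 30-minute inactivity gap, which is this example’s assumption rather than FDC’s documented rule), attaches the constructed token-install record of a lured endpoint to the incident that came from it, and computes the incident/event counts the Dashboard widget reports. Names such as DecoyEvent, correlate and TOKEN_RECORDS are this example’s own.

```python
"""Correlating decoy events into incidents (added example, not FDC code).

Decoy services (SSH, SAMBA, RDP, SMB) emit events; here they are grouped
into incidents per attacker source, kept time-ordered, and tied to the
token-install record (EPIP/EPNAME/EPOS) of any lured endpoint the
connection came from.  All records below are constructed.
"""
import re
from collections import Counter
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Tuple

# Constructed event lines in a simple key=value layout (not FDC's export
# format): timestamp, attacker source IP, decoy VM, service, kind, detail.
# Deliberately out of order to show that correlation sorts by time.
SAMPLE_EVENTS = """\
2019-05-20T10:00:30 src=10.1.1.1 decoy=Linux_ssh_samba svc=SSH kind=command detail=whoami
2019-05-20T10:00:00 src=10.1.1.1 decoy=Linux_ssh_samba svc=SSH kind=login detail=localuser
2019-05-20T10:20:05 src=10.1.1.15 decoy=Linux_ssh_samba svc=SAMBA kind=file_access detail=finance/budget.xlsx
2019-05-20T10:01:10 src=10.1.1.1 decoy=Linux_ssh_samba svc=SSH kind=command detail=ls /home
2019-05-20T10:20:00 src=10.1.1.15 decoy=Linux_ssh_samba svc=SAMBA kind=login detail=cfo
2019-05-20T13:00:00 src=10.1.1.1 decoy=windows_rdp_smb svc=RDP kind=login detail=ahmad
2019-05-20T13:00:40 src=10.1.1.1 decoy=windows_rdp_smb svc=RDP kind=process detail=calc.exe
"""

# Constructed token-install records keyed by endpoint IP (EPIP); EPNAME and
# EPOS mirror the token fields shown on the Deception Map.
TOKEN_RECORDS: Dict[str, Dict[str, str]] = {
    "10.1.1.15": {"EPNAME": "ws-cfo-01", "EPOS": "Windows 7"},
}

LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) decoy=(?P<decoy>\S+) "
    r"svc=(?P<svc>\S+) kind=(?P<kind>\S+) detail=(?P<detail>.*)$"
)


@dataclass(frozen=True)
class DecoyEvent:
    ts: datetime
    src: str      # attacker source as seen by the decoy (may be a NAT address)
    decoy: str    # deception VM name
    svc: str      # decoy service: SSH, SAMBA, RDP, SMB
    kind: str     # login, command, file_access, process, ...
    detail: str


@dataclass
class Incident:
    attacker: str
    events: List[DecoyEvent] = field(default_factory=list)
    token: Optional[Dict[str, str]] = None  # EPIP/EPNAME/EPOS of the lured host, if any

    @property
    def start(self) -> datetime:
        return self.events[0].ts

    @property
    def end(self) -> datetime:
        return self.events[-1].ts

    @property
    def services(self) -> set:
        return {e.svc for e in self.events}


def parse_events(text: str) -> List[DecoyEvent]:
    """Parse the constructed key=value lines into DecoyEvent records."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if m is None:
            raise ValueError(f"unparseable event line: {line!r}")
        events.append(DecoyEvent(
            ts=datetime.fromisoformat(m["ts"]), src=m["src"], decoy=m["decoy"],
            svc=m["svc"], kind=m["kind"], detail=m["detail"]))
    return events


def correlate(events: List[DecoyEvent], gap: timedelta = timedelta(minutes=30),
              tokens: Dict[str, Dict[str, str]] = TOKEN_RECORDS) -> List[Incident]:
    """Group time-ordered events into incidents, one per attacker source.

    A new incident starts when a source has been quiet for longer than
    `gap` (this example's assumption, not FDC's documented logic).  If the
    source IP matches an endpoint where a token package was installed, the
    token record is attached: the attacker reached the decoy by following a
    lure, i.e. lateral movement from that host.
    """
    incidents: List[Incident] = []
    open_by_src: Dict[str, Incident] = {}
    for ev in sorted(events, key=lambda e: e.ts):
        current = open_by_src.get(ev.src)
        if current is None or ev.ts - current.end > gap:
            current = Incident(attacker=ev.src)
            if ev.src in tokens:
                current.token = {"EPIP": ev.src, **tokens[ev.src]}
            incidents.append(current)
            open_by_src[ev.src] = current
        current.events.append(ev)
    return incidents


def incidents_and_events_distribution(incidents: List[Incident]) -> Tuple[int, Dict[str, int]]:
    """The Dashboard widget's numbers: incident count (outer ring) and
    events broken down by kind (inner ring)."""
    by_kind = Counter(e.kind for inc in incidents for e in inc.events)
    return len(incidents), dict(by_kind)


if __name__ == "__main__":
    found = correlate(parse_events(SAMPLE_EVENTS))
    for inc in found:
        src = inc.attacker + (f" (lure host {inc.token['EPNAME']})" if inc.token else "")
        print(f"Incident from {src}: {sorted(inc.services)} {inc.start:%H:%M:%S}-{inc.end:%H:%M:%S}")
        for e in inc.events:
            print(f"  {e.ts:%H:%M:%S} {e.svc:5} {e.kind:11} {e.detail}")
    print("Incidents/events distribution:", incidents_and_events_distribution(found))
```

Run as a script it lists three incidents: the SSH session from 10.1.1.1, the SAMBA access from 10.1.1.15 (carrying the ws-cfo-01 token record, which is what the lab’s lateral movement correlation is built on), and a separate RDP incident from 10.1.1.1 because more than 30 minutes passed. The second source differing from the first matches the note on the Attack Map slides that the SAMBA attack may appear from a different IP address.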
Linux Deception VM Labs Complete
• This completes the Linux Deception Labs; please make sure you stop the Linux Decoy VM before moving on
Deploy Windows Deception VM & Download Windows Lures
Deploy Windows Deception VM
Deploying VM
• Go to Deception>Deploy Wizard and click the ‘+’ button
• Set the config as:
  • Name: windows_rdp_smb
  • Available VMs: Win7x86v1
• On RDP, add a decoy as:
  • Username: ahmad
  • Password: fortinet
• Click ‘Update’.
• On SAMBA, add a decoy as:
  • Username: kash
  • Password: fortinet
  • Share name: private
• Click ‘Update’.
• Click Next
Deploy Windows VM
Deploying VM
• On Deploy Wizard, set:
• Hostname: IT_Server
• DNS: 8.8.8.8
• Click ‘Done’
Deploy Windows Deception VM
Deploying VM
• Verify the details of the Deployed VM
• If you want to save the previous configuration, you can click on ‘Template’ to save it as a template for later use on other segments/deployments
• Click ‘Deploy’
Deploy Windows Deception VM
Monitored Network
• FortiDeceptor will start to deploy the Windows VM with the configured parameters. The status will be ‘Initializing’.
• Click ‘Refresh’ intermittently until the Status changes to ‘Running’ (this may take a few minutes)
Deploy Windows Deception VM
Monitored Network
• After VM Initialization, hover your mouse pointer over the ‘Action’ icons to display the values
• Only click on ‘View Details’
Action Explanation
- View Detail: view the VM configuration. Please see the figure
- Stop: stop the VM temporarily
- Delete: delete the VM
- Download: download the tokens package of the VM
- Attack Test: launch a test attack against the deception VM so that it shows up in the alerts
Deploy Windows Deception VM
Deploying VM
• Go back to the Dashboard
• Locate the widget “Decoy Service Distribution”. Make sure that you now have four decoys: SSH, SAMBA, RDP and SMB
• Locate the widget “Deception VM Distribution” and make sure that you have Linux Ubuntu and Windows as deception VMs
Deploy Windows Deception VM
Deception Status
• Go to Deception>Deception Map
• Verify that you have the Windows VM and its Deception Service icons
• Click on each icon to get its details.
• Click on the VM icon to get the VM Configuration.
Deploy Windows Deception VM
Lures
Deploy Windows Deception VM
Lures
• Open the CLI and run the installer “windows_token.exe”. The installer’s output is shown in the window, so you can see where the lures have been installed
• Try to find the RDP and SMB Lure files on your computer. Hint: the files are hidden
RDP Windows Lures
Deploy Linux Deception VM
Access Lures – RDP - Windows
• If you installed the Lure, access the RDP Deception service by running the .rdp file in the Hidden
• Alternatively, you can access the RDP Deception Service directly
• Once connected, follow this sequence:
  • Open Windows Explorer
  • Run calculator
  • Run chrome
  • Run regedit
  • Close the session
Deploy Windows Deception VM
Incident
• Go to the Dashboard. Have a look at the ‘Incidents and Events Distribution’ widget
• Verify that you have a new incident (3 in total; outer circle) and events (inner circle) of different types
• Notice that the new incidents appear in the ‘Incidents & Events Count’ widget
Deploy Windows Deception VM
Incident
• Go to Incident->Attack Map. Verify there is a new attack from the same attacker source (this can be the NAT’d IP address, 10.1.1.1 in the diagram).
• Click on the ‘Victim’; in the pop-up window, click on ‘VIEW INCIDENT’. You will be redirected to Incident->Analysis.
Deploy Windows Deception VM
RDP-Incident
• Verify that you see all the actions executed on the deception VM.
• Note that actions are ordered by time and all actions are grouped into a single incident.
Deploy Windows Deception VM
RDP-Incident
Accessing the SMB Windows Lures and Decoy Services
Access Windows Decoy Services
SMB Access
• If you installed the Lure, verify that the SMB lure is installed in the user’s ‘Documents’ folder
• Access the shared folder directly from your OS
• Credentials: kash/fortinet
• Open the ‘Private’ folder, pick a file and copy it locally, then close the window
Access Windows Decoy Services
Dashboard
• Go to the Dashboard. Have a look at the ‘Incidents and Events Distribution’ widget
• Verify that you have a new incident (outer circle) and events (inner circle) of different types
• Notice that the new incidents appear in the ‘Incidents & Events Count’ widget
Access Windows Decoy Services
SMB Analysis
• Go to Deception -> Analysis. Verify the new incident details and its associated events.
• Verify the user name recorded in the incident that was used to access the shared folder. It should be ‘kash’.
Access Windows Decoy Services
Attack Map
• Go to Incident -> Attack Map. Have a look at the new attack reported from the new attacker
• NOTE: the attack map can differ from one case to another. In the figure, the SAMBA attack has been launched from a different source (IP address)
Campaigns
Campaigns
Summary
• Go to Incident->Campaign. Have a look at the details of the information provided
Campaigns
Summary
FortiDeceptor 2.0
AntiRecon and Anti-Exploit Service (ARAE)
What is it?
• Prerequisites:
- IPS and URL inspection; results can be viewed under Incident >> Analysis
FortiDeceptor 2.0
Enhanced Attack Map
FortiDeceptor 2.1
SCADA OT VM
FortiDeceptor 2.0
Enhanced Attack Map
FortiDeceptor - Medium to Long Term Roadmap