Microsoft PowerPoint - FDC - Q2 - 19 APAC Workshopv1.0 (Compressed) .PPTX (Read-Only)


FortiDeceptor Workshop

Deceive, Expose and Eliminate Advanced Attacks using FortiDeceptor
EMEA FDC INTL CSEs

Kash Valji (London): kash@fortinet.com
Ahmad Arafat (Dubai): aarafat@fortinet.com

Regional Teams

• Escalations
• Workshop Support
• Event Support
• Live Demos
• Latest Updates

cse_fdc_intl@fortinet.com
Agenda

• FortiDeceptor Introduction
• Introduction to the Workshop and Lab Setup
• FDC Workshop Labs:
  • Initial Configuration & Initialization of Deception Network
  • Deploy Linux Deception VM & Download Linux Lures
  • Triggering Linux Shell lure and generating an alert
  • Deploy Windows Deception VMs & Download Windows Lures
  • Triggering Windows RDP lure and generating an alert
  • Triggering File Share alert
  • Understanding Campaigns & Generating a Report
• FDC v2.0: Features and Roadmap
FortiDeceptor

• Fortinet Deception Technology offering for APT
• Layered defense against advanced threat attacks
• Built from “the Fabric up” to be fully integrated

DECEPTION DETECTION DEFUSE
Why FortiDeceptor?

- Proactive early warning
- High confidence alerts
- East-west visibility
- Automated detection & response

Example of an Advanced Cyber Attack (figure: six stages)

1. Targeted Reconnaissance
2. Sophisticated Stealthy Attacks are Launched
3. Attacker Penetrates the Enterprise
4. Attacker Moves Undetected
5. Key Data is Exfiltrated
6. Attacker Objectives Accomplished

Phases: Preparation, Intrusion, Active Breach, Fallout
Deployment Workflow

1. Network Discovery
  • Sniff egress traffic to extract VLAN info
  • Support manually input VLAN or Subnet info
  • Determine event monitoring IP of each VLAN/Subnet

2. Deploy Deception VMs
  • Determine deception OS for each VLAN/Subnet
  • Determine deception VM network address mode (Static or DHCP)
  • Dynamically configure decoys on deception VMs
  • Admins can shutdown/restart/delete deception VMs

3. Generate Token & Install
  • Generate token installation package
  • Install token package on real hosts to direct attackers to deception VMs
  • Token install info is recorded on FDC for later lateral movement correlation

4. Monitor Threat Activities
  • Monitoring engine on deception VMs watches attackers’ activities:
    » Created processes
    » Network RECON
    » Modified registry/files
    » Dropped payload
    » Elevated privileges
    » Executed system commands
    » SSH, RDP login
    » HTTP/FTP access
    » etc.
  • Event alerts are sent to FDC and the Sys Admin is alarmed

5. Analyze & Correlate
  • Incidents and token deployment records are correlated to provide the attacker’s lateral movement
Isn’t it just a Honeypot?

• It is more advanced than a honeypot: you have full control and deep audit capability, which can integrate into your existing security infrastructure
• Talking of honeypots…

18-05-04 An Education In Honeypot.pptx: https://fortinet.egnyte.com/dl/hG1S6JidrD
18-05-04 An Education In Honeypot.mp4: https://fortinet.egnyte.com/dl/MeLW0xA0Y3
FortiDeceptor Snapshot
Things to know

• Base Operating Systems: Windows 7 64-bit and Ubuntu 16 (Deception Images)
• FortiDeceptor uses clones of the Base Operating Systems (Decoy VMs), with a max of 16 virtual interfaces
• Currently 4 Decoy Services: RDP and SMB for Windows, SSH and SAMBA for Ubuntu (Decoy Services)
• A Token Package is used to add breadcrumbs on real endpoints and lure an attacker to a Deception VM (Token, Breadcrumb, Lure, Fish-Hook etc.)
• Tokens are normally distributed within the real endpoints and other IT assets on the network to maximize the deception surface
• Shortcuts to Decoy Services and VMs can be installed on both Linux and Windows
• Platforms
  • FDC-1000F: 2 WIN VMs (includes 1x Win7 and 1x Win10 licenses) and 8 Linux VMs, upgradable to max 16 VMs (256 decoys)
  • FDC-VM: FortiDeceptor-VM virtual appliance with 0 VMs, upgradable to max 16 VMs (256 decoys)
Network Topology

The lab diagram shows two networks:
• Deception Network 10.1.1.X/24, default gateway 10.1.1.1: the FortiDeceptor appliances FDC-1 .. FDC-N (hosted on ESXi1 and ESXi2) and the FTP Server at 10.1.1.20
• Management Network 10.1.2.X/24, default gateway 10.1.2.1, behind the FW (Singapore VPN)

Lab Access
• VPN: SSL, 118.201.61.6:10443
• Fortinet LDAP Credentials
Workshop Connectivity
Ensure everything works before moving on

• Establish an SSL-VPN Connection to the Lab (118.201.61.6 Port 10443)
• Username and Password are your Fortinet LDAP Credentials
• All FortiDeceptor Management Interfaces can be accessed directly (https://10.1.2.<Group IP>)
• The Deception Network is also accessed directly (10.1.1.X/24)
• The FortiDeceptors have Windows and Ubuntu Images installed and licensed
• IP addresses in the Lab screenshots are for illustration purposes only; the screenshots do not necessarily reflect the IP addresses you will be using
• Just ask the CSEs if you have any questions
IP Addresses Table Allocation
Note your Group’s IP Addresses – Subnet Masks are /24

Group No. | Management Interface | FDC Deception Interface | Linux Deception VM | Windows Deception VM
1  | 10.1.2.180 | 10.1.1.180 | 10.1.1.101 | 10.1.1.111
2  | 10.1.2.182 | 10.1.1.182 | 10.1.1.102 | 10.1.1.112
3  | 10.1.2.183 | 10.1.1.183 | 10.1.1.103 | 10.1.1.113
4  | 10.1.2.184 | 10.1.1.184 | 10.1.1.104 | 10.1.1.114
5  | 10.1.2.185 | 10.1.1.185 | 10.1.1.105 | 10.1.1.115
6  | 10.1.2.186 | 10.1.1.186 | 10.1.1.106 | 10.1.1.116
7  | 10.1.2.187 | 10.1.1.187 | 10.1.1.107 | 10.1.1.117
8  | 10.1.2.188 | 10.1.1.188 | 10.1.1.108 | 10.1.1.118
9  | 10.1.2.189 | 10.1.1.189 | 10.1.1.109 | 10.1.1.119
10 | 10.1.2.190 | 10.1.1.190 | 10.1.1.130 | 10.1.1.140
11 | 10.1.2.191 | 10.1.1.191 | 10.1.1.131 | 10.1.1.141
12 | 10.1.2.192 | 10.1.1.192 | 10.1.1.132 | 10.1.1.142
13 | 10.1.2.193 | 10.1.1.193 | 10.1.1.133 | 10.1.1.143
14 | 10.1.2.194 | 10.1.1.194 | 10.1.1.134 | 10.1.1.144
15 | 10.1.2.195 | 10.1.1.195 | 10.1.1.135 | 10.1.1.145
16 | 10.1.2.196 | 10.1.1.196 | 10.1.1.136 | 10.1.1.146
17 | 10.1.2.197 | 10.1.1.187 | 10.1.1.137 | 10.1.1.147
18 | 10.1.2.199 | 10.1.1.199 | 10.1.1.139 | 10.1.1.149
Initial Configuration & Initialisation of Deception Network
FortiDeceptor Initial Configuration
Initial Parameters for FortiDeceptor Appliance

• Login to your FortiDeceptor using the Management Interface
• https://your-group-IP credentials: admin, no password.
• Make sure that you have a valid license and no Decoy Services or Deception VMs running
FDC Initial Configuration
Initial Parameters for FDC Appliance

• Update the System Time with your timezone and time (from Dashboard) and verify DNS (Network>System DNS) and the default route for the system (Network>System Routing)
• port1 is the management port, whilst port2 will be used for the Deception Network
FDC Initial Configuration
Deception Images

• Go to Deception>Deception Images and confirm that you have the Linux and Windows Images
• The Images should have “Initialized” status
FDC Initial Configuration
Monitored Network

• Go to Deception>Monitored Network>Click ‘Add New Vlan Subnet’
• Create the new interface as follows:
  • Interface: port2
  • VLAN ID: 0
  • Deception Monitor IP/Mask: your Group FDC Deception IP (from the 10.1.1.X network)
• Click Save
• Wait until the interface reports the status as ‘Initialized’ (this may take a few minutes and you will have to refresh the GUI)
Deploy Linux Deception VM & Download Linux Lures
Deploy Linux Deception VM
Deploying Decoy Services

• Go to Deception>Deploy Wizard>Click the ‘+’ button.
• Configure as follows:
  • Name: Linux_ssh_samba
  • Available VMs: ubuntu16v1
• Add an SSH Decoy Service with the following settings:
  • Username: localuser
  • Password: fortinet
• Click ‘Update’.
• On the same page (further down), add a SAMBA Decoy Service with the following settings:
  • Username: cfo
  • Password: fortinet
  • Share name: finance
• Click ‘Update’
• Ensure ‘Launch Immediately’ is ticked
• At the bottom of the screen, click Next
Deploy Linux Deception VM
Decoy VM Network

• Under Set Network Configuration:
  • Change the Hostname to: FinanceServer
  • Set the DNS: 8.8.8.8
• Click ‘+ Add Interface’.
• On Deploy Interface: select port2:subnet 10.1.1.X
• Once selected, set the details as:
  • Addressing Mode: Static
  • Gateway: 10.1.1.1
  • IP Count: 1
  • IP Ranges: your Group Linux Deception VM IP
• Click ‘Done’
Deploy Linux Deception VM
Deploy Decoy VM

• Verify the Network Settings of the Deployed VM
• If you wish to save this configuration, you can click on ‘Template’
• If everything looks OK, click ‘Deploy’
Deploy Linux Deception VM
Monitored Network

• FDC will start to deploy the Linux VM with the configured parameters. The status will be ‘Initializing’
• Click ‘Refresh’ intermittently until the Status changes to ‘Running’
Deploy Linux Deception VM
Monitored Network

• After VM Initialization, hover your mouse pointer over the ‘Action’ icons to display the values
• Only click on ‘View Details’

Action Explanation
- View Detail: view the VM configuration (see the figure)
- Stop: stop the VM temporarily
- Delete: delete the VM
- Download: download the tokens package of the VM
- Attack Test: launch a test attack against the deception VM so that it appears in the alerts
Deploy Linux Deception VM
Dashboard Settings

• Go back to the Dashboard
• Locate the widget “Decoy Service Distribution”. Make sure that you have two decoys, SSH and SAMBA
• Locate the widget “Deception VM Distribution” and make sure that you have Linux Ubuntu as the deception VM
Deploy Linux Deception VM
Deception Status

• Go to Deception>Deception Map
• Verify that you have the Linux VM and its Deception Service icons
• Click on each icon to view its details
• Click on the VM icon to get the VM Configuration
Deploy Linux Deception VM
Tokens/Lures/Breadcrumbs/Fish-Hooks etc.

• Go to Deception>Deception Status>Select the Linux VM>Click ‘Download Package’
• Save the package and extract the content
Deploy Linux Deception VM
Understanding Lures

• Verify that the package contains installers for both Windows and Linux
• Open README.txt for both Ubuntu and Windows and identify which lures will be installed and where
Linux Lure Installation
Linux Lure Installation

• Installing the Linux Lure is optional (and of course requires Linux or MacOS)
• If you do not install the Lure, you can still access the SSH Deception directly rather than using the hidden shortcut that the lure creates
• You will require an SSH-capable client to access the SSH Lure
Deploy Linux Deception VM
Optional: Installing the Lure – SSH – Linux

• On your Linux/MacOS laptop go to <package download location>/FDC_TokenPKG_**/ubuntu/ and enter sudo python ubuntu_token.py. This will install the lure (example below)
• Verify that the new connection was added under ~/.ssh/config
• You need to find the host details of ‘localuser_10_1_1_X’. X = last octet of your Group Deception Linux VM IP address
Accessing the SSH Linux Lures and Decoy Services
Decoy Service Access
Access Lures – SSH – Linux

• To access the SSH Deception Service via the Lure (using the SSH shortcut) enter
  ssh local_10_1_1_X, password: fortinet
• To access the Deception Service directly enter
  ssh localuser@10.1.1.X, password: fortinet
• Once you are on the Deception VM, issue the following commands in sequence:
  whoami
  pwd
  wget http://2016.eicar.org/download/eicar.com
  find / -name '*.jpg'
  cd /var/www/html
  ftp 10.1.1.20
  credentials: ftpuser/fortinet
  put plant.jpg
  exit
  exit
Decoy Service Access
Incident

• Go to the Dashboard. Have a look at the ‘Incidents and Events Distribution’ widget.
• Verify that you have 1 incident (outer circle) and events (inner circle) of different types.
• Notice that you have started to see incidents in the ‘Incidents & Events Count’ widget.
Decoy Service Access
Incident

• Go to Incident>Attack Map. Verify there is an attack from 10.1.1.1 (this is the NAT’d IP address of your PC)
• Click on the ‘Victim’; on the pop-up window, click on ‘VIEW INCIDENT’. You will be redirected to Incident>Analysis
Decoy Service Access
Incident

• Verify that you see all the actions/commands executed on the deception VM.
• Note that actions are ordered by time; all actions are grouped under a single incident.
Decoy Service Access
SSH Incident

• In the same page, click on ‘Table’ view.
• This view displays all actions in tabular format as a summary of the commands in sequence.
Accessing the SAMBA Linux Lures and Decoy Services
Decoy Service Access
SAMBA Access

• If you have the Linux Lure, verify that the SAMBA lure is installed in the ~/Documents folder on your Linux/MacOS
• Have a look at the symbolic link of the samba lure; notice the username and password configured in the SAMBA Deception Service
• Either using the Lure shortcut or a SAMBA browser, connect to the SAMBA Deception Service
Decoy Service Access
SAMBA Incident

• Go to Deception>Analysis. Verify the new incident details and its associated events
• Verify the user name recorded in the incident that was used to access the shared folder.
Decoy Service Access
Attack Map

• Go to Incident>Attack Map. Have a look at the new attack reported from the new attacker
• NOTE: the attack map can differ from one case to another. In the screenshot, the SAMBA attack has been launched from a different source (IP address)
Deploy Linux Deception VM
Tokens

• Go to Incident>Deception Map. Click on the tokens to have a look at the token details used to trigger the attack.
  • EPIP: Endpoint IP address.
  • EPNAME: Endpoint Machine Name.
  • EPOS: Endpoint OS.
Linux Deception VM Labs Complete

• This completes the Linux Deception Labs; please make sure you stop the Linux Decoy VM before moving on
Deploy Windows Deception VM & Download Windows Lures
Deploy Windows Deception VM
Deploying VM

• Go to Deception>Deploy Wizard>Click the ‘+’ button
• Set the config as:
  • Name: windows_rdp_smb
  • Available VMs: Win7x86v1
• On RDP: add a decoy as:
  • Username: ahmad
  • Password: fortinet
• Click ‘Update’.
• On SAMBA: add a decoy as:
  • Username: kash
  • Password: fortinet
  • Share name: private
• Click ‘Update’.
• Click Next
Deploy Windows VM
Deploying VM

• On Deploy Wizard, set:
  • Hostname: IT_Server
  • DNS: 8.8.8.8
• Click ‘+ Add Interface’.
• On Deploy Interface: select port2:subnet 10.1.1.X
• Once selected, set the details as:
  • Addressing Mode: Static
  • Gateway: 10.1.1.1
  • IP Count: 1
  • IP Ranges: your Group Windows Deception VM IP
• Click ‘Done’
Deploy Windows Deception VM
Deploying VM

• Verify the details of the Deployed VM
• If you want to save the previous configuration, you can click on ‘Template’ to save it as a template to be used later for other segments/deployments
• Click ‘Deploy’
Deploy Windows Deception VM
Monitored Network

• FortiDeceptor will start to deploy the Windows VM with the configured parameters. The status will be ‘Initializing’.
• Click ‘Refresh’ intermittently until the Status changes to ‘Running’ (this may take a few minutes)
Deploy Windows Deception VM
Monitored Network

• After VM Initialization, hover your mouse pointer over the ‘Action’ icons to display the values (the Action Explanation is the same as for the Linux VM)
• Only click on ‘View Details’
Deploy Windows Deception VM
Deploying VM

• Go back to the Dashboard
• Locate the widget “Decoy Service Distribution”. Make sure that you now have four decoys: SSH, SAMBA, RDP and SMB
• Locate the widget “Deception VM Distribution” and make sure that you have Linux Ubuntu and Windows as deception VMs
Deploy Windows Deception VM
Deception Status

• Go to Deception>Deception Map
• Verify that you have the Windows VM and its Deception Service icons
• Click on each icon to get its details.
• Click on the VM icon to get the VM Configuration.
Deploy Windows Deception VM
Lures

• Go to Deception>Deception Status>Select the Windows VM>Click ‘Download Package’
• Save the package and extract the content
Deploy Windows Deception VM
Lures

• Verify that the package contains installers for both Windows and Linux.
• Open README.txt for both Ubuntu and Windows and identify where the lures would be created.
Deploy Windows Deception VM
Optional: Installing Windows Lures

• Open the CLI and run the installer “windows_token.exe”. The installer output is shown in the window so you can see where the lures have been installed
• Try to find the RDP and SMB Lure files on your computer. Hint: the files are hidden
RDP Windows Lures
Deploy Windows Deception VM
Access Lures – RDP – Windows

• If you installed the Lure, access the RDP Deception Service by running the hidden .rdp file the lure created
• Alternatively, you can access the RDP Deception Service directly
• Once connected, follow this sequence:
  • Open Windows Explorer
  • Run calculator
  • Run chrome
  • Run regedit
  • Close the session
Deploy Windows Deception VM
Incident

• Go to the Dashboard. Have a look at the ‘Incidents and Events Distribution’ widget
• Verify that you have a new incident (total 3) (outer circle) and events (inner circle) of different types
• Notice that the new incident appears in the ‘Incidents & Events Count’ widget
Deploy Windows Deception VM
Incident

• Go to Incident>Attack Map. Verify there is a new attack from the same attacker source (this can be the NAT’d IP address, 10.1.1.1 in the diagram).
• Click on the ‘Victim’; on the pop-up window, click on ‘VIEW INCIDENT’. You will be redirected to Incident>Analysis.
Deploy Windows Deception VM
RDP Incident

• Verify that you see all the actions executed on the deception VM.
• Note that actions are ordered by time; all actions are grouped under a single incident.
• In the same page, click on ‘Table’ view.
• This view displays all actions in tabular format as a summary of the commands in sequence.
Accessing the SMB Windows Lures and Decoy Services
Access Windows Decoy Services
SMB Access

• If you installed the Lure, verify that the SMB lure is installed in the user’s ‘Documents’ folder
• Access the shared folder directly from your OS
• Credentials: kash/fortinet
• Open the ‘Private’ folder. Pick a file and copy it locally, then close the window
Access Windows Decoy Services
Dashboard

• Go to the Dashboard. Have a look at the ‘Incidents and Events Distribution’ widget
• Verify that you have a new incident (outer circle) and events (inner circle) of different types
• Notice that the new incident appears in the ‘Incidents & Events Count’ widget
Access Windows Decoy Services
SMB Analysis

• Go to Deception>Analysis. Verify the new incident details and its associated events.
• Verify the user name recorded in the incident that was used to access the shared folder. It should be ‘kash’.
Access Windows Decoy Services
Attack Map

• Go to Incident>Attack Map. Have a look at the new attack reported from the new attacker
• NOTE: the attack map can differ from one case to another. In the figure, the SAMBA attack has been launched from a different source (IP address)
Campaigns
Campaigns
Summary

• Go to Incident>Campaign. Have a look at the details of the information provided
• All incidents that are correlated form a Campaign
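The grouping that the Analysis and Campaign pages perform, as an added example that is not part of the workshop material or of FortiDeceptor’s own code: constructed decoy events are ordered by time and grouped into one incident per attacker, decoy and service, and incidents that share an attacker IP are correlated into a campaign. The log format, the 30-minute idle gap and the correlation key are assumptions made for the example.

```python
from collections import defaultdict
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Constructed decoy telemetry (not real FortiDeceptor output): timestamp, attacker IP, decoy IP, service, action.
RAW_LOG = """\
2019-06-12T10:01:05 10.1.1.1 10.1.1.101 ssh login as localuser
2019-06-12T10:01:20 10.1.1.1 10.1.1.101 ssh whoami
2019-06-12T10:01:32 10.1.1.1 10.1.1.101 ssh wget http://2016.eicar.org/download/eicar.com
2019-06-12T10:02:10 10.1.1.1 10.1.1.101 ssh find / -name '*.jpg'
2019-06-12T10:15:02 10.1.1.9 10.1.1.101 samba open share finance as cfo
2019-06-12T10:31:44 10.1.1.1 10.1.1.111 rdp login as ahmad
2019-06-12T10:32:05 10.1.1.1 10.1.1.111 rdp run regedit.exe
2019-06-12T12:40:00 10.1.1.1 10.1.1.101 ssh login as localuser
"""

IDLE_GAP = timedelta(minutes=30)  # assumed: a longer pause opens a new incident


@dataclass
class Event:
    ts: datetime
    attacker: str
    decoy: str
    service: str
    action: str


@dataclass
class Incident:
    attacker: str
    decoy: str
    service: str
    events: list = field(default_factory=list)


def parse_log(text):
    """Parse the constructed log into Event objects, oldest first."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, attacker, decoy, service, action = line.split(" ", 4)
        events.append(Event(datetime.fromisoformat(ts), attacker, decoy, service, action))
    return sorted(events, key=lambda e: e.ts)


def build_incidents(events):
    """One incident per attacker/decoy/service, split when the idle gap is exceeded."""
    incidents, open_by_key = [], {}
    for ev in events:
        key = (ev.attacker, ev.decoy, ev.service)
        cur = open_by_key.get(key)
        if cur is None or ev.ts - cur.events[-1].ts > IDLE_GAP:
            cur = Incident(ev.attacker, ev.decoy, ev.service)
            incidents.append(cur)
            open_by_key[key] = cur
        cur.events.append(ev)  # events stay in time order inside the incident
    return incidents


def build_campaigns(incidents):
    """Correlate incidents by attacker IP (assumed correlation key) into campaigns."""
    campaigns = defaultdict(list)
    for inc in incidents:
        campaigns[inc.attacker].append(inc)
    return dict(campaigns)


if __name__ == "__main__":
    incs = build_incidents(parse_log(RAW_LOG))
    for attacker, group in build_campaigns(incs).items():
        print(attacker, [(i.decoy, i.service, len(i.events)) for i in group])
```

The second SSH login at 12:40 falls outside the idle gap and therefore becomes its own incident, while still belonging to the same campaign as the earlier SSH and RDP activity from 10.1.1.1.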
Campaigns
Summary

• On the same campaign page, click ‘Export to PDF’
• Click Save File
• Open the PDF file to see the detailed incident information
End of Labs
For any inquiries or suggestions…

Kash Valji: kash@Fortinet.com
Ahmad Arafat: aarafat@Fortinet.com
FortiDeceptor v2
FortiDeceptor 2.0
FortiGate Security Fabric Integration

What is it?
• Integration with the FortiGate Security Fabric allows auto-quarantine of attackers’ IPs using the FortiGate REST API
• Blocking: configure FortiGate integration settings such as alias name, IP, login user name, password, expiry time in seconds (quarantine time) and VDOM
• Fabric Status: this view shows the status of attackers quarantined by the integrated FortiGate (under banned IP)

What is the main Use Case?
• An attacker triggers Decoys and the source IP address(es) are stored in FortiDeceptor; FortiDeceptor notifies FortiGate to quarantine the IP address for further inspection and to stop further damage / penetration
• Can be applied to insider as well as outsider attacks
FortiDeceptor 2.0
AntiRecon and Anti-Exploit Service (ARAE)

What is it?
• New service available from FortiGuard that enables IPS, AV and URL analysis of attacker traffic in and out of the Deception VMs
• New Top IPS widget to display attacks

What is the main use case?
• Track attackers and analyse attacker payloads: traffic, files dropped, URLs visited

Prerequisites:
• New SKU: FortiDeceptor Anti-Reconnaissance & Anti-Exploit Service (ARAE)
  • FC-10-FDC1K-291-02-DD for FDC-1000F
  • FCx-10-FDCVM-291-02-DD for FDC-VM
FortiDeceptor 2.0
ARAE – IPS, AV and URL analysis
Incident Analysis: download of PCAP file from Incident

- Display IPS and web activities to/from Decoys from the attacker
- IPS and URL inspection results can be viewed under Incident >> Analysis
- Ability to download PCAP files for further analysis
FortiDeceptor 2.0
Enhanced Attack Map

• With v2.0 the animated attack map was upgraded to provide the following new functionalities:
  • Multiple filter arguments support
  • Timeline search support by moving the timestamp indicator
  • Saving snapshots of node locations and filter settings

• What is the use case for this?
  • Demonstrate the attacker’s activity
FortiDeceptor 2.1
SCADA OT VM

• Siemens S7, Triconex honeypot, and a GasPot simulator
FortiDeceptor - Medium to Long Term Roadmap

• V2.1 (Q3 2019):
  • System: admin profile granularity
  • SCADA / IoT decoys
  • Custom OS image for Decoys
  • Win 10 support
  • FDC-3000F release, new hardware

• Long term (open to feedback):
  • FSA integration for payload analysis
  • FAZ / SIEM native integration