FortiDeceptor – Deploy Decoy VM

Deploy Decoy VM

Use the Deception pages allows you to deploy Decoy VMs on your network. When a hacker gains unauthorized access to Decoy VMs, their movements can be monitored to understand how they attack the network.

Apart from the default decoy Windows, Linux, or SCADA OS images, FortiDeceptor supports custom OS images with a purchased subscription service. You can upload your custom ISO images and install the FortiDeceptor Toolkit on the image. For instructions, click the Help icon in the toolbar and select Customization.

To use FortiDeceptor to monitor the network:

  • Go to Deception > Deception OS to check the Deception OS available. See View available Deception OS on page
  1. 9. l Go to Deception > Deployment Network to auto-detect or specify the network where the Decoy VMs are deployed.
  • Go to Deception > Deployment Wizard to deploy the Decoy VM on the network.
  • Go to Deception > Decoy & Lure Status to start or stop deployed Decoy VMs, or download the FortiDeceptor Token Package to manually install on computers. l Go to Deception > Decoy Map to see the network of Decoy VMs.
  • Go to Deception > Whitelist to specify the network that is to be considered safe. This is useful if the administrator wants to log into the deployment network and not be flagged as an attacker.

View available Deception OS

The Deception > Deception OS page lists the deception OSes available for creating Decoy VMs.

Column   Description
Delete   Delete a custom OS that you have applied.
Status   Status of the Deception OS.
Name   Name of the Deception OS.
OS Type   Operating System type.
VM Type   VM type of the Deception OS endpoint.
Lures   Lures used by the Decoy VM such as SSH, SAMBA, SMB, RDP, HTTP, FTP, TFTP, SNMP, MODBUS, S7COMM, BACNET, IPMI, TRICONEX, GuardianAST, or IEC104.

Set up the Deployment Network

Use the Deception > Deployment Network page to set up a monitoring interface into a VLAN or a subnet.

To add a VLAN or subnet to FortiDeceptor:

  1. Go to Deception > Deployment Network.
  2. Enable Auto VLAN Detection to automatically detect the VLANs on your network.

Auto VLAN detection allows FortiDeceptor to detect the available VLANs on the deployment network interface and display them in the GUI. You can select and add the VLANs for the deployment of Decoys later.

  1. Select the Detection Interface and click OK.

You can select multiple ports.

  1. Click Add New VLAN/Subnet to manually add a VLAN or a subnet. Configure the following settings:
Interface The port that connects to the VLAN or subnet.
VLAN ID The VLAN’s unique integer ID.
Deploy Network IP/Mask The IP address to monitor. This is useful to mask the actual IP address.
Ref The number of objects referring to this object.
Status Status of the IP address, such as if it is initialized.
Action Click Edit to edit the VLAN or subnet entry. The Edit button is visible only after the entry is saved.
  1. Click Save.

The network IP/mask must be an IP address and not a subnet.

You must use the following guidelines to set the network IP/mask:

  • Interface name and VLAN ID must be unique among all network IP/masks.
  • If VLAN ID is 0, the network IP/mask must be unique among all the network IP/masks without VLAN and all system interfaces.
  • If VLAN is not 0, the network IP/mask must be unique among all subnets in the same VLAN.

Deploy Decoy VMs with the Deployment Wizard

Use the Deception > Deployment Wizard page to create and deploy Decoy VMs on your network. Decoy VMs appear as real endpoints to hackers and can collect valuable information about attacks.

To deploy Decoys on the network:

  1. Go to Deception > Deployment Wizard.
  2. Click + to add a Decoy VM.
  3. Configure the following:
Name Specify the name of the deployment profile. Maximum 15 characters using A-Z, a-z, 0-9, dash, or underscore. No duplicate profile names.
Available Deception OSes Select a Deception OS.
Selected Services Displays the selected services. You cannot edit this field.
  1. For an Ubuntu VM, turn on SSH or SAMBA. For Windows, turn on RDP or SMB.

For SCADA, turn on HTTP, FTP, TFTP, SNMP, MODBUS, S7COMM, BACNET, IPMI, TRICONEX, GUARDIANAST, or IEC104.

  1. Click Add Lure for the service and configure the following:
Username Specify the username for the decoy. Maximum 19 characters using A-Z, a-z, or 0-9.

Do not set the username of the lures to be the same as existing usernames in the decoy, such as administrator for RDP/SMB services on Windows, or root for SSH/SAMBA services on Linux.

Password Specify the password for the decoy in 1-14 non-unicode characters.
Sharename This option is only available for SAMBA (Ubuntu) or SMB (Windows). Specify a Sharename in 3-63 characters using A-Z, a-z, or 0-9.
Update or Cancel Click Update to save the username and password. Click Cancel to discard the username and password. Click Delete to delete an existing lure.
  1. To launch the decoy VM immediately, enable Launch Immediately.
  2. To reset the decoy VM after it detects incidents, enable Reset Decoy and specify the Reset Interval value in seconds.
  3. Click Next.
  4. The Hostname can start with an English character or a digit, and must not end with a hyphen. Maximum 15 characters using A-Z, a-z, 0-9, or hyphen (case-sensitive). Other symbols, punctuation, or white space are not allowed. The Hostname cannot conflict with decoy names.
  5. Click Add Interface.
  6. Select the Deploy Interface. Set this to the VLAN or subnet added in Set up the Deployment Network on page 10
  7. Configure the following settings in the Add Interface forDecoy pane:
Addressing Mode Select Static or DHCP.

Static allows you to configure the IP address for all the decoys.

DHCP allows the decoys to receive IP address from the DHCP server. If you select DHCP, IP Count is automatically set to 1 and all other fields are not applicable.

Network Mask This field is set automatically.
Gateway Specify the gateway.
IP Count Specify the number of IP addresses to be assigned, up to 16.

If Addressing Mode is DHCP, IP Count is automatically set to 1.

Min The minimum IP address in the IP range.
Max The maximum IP address in the IP range.
IP Ranges Specify the IP range between Min and Max.
  1. Click Done.
  2. To deploy the decoys on the network, click Deploy.
  3. To save this as a template in Deception > Deployment Wizard, click Template.

Deploy the FortiDeceptor Token Package

Use a FortiDeceptor Token Package to add breadcrumbs on real endpoints and lure an attacker to a Decoy VM. Tokens are normally distributed within real endpoints and other IT assets on the network to maximize the deception surface.

To download a FortiDeceptor Token Package:

  1. Go to Deception > Decoy & Lure Status.
  2. Select the Decoy VM by clicking its checkbox.
  3. To download the FortiDeceptor Token Package, click Download Package.

You can only download packages with valid IP addresses. A package must have a status of Initialized, Stopped, Running, or Failed.

To deploy or uninstall a FortiDeceptor Token Package on an existing endpoint:

  1. Copy the downloaded FortiDeceptor Token Package to an endpoint such as a Windows or Linux endpoint.
  2. Unzip the FortiDeceptor Token Package.
  3. In the folder for the OS, such as windows or ubuntu, follow the instructions in txt to install or uninstall the Token Package.

l For Windows, open the windows folder, right-click windows_token.exe and select Run as administrator. l For Ubuntu, open Terminal and run python ./ubuntu_token.py.

When the FortiDeceptor Token Package is installed on a real Windows or Ubuntu endpoint, it increases the deception surface and lures the attacker to a Decoy VM.

Monitor Decoy & Lure Status

The Deception > Decoy & Lure Status page shows the status of the Decoys on your network.

We recommend operating Decoy VMs with the same status for expected behavior.

To view the Deception Status:

  1. Go to Deception > Decoy & Lure Status.
Action Click View detail to see the decoy’s configuration details.

Click Copy to Template to duplicate the decoy as a template.

Click Start or Stop to start or stop the decoy. Click Delete to delete the decoy.

Click Download to download the FortiDeceptor Token Package.

Click VNC to open a VNC of the decoy.

Status The status of the decoy can be Initializing, Running, Stopped, or Cannot Start. If the Decoy VM cannot start, hover over the VM to see the reason.
Decoy Name Name of the decoy.
OS Operating system of the decoy.
VM The name of the Decoy VM.
Enabled Services The number of decoy services enabled on this VM.
IP The IP address of the Decoy VM.
Services List of services enabled. Hover over an icon to see a text list.
Network Type Shows if the IP address is Static or DHCP.
DNS DNS of the Decoy VM.
Gateway Gateway of the Decoy VM.

To delete one or more Decoy VMs:

  1. Go to Deception > Decoy & Lure Status.
  2. Click Delete beside the Decoy VM.
  3. Click OK.

To start one or more Decoy VM:

  1. Go to Deception > Decoy & Lure Status.
  2. Select one or more Decoy VMs that are stopped.
  3. Click Start.

To stop one or more Decoy VMs:

  1. Go to Deception > Decoy & Lure Status.
  2. Select one or more Decoy VMs that are running.
  3. Click Stop.

Decoy Map

Deception > Decoy Map is a visual representation of the entire network showing real endpoints and Decoy VMs. You can apply filters to focus on specific decoys.

To work with the Decoy Map:

  1. Go to Deception > Decoy Map. l To change the display, drag items to another location. l Scroll to zoom in or out.

l Click a node to see its information.

  1. Click Click to begin filtering to select a filter type and type values. Filter types include Decoy Name, Decoy IP, and Lure Type.

You can use multiple arguments with different filter types. All filter arguments and time indicator arguments are considered “AND” conditions.

  1. To locate the node on the map, use the LOCATE BY IP
  2. To save a snapshot of the map, click Save view .

Configure a Whitelist

Use the Deception > Whitelist page to add an IP address for an administrator to log into the network. User actions from a whitelisted IP address are recorded as an Event or Incident.

To add a new whitelist IP address:

  1. Go to Deception > Whitelist.
  2. Click Add New Whitelist IP and configure its settings:
IP Address   Specify the IP address from where the connection originates.
Source Ports   Specify the source ports from where the connection originates.
Destination Ports   Specify the destination ports on the network where the connection terminates.
Description   Specify a description. For example, you can name it as Safe_Network.
Services   Select the name of the services used to connect to the network.
Status   Select Enabled or Disabled.
Action   Click Update or Cancel.

DMZ Mode

Deploy a FortiDeceptor hardware unit or VM in the Demilitarized Zone (DMZ). You can monitor attacks on the DMZ network when FortiDeceptor is installed in the DMZ network.

Limitations of the DMZ Mode

The DMZ Mode in FortiDeceptor functions like regular mode with the following exceptions:

  • When DMZ mode is enabled, the banner displays DMZ-MODE.
  • In Deception > Deployment Network, Deception MonitorIP/Mask is hidden. See Set up the Deployment Network on page 10.
  • In Deception > Decoy & Lure Status in the Deception Status view, the Attack Test selection is disabled.
  • Decoy VMs are limited to one deploy Interface. For information about IP address range, see Deploy Decoy VMs with the Deployment Wizard on page 10.

To enable DMZ mode in the CLI:

dmz-mode -e

To disable DMZ mode in the CLI: dmz-mode -d

 

This entry was posted in Administration Guides, FortiDeceptor on by .

About Mike

Michael Pruett, CISSP has a wide range of cyber-security and network engineering expertise. The plethora of vendors that resell hardware but have zero engineering knowledge resulting in the wrong hardware or configuration being deployed is a major pet peeve of Michael's. This site was started in an effort to spread information while providing the option of quality consulting services at a much lower price than Fortinet Professional Services. Owns PacketLlama.Com (Fortinet Hardware Sales) and Office Of The CISO, LLC (Cybersecurity consulting firm).

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.