Fortinet Deception Technology and Cyber Attacker Workflow

Jul 26, 2024


Introduction

  • Speaker: Alex Pavlock, Systems Engineer with Fortinet
  • Topic: Overview and demonstration of Fortinet's FortiDeceptor product
  • Product Features: Deception product that spins up fake virtual machines (honeypots) to identify and quarantine attackers on a network
  • Goals: Use FortiDeceptor to gain insight into attackers and understand their behavior in order to defend the network better

FortiDeceptor Overview

  • Decoy VMs: Fake virtual machines that imitate real assets
  • Purpose: Lure attackers to fake assets so that malicious activity is identified and the threat is quarantined
  • Example Decoy: PACS (picture archiving and communication system) decoy running an HTTP server
    • Context: Used in the medical field for storing sensitive patient information
    • Function: Emulates a real medical device so that attackers who interact with it can be monitored and quarantined

Deception Mechanism

  • Decoys: Virtual machines with auto-generated usernames and passwords
  • Lures: Generated usernames and passwords placed where an attacker will find them, to draw the attacker toward the decoys
  • Incident Monitoring: FortiDeceptor flags any interaction with a decoy as potentially malicious, since legitimate users have no reason to touch a fake asset

Understanding the Attacker's Workflow

Scanning the Network

  • Tools Used: nmap (network scanning application)
  • Scan Objectives: Identify devices, open ports, and running services on the network
  • Potential Actions: Gather operating system information and identify vulnerable services
    • Commands: nmap -O -A -p- IP_ADDRESS (OS detection and aggressive scan across all ports of the target host)

Attack Techniques

  • Service Enumeration: Identify open ports and services (e.g., FTP, Telnet, HTTP)
  • Vulnerability Search: Look for exploits related to identified services (e.g., Apache version vulnerabilities)
  • Common Services Targeted: FTP (anonymous login), Telnet (unencrypted), HTTP (outdated versions)

Exploitation Tools

  • Metasploit: Widely used for exploit development and execution
    • Capabilities: Scan systems, enumerate vulnerabilities, launch payloads
    • Modules: Specific modules for services (e.g., Apache, HTTP login brute force)
  • DirBuster: Tool for discovering directories on a web server
  • Burp Suite: Intercept and manipulate web traffic for brute force attacks
    • Use Case: Curate and inject username and password guesses

Case Study: HTTP Attack Simulation

  • Setup: Using a Kali Linux instance to demonstrate attacker workflow
  • Activities: Simulate nmap scan, directory busting, and attempting login brute force
  • Validation: Confirm the server's version (Apache 2.4.18) and check it against known vulnerabilities

Operational Use of FortiDeceptor

Interaction and Quarantine

  • Interaction Monitoring: Flags connections to and interactions with decoys
  • Quarantine: Integration with Fortinet FortiGate to quarantine identified attackers
    • Setup: Fabric integration, setting severity levels, and quarantine duration
    • Execution: Test the quarantine by triggering interactions that the decoys flag
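The flagging and quarantine logic summarised under Deception Mechanism and Interaction and Quarantine, reduced to a toy detector in Python. This is an added example, not FortiDeceptor's code or anything shown in the talk: the decoy addresses, lure credentials, log line format and severity-to-duration table are all constructed, and the MITRE ATT&CK technique mapping is my own assumption.

```python
import re
from collections import namedtuple

# Constructed sample values (hypothetical): decoy addresses, lure credentials
# planted by the deception platform, and quarantine duration per severity.
DECOY_HOSTS = {"10.0.5.21": "pacs-decoy", "10.0.5.22": "ftp-decoy"}
LURES = {("svc_backup", "Wint3r!2024"), ("pacs_admin", "Radiology#77")}
QUARANTINE_MINUTES = {"low": 15, "medium": 60, "high": 240}
RANK = {"low": 0, "medium": 1, "high": 2}

# Constructed log format: one event per line, credentials only on login events.
LOG_RE = re.compile(r"^(?P<ts>\S+) src=(?P<src>[\d.]+) dst=(?P<dst>[\d.]+) "
                    r"dport=(?P<dport>\d+) event=(?P<event>\w+)"
                    r"(?: user=(?P<user>\S+) pass=(?P<pw>\S+))?$")

Incident = namedtuple("Incident", "src decoy technique severity quarantine_minutes")

def classify(line):
    """Return an Incident for any interaction with a decoy, else None."""
    m = LOG_RE.match(line)
    if not m or m["dst"] not in DECOY_HOSTS:
        return None  # legitimate traffic never touches a decoy
    if m["event"] == "login" and (m["user"], m["pw"]) in LURES:
        # A planted lure credential was used: the attacker harvested it somewhere.
        technique, severity = "T1078 Valid Accounts (planted lure)", "high"
    elif m["event"] == "login":
        technique, severity = "T1110 Brute Force", "medium"
    else:
        technique, severity = "T1046 Network Service Discovery", "low"
    return Incident(m["src"], DECOY_HOSTS[m["dst"]], technique, severity,
                    QUARANTINE_MINUTES[severity])

def process(lines):
    """Keep the most severe incident per source host: one quarantine decision each."""
    worst = {}
    for inc in filter(None, map(classify, lines)):
        if inc.src not in worst or RANK[inc.severity] > RANK[worst[inc.src].severity]:
            worst[inc.src] = inc
    return worst

SAMPLE_LOG = [  # constructed, not real capture data
    "2024-07-26T10:01:02Z src=10.0.9.14 dst=10.0.5.21 dport=80 event=connect",
    "2024-07-26T10:01:09Z src=10.0.9.14 dst=10.0.5.21 dport=80 event=login user=admin pass=admin",
    "2024-07-26T10:01:11Z src=10.0.9.14 dst=10.0.5.21 dport=80 event=login user=pacs_admin pass=Radiology#77",
    "2024-07-26T10:02:30Z src=10.0.9.40 dst=10.0.5.22 dport=21 event=connect",
    "2024-07-26T10:03:00Z src=10.0.9.55 dst=10.0.7.3 dport=443 event=connect",
]
```

Running `process(SAMPLE_LOG)` yields two incidents: the host that reached the PACS decoy and then used a lure credential is rated high (240 minutes of quarantine), the host that merely connected to the FTP decoy is rated low, and the connection to the non-decoy address is ignored.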

Detailed Reporting and Analysis

  • Logs: Detailed logs of attacker activity (HTTP requests, port numbers)
  • MITRE ATT&CK Techniques: The methods and techniques identified in the attacker's activity
  • PCAP Files: Downloadable packet captures for further analysis

Conclusion

  • Purpose: Understand attacker behavior using deception technology
  • Benefit: Enhance security by pre-emptively identifying and quarantining threats
  • Next Steps: Apply these insights in practical network defense strategies
  • Q&A: Open to questions from the audience in the comments section