Fortinet Document Library

Version:

Version:


Table of Contents

Download PDF
Copy Link

Introduction

FortiDeceptor creates a network of Decoy VMs to lure attackers and monitor their activities on the network. Once attackers attack Decoy VMs, their actions are analyzed to protect the network.

Key features of FortiDeceptor include:

  • Deception OS: Windows, Linux or Scada OS images are available to create Decoy VMs

  • Decoy VMs: Decoy VMs that behave like real endpoints can be deployed through FortiDeceptor.
  • Lures: Lures are services, applications, or users added to a Decoy VM to simulate a real user environment.
  • FortiDeceptor Token Package: Install a FortiDeceptor Token Package to add breadcrumbs on real endpoints and lure an attacker to a Decoy VM. Tokens are normally distributed within the real endpoints and other IT assets on the network to maximize the deception surface. Tokens are used to influence attacker’s lateral movements and activities. For example, cached credentials, database connections, network share, data files, or configuration files can be used in a token.
  • Monitor the hacker's actions: Monitor Incidents, Events, and Campaign.
    • An Event represents a single action, for example, a login-logout on a victim host.
    • An Incident represents all actions on a single victim host, for example, a login-logout, file system change, a registry modification, and a website visit on a single victim host.
    • A Campaign represents the hacker's lateral movement. All Incidents that are co-related are a Campaign. For example, an attacker logs on to a system using the credentials found on another system.
  • Log Events: Log all FortiDeceptor system events.

Introduction

FortiDeceptor creates a network of Decoy VMs to lure attackers and monitor their activities on the network. Once attackers attack Decoy VMs, their actions are analyzed to protect the network.

Key features of FortiDeceptor include:

  • Deception OS: Windows, Linux or Scada OS images are available to create Decoy VMs

  • Decoy VMs: Decoy VMs that behave like real endpoints can be deployed through FortiDeceptor.
  • Lures: Lures are services, applications, or users added to a Decoy VM to simulate a real user environment.
  • FortiDeceptor Token Package: Install a FortiDeceptor Token Package to add breadcrumbs on real endpoints and lure an attacker to a Decoy VM. Tokens are normally distributed within the real endpoints and other IT assets on the network to maximize the deception surface. Tokens are used to influence attacker’s lateral movements and activities. For example, cached credentials, database connections, network share, data files, or configuration files can be used in a token.
  • Monitor the hacker's actions: Monitor Incidents, Events, and Campaign.
    • An Event represents a single action, for example, a login-logout on a victim host.
    • An Incident represents all actions on a single victim host, for example, a login-logout, file system change, a registry modification, and a website visit on a single victim host.
    • A Campaign represents the hacker's lateral movement. All Incidents that are co-related are a Campaign. For example, an attacker logs on to a system using the credentials found on another system.
  • Log Events: Log all FortiDeceptor system events.