Administration Guide

FortiDeceptor lures


FortiDeceptor lures

The role of the FortiDeceptor lure package is to add breadcrumbs on real endpoints and servers, and redirect an attacker to engage with a decoy instead of a real asset. Deception lures are typically distributed within real endpoints and servers on the network to expand the deception surface.

Effective deception lure technology should support the following:

  • Deploy deception lure data and configurations in the places where attackers collect information.
  • The lure's location must be invisible to end users and must not affect endpoint functionality.
  • The lure must be accessible with user-level permissions, so that attackers can reach it early and be detected before they spend time on privilege escalation.

The current FortiDeceptor token packages are:

  • Windows:
    • SMB
    • RDP
    • SSH
  • Linux:
    • SMB (SAMBA)
    • RDP (xfreerdp)
    • SSH
  • MAC:
    • SMB (SAMBA)
    • RDP (xfreerdp)
    • SSH

When the FortiDeceptor token package is installed on a real Windows, Linux, or MAC endpoint, it increases the deception surface and redirects an attacker to engage with a decoy instead of a real asset.
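The detection logic a lure relies on, shown as an added example that is not FortiDeceptor code: a lure points a real endpoint at a decoy, so an SMB, RDP or SSH connection from a real endpoint to a decoy address is a high-fidelity signal. The log format, addresses and decoy names are constructed for this example.

```python
# Added example, not FortiDeceptor code: the detection logic a lure relies on.
# Lures point at decoys, so an SMB/RDP/SSH connection from a real endpoint to a
# decoy address is a high-fidelity signal. Log format, addresses and decoy
# names below are constructed for this example.
from collections import defaultdict

DECOYS = {"10.0.5.20": "decoy-fileserver", "10.0.5.21": "decoy-jumphost"}  # constructed
LURE_PORTS = {445: "SMB", 3389: "RDP", 22: "SSH"}  # the three lure types listed above

# Constructed flow log: "<time> <src_ip> <dst_ip> <dst_port>" per line.
SAMPLE_LOG = """\
2024-01-01T09:00:01 10.0.1.15 10.0.2.8 443
2024-01-01T09:00:07 10.0.1.15 10.0.5.20 445
2024-01-01T09:00:09 10.0.1.15 10.0.5.21 3389
2024-01-01T09:00:12 10.0.1.15 10.0.5.21 22
2024-01-01T09:01:00 10.0.1.30 10.0.2.9 22
2024-01-01T09:02:00 10.0.1.30 10.0.5.20 8080
"""

def decoy_contacts(log_text):
    """Return each connection that reached a decoy on a lure protocol port."""
    hits = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        time, src, dst, port = line.split()
        port = int(port)
        # Only the lured protocols are attributed to a lure type here.
        if dst in DECOYS and port in LURE_PORTS:
            hits.append({"time": time, "src": src, "decoy": DECOYS[dst],
                         "protocol": LURE_PORTS[port]})
    return hits

def summarize_by_source(hits):
    """Group hits per source endpoint. One host following several lures in a
    short window looks like lateral movement rather than a stray click."""
    summary = defaultdict(lambda: {"decoys": set(), "protocols": set(),
                                   "first_seen": None})
    for h in hits:
        entry = summary[h["src"]]
        entry["decoys"].add(h["decoy"])
        entry["protocols"].add(h["protocol"])
        if entry["first_seen"] is None or h["time"] < entry["first_seen"]:
            entry["first_seen"] = h["time"]
    return dict(summary)

if __name__ == "__main__":
    for src, info in summarize_by_source(decoy_contacts(SAMPLE_LOG)).items():
        print(src, sorted(info["decoys"]), sorted(info["protocols"]), info["first_seen"])
```

Traffic to a decoy on a port outside the three lure protocols (the last sample line) is deliberately not attributed to a lure here, although in practice any contact with a decoy deserves a look.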
