Fortinet Document Library

Administration Guide

Deception lure best practices

Deception effectiveness requires deployment across all managed endpoints and servers.

This topic provides deception deployment best practices for the deception lure layer. For lure deployment over AD logon script, see appendix A.

Example of deception lures on a Windows, macOS, or Linux endpoint segment (VLAN)
RDP lure
  • Set up several Windows server decoys that support RDP access.
  • Set up appropriate decoy hostnames like Terminal-XX, VDI-XX, and so on. This increases the level of authenticity when you add the Windows server decoys to the company domain.
  • Follow company username and password policy.
  • Generate 2-3 deception lures and deploy them over several different AD user groups.
SMB lure

For Windows endpoints, use either the SMB lure or the SAMBA lure, not both.

  • Set up at least two Windows server decoys that expose fake network shares.
  • Generate at least two lures with two different share names.
  • Use a share name similar to the company structure.
  • Set up appropriate hostnames like FileSRV-XX, File-Server, and so on. This increases the level of authenticity when you add the Windows server decoy to the company domain.
  • Follow company username and password policy.
  • Generate a single deception lure package and deploy it to all network endpoints.
SAMBA lure

For Windows endpoints, use either the SMB lure or the SAMBA lure, not both.

  • Set up at least two Linux server decoys that support network share access.
  • Set up appropriate hostnames like Storage-XX, Backup-Server, and so on.
  • Generate at least two lures with two different share names.
  • Use a share name similar to the company structure.
  • Follow company username and password policy.
  • Generate a single deception lure package and deploy it to all network endpoints.
SSH lure
  • Set up several Linux server decoys that support SSH access.
  • Set up appropriate hostnames like JumpHost-XX, Control-XX, Cloud-XXX, and so on.
  • Use a complex password. This gives the attacker the impression that the decoy is a critical server.
  • Generate 2-3 deception lures and deploy them over the IT endpoints group only. Attackers do not expect to see SSH clients on a regular desktop.
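
As an added example (not Fortinet code, and not FortiDeceptor's own lure package format), the following Python script checks a planned lure deployment against the rules in this topic before the packages are generated: each lure points at a decoy of the right OS and service, at least two decoys sit behind every lure type in use, 2-3 RDP lures are spread over several AD groups, SMB and SAMBA lures use distinct share names and go to all endpoints, SMB and SAMBA are never deployed together, and SSH lures go to the IT endpoints group only. The plan model (Decoy, Lure), the group names ALL and IT, the sample plan, and the extra check for hostnames that give a decoy away are assumptions made for illustration.

```python
"""Check a lure deployment plan against the best practices on this page.

Added example, not Fortinet code. The plan model below and the group names
"ALL" and "IT" are assumptions made for illustration.
"""
from dataclasses import dataclass

ALL_ENDPOINTS = "ALL"   # assumed name of the "every managed endpoint" group
IT_GROUP = "IT"         # assumed name of the IT endpoints group
# Hostname fragments that betray a decoy; an extra check beyond the page's rules.
TELLS = ("decoy", "honey", "trap", "fake")
# Decoy OS and service each lure kind must point at (from the page's sections).
DECOY_OS = {"rdp": "windows", "smb": "windows", "samba": "linux", "ssh": "linux"}
SERVICE = {"rdp": "rdp", "smb": "smb", "samba": "smb", "ssh": "ssh"}


@dataclass
class Decoy:
    hostname: str
    os: str          # "windows" or "linux"
    services: set    # e.g. {"rdp"} or {"smb"}


@dataclass
class Lure:
    kind: str        # "rdp", "smb", "samba" or "ssh"
    decoy: str       # hostname of the decoy the lure points at
    groups: set      # AD / endpoint groups the lure package is deployed to
    share: str = ""  # share name, smb/samba only


def validate_plan(decoys, lures):
    """Return a list of findings; an empty list means the plan follows the rules."""
    findings = []
    by_host = {d.hostname: d for d in decoys}
    by_kind = {}
    for d in decoys:
        if any(t in d.hostname.lower() for t in TELLS):
            findings.append(f"decoy {d.hostname}: hostname gives the decoy away")
    for lure in lures:
        by_kind.setdefault(lure.kind, []).append(lure)
        d = by_host.get(lure.decoy)
        if d is None:
            findings.append(f"{lure.kind} lure -> {lure.decoy}: decoy not defined")
        elif d.os != DECOY_OS[lure.kind] or SERVICE[lure.kind] not in d.services:
            findings.append(f"{lure.kind} lure -> {lure.decoy}: needs a "
                            f"{DECOY_OS[lure.kind]} decoy exposing {SERVICE[lure.kind]}")
    # Every lure kind in use needs at least two matching decoys behind it.
    for kind in by_kind:
        n = sum(1 for d in decoys
                if d.os == DECOY_OS[kind] and SERVICE[kind] in d.services)
        if n < 2:
            findings.append(f"{kind}: at least two {DECOY_OS[kind]} decoys with "
                            f"{SERVICE[kind]} are needed, plan has {n}")
    # RDP: 2-3 lures, spread over several different AD user groups.
    rdp = by_kind.get("rdp", [])
    if rdp:
        if not 2 <= len(rdp) <= 3:
            findings.append(f"rdp: generate 2-3 lures, plan has {len(rdp)}")
        if len(set().union(*(l.groups for l in rdp))) < 2:
            findings.append("rdp: spread the lures over several AD user groups")
    # SMB / SAMBA: at least two distinct share names, one package to all endpoints.
    for kind in ("smb", "samba"):
        shares = by_kind.get(kind, [])
        if not shares:
            continue
        if len({l.share for l in shares}) < 2:
            findings.append(f"{kind}: generate at least two lures with different share names")
        if any(ALL_ENDPOINTS not in l.groups for l in shares):
            findings.append(f"{kind}: the lure package must go to all endpoints")
    if "smb" in by_kind and "samba" in by_kind:
        findings.append("smb and samba lures both present: use one of them for Windows endpoints")
    # SSH: 2-3 lures, IT endpoints group only.
    ssh = by_kind.get("ssh", [])
    if ssh:
        if not 2 <= len(ssh) <= 3:
            findings.append(f"ssh: generate 2-3 lures, plan has {len(ssh)}")
        if any(l.groups != {IT_GROUP} for l in ssh):
            findings.append("ssh: deploy to the IT endpoints group only")
    return findings


def example_plan():
    """Constructed sample plan: follows the page except for two deliberate mistakes."""
    decoys = [
        Decoy("Terminal-01", "windows", {"rdp"}),
        Decoy("VDI-02", "windows", {"rdp"}),
        Decoy("FileSRV-01", "windows", {"smb"}),
        Decoy("File-Server", "windows", {"smb"}),
        Decoy("JumpHost-01", "linux", {"ssh"}),
        Decoy("Honeypot-02", "linux", {"ssh"}),       # mistake 1: telling hostname
    ]
    lures = [
        Lure("rdp", "Terminal-01", {"Finance"}),
        Lure("rdp", "VDI-02", {"HR"}),
        Lure("smb", "FileSRV-01", {ALL_ENDPOINTS}, share="Projects"),
        Lure("smb", "File-Server", {ALL_ENDPOINTS}, share="Finance"),
        Lure("ssh", "JumpHost-01", {IT_GROUP}),
        Lure("ssh", "Honeypot-02", {ALL_ENDPOINTS}),  # mistake 2: SSH lure to everyone
    ]
    return decoys, lures


if __name__ == "__main__":
    for finding in validate_plan(*example_plan()):
        print("FINDING:", finding)
```

Run it against the sample plan and it reports the telling hostname and the SSH lure that was pushed to every endpoint; once those are corrected the plan passes. Adding a SAMBA lure to a plan that already carries SMB lures is flagged as well, which is the "not both" rule above.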
