
What’s new in FortiDeceptor 4.0.0

The following is a list of new features and enhancements in 4.0.0. For details, see the FortiDeceptor Administration Guide in the Fortinet Document Library.

New IoT/OT Decoys

IoT/OT devices are consistent targets for threat actors and APT groups. Deception decoys are a key component for detecting attacks against critical devices and infrastructure.

A new IoT Deception VM has been added. It contains:

  • A Cisco router decoy that uses a Cisco IOS image file to emulate a real Cisco router.

  • A network printer decoy that emulates a real HP printer, including the printing protocol and the printer's web management UI.

  • A network IP camera decoy that emulates a real IP camera, with the ability to customize the fake video stream.

New OT protocols and decoys were added to the SCADAV2 Deception VM:

  • Protocols:

    • DNP3 is a communications protocol used in SCADA and remote monitoring systems. Its primary use is in utilities such as electric and water companies.

    • Triconex is both the name of a Schneider Electric brand that supplies products, systems, and services for safety, critical control, and turbomachinery applications, and the name of its hardware devices, which are programmed with the TriStation application software. The Triconex decoy service simulates SIS (safety instrumented system) controllers.

  • New Schneider Electric OT decoys:

    • EcoStruxure B.M.S. Management Server: EcoStruxure Building Management is an integration platform for monitoring, control, and management of energy, lighting, fire safety, security, and HVAC.

    • PM5560 Power Meter: The PM5560 provides the measurement capabilities needed to allocate energy usage, perform tenant metering and sub-billing, pinpoint energy savings, and perform a high-level assessment of the power quality of the electrical network.

    • SCADAPack 333E (5210): A smart RTU that provides end-to-end reliable and secure control and monitoring of remote assets in critical infrastructure (mainly used for water system monitoring).

New Deception Lures

HoneyDocs (Office and PDF files): HoneyDoc creates a "honey" document containing fake passwords or financial data, so that it looks appealing for an attacker to open. The document embeds a tracking pixel image, so the IP address of whoever opens it shows up in the web server logs of the network decoy.
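
As an added illustration (not code from this page or from Fortinet), the following Python script shows how the tracking-pixel hits from a HoneyDoc surface in the decoy's web server logs and how to turn them into alert records. The beacon path `/img/<token>.gif`, the token-to-document map, and the log lines are all constructed for this example; the actual beacon URL format used by FortiDeceptor is not documented on this page.

```python
import re
from datetime import datetime

# Apache/nginx "combined" log format, the format a typical decoy web server writes.
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)

# Hypothetical beacon path: the 16-hex-digit token identifies which honey document was opened.
BEACON_RE = re.compile(r"^/img/(?P<token>[0-9a-f]{16})\.gif(?:\?.*)?$")

# Constructed sample log lines: ordinary browsing mixed with two beacon fetches.
SAMPLE_LOG = """\
10.20.30.11 - - [12/Oct/2021:09:14:02 +0000] "GET /index.html HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
10.20.30.57 - - [12/Oct/2021:09:16:45 +0000] "GET /img/3f9a1c2b7e8d4a60.gif HTTP/1.1" 200 43 "-" "Microsoft Office/16.0 (Windows NT 10.0; Microsoft Word 16.0.14326; Pro)"
10.20.30.57 - - [12/Oct/2021:09:16:46 +0000] "GET /img/3f9a1c2b7e8d4a60.gif HTTP/1.1" 200 43 "-" "Microsoft Office/16.0 (Windows NT 10.0; Microsoft Word 16.0.14326; Pro)"
10.20.30.99 - - [12/Oct/2021:09:21:10 +0000] "GET /img/b71e0c4d9a2f5e13.gif HTTP/1.1" 200 43 "-" "Adobe Acrobat Reader"
10.20.30.11 - - [12/Oct/2021:09:30:00 +0000] "GET /favicon.ico HTTP/1.1" 404 209 "-" "Mozilla/5.0"
"""

# Constructed mapping from beacon token to the document it was planted in.
TOKEN_TO_DOC = {
    "3f9a1c2b7e8d4a60": "Q3_financials_DRAFT.docx",
    "b71e0c4d9a2f5e13": "vpn_credentials.pdf",
}


def parse_line(line):
    """Split one combined-format log line into fields, or return None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def beacon_hits(log_text, token_map):
    """Return one alert record per (client IP, token), counting repeated fetches of the same pixel."""
    hits = {}
    for line in log_text.splitlines():
        rec = parse_line(line)
        if not rec:
            continue
        b = BEACON_RE.match(rec["path"])
        if not b:
            continue                       # normal page view, not a beacon
        token = b.group("token")
        key = (rec["ip"], token)
        if key in hits:
            hits[key]["count"] += 1        # same viewer re-fetched the pixel; do not re-alert
            continue
        hits[key] = {
            "ip": rec["ip"],
            "document": token_map.get(token, "unknown token " + token),
            "first_seen": datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z"),
            "user_agent": rec["ua"],
            "count": 1,
        }
    return list(hits.values())


if __name__ == "__main__":
    for hit in beacon_hits(SAMPLE_LOG, TOKEN_TO_DOC):
        print(f"{hit['first_seen'].isoformat()} {hit['ip']} opened {hit['document']} "
              f"({hit['count']} fetch(es), UA: {hit['user_agent']})")
```

The pixel is only requested if the viewing application fetches remote content, so a document opened in a client that blocks external images (Office Protected View, for example) produces no log line; a hit is strong evidence that the lure was opened, but its absence is not proof that it was not. The user agent is worth keeping in the alert because it tells you whether the file was opened in Word, a PDF reader, or fetched by a script.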

Network Attacks:
  • Responder Attack Detection: A new module for detecting Responder attacks is included in the Windows decoys. Responder is a widely used tool for quickly harvesting credentials and, in some cases, gaining remote access to systems. It is an LLMNR, NBT-NS and mDNS poisoner that is easy to use and very effective on networks where these name-resolution protocols are left enabled.

  • Ransomware Attack Detection: The existing ransomware encryption detection module was improved to reduce detection time.
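
Responder can be caught from the decoy's side by doing the opposite of what it does: ask for a name that cannot exist and see who answers. The following Python script is an added example, not FortiDeceptor's detection code. It sends an LLMNR query for a random name to the LLMNR multicast group (224.0.0.252, UDP 5355) and treats any A-record answer as evidence of a poisoner, since no legitimate host owns that name. The `build_response` helper only constructs what a poisoned reply looks like, so the parser can be exercised offline.

```python
import random
import socket
import string
import struct

LLMNR_GROUP = "224.0.0.252"   # LLMNR IPv4 multicast group (RFC 4795)
LLMNR_PORT = 5355


def encode_name(name):
    """Encode a hostname as DNS-style length-prefixed labels."""
    out = b"".join(bytes([len(label)]) + label.encode("ascii") for label in name.split("."))
    return out + b"\x00"


def build_query(name, txid):
    """LLMNR A-record query: DNS-style header with flags 0 and a single question."""
    header = struct.pack("!HHHHHH", txid, 0x0000, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", 1, 1)   # QTYPE=A, QCLASS=IN


def build_response(txid, name, ip, ttl=30):
    """What a poisoner's reply looks like: response flag set, one A answer. Constructed for testing."""
    header = struct.pack("!HHHHHH", txid, 0x8000, 1, 1, 0, 0)
    question = encode_name(name) + struct.pack("!HH", 1, 1)
    answer = encode_name(name) + struct.pack("!HHIH", 1, 1, ttl, 4) + socket.inet_aton(ip)
    return header + question + answer


def skip_name(data, offset):
    """Advance past a name, written either as labels or as a two-byte compression pointer."""
    while True:
        length = data[offset]
        if length == 0:
            return offset + 1
        if length & 0xC0 == 0xC0:
            return offset + 2
        offset += 1 + length


def parse_answers(data, txid):
    """Return the IPv4 addresses in the A records of a response matching our transaction ID."""
    if len(data) < 12:
        return []
    rid, flags, qdcount, ancount, _, _ = struct.unpack("!HHHHHH", data[:12])
    if rid != txid or not flags & 0x8000:      # wrong transaction, or not a response
        return []
    offset = 12
    for _ in range(qdcount):
        offset = skip_name(data, offset) + 4    # skip QTYPE + QCLASS
    addrs = []
    for _ in range(ancount):
        offset = skip_name(data, offset)
        rtype, _, _, rdlen = struct.unpack("!HHIH", data[offset:offset + 10])
        offset += 10
        rdata = data[offset:offset + rdlen]
        offset += rdlen
        if rtype == 1 and rdlen == 4:
            addrs.append(socket.inet_ntoa(rdata))
    return addrs


def random_name(length=12):
    """A name no host on the segment can legitimately own."""
    return "".join(random.choice(string.ascii_lowercase) for _ in range(length))


def probe(timeout=2.0):
    """Send one query for a non-existent name; return (name, [(source_ip, [answered_ips]), ...])."""
    name, txid = random_name(), random.randrange(0x10000)
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.settimeout(timeout)
    hits = []
    try:
        sock.sendto(build_query(name, txid), (LLMNR_GROUP, LLMNR_PORT))
        while True:                              # collect every answer until the timeout
            data, (src, _) = sock.recvfrom(1024)
            answers = parse_answers(data, txid)
            if answers:
                hits.append((src, answers))
    except socket.timeout:
        pass
    finally:
        sock.close()
    return name, hits


if __name__ == "__main__":
    name, hits = probe()
    for src, answers in hits:
        print(f"LLMNR poisoner: {src} answered for non-existent '{name}' with {answers}")
    if not hits:
        print(f"no LLMNR answer for '{name}' (no poisoner seen)")
```

Run it on a host in the same broadcast domain as the suspected attacker; LLMNR replies are unicast back to the querier, so the source address of any reply is the poisoner itself. Responder answers every LLMNR query it sees, which is exactly why a query for a random name is enough. The same trick applies to NBT-NS (a NetBIOS name query broadcast to UDP 137) and mDNS, which Responder also poisons; repeating the probe on a schedule from a Windows decoy gives a continuous detector rather than a one-off check.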

In-Depth Malware Analysis – Incident Analysis:

FortiSandbox: The integration between FortiDeceptor and FortiSandbox provides full static and dynamic analysis of malicious code captured by the network decoys. The malware analysis report is available in the FortiDeceptor admin console.

VirusTotal: The integration between FortiDeceptor and the well-known VirusTotal service allows the submission of suspicious files (identified by MD5 hash) for malware analysis. When integrated, VirusTotal detection ratios are displayed in the incident analysis alert workflow for relevant events.

Fabric Integration:
  • FGT CSF: The integration between FortiDeceptor and FortiGate over the Security Fabric (CSF) allows FortiDeceptor to automatically trigger isolation of the infected endpoint from the network, preventing the attack from moving laterally. The CSF also provides access, through the FortiGate, to more Fabric devices that can perform the isolation, such as FortiSwitch. In addition, SAML support between the FortiGate web UI and FortiDeceptor allows SSO login from FortiGate to FortiDeceptor.

  • FortiNAC: The integration between FortiDeceptor and FortiNAC allows FortiDeceptor to automatically isolate the infected endpoint from the network and prevent the attack from moving laterally. (The previous version of FortiDeceptor used the webhook connector for this integration; this version provides an out-of-the-box connector.)

System Features
  • Platform Scalability: Scalability was improved by supporting 24 IP addresses per Deception VM instead of 16. (The FDC appliance supports up to 128 VLANs.)

  • Improved decoy network authenticity:

    • STATIC IP: A network decoy deployed with static IPs generates a single NIC per IP address.

    • DHCP IP: A network decoy deployed with DHCP allows more than one IP address to be chosen per decoy.

  • HW requirements benchmark widget: A new hardware requirements benchmark widget, for the FortiDeceptor virtual appliance only, gives the user real-time guidance on system performance and on whether more vCPU and RAM resources are needed, both during deployment and in ongoing operation.

  • Additional improvements to current features, such as:

    • A time zone setting for each login user, based on the user's location, that adjusts the date and time shown for incident alerts.

    • Improved CM manager, with support for firmware image download for different models.

    • Improved content of incident alert emails.

FortiDeceptor License Model:
  • New License Model: The new FortiDeceptor license is subscription-based. The new model is priced by the number of network VLANs using the FortiDeceptor solution.

  • FortiDeceptor VM: A subscription bundle, based on the number of network VLANs, that includes all FortiDeceptor modules and features (network decoys, deception lures, FortiCare, and ARAE).

  • FortiDeceptor HW: A subscription license, based on the number of network VLANs, that includes the FortiDeceptor modules and features (network decoys, deception lures, and ARAE).

  • FortiDeceptor Manager: A subscription license for managing up to 50 devices from a single manager.

  • FortiDeceptor Windows license:

    • Not included in the subscription license; requires a separate SKU.

    • A new SKU for 1 x Win7 and 1 x Win10 allows mixed Windows decoys to be purchased under a single SKU.

    • The subscription license includes access to the custom decoy feature, so you can use your corporate Windows license for Windows decoys.

  • FortiDeceptor License renewal: The perpetual license remains supported for current customers; renewal uses the perpetual SKUs and a co-term contract.

  • FortiDeceptor USG license for US Federal customers.
