Administration Guide

Deception token best practices

Deception effectiveness requires deployment across all managed endpoints and servers.

This topic provides deception deployment best practices for the deception token layer. For token deployment over AD logon script, see appendix A.

Example of deception tokens on a Windows, Mac, or Linux endpoint segment (VLAN)
RDP token
  • Set up several Windows server decoys that support RDP access.
  • Set up appropriate decoy hostnames like Terminal-XX, VDI-XX, and so on. This increases the level of authenticity when you add the Windows server decoys to the company domain.
  • Follow company username and password policy.
  • Generate 2-3 deception tokens and deploy them over several different AD user groups.
SMB token

For Windows endpoints, use either SMB token or SAMBA token. Do not use both.

  • Set up at least two Windows server decoys, each hosting a fake network share.
  • Generate at least two tokens with two different share names.
  • Use a share name similar to the company structure.
  • Set up appropriate hostnames like FileSRV-XX, File-Server, and so on. This increases the level of authenticity when you add the Windows server decoy to the company domain.
  • Follow company username and password policy.
  • Generate a single deception token package and deploy it over all the network endpoints.
SAMBA token

For Windows endpoints, use either SMB token or SAMBA token. Do not use both.

  • Set up at least two Linux server decoys that support network share access.
  • Set up appropriate hostnames like Storage-XX, Backup-Server, and so on.
  • Generate at least two tokens with two different share names.
  • Use a share name similar to the company structure.
  • Follow company username and password policy.
  • Generate a single deception token package and deploy it over all the network endpoints.
SSH lure
  • Set up several Linux server decoys that support SSH access.
  • Set up appropriate hostnames like JumpHost-XX, Control-XX, Cloud-XXX, and so on.
  • Use a complex password. This gives the attacker the impression that the decoy is a critical server.
  • Generate 2-3 deception tokens and deploy them over the IT endpoints group only. Attackers do not expect to see SSH clients on a regular desktop.
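The rules above (one share-token type per endpoint group, at least two share names and two decoys per share-token type, 2-3 RDP tokens across several AD groups, SSH tokens restricted to the IT group, decoy hostnames that follow the suggested naming schemes) are easy to violate in a large plan. The following Python checker is an added example, not Fortinet or FortiDeceptor code: it encodes those rules as checks over a hypothetical deployment plan so that a team can review the plan before generating token packages. The Decoy/Token structures, the group names, the hostname regexes, and the sample plan are all constructed assumptions for illustration.

```python
"""Deception token deployment plan checker (added example, not FortiDeceptor code).

Encodes the deception-token best practices as checks over a constructed plan.
Plan structure, group names and hostname patterns are assumptions.
"""
import re
from dataclasses import dataclass


@dataclass
class Decoy:
    hostname: str
    os: str               # "windows" or "linux"
    services: set         # services the decoy exposes, e.g. {"rdp"}, {"smb"}, {"ssh"}


@dataclass
class Token:
    kind: str             # "rdp" | "smb" | "samba" | "ssh"
    decoy: str            # hostname of the decoy the token points at
    target_groups: list   # AD / endpoint groups that receive the token
    share_name: str = ""  # only meaningful for smb / samba tokens


# Hostname schemes suggested in the guide (XX = a number); assumed regexes.
HOSTNAME_PATTERNS = {
    "rdp": re.compile(r"^(Terminal|VDI)-\d+$"),
    "smb": re.compile(r"^(FileSRV-\d+|File-Server)$"),
    "samba": re.compile(r"^(Storage-\d+|Backup-Server)$"),
    "ssh": re.compile(r"^(JumpHost|Control|Cloud)-\d+$"),
}
# Which decoy OS and service each token kind must point at.
DECOY_OS = {"rdp": "windows", "smb": "windows", "samba": "linux", "ssh": "linux"}
DECOY_SERVICE = {"rdp": "rdp", "smb": "smb", "samba": "smb", "ssh": "ssh"}


def check_plan(decoys, tokens, it_group="IT-Endpoints"):
    """Return a list of best-practice violations (empty list = plan is clean)."""
    findings = []
    by_host = {d.hostname: d for d in decoys}
    by_kind = {}
    for t in tokens:
        by_kind.setdefault(t.kind, []).append(t)
        d = by_host.get(t.decoy)
        if d is None:
            findings.append(f"{t.kind} token points at unknown decoy {t.decoy}")
            continue
        if d.os != DECOY_OS[t.kind] or DECOY_SERVICE[t.kind] not in d.services:
            findings.append(f"{t.kind} token points at {t.decoy}, which is not a "
                            f"{DECOY_OS[t.kind]} decoy offering {DECOY_SERVICE[t.kind]}")
        if not HOSTNAME_PATTERNS[t.kind].match(d.hostname):
            findings.append(f"decoy {d.hostname} does not follow the {t.kind} naming scheme")

    # SMB and SAMBA tokens must never land on the same endpoint group.
    smb_groups = {g for t in by_kind.get("smb", []) for g in t.target_groups}
    samba_groups = {g for t in by_kind.get("samba", []) for g in t.target_groups}
    for g in sorted(smb_groups & samba_groups):
        findings.append(f"group {g} receives both SMB and SAMBA tokens; use one, not both")

    # Share tokens: at least two distinct share names on at least two decoys.
    for kind in ("smb", "samba"):
        ts = by_kind.get(kind, [])
        if not ts:
            continue
        shares = {t.share_name for t in ts}
        hosts = {t.decoy for t in ts}
        if len(shares) < 2:
            findings.append(f"{kind} tokens use {len(shares)} distinct share name(s); use at least two")
        if len(hosts) < 2:
            findings.append(f"{kind} tokens point at {len(hosts)} decoy(s); use at least two")

    # RDP: 2-3 tokens spread over several different AD user groups.
    rdp = by_kind.get("rdp", [])
    if rdp:
        if not 2 <= len(rdp) <= 3:
            findings.append(f"{len(rdp)} rdp tokens; generate 2-3")
        if len({g for t in rdp for g in t.target_groups}) < 2:
            findings.append("rdp tokens target a single group; spread them over several AD groups")

    # SSH: 2-3 tokens, deployed to the IT endpoints group only.
    ssh = by_kind.get("ssh", [])
    if ssh:
        if not 2 <= len(ssh) <= 3:
            findings.append(f"{len(ssh)} ssh tokens; generate 2-3")
        for t in ssh:
            extra = sorted(set(t.target_groups) - {it_group})
            if extra:
                findings.append(f"ssh token for {t.decoy} targets {extra} outside {it_group}")
    return findings


# Constructed sample plan with two deliberate mistakes (SAMBA next to SMB on the
# same group with a single share, and an SSH token pushed to a non-IT group).
SAMPLE_DECOYS = [
    Decoy("Terminal-01", "windows", {"rdp"}), Decoy("VDI-02", "windows", {"rdp"}),
    Decoy("FileSRV-01", "windows", {"smb"}), Decoy("File-Server", "windows", {"smb"}),
    Decoy("Storage-01", "linux", {"smb"}),
    Decoy("JumpHost-01", "linux", {"ssh"}), Decoy("Cloud-101", "linux", {"ssh"}),
]
SAMPLE_TOKENS = [
    Token("rdp", "Terminal-01", ["Finance-Users"]),
    Token("rdp", "VDI-02", ["Engineering-Users"]),
    Token("smb", "FileSRV-01", ["All-Endpoints"], share_name="Finance"),
    Token("smb", "File-Server", ["All-Endpoints"], share_name="HR"),
    Token("samba", "Storage-01", ["All-Endpoints"], share_name="Backups"),
    Token("ssh", "JumpHost-01", ["IT-Endpoints"]),
    Token("ssh", "Cloud-101", ["IT-Endpoints", "Finance-Users"]),
]

if __name__ == "__main__":
    for f in check_plan(SAMPLE_DECOYS, SAMPLE_TOKENS):
        print("FINDING:", f)
```

Run against the sample plan, the checker reports the SMB/SAMBA overlap on All-Endpoints, the single share name and single decoy behind the SAMBA token, and the SSH token that reaches Finance-Users. Dropping the SAMBA token and trimming the second SSH token to the IT group yields an empty finding list, which is the state a plan should be in before token packages are generated.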
