
What’s new in FortiDeceptor 4.2.0

The following is a list of new features and enhancements in 4.2.0. For details, see the FortiDeceptor Administration Guide in the Fortinet Document Library.

Network Asset Discovery Module:

The new asset discovery module generates the network asset inventory using passive network sniffing, providing network threat visibility and decoy deployment automation.

The network asset discovery supports both IT and IoT/OT networks.

Incident Alerts Reporting:

The FortiDeceptor incident alert menu allows you to generate a security report in PDF format from the incident alerts.

The PDF report style is similar to the FortiDeceptor report in FortiAnalyzer.

New Infrastructure Decoys:

FortiDeceptor expands the virtual appliance offering and now supports Hyper-V infrastructure.

New IT & Services Decoys:

Sensitive IT applications are constant targets for threat actors and APT groups. Deception application decoys are a key component in detecting attacks against critical applications. The following new application decoys were added:

  • ESXi Decoy:
    • Following the recent attacks against the VMware platform, a new ESXi decoy was added.
    • The ESXi decoy is based on FortiDeceptor emulation technology.
  • ELK (Elasticsearch) Decoy:
    • ELK has become one of the most popular data lake platforms and also a target for data exfiltration attacks.
    • The ELK (Elasticsearch) decoy is based on FortiDeceptor emulation technology.
  • New FTP service for Windows & Linux Decoys:
    • FTP services in enterprise networks are used to host organization files.
    • The new FTP lure allows full customization of the service, including anonymous access enablement, FTP credentials and the FTP banner.
New Medical IoT Decoys:
  • New Medical IoT decoys:
    • Expands the medical decoys and adds the Braun Infusomat pump.
    • Many vulnerabilities have been discovered in the Braun Infusomat pump, which is widely deployed in healthcare organizations and has become a target for threat actors.
New Deception Tokens Module:

The deception token package allows you to add breadcrumbs on real endpoints and lead an attacker into a network decoy. Deception tokens are normally distributed across real endpoints and other IT assets on the network to maximize the deception surface.

The new deception token module allows you to generate a custom token campaign from several decoys.

The new token campaigns support two deployment modes:

  • Online mode:
    • The online deployment mode pushes the deception token dynamically based on the server-side configuration.
    • The deception token package runs without an embedded token configuration; on each token deployment, the endpoint retrieves the latest token configuration from the FDC manager.
    • This method allows the security team to change the deception campaign strategy dynamically and be more proactive against evolving threats.
    • This method also allows the endpoint to report deployment status to the FortiDeceptor manager, providing real-time visibility into deception token deployment coverage.
  • Offline mode:
    • The offline deployment mode generates a full deception token package with the token configuration embedded.
New Fabric Integrations:
  • MS ATP EDR: Adds integration between FortiDeceptor and MS ATP EDR, allowing automated threat mitigation to isolate an infected machine from the network.
  • CrowdStrike EDR: Adds integration between FortiDeceptor and CrowdStrike EDR, allowing automated threat mitigation to isolate an infected machine from the network.
  • Cuckoo Sandbox: The integration between FortiDeceptor and Cuckoo Sandbox provides complete static and dynamic analysis of malicious code captured by the network decoys. The malware analysis report is available on the FortiDeceptor admin console.
  • FortiSIEM: The FDC integration connector works with FortiSIEM to update the “watch list” in real time with the deception credentials that were deployed. The integration also automatically identifies whether a threat actor uses them anywhere on the network by checking the FSM logs in real time.
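The watch-list check the FortiSIEM item describes, as an added example that is not FortiDeceptor's or FortiSIEM's code: a list of deployed deception credentials is matched against authentication events, and any use of one of them (successful or not) is raised as an alert pointing back to the decoy the token advertised. The key=value log format, the credential names and the decoy labels are all constructed for the example.

```python
import re
from dataclasses import dataclass

# Constructed watch list: deception credentials deployed by a token campaign,
# mapped to the decoy each token points at. These are placeholders, not real accounts.
WATCH_LIST = {
    "svc_backup": "ftp-decoy-10.10.5.20",
    "corp\\elk_reader": "elk-decoy-10.10.5.21",
}

# Constructed authentication events in a simple key=value style (not a real FortiSIEM format).
SAMPLE_LOGS = [
    'ts=2023-03-01T10:01:02Z type=auth user="jdoe" src=10.10.1.15 dst=10.10.2.8 status=success',
    'ts=2023-03-01T10:01:09Z type=auth user="SVC_BACKUP" src=10.10.1.15 dst=10.10.2.9 status=failure',
    'ts=2023-03-01T10:02:11Z type=auth user="CORP\\elk_reader" src=10.10.1.15 dst=10.10.2.30 status=success',
    'ts=2023-03-01T10:03:00Z type=dns query=fileserver.corp.local src=10.10.1.40',
]

# key=value, where the value is either a double-quoted string or a bare token
KV_RE = re.compile(r'(\w+)=("([^"]*)"|\S+)')


@dataclass(frozen=True)
class Alert:
    ts: str
    user: str
    src: str
    dst: str
    decoy: str


def parse_kv(line):
    """Split one log line into a dict; quoted values lose their quotes."""
    return {m.group(1): (m.group(3) if m.group(3) is not None else m.group(2))
            for m in KV_RE.finditer(line)}


def match_watch_list(lines, watch_list=WATCH_LIST):
    """Return an Alert for every authentication event that uses a deception credential.

    Matching is case-insensitive because Windows logs the DOMAIN\\user form inconsistently,
    and failed logons are flagged too: nobody should even try a planted credential.
    """
    wl = {u.lower(): decoy for u, decoy in watch_list.items()}
    alerts = []
    for line in lines:
        ev = parse_kv(line)
        if ev.get("type") != "auth":
            continue
        user = ev.get("user", "").lower()
        if user in wl:
            alerts.append(Alert(ev["ts"], user, ev.get("src", "?"), ev.get("dst", "?"), wl[user]))
    return alerts
```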
Layer 2 Attacks:

A MITM (man-in-the-middle) attack is a cyberattack in which the attacker secretly relays, and possibly alters, the communications between two parties who believe they are communicating directly with each other, because the attacker has inserted themselves between the two. The goal of the attack is to steal personal information such as login credentials, account details and credit card numbers.

FortiDeceptor expands layer 2 attack detection by detecting ARP poisoning attacks against real assets inside the same network VLANs where decoys are deployed.
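The kind of check a passive sniffer can apply to sniffed ARP replies, as an added example that is not FortiDeceptor's code (the product's detection internals are not described here): bindings learned by asset discovery are the baseline, a reply that claims an inventoried IP with a different MAC is a conflict, and a single MAC claiming several IPs in one VLAN is reported as well. The inventory, the MAC addresses and the reply sequence are constructed.

```python
from collections import defaultdict

# Constructed inventory, standing in for what asset discovery learned: (VLAN, IP) -> MAC.
INVENTORY = {
    (10, "10.10.1.1"):  "00:11:22:aa:bb:01",   # gateway
    (10, "10.10.1.50"): "00:11:22:aa:bb:50",   # file server
    (10, "10.10.1.77"): "00:11:22:aa:bb:77",   # workstation
}

# Constructed ARP replies seen on VLAN 10: (time, vlan, sender_ip, sender_mac, target_ip).
ARP_REPLIES = [
    (1.0, 10, "10.10.1.50", "00:11:22:aa:bb:50", "10.10.1.77"),  # legitimate
    (2.0, 10, "10.10.1.1",  "de:ad:be:ef:00:01", "10.10.1.77"),  # gateway IP claimed by another MAC
    (2.1, 10, "10.10.1.77", "de:ad:be:ef:00:01", "10.10.1.1"),   # same MAC also claims the workstation
    (3.0, 10, "10.10.1.99", "00:11:22:aa:bb:99", "10.10.1.77"),  # unknown host: learned, not alerted
]


def detect_arp_poisoning(replies, inventory):
    """Return alert dicts for suspicious ARP replies, in the order they were seen.

    Bindings for IPs not in the inventory are learned on first sight; an inventoried
    IP answered by a different MAC is an ip_mac_conflict; a MAC that has claimed more
    than one IP in the same VLAN is a mac_claims_multiple_ips.
    """
    alerts = []
    bindings = dict(inventory)           # (vlan, ip) -> mac, extended as we go
    ips_per_mac = defaultdict(set)       # (vlan, mac) -> IPs that MAC has claimed
    for ts, vlan, ip, mac, target in replies:
        known = bindings.get((vlan, ip))
        if known is None:
            bindings[(vlan, ip)] = mac   # first sighting: learn quietly
        elif known != mac:
            alerts.append({"kind": "ip_mac_conflict", "ts": ts, "vlan": vlan, "ip": ip,
                           "expected_mac": known, "seen_mac": mac, "victim": target})
        ips_per_mac[(vlan, mac)].add(ip)
        if len(ips_per_mac[(vlan, mac)]) > 1:
            alerts.append({"kind": "mac_claims_multiple_ips", "ts": ts, "vlan": vlan,
                           "mac": mac, "ips": sorted(ips_per_mac[(vlan, mac)]), "victim": target})
    return alerts
```

The multiple-IP rule needs an allow list in practice: routers with secondary addresses and VRRP/HSRP virtual MACs legitimately answer for more than one IP.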

Threat Intelligence Sharing:

The IOC Export page allows you to export the IOC file in CSV format, and it has been expanded to push the IOCs automatically over the STIX/TAXII protocol for a specified period.

The IOC file contains the Timestamp, Incident time, Attacker IP, related files, and WCF (Web Content Filtering) events.

You can also include MD5 checksums, WCF category, and reconnaissance alerts, allowing third-party threat intelligence platforms to process the IOC data.

General:
  • The FortiDeceptor deployment wizard allows you to configure two DNS servers per decoy.
  • The FortiDeceptor manager expands user access authentication and now supports two-factor authentication (2FA) for RADIUS (for example, FortiToken).