What’s new in FortiDeceptor 6.0.0

The following is a list of new features and enhancements in 6.0.0. For details, see the FortiDeceptor Administration Guide in the Fortinet Document Library.

New IT Decoys & Capabilities:

  • TrueNAS server

    TrueNAS is a free and open-source network-attached storage (NAS) operating system produced by iXsystems. NAS platforms are a constant target for threat actors and APTs looking to access network data, so a TrueNAS decoy is a key component for detecting attacks against critical systems hosting network data.

  • We improved the support of the Decoy customization feature for RedHat RHEL7.9, RHEL8.8, RHEL8.10, and RHEL9.4.
  • We expanded the Outbreak vulnerability coverage and added the following vulnerabilities:
    • Nice Linear eMerge Command Injection Vulnerability (already published)
    • Sunhillo SureLine Command Injection Attack
    • C-Data Web Mgmt RCE Attack (already published)
    • PAN-OS GlobalProtect Command Injection Vulnerability (already published)
    • D-Link Multiple Devices Attack
  • Deception Lures expand the attack surface and maximize deception coverage. Adversaries target file servers to access sensitive files, so to increase engagement between adversaries and the fake file servers we added a new Deception Lure, Clone Directories, which mimics the customer environment by cloning the file server's directory tree structure and naming into the file server decoy.
  • One of the most prevalent uses of PowerShell in cyber attacks is to execute malicious scripts. PowerShell allows attackers to write and execute scripts that can perform a wide range of activities, from stealing credentials and exfiltrating data to deploying ransomware or other forms of malware. We added the ability to capture the commands typed in an interactive PowerShell window or run from a PowerShell script and add them to the incident event.
  • A threat actor that compromises a decoy can use the decoy as a jump box to move laterally. To prevent this, we added an option to block all outgoing connections from the decoy to the network, stopping lateral movement early in the process.
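To make the Clone Directories lure concrete, the following is an added example (not FortiDeceptor's own code) of how a directory-structure clone can be built for a decoy: it mirrors only directory and file names from a source share into a decoy root, creating zero-length placeholders so no real data is copied, and skips symlinks so the walk cannot leave the source tree. The sample file-server layout it builds is constructed for the demo.

```python
import os
import tempfile
from pathlib import Path

# Assumed lure semantics: only directory and file NAMES are mirrored;
# every decoy file is a zero-length placeholder, so no real data is copied.
def clone_tree(src: str, dst: str, max_depth: int = 8) -> dict:
    src_path, dst_path = Path(src).resolve(), Path(dst)
    counts = {"dirs": 0, "files": 0, "skipped": 0}
    for root, dirs, files in os.walk(src_path, followlinks=False):
        rel = Path(root).relative_to(src_path)
        if len(rel.parts) >= max_depth:   # cap depth on very deep shares
            dirs[:] = []
            continue
        # drop symlinked dirs so the walk never leaves the source tree
        dirs[:] = [d for d in dirs if not os.path.islink(os.path.join(root, d))]
        target = dst_path / rel
        target.mkdir(parents=True, exist_ok=True)
        counts["dirs"] += 1
        for name in files:
            if os.path.islink(os.path.join(root, name)):
                counts["skipped"] += 1
                continue
            (target / name).touch()       # name only, zero bytes
            counts["files"] += 1
    return counts

def list_tree(root: Path) -> list:
    """Relative paths of everything under root, for comparing source and decoy."""
    return sorted(str(p.relative_to(root)) for p in root.rglob("*"))

def demo() -> tuple:
    """Build a constructed sample file server, clone it, and verify the decoy."""
    with tempfile.TemporaryDirectory() as tmp:
        src, dst = Path(tmp) / "fileserver", Path(tmp) / "decoy"
        for rel in ("Finance/Q3/budget.xlsx", "Finance/Q3/forecast.docx", "HR/payroll.csv"):
            (src / rel).parent.mkdir(parents=True, exist_ok=True)
            (src / rel).write_text("confidential sample content")
        (src / "Finance" / "archive").mkdir()
        counts = clone_tree(src, dst)
        same_layout = list_tree(src) == list_tree(dst)
        all_empty = all(p.stat().st_size == 0 for p in dst.rglob("*") if p.is_file())
        return counts, same_layout, all_empty

if __name__ == "__main__":
    print(demo())   # ({'dirs': 5, 'files': 3, 'skipped': 0}, True, True)
```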

New Virtual Appliance:

  • A new FortiDeceptor Edge virtual appliance (FDCVME) allows you to deploy a lightweight remote appliance and run decoys directly from the FortiDeceptor central manager over a proprietary Layer 2 tunnel. This simplifies deployment at remote sites that do not require a large deception deployment.
  • We improved the OVF configuration zip structure to support both FDCVMS and FDCVME appliances, because each has different hardware requirements.

OT decoys:

  • We expanded passive OS fingerprinting with more OT protocols and added the following new protocol:
    • Tridium/Niagara Fox

New IoT decoys:

  • We expanded the IoT decoy offering by adding a Netgear MR60 decoy. This device is common and, acting as an internet router, is exposed to many cyber attacks.

    A Netgear MR60 decoy can provide early breach detection for attacks using known or unknown exploits.

General:

  • The FortiDeceptor license for the VM unit is bound to the management port1 IP address; however, due to privacy guidelines, we added the option to bind the license to the VM's automatically generated unique UUID instead.
  • FortiDeceptor provides a built-in mitigation connector for infected machine isolation. We added support for Linux endpoint isolation over SSH, authenticated with either credentials or certificates.
  • FortiDeceptor provides a safe list mechanism that allows adding an IP address considered legitimate so that it does not generate an Event or Incident when accessing decoys. We expanded this feature with the option to block decoy responses entirely, meaning the decoy will not respond to connections from these addresses and will not appear or be visible in IT tools.
  • We expanded the Lure Resources and added centralized management for lure certificates, allowing the user to upload PKCS12/PEM format keys and certificates with or without a passphrase. In the Decoy wizard page, the end user can select a certificate from the dropdown list for any service requiring a certificate.
  • The FortiDeceptor UI migration to the Neutrino framework now also covers the Custom Decoy menu.
  • The custom decoy configuration now allows specifying HDD sizes above the 50G maximum.
  • The FortiDeceptor integration with FortiGate using the REST API has been improved.
  • The Fabric Check Point connector has been improved and supports using a custom policy package name, not just the default one.