
All right, good morning all, hope everyone is doing well. My name is Matt Costner and I am one of the Fortinet SEs in the South Carolina territory. I'm actually located in the Greenville, South Carolina area, Simpsonville to be exact, and I've been with Fortinet for a little over three years. So before we get started, I would be remiss if I did not introduce the rest of the Fortinet field and support teams for South Carolina. Depending on your company's line of business, you will align with an account team represented on this slide. A special thanks to the marketing and channel teams for making this event happen. Some of you may remember that Fortinet sponsored the post-conference festivities at Spare Time last year. Since we were unable to recreate this activity in the current climate, we have another offering that I will announce at the end of the demonstration.
Today I wanted to take some time to talk about a new technology segment that is often overlooked. Security operations is achieved through multiple products working in tandem; today we are going to concentrate on just one of those. It's a product that we've coined FortiDeceptor.

So first, a little bit of background. According to Ponemon's 2019 study, they found the global average total cost of a data breach was $3.92 million; for the US alone, the average total cost of a data breach was $8.2 million. This is a huge impact to any organization of any size. To dig deeper on the contributing factors to a breach, we learn from Verizon's 2019 data breach report that of all breaches that organizations faced, two-thirds can be attributed to organized crime that are motivated financially in launching attacks against organizations, while the remaining one-third are from the organization's sysadmin or end-user community. These are the often overlooked insider threats. And what continues to be a trend is that it only takes minutes for an initial compromise of an asset and subsequent exfiltration of data once the breach is successful. In 56 percent of organizations it took months to discover the breach, and then additional time was needed to take appropriate remediation steps.

So why is it a challenge for organizations to discover these threats earlier? Due to the continued shortage of InfoSec talent, overburdened staff can't effectively respond to thousands of alerts received per day, which is paralyzing the response to actual threats. Way too much noise is happening inside of the SOC, and the management of 30-plus different security products or solutions in a security architecture that may not naturally share threat intelligence creates an obstacle to a timely overall response strategy to a breach.

Fortinet addresses these challenges by offering security solutions for endpoints, access points, network elements, the data center, applications and the cloud. These components are designed to work together as a cohesive security fabric that can be integrated, analyzed and managed to provide end-to-end protection for your network. We are going to focus on security operations solutions. The Fortinet security operations solutions deliver advanced threat intelligence and technologies to prevent, detect and respond to traditional and advanced threats. They also aid with compliance and can help raise overall security awareness.

Most security operations are tasked with four general goals: prevent cyberattacks, detect advanced threats, respond to incidents and demonstrate compliance. With the tools listed we can increase security by keeping pace with the evolving threat landscape, consolidate the tools necessary to minimize missed events, and enrich our threat intelligence with AI-driven threat feeds of malicious files, IP addresses and more. Fortinet's FortiDeceptor technology provides best-in-class defense and protection with security tripwires, which trigger automated responses against malware and unauthorized users looking to access and exploit network resources. Prevention and detection are not the only components to having a good security posture; responding to and containing an incident is still a top priority for CISOs in 2020. However, response time at detecting breaches is still taking companies around 200 days. Using the security fabric, security operations can gain the ability to respond to incidents across Fortinet and non-Fortinet components with automated actions through flexible workflows and advanced triggers, all through a single-pane-of-glass management console.

To break down how security solutions deal with threats, it is common to find there is a set of products or solutions that deal with insider threats and another for external threats. It would be optimal if there was a solution that could protect against both external and internal threats at the same time. FortiDeceptor combines the notion of a honeypot with threat analytics and threat mitigation into one. Specifically, FortiDeceptor creates decoys to lure attackers and inspects their behavior to generate accurate threat intelligence and to block both external and internal attacks. Fortinet is the first major security vendor to offer deception technology, and the offering is available as an appliance as well as a virtual form factor. Furthermore, FortiDeceptor is integrated with the FortiGate firewall as part of the automated threat response process, and with FortiSIEM and FortiAnalyzer for broader visibility.
Normally, the first endpoint an attacker compromises is only used to gain access to the organization's network. Once compromised and controlled, the attacker uses this host to explore the network, find their next target, and move from host to host as they search for the data and assets that they are after for their attack campaigns. As part of this lateral movement, FortiDeceptor redirects attacks to decoy and real devices equipped with lures that appear indistinguishable from real IT and OT assets. These decoys are highly interactive; this allows organizations to detect they have been compromised before the attacker has a chance to achieve their goal.

One key advantage of FortiDeceptor is that it allows organizations to centrally manage and automate the deployment of pre-built or custom decoy VMs and lures, which results in a rapid deployment, usually within a single day. To eliminate the initial compromise and breach dwell time, and also the challenge with too many alerts that create noise, FortiDeceptor acts as an early warning system that exposes an attacker's malicious intent. That translates to immediate alerts sent to the security teams or SIEM for review and validation. FortiDeceptor applies analytics to a consolidated set of security events, then correlates and attributes them to the threat actor along with a timeline of activities, which helps bring to the surface the larger threat campaign in a single pane of glass.

To help the lean InfoSec team scale and create a seamless, consolidated threat response, FortiDeceptor allows security analysts to manually investigate and apply manual remediation, or automatically block these attacks based on severity before actual damage occurs, via an integration with the FortiGate firewall. To provide contextual intelligence for the attacker's activity, FortiDeceptor uses an anti-reconnaissance and anti-exploit service that is comprised of three detection engines that are powered by FortiGuard Labs: the AI-enabled anti-malware service, the AI-enabled web filtering service, and lastly IPS detection. These services allow the detection of malware, malicious URLs, exploits and network-based attacks observed within the decoys. It allows the security team to drill down to a threat campaign's correlated activities and accelerate analysis of the threat. Integration with the FortiGate devices allows for an automated mitigation of that threat.

FortiDeceptor is very flexible, allowing organizations to deploy the solution either as an appliance or a virtual form factor on-premise, all the while the network of decoys can cover the entire organization, from branch locations to the campus, data center, public cloud and even the operational technology networks. The deception VMs offered today simulate Windows, Linux, industrial control systems and other SCADA devices.

So in summary, organizations have to deal with breaches that can originate from external or internal threats. FortiDeceptor helps with this by redirecting these attacks and by analyzing the attacker's behavior, which provides SOC teams actionable intelligence to respond to these threats. Through the security fabric, security teams can share intelligence with a SIEM for broader visibility, and inline security controls can block both external and internal actors automatically before any damage is done. FortiDeceptor is a holistic solution covering the entire organization for both IT and OT segments.

All right, so from here I want to run a couple of scenarios in a lab environment and show you how the product works. Let me share my screen here. Hopefully everyone can see my screen. So let me kind of set the stage: we're going to go through both, I'm going to play the offense and the defense in this scenario. The scenario is that we have
already compromised a machine inside of a company's DMZ. We've done some research as well: we know this company uses the syntax of first initial, last name for usernames, so we're going to use that to our advantage, and we're going to run through kind of an escalation, or a stair-step, of attacks from a box that's going to be our pivot point inside of the DMZ.

But first I want to jump into the FortiDeceptor console and kind of show you how easy it is to deploy some of these decoy VMs into the network. We'll start here with the dashboard, which I call kind of your 30,000-foot view. From here you can actually see all the different events and incidents that we were able to detect. So all of your events are going to be on the inner circle, and then all the incidents that are comprised of all the events will be on the outer circle, and you can see the different severity levels here: critical, medium, low and high. Then we want to look at the different lures, or applications or services, that are actually deployed as part of these decoy VMs out in the environment. So you see some ones that you're probably familiar with, SMB, RDP, SSH, and then some stuff that's actually associated with OT networks, so BACnet and Modbus. If you're not as familiar with OT, you may not be as familiar with those protocols. We get some good information here, and these are actually configurable widgets, so we can change the timeline associated with a lot of these. I think we have three options here: 24 hours, seven days and four weeks. So we keep the analytics for a good period of time; we're also handing this off to a SIEM or FortiAnalyzer as well for long-term storage.

But you can see I've got a lot, and I actually have to preface this: before I put this up for the B-Sides demo, I actually opened up a couple of boxes to the outside to generate some traffic. So there was a Windows box that had RDP enabled, there was an Ubuntu box that had SSH enabled, and they're all going to be using simple username/password combinations, so that's why you're seeing all this information here. So these are the incidents in the last seven days, and of course here are the events that actually make up those incidents. A lot from China, right; kind of surprised so much from France. But you can actually look at it on a geographical map here. So we've got China having 918 incidents, Russia in the 5,000s, and surprisingly, for some reason, France is actually the leader here with over 20,000 incidents. The good guys in Canada don't seem to be wanting to attack me for some reason. Distribution of services, like I said before, RDP, SSH; we can do TCP listeners on specific ports, and I'll get into that a little bit later. And then just your overall incidents over time; again, we can change the time value for this.

So let's look and see what actually goes into building out this deception network. So here are the options we have from an OS standpoint. We can actually pull a FortiGate firewall image down, and that's the only one I haven't pulled down here, and then beside this you can see which lures are associated with which images. So the FortiGate would be associated with a VPN connection; we would set it out on the edge, we would have a simple username and password on it, and hope someone could actually compromise the box and then start to pivot. And that's pretty much the case for all of these: we want them to compromise the box, we want to see what they're doing, what the next steps are, what tools they're trying to download, so we can prepare how to mitigate that threat. So we've got some SCADA devices here, and this SCADA device is actually an Ubuntu box that has some code on it that simulates a SCADA or an ICS device, and again we can see the lures that are available for this box as well. And then we've got a bunch of Linux boxes and a couple of flavors of Windows, Windows 7 and Windows 10: SSH for Ubuntu, RDP for remote management access for these Windows boxes, and SMB and Samba, as well as any TCP listeners that you wanted to set.

So once we download these images, you can see these are initialized and this one's still outstanding, but once we have these downloaded, all we have to do is build out a deployment network. Typically port number 1 is going to be reserved for management, so it's going to be on the safe side of the network, or that trusted side, usually on a network management VLAN. Any other port can be used for deploying decoys into the environment. So from here I've actually just created two networks, two different DMZs, and then I can deploy decoys out. This is a VM that I'm running right here for FortiDeceptor; I could pull a trunk into VMware and actually set up auto VLAN detection or manually set VLAN IDs. These IP addresses are mainly to be used for proxy purposes into the VMs, and I'll show you that shortly. But that's pretty much it: once you download the image files, you set up the networks, and the last step is just to deploy the actual decoy VMs.

So I've got a template here; I'll jump into that. I'll name it "test" just to be simple, but you can see the services that are enabled here: RDP, like I said, my username and password; if I wanted an SMB share, same thing, and then I can give it a creative, you know, enticing name like "banking" or "private", something like that; and then a TCP listener. I've got it set up as port 80, but I see a lot of times this comes in handy too where, if you had a custom application, well not really a custom application but an application that you were hosting internally that maybe had an odd port number, that you wanted to advertise and see if someone could pick it up as that service and start sending exploits towards it. This is where that TCP listener would be handy. So once we do this, we just click Next, and this is where you actually add that interface from the deployment network step earlier, right into here. So much like port 2, I can select DHCP, so I'm just going to grab a regular DHCP address from your DHCP server; I can set it statically if you want to, no big deal there. And then that's it, you just click Deploy. Once you click Deploy, all of your decoys will show up here. You can see I've got a couple of Ubuntu boxes, a couple of Windows 7s, I've got a SCADA device sitting out there, and then it's just typical controls. If I wanted to see how this box is configured, I can click on it and see exactly what's configured, usernames, passwords, that kind of stuff, right? And if I want to jump into a box, I can easily just VNC directly into it from here; we're using that proxy IP that we set up earlier in order to do this, so we're still on the safe side of the network. And the same thing for the Windows side: I can open up an RDP session directly from here, so we have access to the VM via proxy, so everything's safe. And you can see the services that I've got listed here: SMB, Samba, SMB here for Windows, a TCP listener here on port 80. So we're going to actually hit these boxes as part of this demonstration.

The decoy map is going to be more of what's out there, what do we have running. Same thing here: here are our decoys; anything that's red is critical; we can click on any of this stuff, view incidents. It's not typically what I use; I usually just go to the analysis engine here inside of FortiDeceptor, but we'll get to that here in just a moment.

So let's go ahead and jump over to our Kali Linux box. So this is going to be the box that I stated that we compromised. I know we're not going to compromise a Kali Linux box in real life; we're just going to have to make believe here just a little bit. So I'm going to go ahead and start off with just running a simple nmap scan against one of these decoy VMs, and then we're going to look and see, flip back and forth: we'll go offensive, then we'll flip over to FortiDeceptor, see what we can see from a defensive standpoint, and see if the analytics make sense. So I'm going to pull up a couple of command-line scripts that I've got here, and we're just going to quickly run them. So .48, that's the Ubuntu box, that decoy that we looked at earlier. So we'll let this run just a minute and we'll see what we get back.
All right, so we got a response after a little while. So we can see the ports that are actually open on this decoy box; of course we don't know it's a decoy, we're inside of a customer company's network and we're trying to pivot at this point. So we see SSH, 80 is listening, we've got NetBIOS, we've got SMB running. So let's go back to the defensive side and let's see if we can see any of this stuff. So let me go to Analysis, and we're going to see on this side there's actually a couple of events that happened, right, because we're scanning multiple ports: so port 22, 139, 443. So these are lining up with exactly the results that we got from the nmap scan, and we can see all the source ports that we used in order to do this. We actually can pull down the pcap for this transaction if you wanted to. So we were able to capture that nmap scan. Still not as concerning, right? You know, nmap scans are concerning; scans are concerning inside your network, more so, right, but not as big of a deal; it's not going to create a campaign out of it yet. So let's go back and let's dig a little bit deeper.

So the next thing I want to do is, I told you before that I've done my research; I know that the syntax for usernames inside of this company is first initial, last name. I know there's a John Smith, so we're going to go after John Smith, and we're going to use Hydra and do a brute-force password attack using a word list from Metasploit. So let's go ahead and copy and paste that in right quick. So the attack is started.
I apologize, I quarantined myself. This is something I was going to show you earlier; I thought I'd turned this off, but I did quarantine myself. So we'll go ahead and talk about that while I've got it up. So we do have the integration with the FortiGate firewall, where I can actually hit the API on an upstream FortiGate firewall and quarantine devices. So what that means is we're going to show up in Quarantine here, which you see: we've got two minutes left before this guy has fallen off of the quarantine ban. I've got it set for five minutes; you can set it upwards to, I think, multiple days to quarantine this. So once you're quarantined, we can actually go upstream to the FortiGate firewall and we can actually monitor that as well. So we go into the quarantine monitor here, we can actually see that the timers are going to be the same from the API call, and we can see the device that's actually the threat. From here we can actually do some things as far as create address objects out of it, so we can put it on a bad list, we can quarantine it altogether. So there are two different types of quarantine: one is a ban quarantine, which is going to be temporary and more NAC-based, and then we can actually quarantine the host altogether to where it can't pass traffic. We do have some integrations, if you use our secure access switching and wireless too, where we can actually do this before it actually gets into the fabric altogether. And then we can actually build out some automation as well, which is kind of cool. So I built out an automation step for this, and I'm not really doing anything but sending an email, but we can run CLI scripts and we can actually do things to this endpoint in addition to banning the IP address on the FortiGate firewall. Maybe we want to set off a script for something that we can do from a security operations standpoint in the SOC, but it depends on the event that you choose. And again, all I've done is, looking at an event, in that quarantine I'm sending an email, and then here's the email address I'm going to send it to, and it'll just show up in your inbox. So that was something I was going to cover a little bit later, but since I blocked myself, I figured I might as well use the time wisely here.

So let's give it another 20 seconds and we'll run that again. But as you can see, that quarantine does work; we weren't able to run the brute-force attack from there. So refresh here, looks like we're good; let's go back to FortiDeceptor, refresh here, looks like we're good; let's go ahead and run that attack again.

All right, so this time it worked; we didn't quarantine ourselves, and you can see it took three tries in order to guess the password of "password". Yes, we made this really, really simple: we want these decoys to be compromised, we want to see where they're pivoting, what tools they're using next. So let's go back to FortiDeceptor and let's take a look at the Analysis, and we should see something new, and we do. You see I did some testing earlier, but you actually see there was no username before we actually did the brute-force attack. So now we actually know the username used in this transaction, and we can actually go through, showing that an SSH session was established, two wrong passwords were guessed, and then we actually were able to guess the password on the third attempt. So we see all of that activity. So we're good so far.

So let's go a little bit deeper; let's run some commands, right? So we've got interactive access, or we are going to have interactive access, to the console. Let's go ahead and log into this box since we know the username and password now; the password's "password". So now we're on that box, that decoy, although we don't know it's a decoy. I'm going to just run some commands to see what we've got. We've got a loopback address, the interface that I came in on; it looks like we have another interface, so this box is multihomed. That could be interesting for pivoting out. Let's see if we can see any files, hidden files. Yep, we've got some files here in the home directory that we just did a list on. I want to look at that history file there, I see. Yep, so you could pick up some interesting things there depending on who was in here before. So let's do something else; let's actually do something a threat actor would actually do. So let's go and grab some toolsets, and these are not malicious tools, right; this is just going to emulate that. But this is what they would do: they would go out, grab a tool from a website and be able to pull the tool down and use it to pivot or move laterally inside the network. So we're going to use this site, and this is just a simple HTML file. So we downloaded that; there's the file. So let's go back to FortiDeceptor and see what we can see, again from the Analysis tab. So we've got an interaction here; again we've got the attack user, source port; we started the session; again we're coming in here, and here we go, here are all the commands that the threat actor actually ran during his session. The other thing is, let's look at the web filtering events, and we can actually drill down to this and see that there was, here we go, there was a malicious website hit. So the threat actor actually hit this website. If we wanted to go even further, I can pull this pcap and I can look at the URI that was actually used: what package, what toolset did they pull down. It gives you more visibility into knowing what you're up against when someone's actually inside your network already.

So I've got one more step, or one more attack, that I want to place toward this machine, and it's going to be an exploit attack, and actually I'm changing machines now, but it's going to show you the same thing. So I'm going to do a Windows attack on a Windows machine.
This is an old DCOM attack. I've got to update my sources, but let me go ahead and just run this attack on this machine, and the attack is actually going to fail. This is an updated version, actually, this Windows 7; this exploit was originally built for Windows 2003 Server, so this is going to fail. But we want to look at what we're seeing in FortiDeceptor from an analytics standpoint; that's the most important thing. So we're going to go and look at IPS events. We can actually look at the victim port, it's 135, and we can actually see the IPS attack that actually happened. We can pull again the pcap associated with this and we can actually see the attack, or remote activation request, here. So a lot of good information.

So we've covered pretty much scanning, we've covered any kind of remote toolsets that are needed to be downloaded, any malicious code that's downloaded, we've covered any kind of exploits or network-based attacks; we've been able to see all of that so far. So from the offensive side we're done. We're going to go in here and talk about a couple more things. One we've already talked about was the integration with the FortiGate, because I accidentally quarantined myself in advance, but this time I want to look at the actual lures that you can put on legitimate machines. So the machines may be inside your network, maybe you've got a finance VLAN, maybe in the DMZ. We can actually pull tokens from these decoys, and what that means is I can pull a token package and install them on legitimate machines, and maybe these tokens will lead the threat actor to the decoys by hiding cached credentials on those machines for RDP or SSH; maybe there's a symbolic link pointing to a share, again called "banking" or "private", that would entice a threat actor that's already compromised a legitimate machine to start showing themselves by attacking a decoy elsewhere in the network. So there are some cool things that we can actually deploy to legitimate machines to push them over to attack one of the decoys that you've got sitting out there in the network. I think that is about it, since we've already covered the FortiGate piece.