
FortiDeceptor for OT Honeypots

I work with a lot of enterprise manufacturing customers, and the common challenge is adequately securing Operational Technology (OT) networks. The SCADA, ICS and PLC devices responsible for building products were never designed with security in mind and are an easy target for attackers. They are also the lifeblood of these organizations, which places an even heavier burden on securing them adequately. Following the Purdue Model, the first step is to segment the IT and OT environments at the major enforcement boundary between them:

Fortinet Solutions Mapping to Purdue Model (2022)

But to take it a step further (and apply defense in depth), I’ve recommended placing honeypots in OT networks. These honeypots can detect activity on the same LAN segment that never crosses a firewall and so can’t be blocked by one. And I have a love of honeypots — I deployed Modern Honey Network at a past job to detect network scanning on the LAN. Setting up Modern Honey Network took a while, but it is open source and free. This time I wanted to try FortiDeceptor, our honeypot solution, and was amazed at how easy it is to set up and build decoys that look like OT devices.

FortiDeceptor Overview

FortiDeceptor comes as an appliance or a VM; I deployed the VM version in my home lab on VMware vSphere. I followed the Administration Guide and used port1 for management and port2 as a trunk carrying all the VLANs to be used for decoys. After I changed the admin password (the default is no password) and assigned the management IP address, default gateway and date/time, I was able to log in to FortiDeceptor through the web browser. At this point I uploaded the FortiDeceptor license; FortiDeceptor VM is licensed per VLAN and/or /24 network, so each decoy network requires a license (as of this post being published; this could change in the future). There’s also a 20-decoy limit on each FortiDeceptor VM.

Create Decoy Networks

Before we deploy honeypot decoys, we’ll first set up the decoy network(s). Since we trunked all VLANs down to FortiDeceptor via port2 when we deployed the OVA file, we’ll tag each of our decoy networks in FortiDeceptor. Go to Deception > Deployment Network > Add New Vlan / Subnet:

Repeat for as many networks as you’d like to deploy decoys on (and are licensed for).

Download Deception OSs

FortiDeceptor contains a variety of OSs that can be used for decoys:

FortiDeceptor 4.2 Deception OS List

For my purposes, I’ve focused on the Scada OSs and downloaded them. You can also upload a custom OS to more accurately mimic your environment.

Deploy Decoys

At this point you’re ready to deploy your decoy(s). Go to Deception > Deployment Wizard > Create a new decoy. Provide a Name and select “scadav3” from the list of available deception OSs. From here you can see the list of available decoys in the scadav3 deception OS:

FortiDeceptor SCADA Decoys

I’ve deployed Siemens S7 and Rockwell PLCs to test against. Selecting a decoy populates the services associated with it, which you can disable if desired. Decoys can also use Lures — Lures are fake users, fake canary files, etc. that make the decoy more realistic. For the SCADA decoys I’ve deployed I didn’t use Lures, since these SCADA devices are meant to be specific to their task. I did use a Lure with a fake list of users when I built an Ubuntu decoy in a separate test.

Next you’ll populate information in your decoy to make it appear more realistic to your environment:

Siemens S7 S200 PLC Decoy

Click Next to configure the network of the decoy; this is where you’ll specify the decoy network that you had created earlier and give the decoy an IP address:

Decoy Deployment Network

Finally, click Deploy. It will take a few minutes for the decoy to initialize and start up, but you can view the progress under Deception > Decoy Status:

Decoy Statuses

FortiGate Integration

If you have a FortiGate firewall and would like to integrate it with FortiDeceptor so that the FortiGate automatically quarantines any device that touches a honeypot decoy, set up that integration under Fabric > Quarantine Integration:

Add Upstream FortiGate Information

Now log in to the upstream FortiGate and navigate to Security Fabric > Fabric Connectors; you should see the unauthorized FortiDeceptor listed. Select it and click Authorize.

Authorize FortiDeceptor in FortiGate Security Fabric

Now that the two devices are integrated, we need to create an automation stitch on the FortiGate to quarantine a device once FortiDeceptor raises an alert. In the FortiGate, navigate to Security Fabric > Automation > Trigger > Create New > Fabric Connector Event:

FortiGate Automation Trigger

Next, create a new Action for IP Ban:

FortiGate Automation Action

Lastly, create a new Stitch to connect the two together:

FortiGate Automation Stitch

Now when an attacking (or merely curious) IP address attempts to perform reconnaissance against, or interact with, a decoy, FortiDeceptor will notify the FortiGate to quarantine the device for the specified time period (the default is 1 hour) so that you have time to investigate before the quarantine expires. Bear in mind that the ban is keyed on source IP, so a legitimate vulnerability scanner or asset-discovery tool that sweeps the decoy subnet will be quarantined just the same; exclude those hosts or test the stitch against a lab machine first.

Testing the Decoys

Now for the fun part (well, up till now has been fun but this is the really fun part): we’ll attack our decoys and observe FortiDeceptor alerting us to the attacks.

Nmap SNMP Poll

From a device with nmap installed (I used Kali Linux), scan the decoy:

sudo nmap -sU -p 161 --script=snmp-info 192.168.9.100

This will return the following information:

Nmap SNMP Scan of Siemens S7 PLC

And in FortiDeceptor, it will show up like this under Incident > Analysis:

FortiDeceptor – Nmap SNMP Scan

Metasploit Modbus Detection

From a device with Metasploit installed (I used Kali Linux again), scan the decoy using the Modbus protocol:

sudo msfconsole
msf6 > search modbus
msf6 > use auxiliary/scanner/scada/modbusdetect
msf6 auxiliary(scanner/scada/modbusdetect) > show options
msf6 auxiliary(scanner/scada/modbusdetect) > set RHOSTS 192.168.9.100
msf6 auxiliary(scanner/scada/modbusdetect) > exploit

Metasploit modbusdetect Exploit

And in FortiDeceptor, it will show up like this under Incident > Analysis:

FortiDeceptor modbusdetect Alerts

Metasploit Modbus Coil Write

From a device with Metasploit installed (Kali Linux again), attempt to write one of the decoy’s coils using the Modbus protocol. Unlike the detect scan, this is a state change on the “PLC”; on a real controller a coil write can toggle a physical output, so only ever run this against a decoy or a lab device:

msf6 > search modbus
msf6 > use auxiliary/scanner/scada/modbusclient
msf6 auxiliary(scanner/scada/modbusclient) > set RHOSTS 192.168.9.100
msf6 auxiliary(scanner/scada/modbusclient) > set DATA_ADDRESS 1
msf6 auxiliary(scanner/scada/modbusclient) > set DATA 1 (1 writes the coil ON, 0 writes it OFF; reading the same address back with ACTION READ_COILS confirms the new state)
msf6 auxiliary(scanner/scada/modbusclient) > set ACTION WRITE_COIL
msf6 auxiliary(scanner/scada/modbusclient) > exploit

Metasploit modbusclient Exploit

And in FortiDeceptor, it will show up like this under Incident > Analysis:
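To make the two Metasploit modules above less of a black box, here is an added example (my own code, not Metasploit’s or FortiDeceptor’s) that builds the Modbus/TCP frames a detect probe and a WRITE_COIL action put on the wire, plus a tiny in-memory stand-in for a PLC decoy that answers them the way a controller would. Unit ID 1 and the server-ID string are assumptions, and the real modbusdetect module’s exact probe may differ. The points worth taking away: the only legal values for function 0x05 are 0xFF00 (ON) and 0x0000 (OFF), a successful write is acknowledged by echoing the request, and even an exception reply proves the target speaks Modbus, which is why a decoy only has to answer to get fingerprinted.

```python
import struct

FC_WRITE_SINGLE_COIL = 0x05          # what modbusclient's WRITE_COIL action sends
FC_REPORT_SERVER_ID = 0x11           # a common "do you speak Modbus?" probe
COIL_ON, COIL_OFF = 0xFF00, 0x0000   # the only legal coil values for function 0x05
EXC_ILLEGAL_FUNCTION = 0x01
EXC_ILLEGAL_DATA_ADDRESS = 0x02
EXC_ILLEGAL_DATA_VALUE = 0x03


def mbap(tid, unit, pdu):
    """Prepend the 7-byte MBAP header: transaction id, protocol id 0,
    length (unit id + PDU), unit id."""
    return struct.pack(">HHHB", tid, 0, len(pdu) + 1, unit) + pdu


def report_server_id_request(tid=1, unit=1):
    return mbap(tid, unit, bytes([FC_REPORT_SERVER_ID]))


def write_single_coil_request(address, on, tid=1, unit=1):
    """DATA 1 in modbusclient becomes 0xFF00 on the wire, DATA 0 becomes 0x0000."""
    value = COIL_ON if on else COIL_OFF
    return mbap(tid, unit, struct.pack(">BHH", FC_WRITE_SINGLE_COIL, address, value))


def parse_response(frame, expected_tid):
    """Validate the MBAP header and split a reply into function, exception, data."""
    if len(frame) < 8:
        raise ValueError("too short for MBAP header plus function code")
    tid, proto, length, unit = struct.unpack(">HHHB", frame[:7])
    if proto != 0 or length != len(frame) - 6 or tid != expected_tid:
        raise ValueError("not a Modbus/TCP reply to our transaction")
    fc, data = frame[7], frame[8:]
    if fc & 0x80:   # exception reply: function | 0x80 followed by one exception code
        return {"unit": unit, "function": fc & 0x7F, "exception": data[0], "data": b""}
    return {"unit": unit, "function": fc, "exception": None, "data": data}


def looks_like_modbus(frame, expected_tid):
    """Detector in the spirit of modbusdetect: any well-formed reply to our Report
    Server ID probe, including an 'illegal function' exception, proves the target
    speaks Modbus. An HTTP banner or random bytes fail the header checks."""
    try:
        return parse_response(frame, expected_tid)["function"] == FC_REPORT_SERVER_ID
    except ValueError:
        return False


class DecoyPLC:
    """Minimal stand-in for a decoy: 16 coils, a constructed (assumed) server-ID
    string and an interaction log. A coil write is the kind of thing a honeypot
    raises an Interaction incident on; the detect probe is only Reconnaissance."""

    def __init__(self, server_id=b"\x01\xffConstructed-PLC"):
        self.coils = [False] * 16
        self.server_id = server_id
        self.interactions = []

    def reply(self, request):
        tid, _, _, unit = struct.unpack(">HHHB", request[:7])
        fc, data = request[7], request[8:]
        if fc == FC_REPORT_SERVER_ID:
            body = self.server_id + b"\xff"                  # trailing run-indicator byte
            return mbap(tid, unit, bytes([fc, len(body)]) + body)
        if fc == FC_WRITE_SINGLE_COIL:
            if len(data) < 4:
                return mbap(tid, unit, bytes([fc | 0x80, EXC_ILLEGAL_DATA_VALUE]))
            address, value = struct.unpack(">HH", data[:4])
            if address >= len(self.coils):
                return mbap(tid, unit, bytes([fc | 0x80, EXC_ILLEGAL_DATA_ADDRESS]))
            if value not in (COIL_ON, COIL_OFF):
                return mbap(tid, unit, bytes([fc | 0x80, EXC_ILLEGAL_DATA_VALUE]))
            self.coils[address] = value == COIL_ON
            self.interactions.append(("WRITE_COIL", unit, address, self.coils[address]))
            return request                                   # a successful write echoes the request
        return mbap(tid, unit, bytes([fc | 0x80, EXC_ILLEGAL_FUNCTION]))


if __name__ == "__main__":
    plc = DecoyPLC()
    probe = report_server_id_request(tid=3)
    print("speaks Modbus:", looks_like_modbus(plc.reply(probe), 3))
    write = write_single_coil_request(1, True, tid=7)
    print("write echoed:", plc.reply(write) == write, "coil 1 =", plc.coils[1])
    print("interactions:", plc.interactions)
```

Run it as a script to see the probe, the echoed write and the interaction log; swap DecoyPLC for a real socket to 502/tcp and the same frame builders apply unchanged.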

FortiDeceptor Reporting

We showed the Incident Analysis of each attack above. FortiDeceptor classifies each incident as Connection, Interaction, Reconnaissance, IPS event, etc. and assigns a severity to each event. You can use these designations to tune the alerting you receive, especially for a decoy that is more widely reachable: a Connection from an asset-discovery sweep is a very different signal from an Interaction that writes a coil.

FortiDeceptor rolls the individual incidents up into a Campaign, grouped by the attacker’s IP address. This is especially useful if an attacker is targeting multiple decoys: the Campaign dashboard shows the TTPs used by the attacker across your network. In the screenshot below, I can see where the attacker targeted different decoy victim IP addresses:

FortiDeceptor Campaign

FortiDeceptor also illustrates this Campaign in the Attack Map, where I can see which decoys the attacker hit and which individual Incidents map to that attack:

FortiDeceptor Attack Map

Alerts in FortiDeceptor can be exported to syslog or sent as email alerts. I will say the email alerts can get quite chatty, and I’d recommend sending the logs to a syslog server with the alerting set up there (did anyone say SIEM and SOAR?). I set up FortiDeceptor to send logs to FortiAnalyzer, which has its own ADOM for FortiDeceptor:

FortiAnalyzer Showing FortiDeceptor Logs
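FortiDeceptor’s own syslog schema isn’t reproduced on this page, so the following added example (my own code, not FortiDeceptor’s or FortiAnalyzer’s) works on constructed Fortinet-style key=value lines with illustrative field names. It shows the two things the previous paragraphs describe: rolling incidents up into a per-attacker Campaign (victims, services, event types, worst severity) and deciding which campaigns deserve an alert instead of one email per event. Map the field names to the real log format before pointing it at a live feed.

```python
import re

# Constructed sample events in Fortinet-style key=value syslog. Field names and
# values are illustrative only, not FortiDeceptor's documented schema.
SAMPLE_LOG = """\
date=2022-10-05 time=14:00:00 devname=fdc-lab logid=0000 type=system severity=low msg="decoy 192.168.9.100 started"
date=2022-10-05 time=14:02:11 devname=fdc-lab logid=0001 type=Reconnaissance severity=low attacker=192.168.9.50 victim=192.168.9.100 service=snmp msg="SNMP get from scanner"
date=2022-10-05 time=14:02:15 devname=fdc-lab logid=0002 type=Connection severity=low attacker=192.168.9.50 victim=192.168.9.100 service=modbus msg="TCP connect to 502"
date=2022-10-05 time=14:02:16 devname=fdc-lab logid=0003 type=Interaction severity=high attacker=192.168.9.50 victim=192.168.9.100 service=modbus msg="Modbus write single coil addr=1 value=ON"
date=2022-10-05 time=14:05:40 devname=fdc-lab logid=0004 type=Connection severity=low attacker=192.168.9.50 victim=192.168.9.101 service=modbus msg="TCP connect to 502"
date=2022-10-05 time=14:09:02 devname=fdc-lab logid=0005 type=Reconnaissance severity=medium attacker=10.0.0.7 victim=192.168.9.101 service=snmp msg="SNMP walk"
"""

SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3, "critical": 4}
# key=value, where a quoted value may contain spaces and further '=' characters
KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')


def parse_kv(line):
    """Split one key=value syslog line into a dict, unquoting quoted values."""
    fields = {}
    for key, value in KV_RE.findall(line):
        if len(value) >= 2 and value[0] == value[-1] == '"':
            value = value[1:-1].replace('\\"', '"')
        fields[key] = value
    return fields


def build_campaigns(lines):
    """Roll incident events up by attacker IP, the way the Campaign view does.
    Lines without an attacker field (system logs) are ignored."""
    campaigns = {}
    for line in lines:
        ev = parse_kv(line)
        if "attacker" not in ev:
            continue
        c = campaigns.setdefault(ev["attacker"], {
            "events": 0, "victims": set(), "services": set(),
            "event_types": {}, "max_severity": "low"})
        c["events"] += 1
        c["victims"].add(ev.get("victim", "?"))
        c["services"].add(ev.get("service", "?"))
        kind = ev.get("type", "Unknown")
        c["event_types"][kind] = c["event_types"].get(kind, 0) + 1
        if SEVERITY_RANK.get(ev.get("severity"), 0) > SEVERITY_RANK[c["max_severity"]]:
            c["max_severity"] = ev["severity"]
    for c in campaigns.values():          # sets -> sorted lists for stable output
        c["victims"] = sorted(c["victims"])
        c["services"] = sorted(c["services"])
    return campaigns


def needs_alert(campaign, min_severity="high"):
    """Page someone for any Interaction (the attacker did something to the decoy)
    or for any campaign whose worst event reaches the severity floor. Connection-
    and Reconnaissance-only campaigns below the floor stay in the SIEM for hunting."""
    if campaign["event_types"].get("Interaction", 0) > 0:
        return True
    return SEVERITY_RANK[campaign["max_severity"]] >= SEVERITY_RANK[min_severity]


if __name__ == "__main__":
    for attacker, c in build_campaigns(SAMPLE_LOG.splitlines()).items():
        print(f"{attacker}: {c['events']} events, victims={c['victims']}, "
              f"types={c['event_types']}, worst={c['max_severity']}, alert={needs_alert(c)}")
```

With the sample above, 192.168.9.50 becomes one campaign spanning two decoys that alerts because of the coil write, while the lone medium-severity SNMP walk from 10.0.0.7 is kept but not paged at the default threshold.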

Conclusion

FortiDeceptor is a simple and easy-to-use tool for detecting attacker activity on your network that other tools wouldn’t see. And it’s especially useful in our customers’ OT environments, where you can’t install canary tokens on SCADA, ICS, PLC, etc. devices. It’s worth checking out!
