Deception techniques, when deployed well, are a very effective way for organizations to strengthen network defence, and they give blue teams a means of detecting attacks at a very early stage of the cyber kill chain. The problem we have seen is that deploying, managing and administering decoys across large networks is still not straightforward, and it becomes hard for defenders to keep this up over time. Although there are plenty of commercial tools in this space, we have not come across open source tools that can achieve this.
- Host OS: Primary OS hosting the DejaVU virtual machine. Note: the primary host is OS agnostic (Windows/Linux) and can be built according to corporate hardening guidelines.
- DejaVu Virtual Box: Debian based image containing the open source deception framework used to deploy multiple interactive decoys (HTTP servers, SQL, SMB, FTP, SSH, and a client-side NBNS decoy).
- Management Interface – An interface used to reach the web based management console. (Recommended to be isolated from the internal network.)
- Decoy Interface – Trunk/access interface for inbound connections from the different networks towards the interactive decoys. (Recommended to block outbound connections from this interface, so a compromised decoy cannot be used as a pivot.)
- Virtual Interfaces – Interfaces bridged with the decoy interface to channel traffic towards the decoys.
- Server Dockers – Docker based service containers – HTTP (Tomcat/Apache), SQL, SMB, FTP, SSH
- Client Dockers – Docker based client container – NBNS client
- Management Console (Web + DB) – A centralized console to deploy, administer and configure all the decoys, along with a logging and alerting dashboard that displays detailed information about the alerts generated.
- Configure Username/Password for admin panel
php config.php --username=<username> --password=<password> --email=<email>
- Default URL to access the admin panel – http://192.168.56.102
- The VirtualBox network adapter type should be “PCNet” (the full name is something like PCnet-FAST III)
- Set the SMTP configuration in “mailalert.php” to receive e-mail alerts
Now when you browse to the default URL, you are greeted by the logon prompt:
Add Server Decoy
- To add a decoy, we first need to add the VLAN on which we later want to deploy decoys.
- Select Decoy Management -> Add VLAN
- Enter the VLAN ID. Use the “List Available VLANs” option to list the VLANs tagged on the decoy interface.
- To add a server decoy:
- Select Decoy Management -> Add Server Decoy
- Provide the details for the new decoy as shown below. Select the services (SMB/FTP/MySQL/Web Server/SSH) to be deployed, and either use a dynamic IP address or provide a static one.
- Let's run some port scans and authentication attempts from the attacker machine on the server VLAN and analyze the alerts.
- View the alerts triggered when the attacker scanned our decoy and tried to authenticate.
- Select Log Management -> List Events
Add Client Decoy
- To add Client Decoy
- Select Decoy Management ->Add Client Decoy
- Provide the details for the new decoy as shown below. It is recommended to place the client decoy on user VLANs in order to detect Responder/LLMNR attacks.
- Let's run Responder from the attacker machine on the end-user VLAN and analyze the alerts.
- View the alerts triggered when the attacker's Responder instance answered the client decoy's NBNS requests.
- Select Log Management -> List Events
- Alerts can be configured based on various parameters. Example – don't send alerts for traffic from IP 10.1.10.101, for cases where certain IPs such as an in-house vulnerability scanner or SCCM need to be whitelisted.
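To make the whitelisting rule above concrete, here is an added example (written for this page, not DejaVU's own code) that triages constructed decoy events: it drops sources on a whitelist such as the vulnerability scanner at 10.1.10.101, and raises alerts for the three scenarios walked through above (a port scan touching several decoy services, repeated failed logins, and a Responder-style answer to the client decoy's NBNS requests). The pipe-separated event format, the field names, the alert kinds and the "three distinct services means recon" threshold are all assumptions for illustration; DejaVU's real event schema is not shown on this page.

```python
"""Whitelist-aware triage of decoy events (added example, not DejaVU code).

Assumed event format (one per line):
    timestamp|src_ip|decoy_ip|vlan|service|event
"""
import ipaddress
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime

# Constructed sample events: a scanner sweeping three services, an attacker
# brute-forcing SSH/SMB, and a poisoned NBNS answer seen by the client decoy.
SAMPLE_EVENTS = """\
2024-03-01T10:00:01|10.1.10.101|10.1.10.50|10|ssh|connection
2024-03-01T10:00:02|10.1.10.101|10.1.10.50|10|http|connection
2024-03-01T10:00:03|10.1.10.101|10.1.10.50|10|smb|connection
2024-03-01T10:05:10|10.1.10.77|10.1.10.50|10|ssh|connection
2024-03-01T10:05:11|10.1.10.77|10.1.10.50|10|ssh|auth_failed user=root
2024-03-01T10:05:12|10.1.10.77|10.1.10.50|10|ssh|auth_failed user=admin
2024-03-01T10:05:20|10.1.10.77|10.1.10.50|10|smb|auth_failed user=administrator
2024-03-01T11:30:00|10.1.20.15|10.1.20.60|20|nbns|poisoned_response name=FILESRV01
"""


@dataclass
class Event:
    ts: datetime
    src: str
    decoy: str
    vlan: int
    service: str
    event: str


@dataclass
class Alert:
    src: str
    decoy: str
    vlan: int
    kind: str
    detail: str


def parse_events(text):
    """Parse the assumed pipe-separated format; the event field may contain spaces."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        ts, src, decoy, vlan, service, event = line.split("|", 5)
        events.append(Event(datetime.fromisoformat(ts), src, decoy, int(vlan), service, event))
    return events


def is_whitelisted(ip, networks):
    """Whitelist entries may be single hosts ("10.1.10.101") or CIDR ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in networks)


def triage(events, whitelist, recon_services=3):
    """Group events per source, drop whitelisted sources, emit alerts.

    Returns (alerts, suppressed_count). The suppressed count is returned on
    purpose: whitelisted hosts (scanner, SCCM) are exactly the hosts an
    attacker would pivot through, so suppressed events should still be logged.
    """
    networks = [ipaddress.ip_network(w, strict=False) for w in whitelist]
    by_src = defaultdict(list)
    suppressed = 0
    for ev in events:
        if is_whitelisted(ev.src, networks):
            suppressed += 1
            continue
        by_src[ev.src].append(ev)

    alerts = []
    for src, evs in by_src.items():
        first = evs[0]
        services = sorted({e.service for e in evs})
        if len(services) >= recon_services:
            alerts.append(Alert(src, first.decoy, first.vlan, "recon",
                                f"touched {len(services)} services: {','.join(services)}"))
        failed = [e for e in evs if e.event.startswith("auth_failed")]
        if failed:
            svc = ",".join(sorted({e.service for e in failed}))
            alerts.append(Alert(src, first.decoy, first.vlan, "credential_attack",
                                f"{len(failed)} failed logins on {svc}"))
        poisoned = [e for e in evs if e.event.startswith("poisoned_response")]
        if poisoned:
            alerts.append(Alert(src, first.decoy, first.vlan, "nbns_poisoning",
                                f"{len(poisoned)} poisoned NBNS answer(s) to the client decoy"))
    return alerts, suppressed


if __name__ == "__main__":
    alerts, suppressed = triage(parse_events(SAMPLE_EVENTS), ["10.1.10.101", "10.1.30.0/24"])
    print(f"suppressed {suppressed} whitelisted event(s)")
    for a in alerts:
        print(f"VLAN {a.vlan} {a.src} -> {a.decoy}: {a.kind} ({a.detail})")
```

Run without a whitelist and the scanner shows up as a "recon" alert on three services; with 10.1.10.101 whitelisted its three events are suppressed (but counted), while the brute-force against the server decoy and the poisoned NBNS reply on the user VLAN still alert. Keep the whitelist as short as possible: anyone who lands on the scanner host inherits its silence.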
Bhadresh Patel (@bhdresh)
Harish Ramadoss (@hramados)