DejaVU – Open Source Deception Framework


Deception techniques, if deployed well, are very effective for organizations to improve network security and can be a useful arsenal for blue teams to detect attacks at a very early stage of the cyber kill chain. But the problem we have seen is that deploying, managing and administering decoys across large networks is still not easy and becomes complex for defenders to manage over time. Although there are a lot of commercial tools in this space, we haven't come across open source tools that can achieve this.

With this in mind, we have developed DejaVu, an open source deception framework which can be used to deploy decoys across the infrastructure. It can be used by the defender to deploy multiple interactive decoys (HTTP Servers, SQL, SMB, FTP, SSH, client side NBNS) strategically across their network on different VLANs. To ease the management of decoys, we have built a web based platform which can be used to deploy, administer and configure all the decoys effectively from a centralized console. The logging and alerting dashboard displays detailed information about the alerts generated and can be further configured on how these alerts should be handled. If certain IPs like an in-house vulnerability scanner, SCCM etc. need to be whitelisted, this can be configured, which effectively means very few false positives.
Alerts only occur when an adversary engages with the decoy: no legitimate host has a reason to talk to it, so when an attacker touches the decoy during reconnaissance or performs authentication attempts this raises a high accuracy alert which needs to be investigated by the defense. Decoys can also be placed on the client VLANs to detect client side attacks such as Responder/LLMNR poisoning using client side decoys. Also, common services which adversaries abuse for an initial foothold, such as Tomcat or SQL server, can be deployed as decoys, luring the attacker and enabling detection.

Architecture

  • Host OS: Primary OS hosting the DejaVU virtual box. Note: the primary
    host is OS independent (Windows/Linux) and can be built according to
    corporate hardening guidelines.
  • DejaVu Virtual Box: Debian based image containing the open source deception framework to deploy multiple interactive decoys (HTTP Servers, SQL, SMB, FTP, SSH, client side NBNS).
  • Networking
    • Management Interface – An interface to access the web based management console. (Recommended to be isolated from the internal network.)
    • Decoy Interface – Trunk/Access interface for inbound connections from different networks towards the interactive decoys. (Recommended to block outbound connections from this interface, so a compromised decoy cannot be used as a pivot.)
    • Virtual Interfaces – Interfaces bridged with the decoy interface to channel traffic towards the decoys.
  • Server Dockers – Docker based service containers – HTTP (Tomcat/Apache), SQL, SMB, FTP, SSH
  • Client Dockers – Docker based client container – NBNS client
  • Management Console (Web + DB) – A centralized console to deploy, administer and configure all the decoys effectively, including a logging and alerting dashboard to display detailed information about the alerts generated.

Usage Guide
Initial Setup

  1. Configure the username/password for the admin panel:
     php config.php --username=<provide username> --password=<provide password> --email=<provide email>
  2. Default URL to access the admin panel – http://192.168.56.102
  3. The VirtualBox network adapter type should be "PCNet" (the full name is something like PCnet-FAST III)
  4. Set the SMTP configuration in "mailalert.php" to receive email alerts

Now when you visit the default URL, you are greeted by the logon prompt:

Add Server Decoy

  1. To add a decoy, we first need to add the VLAN on which we want to deploy decoys.
    • Select Decoy Management -> Add VLAN
    • Enter the VLAN ID. Use the "List Available VLANs" option to list the VLANs tagged on the interface.

  2. To add a server decoy:
    • Select Decoy Management -> Add Server Decoy
    • Provide the details for the new decoy as shown below. Select the services (SMB/FTP/MySQL/Web Server/SSH) to be deployed, and use a dynamic or provide a static IP address.

  3. Let's do some port scans and authentication attempts from the attacker machine on the server VLAN and analyze the alerts.

  4. View the alerts triggered when the attacker scanned our decoy and tried to authenticate.
    • Select Log Management -> List Events

Add Client Decoy

  1. To add a client decoy:
    • Select Decoy Management -> Add Client Decoy
    • Provide the details for the new decoy as shown below. It's recommended to place the client decoy on client VLANs to detect Responder/LLMNR attacks.

  2. Let's run Responder from the attacker machine on the end user VLAN and analyze the alerts.

  3. View the alerts triggered when Responder answered the client decoy's name queries.
    • Select Log Management -> List Events
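The client decoy works because a poisoner such as Responder answers name queries that no real host would answer. The following is an added example, not DejaVu's own code: it builds an NBNS name query (RFC 1001/1002 wire format) for a canary name that is not registered anywhere, then checks a reply and reports the host that answered. The canary-name technique, the name "FILESRV-CANARY", the attacker address 10.1.10.55 and the reply bytes are all constructed for this example; a real decoy would send the query to the broadcast address on UDP/137 and feed whatever comes back into check_nbns_reply.

```python
import ipaddress
import struct
from typing import Dict, Optional, Tuple

NB_TYPE = 0x0020   # NetBIOS general name service RR type
IN_CLASS = 0x0001


def encode_netbios_name(name: str, suffix: int = 0x00) -> bytes:
    """First-level encoding (RFC 1001 14.1): pad the name to 15 bytes, append the
    suffix byte, then map each nibble to a letter starting at 'A'. 16 bytes -> 32."""
    raw = name.upper().ljust(15)[:15].encode("ascii") + bytes([suffix])
    out = bytearray()
    for b in raw:
        out.append(0x41 + (b >> 4))
        out.append(0x41 + (b & 0x0F))
    return bytes(out)


def decode_netbios_name(encoded: bytes) -> Tuple[str, int]:
    """Inverse of encode_netbios_name: returns (name, suffix)."""
    raw = bytes(((encoded[i] - 0x41) << 4) | (encoded[i + 1] - 0x41) for i in range(0, 32, 2))
    return raw[:15].decode("ascii").rstrip(), raw[15]


def build_nbns_query(name: str, txid: int) -> bytes:
    """NBNS broadcast name query: header (flags 0x0110 = query, broadcast, RD) plus
    one question: length-prefixed encoded name, terminator, type NB, class IN."""
    header = struct.pack("!HHHHHH", txid, 0x0110, 1, 0, 0, 0)
    question = b"\x20" + encode_netbios_name(name) + b"\x00" + struct.pack("!HH", NB_TYPE, IN_CLASS)
    return header + question


def build_poisoned_reply(query: bytes, attacker_ip: str) -> bytes:
    """Constructed sample of what a Responder-style poisoner sends back: a positive
    name query response (flags 0x8500) mapping the asked-for name to its own IP."""
    txid = struct.unpack("!H", query[:2])[0]
    name_field = query[12:46]                      # 0x20 + 32 encoded bytes + 0x00
    header = struct.pack("!HHHHHH", txid, 0x8500, 0, 1, 0, 0)
    rr = (name_field
          + struct.pack("!HHIH", NB_TYPE, IN_CLASS, 300000, 6)   # type, class, TTL, RDLENGTH
          + struct.pack("!H", 0x0000)                            # NB flags (B-node, unique)
          + ipaddress.IPv4Address(attacker_ip).packed)
    return header + rr


def check_nbns_reply(query: bytes, reply: bytes) -> Optional[Dict]:
    """Return details of the answering host if `reply` is a positive NBNS response to
    `query`, else None. Because the canary name is never registered, any positive
    answer means something on the segment is spoofing name resolution."""
    if len(reply) < 12:
        return None
    txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", reply[:12])
    if txid != struct.unpack("!H", query[:2])[0] or not (flags & 0x8000) or an == 0:
        return None
    off = 12
    for _ in range(qd):                  # skip any echoed question sections
        off += 1 + 32 + 1 + 4
    if len(reply) < off + 34 + 10 + 6 or reply[off] != 0x20:
        return None                      # label compression is not handled; poisoners send full names
    answered_name, _suffix = decode_netbios_name(reply[off + 1:off + 33])
    off += 34
    rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", reply[off:off + 10])
    off += 10
    if rtype != NB_TYPE or rclass != IN_CLASS or rdlen < 6:
        return None
    spoofed_ip = str(ipaddress.IPv4Address(reply[off + 2:off + 6]))   # skip the 2 NB flag bytes
    queried_name, _ = decode_netbios_name(query[13:45])
    return {
        "queried_name": queried_name,
        "answered_name": answered_name,
        "spoofed_ip": spoofed_ip,
        "ttl": ttl,
        "matches_query": answered_name == queried_name,
    }


if __name__ == "__main__":
    q = build_nbns_query("FILESRV-CANARY", 0x1234)
    r = build_poisoned_reply(q, "10.1.10.55")       # constructed attacker reply
    print(check_nbns_reply(q, r))
```

The same idea carries over to LLMNR (UDP/5355, DNS wire format rather than NBNS encoding): ask for a name nobody owns and alert on whoever answers. A decoy should rotate its canary names and query timing so an attacker watching the wire cannot simply blacklist them.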

Filter Alerts

  1. Alerts can be configured based on various parameters. Example: don't send alerts from IP 10.1.10.101. Use this when certain IPs like an in-house vulnerability scanner, SCCM etc. need to be whitelisted.
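To make the whitelisting and the "high accuracy alert" idea concrete, here is an added example (not DejaVu's code, and not its event schema): a small triage routine that takes raw decoy touches, drops those from whitelisted sources, and collapses the rest into one alert per attacking host, with severity raised when credentials were tried. The event records, field names and all IP addresses are constructed for this example; the scanner at 10.1.10.101 and the SCCM subnet 10.1.30.0/24 are assumed.

```python
import ipaddress
from collections import defaultdict
from typing import Dict, Iterable, List, Tuple

# Constructed sample decoy events (field names are an assumption for illustration).
SAMPLE_EVENTS = [
    {"ts": "2019-03-04T10:01:02", "src": "10.1.10.101", "decoy": "10.1.20.50", "service": "ssh",   "action": "connect"},
    {"ts": "2019-03-04T10:01:03", "src": "10.1.10.101", "decoy": "10.1.20.50", "service": "smb",   "action": "connect"},
    {"ts": "2019-03-04T10:04:10", "src": "10.1.10.37",  "decoy": "10.1.20.50", "service": "ssh",   "action": "connect"},
    {"ts": "2019-03-04T10:04:12", "src": "10.1.10.37",  "decoy": "10.1.20.50", "service": "ssh",   "action": "auth", "user": "root"},
    {"ts": "2019-03-04T10:04:40", "src": "10.1.10.37",  "decoy": "10.1.20.50", "service": "mysql", "action": "auth", "user": "sa"},
    {"ts": "2019-03-04T10:09:00", "src": "10.1.30.9",   "decoy": "10.1.20.50", "service": "http",  "action": "connect"},
]

# Hosts that legitimately touch every port: the in-house vulnerability scanner
# and the SCCM subnet (assumed addresses). Keep this list as short as possible.
WHITELIST = [ipaddress.ip_network("10.1.10.101/32"), ipaddress.ip_network("10.1.30.0/24")]


def is_whitelisted(src: str, whitelist: Iterable[ipaddress.IPv4Network]) -> bool:
    addr = ipaddress.ip_address(src)
    return any(addr in net for net in whitelist)


def triage(events: Iterable[Dict], whitelist: Iterable[ipaddress.IPv4Network]) -> Tuple[List[Dict], int]:
    """Collapse raw decoy touches into one alert per source host.
    Returns (alerts ordered by first contact, number of suppressed events)."""
    whitelist = list(whitelist)
    per_src = defaultdict(lambda: {"services": set(), "auth_attempts": [], "first": None, "last": None})
    suppressed = 0
    for ev in sorted(events, key=lambda e: e["ts"]):
        if is_whitelisted(ev["src"], whitelist):
            suppressed += 1          # counted, not silently dropped, so the whitelist can be audited
            continue
        rec = per_src[ev["src"]]
        rec["services"].add(ev["service"])
        rec["first"] = rec["first"] or ev["ts"]
        rec["last"] = ev["ts"]
        if ev["action"] == "auth":
            rec["auth_attempts"].append((ev["service"], ev.get("user")))

    alerts = []
    for src, rec in per_src.items():
        # Nobody has a business reason to talk to a decoy, so a bare connection is
        # already worth a look; a credential attempt is a hands-on-keyboard signal.
        severity = "high" if rec["auth_attempts"] else "medium"
        alerts.append({
            "src": src,
            "severity": severity,
            "services": sorted(rec["services"]),
            "auth_attempts": rec["auth_attempts"],
            "first_seen": rec["first"],
            "last_seen": rec["last"],
        })
    return sorted(alerts, key=lambda a: a["first_seen"]), suppressed


if __name__ == "__main__":
    found, dropped = triage(SAMPLE_EVENTS, WHITELIST)
    print(f"suppressed {dropped} whitelisted events")
    for a in found:
        print(a)
```

A source-IP whitelist is a blind spot by design: if the scanner host itself is compromised, its traffic to the decoys is suppressed too, so whitelist single hosts rather than whole subnets wherever possible and review the suppressed count periodically.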

To Do

Authors
Bhadresh Patel (@bhdresh)
Harish Ramadoss (@hramados)
