A Non-Intrusive, Agentless Deception Solution to Detect and Stop Active In-Network Attacks

FortiDeceptor is Fortinet's non-intrusive, agentless deception platform that puts the power back into the hand of defenders, with the ability to deceive attackers into engaging with fake assets and ultimately revealing themselves.

A force multiplier to current security defenses, FortiDeceptor combines the concept of honeypot with threat analytics and threat mitigation capabilities. This is achieved by distributing a layer of deception assets across the network-decoys and tokens, such as fake keys and files on endpoints and servers-and creating a system of traps that look and operate like any other real asset across IT, OT, and IoT networks, intended to deceive, detect, and isolate known and unknown human and automated attacks.

With FortiDeceptor, instead of waiting for the threat actor to make a mistake and then detect their presence, you can now embrace an active defense approach where any step the attacker takes-whether they try to escalate privileges or run malware-becomes an opportunity for you to detect them.

Early Threat Detection, Minimal Network Impact

FortiDeceptor works by deploying and running decoys from the FortiDeceptor console using available IP addresses. As decoys leverage unused IP addresses across the different network segments, they do not impact network availability and, to the attacker, they seem like an integral part on your network. These IP addresses do not correspond to any real host or device on the network.

The FortiDeceptor platform consists of several deception components that together provide an authentic and scalable layer of deception assets that are identical to other assets across your network. These decoys are fake assets, such as industrial control systems, medical devices, ATMs, tank gauges, POS devices, IoT devices, network infrastructure, and more, that run real operating systems and services and generate fake but limited traffic to lure attackers to them, diverting them away from sensitive assets. FortiDeceptor provides an extensive inventory of decoys. You can also 'bring your own decoys' and upload your own golden images.

To expand the deception layer event further, FortiDeceptor places breadcrumbs (or tokens) on real endpoints and servers. These are fake documents, files, or fake credentials, that attackers look to leverage to move laterally or encrypt. The breadcrumbs, which are indistinguishable from real files and credentials, are designed to deceive the attacker or malware to laterally move to the decoy. FortiDeceptor immediately detects any use of fake credentials, generates alerts, and automatically isolates the endpoint using built-in endpoint isolation capabilities or security orchestration, automation, and response (SOAR) playbooks.

Accelerated Incident Response

The solution generates high-fidelity, zero false-positive alerts, providing security teams with a unique advantage over malicious activity, and unparalleled visibility to detect and stop attacks, credential thefts, lateral movement, and malware activity. It also provides compensating security control when patching or when other security controls aren't an option. A good example of this is in OT environments where patches aren't available; even when patches are available, the time and effort required for maintenance is arduous.

A Non-Intrusive, Agentless Deception Solution to Detect and Stop Active In-Network Attacks

FortiDeceptor is Fortinet's non-intrusive, agentless deception platform that puts the power back into the hand of defenders, with the ability to deceive attackers into engaging with fake assets and ultimately revealing themselves.

A force multiplier to current security defenses, FortiDeceptor combines the concept of honeypot with threat analytics and threat mitigation capabilities. This is achieved by distributing a layer of deception assets across the network-decoys and tokens, such as fake keys and files on endpoints and servers-and creating a system of traps that look and operate like any other real asset across IT, OT, and IoT networks, intended to deceive, detect, and isolate known and unknown human and automated attacks.

With FortiDeceptor, instead of waiting for the threat actor to make a mistake and then detect their presence, you can now embrace an active defense approach where any step the attacker takes-whether they try to escalate privileges or run malware-becomes an opportunity for you to detect them.

Early Threat Detection, Minimal Network Impact

FortiDeceptor works by deploying and running decoys from the FortiDeceptor console using available IP addresses. As decoys leverage unused IP addresses across the different network segments, they do not impact network availability and, to the attacker, they seem like an integral part on your network. These IP addresses do not correspond to any real host or device on the network.

The FortiDeceptor platform consists of several deception components that together provide an authentic and scalable layer of deception assets that are identical to other assets across your network. These decoys are fake assets, such as industrial control systems, medical devices, ATMs, tank gauges, POS devices, IoT devices, network infrastructure, and more, that run real operating systems and services and generate fake but limited traffic to lure attackers to them, diverting them away from sensitive assets. FortiDeceptor provides an extensive inventory of decoys. You can also 'bring your own decoys' and upload your own golden images.

To expand the deception layer event further, FortiDeceptor places breadcrumbs (or tokens) on real endpoints and servers. These are fake documents, files, or fake credentials, that attackers look to leverage to move laterally or encrypt. The breadcrumbs, which are indistinguishable from real files and credentials, are designed to deceive the attacker or malware to laterally move to the decoy. FortiDeceptor immediately detects any use of fake credentials, generates alerts, and automatically isolates the endpoint using built-in endpoint isolation capabilities or security orchestration, automation, and response (SOAR) playbooks.

Accelerated Incident Response

The solution generates high-fidelity, zero false-positive alerts, providing security teams with a unique advantage over malicious activity, and unparalleled visibility to detect and stop attacks, credential thefts, lateral movement, and malware activity. It also provides compensating security control when patching or when other security controls aren't an option. A good example of this is in OT environments where patches aren't available; even when patches are available, the time and effort required for maintenance is arduous.