Fortinet, Inc.
LEVERAGING NETWORK SECURITY SCANNING TO OBTAIN ENHANCED INFORMATION REGARDING AN ATTACK CHAIN INVOLVING A DECOY FILE

Abstract:

Systems and methods for identifying a source of an attack chain based on network security scanning events triggered by movement of a decoy file are provided. A decoy file is stored on a deception host deployed by a deception-based intrusion detection system (IDS) within a private network. The decoy file contains therein a traceable object that is detectable by network security scanning performed by multiple network security devices protecting the private network. Information regarding an attack chain associated with an access to the decoy file or a transmission of the decoy file through the one or more network security devices is received by the deception-based IDS from the one or more network security devices. The information is created responsive to detection of a security incident by the network security scanning. Finally, an Internet Protocol (IP) address of a computer system that originated the attack chain is determined.

Status:

Application

Type:

Utility

Filing date:

24 Jun 2020

Issue date:

30 Dec 2021