Home

Awesome

DejaVU - Open Source Deception Platform

DejaVu (part of Camolabs.io) is a deception platform which can be used to deploy decoys on both cloud(for now we support AWS) and internal network.

This is our presentation at Blackhat Europe where we show how we can leverage Deception to detect common adversary tactics and techniques during various stages of attack lifecycle.

Deploying DejaVu on Internal Network

If you are looking deploying DejaVu on your internal network, you can download the platform from Camolabs.io. Use the below guides to help you get started.

Default credentials: administrator:changepassword

Background

We started DejaVu in 2018 and initially presented our work at Blackhat, Defcon, and HITB. Over the last few years we have added various new decoys, breadcrumbs and changed our architecture based on the feedback from organisations using it.

DejaVu can be used by the defender to deploy multiple interactive (Server and Client) decoys strategically across their network on different VLAN’s and on Cloud (AWS). To ease the management of decoys, we have built a web based platform which can be used to deploy, administer and configure all the decoys effectively from a centralized console. Logging and alerting dashboard displays detailed information about the alerts generated and can be further configured on how these alerts should be handled. If certain IP’s like in-house vulnerability scanner, SCCM etc. needs to be discarded, this can be configured which effectively would mean very few false positives.

Alerts only occur when an adversary is engaged with the decoy, so now when the attacker touches the decoy during reconnaissance or performs authentication attempts this raises a high accuracy alert which should be investigated by the defense. Decoys can also be placed on the client VLAN’s to detect client side attacks such as responder/LLMNR attacks using client side decoys. Additionally, common attacks which the adversary uses to compromise such as abusing Tomcat/SQL server for initial foothold can be deployed as decoys, luring the attacker and enabling detection.

One of the major advantages of DejaVu - Using a single platform you can deploys decoys across different VLANS and manage, monitor them.

Use Cases

Below are few examples attack vectors using DejaVu platform you can detect:

Architecture

Architecture

Decoy Types

Sneak Peek

<img src="https://raw.githubusercontent.com/bhdresh/Dejavu/master/images/1.png" width="45%" height="250 px"> <img src="https://raw.githubusercontent.com/bhdresh/Dejavu/master/images/2.png" width="45%" height="250 px"> <img src="https://raw.githubusercontent.com/bhdresh/Dejavu/master/images/3.png" width="45%" height="250 px"> <img src="https://raw.githubusercontent.com/bhdresh/Dejavu/master/images/4.png" width="45%" height="250 px">

Authors

Credits