Blogs
nmoore
Staff
Staff

Our previous blog covered how FortiEDR eliminates malware and attacks early in the cyber kill chain and the benefits of proactive security. We know nothing in this life is guaranteed and no form of security is perfect. As stated before, Threat Hunting helps identify what circumvented the first line of defence. This blog will cover post-attack threat hunting.

Post-attack, Threat Hunting can assist in ‘following the breadcrumbs’ and identifying patient zero, peering back days, weeks or even months. While FortiEDR’s Forensics suite provides much of the answer with patented code-tracing technology, Threat Hunting is also an essential component.

While investigating an event, FortiEDR provides an intuitive experience with contextualised Threat Hunting hyperlinks enabling the SOC analyst to quickly retrieve the information required.

UploadedImages_jFVcuBmfRKG04TwmNgYb_threat-capabilities-1.png

Figure 1.1 – Contextualized Threat Hunting – Events View

UploadedImages_MetvxlmRWShYd8tdzKjY_threat-capabilities-2.png

Figure 1.2 – Contextualized Threat Hunting – Forensics View

 

It is also possible to scan all (or selected) endpoints for specific traces of an attack – detonated samples, encryption activity, Command & Control (C2) communication etc. These can all be used to trace back to the point of origin – patient zero.

In the example below, an identified threat has been traced back to the use of Mimikatz – a tool commonly used by threat actors to steal credentials and elevate privileges. Using Threat Hunting, all uses of Mimikatz can be queried while sorting by date & time.

In this case the first use of mimikatz.exe is quickly identified with a “File Create” activity. This search also indicates the machine and user originally compromised.

UploadedImages_3dvGSTTpT6HdIfu2gdQQ_threat-capabilities-3.png

Figure 1.3 – Using Threat Hunting to Find Patient Zero

 

Upon stumbling across a suspicious file it is also possible to either remediate (delete) or retrieve it for further analysis offline.

Shifting focus from file activity to network activity, FortiEDR’s Threat Hunting can be used to search for potentially malicious network communication, including C2.

While it is possible to perform searches using contextual GUI-driven workflows, some prefer to construct queries using the flexible Lucene syntax. In this example, it is used to identify all network connections to known bad IPs associated with Kinsing crypto mining.

UploadedImages_lABq7JoWQpO4YqXjn2mA_threat-capabilities-4.png

Figure 1.4 – Using Threat Hunting Lucene Syntax

 

While this query can be conducted as a one-off search to identify historical indicators, the same query can be scheduled so that notifications are generated upon future occurrences.

The flexibility and breadth of these Threat Hunting features mean that performing post-attack investigations with FortiEDR enables organisations to respond to incidents more effectively and reduce MTTR.


Summary

FortiEDR threat hunting enables SOC teams to be proactive and ensures that even if something slips through the net, they have the necessary tools to find where it came from, where it went, and how to remove it. Ultimately the focus is to reduce MTTR when an attack has already occurred.

While Threat Hunting is a powerful tool for SOC analysts, what if your organisation doesn’t have a SOC team? Thankfully, Fortinet’s Managed EDR service – FortiResponder, includes Managed Threat Hunting. You can find out more here.

For more information on FortiEDR’s threat hunting capabilities, please read this solution brief
2 Comments
KamaDuba
New Contributor
this is amazing post i am glade to here, Kamagra Oral Jelly is used to cure problems of erectile dysfunction and less libido in males. Its Effects can be observed between 6-8 hours. Kamagra Oral jelly enhances erectile function significantly, also increases testosterone through extending sexual activity, and is also safe for usage. This remedy still has benefits during post-cycle therapy. It may be beneficial for helping at least during PCT.

At least 15-30 twinkles before your sexual intercourse should be consumed orally in the dosage of 1 sachet. Before you utilize Kamagra oral jelly, you should consult your doctor, if you have any issues such as heart problems, angina, and liver dysfunction. If you have these troubles should not consume Kamagra oral jelly unless recommended by a healthcare provider.
Gcsclea
New Contributor

Gcscleaning.ae

Professional Cleaning Services

We provide cleaning services in Dubai for homes and offices. To clean hard-to-reach areas our team ensures to use of the right products. We prefer flexible green cleaning solutions. To make cleaning more enjoyable and effective we prefer concentrated cleaning solutions.

Our customers can easily book our services online. For our customers, we assist in finding experienced cleaners. We are providing both residential and commercial cleaning services. Cleaning services Dubai are available to help you out. Book now our professional technical services at very affordable rates.  To make everything sparkling we use the right cleaning products. Call us to book an appointment for our cleaning services.

  • Our Services

_ Move-in and move-out residential cleaning

_ Post-construction cleaning

_ Residential cleaning includes

_ Carpet, upholstery cleaning services

_ Floor vacuum cleaning

_ Dusting and scrubbing windows

_ Doors, door frames, and decorative items cleaning

_ Disinfection and sanitization of kitchen and bathroom

_ Deep cleaning services Dubai

_ Air-conditioner and ceiling fan cleaning

_ Other Services Includes

_ Commercial Cleaning Services

_ Painting services

_ Home cleaning services

_ Curtain fixing services

We provide high-quality technical services in UAE for home and office cleaning at a very affordable.

 Our expert provides professional carpentry services, installation, and custom-making of all kinds of furniture pieces. We provide professional painting services for interior and exterior home painting, drywall repair, and pressure washing.

  • Contact Us

Contact us through phone call +971504485205,  +971 4 5139088

or send an email to booking@gcscleaning.ae

  • Address:-

Trade Core Business Centre, 2nd Floor, Mankhool, Dubai, United Arab Emirates