FortiGuard Outbreak Alert: Version 4.0

Pwalia · ‎05-14-2024

What is an Outbreak Alert?

An Outbreak Alert provides a comprehensive report on critical and emerging cybersecurity threats that may compromise sensitive data, disrupt operations, and pose significant risks to the organization’s security.

Each report can assist customers in understanding the background of the attack, the timeline of events, affected technologies, and related threat intelligence such as Indicators of Compromise (IoCs), Tactics, Techniques, and Procedures (TTPs), and Attack sequence used by the advisories.

Across the attack surface, there are a significant number of attack vectors. At the same time, many products and services are available in the market which can make it confusing to gain assurance of being fully protected. The FortiGuard Outbreak Alerts address that challenge by providing the context around the entire attack surface and to help clarify which Fortinet product or service can aid in the Protection, Detection, Response, Recovery, and Identification of the threat.

What is the scope of Outbreak Alerts?

FortiGuard Outbreak Alert covers the latest and emerging cybersecurity threats, security incidents, newly discovered vulnerabilities, malware and/or ransomware.

FortiGuard Outbreak Alerts provides end-to-end security products or services that can help mitigate security threats and vulnerabilities by leveraging the range of FortiGuard Services.

Outbreak reports provide technical information relevant to the individual outbreak, and do not provide unrelated product/service information. Outbreaks also do not provide hearsay or gossip associated with the outbreak or the victims. 

What’s new in the Outbreak Alerts 4.0 Solution?

The new report format of the FortiGuard Outbreak Alerts uses a comprehensive structure to assist CISO and Security Operations (SOC) teams in checking their environment for reporting to InfoSec or other stakeholders. 

In this new 4.0 format, the report has been broken down into five different sections to easily navigate through the outbreak. These are Overview, Analysis, Solutions, Threat Intelligence, and References.

The report includes the following well-defined frameworks and solutions:

    1. NIST Cyber Security Framework (CSF) - The top-level solution section of the report is structured around the NIST CSF lifecycle components of Identify, Protect, Detect, Respond, and Recover. This helps to understand the available mitigations for security threats and vulnerabilities by leveraging the range of FortiGuard products and services. The Outbreak leads with the Protect as initial protection coverage of the cyberattack.

    2. MITRE ATT&CK - Each outbreak is analyzed by FortiGuard Labs to provide a comprehensive view of threat actors’ tactics, techniques, and procedures (TTPs), and to provide more detailed information for SOC analysts. These details are provided together with the outbreak alert as supplementary information when appropriate. 

    3. Threat Radar – The new threat radar combines both FortiGuard telemetries and external threat landscape. This combination provides a holistic rating of the cyber threat. Learn more about Threat Radar below.

    4. Attack sequence - A simple diagram of the cyber-attack and its components deployed to compromise a target system or network and the steps involved.

How does Threat Radar supplement the Outbreak Alert?

Users may use the Threat Radar values in conjunction with other vulnerability management processes to make informed decisions about patching, mitigation, and defense strategies. A higher value suggests a higher priority for remediation efforts and actionable Intelligence as they represent a more immediate or severe threat.

The Threat Radar combines ratings from five different sources:

CVSS v3.0

The Common Vulnerability Scoring System (CVSS) is a free and open industry standard for assessing the severity of computer system security vulnerabilities. CVSS attempts to assign severity scores to vulnerabilities, allowing responders to prioritize responses and resources according to the threat. Scores are calculated based on a formula that depends on several metrics that approximate the ease and impact of an exploit. Scores range from 0 to 10, with 10 being the most severe.

Below is the conversion:

CVSS Range	Level
9.8-10.00	5
9.0-9.7	4
7.0-8.9	3
4.0-6.9	2
0-3.9	1

Exploit Prediction Score

The Exploit Prediction Scoring System (EPSS) is a data-driven effort for estimating the likelihood (probability) that a software vulnerability will be exploited in the wild. The higher the value means the greater likelihood of exploitation. https://www.first.org/epss/

Below is the conversion:

EPSS Range	Level
80.00-100	5
40.00-79.99	4
20.00-39.99	3
10.00-19.99	2
1-9.99	1
0	0

FortiRecon
Score

FortiRecon provides visibility into the external threat landscape. Fortinet experts monitor the dark web, Pastebin, forums, markets, OSINT, and more, to get ahead of hard-to-find potential threats.

Below is the conversion:

FortiRecon Score	Level
90-100	5
70-89	4
40-69	3
29-39	2
1-28	1

Known Exploited Vulnerability

CISA KEV is a database of security flaws in software applications and weaknesses that have been exposed and leveraged by attackers. https://www.cisa.gov/known-exploited-vulnerabilities

Below is the conversion:

Known Exploited	Level
Yes & widely used vendors (e.g. Microsoft, Apache)	5
Added to KEV	3
Not added to KEV	0

FortiGuard Telemetry

FortiGuard tracks the attempted exploitation attacks on the number of unique IPS devices in the last 30 days. The higher the number means the more widespread the attack is.

Below is the conversion:

CVSS Range	Level
50,000+	5
10,001-49,000	4
1001-10,000	3
101-1000	2
1-100	1

When an outbreak has multiple CVEs, we use the highest possible value from each CVE when creating Threat Radar. This is to anticipate the Outbreak Threat level as compared to each related CVEs.

How can you improve and optimize your Security Operations with limited resources?

If you have a FortiGate, with the FortiGuard IPS service you are able to protect your network and block adversaries from getting inside the perimeter. However, it becomes crucial to identify gaps in current programs and processes as there are multiple attack vectors and advanced threats that could take advantage of it. FortiGate customers can use FortiAnalyzer to streamline threat intelligence, and security automation to detect Outbreak traces in their network. This lightweight deployment delivers essential SecOps capabilities, transforming raw data into actionable insights reducing complexity and cost, while elevating efficiency and effectiveness.

Which products support automated Outbreak Detection Services?

Customers using FortiAnalyzer may subscribe to the Outbreak Detection Service, which delivers the outbreak reports plus real-time updated event handlers and reports to check the customer environment (logs) for any triggers associated with the outbreak.

FortiAnalyzer can then raise incidents and generate reports for customer SOC teams to further investigate or take remediation action.

Other products also support automated Outbreak Detection Services, including pre-built decoys for FortiDeceptor, automated security rating packages for FortiGate, targeted threat hunting for FortiSIEM, endpoint tagging rules for FortiClient, and playbook response packages for FortiSOAR.  

Learn more: Outbreak Detection Service

How can you get Outbreak alerts delivered directly to your inbox?

Anyone can subscribe to receive the FortiGuard Outbreak Alert report using the link below and signing up using your email address. https://www.fortinet.com/fortiguard/labs