Description

FortiGuard Outbreak Alerts provide a comprehensive report about critical and significant security outbreaks.  Each report can assist customers in understanding the background, as well as how to check their environment, ensure they are protected, and plan for augmentation of any gaps. 

Across the attack surface there are a significant number of attack vectors, which translates to a large number of products and services available in the market.  That can be often-times confusing to gain assurance of being fully protected.  One objective of FortiGuard Outbreak Alerts is to provide the context around the entire attack surface, and to help clarify which components can aide in protection, detection and response activities.  

Scope

FortiGuard Outbreak Alerts provide all information surrounding the outbreak itself, the attack surface and the end-to-end security lifecycle.

Outbreak reports provide technical information relevant to the individual outbreak, and do not provide product/service information that is not related.  Outbreaks also do not provide hearsay or gossip associated with the outbreak or the victims. 

Solution

Version 3.0 of the FortiGuard Outbreak Alerts use established frameworks to assist CISO and Security Operations (SOC) teams in checking their environment plus reporting to InfoSec or other stakeholders. 

The frameworks employed include:

    1.  NIST Cyber Security Framework (CSF) - the top-level report is structured around the NIST CSF lifecycle components of Protect, Detect, Respond, Recover and Identify.  

    2.  Cyber Kill Chain - given the huge number of products & services available, the Protect phase of NIST CSF is further broken down using the Cyber Kill Chain stages.  This adds context around which stage of attack each product or service is deployed. 

    3.  NIST Incident Response Framework - the Detect, Respond and Recover phases are guided by the NIST IR framework. 

    4.  MITRE ATT&CK - each Outbreak is analyzed by FortiGuard Labs to provide a comprehensive view of the tactics & techniques employed, in order to provide more detailed information for SOC analysts.  These details are provided together with the outbreak alert as supplementary information when appropriate. 

Additional Information

• Customers using FortiAnalyzer may subscribe to the Outbreak Detection Service, which delivers the outbreak reports plus real-time updated event handlers & report to check the customer environment (logs) for any triggers associated with the outbreak.  FortiAnalyzer can then raise incidents and generate reports for customer SOC teams to further investigate or take action. 
  
  
• Other products also support automated Outbreak Detection Services, including pre-built decoys for FortiDeceptor, automated security rating packages for FortiGate, targeted threat hunting and tagging rules for FortiClient, and more.  
  
  
• The FortiGuard Outbreak Alert shows EPSS of vulnerabilities. The EPSS is provided by FIRST (https://www.first.org/). By their definition, the EPSS model produces a probability score between 0 and 1 (0% and 100%). The higher the score, the greater the probability that a vulnerability will be exploited (in the next 30 days).
  
  
• On FortiGuard Outbreaks with multiple vulnerabilities, only the highest EPSS score is posted.

• All outbreaks are published on FortiGuard.  The first outbreak updated to Version 3.0 of the report is Log4j2.