FortiSOAR Discussions
srivastavad
Staff

FortiSOAR For VPN Breach

The Lateral Movement and VPN Breach Response Solution Pack is a security solution that helps protect against attacks where hackers enter a network by first compromising a computer and then secretly moving through the network to avoid detection. Their aim is to gain more control and access important data. 

 
 

The solution comes with the "Investigate Lateral Movement & VPN Breach Detection" playbook. The goal of this playbook is to automate the response to security incidents related to lateral movement and VPN breaches, ensuring a rapid and coordinated response to mitigate potential risks and limit the impact of the breach.

Here is a breakdown of the automated tasks involved in this playbook:

Fetch Asset Details Related to the Malicious IP Address: This task involves retrieving information about assets or devices that may be affected by the malicious IP address. It likely includes gathering details such as the hostname, IP address, device type, user associated with the device, and any recent network activity.

Investigate VPN Breaches and Block Malicious IP: This step involves analyzing the VPN logs and traffic data to identify signs of a breach. Once a malicious IP address is detected, the playbook takes actions such as blocking the IP address at the firewall or VPN gateway to prevent further unauthorized access.

Quarantine the Malicious IP Endpoint on FortiClient EMS: FortiClient EMS (Endpoint Management System) is a security solution for managing endpoints. Quarantining the malicious IP endpoint likely means isolating or restricting its network access within the organization's network to prevent potential harm and further lateral movement.

Fetch Compromised Users' Details to Block Them on Microsoft Active Directory: In this step, the playbook gathers information about compromised users who may have been affected by the security incident. Once these users are identified, their accounts are likely disabled or blocked in Microsoft Active Directory to prevent unauthorized access and further compromise.

 

Key integrations include Fortinet FortiClient EMS, FortiDeceptor, FortiEDR, FortiGate, FortiSIEM, and Microsoft Active Directory. To optimize performance, it's essential to set up a data ingestion process and configure the Syslog connector for actionable alerts in FortiSOAR.

Reference: https://fortisoar.contenthub.fortinet.com//detail.html?entity=lateralMovementAndVPNBreachResponse&ve...
