FortiSOAR Discussions
srivastavad
Staff

FortiSOAR Outbreak Response Framework Overview

A new FortiGuard Outbreak Detection Service is now available through FortiSOAR™'s Outbreak Response Framework Solution Pack. This solution pack is designed to investigate Outbreak Alerts, providing detailed information on vulnerabilities, their background, announcements, latest developments, CVE lists, and Indicators of Compromise (IOCs). Two specific vulnerabilities, the Log4j vulnerability (CVE-2021-44228) and a SQL injection vulnerability in the MOVEit Transfer web application, are mentioned as examples.
For more see https://github.com/fortinet-fortisoar/solution-pack-outbreak-response-framework/tree/release/1.0.0

Log4j vulnerability (Log4Shell) in Apache Log4j 2 library enables attackers to use it as a shell for arbitrary code execution. The solution pack integrates Threat Hunt Rules for proactive identification and investigation of potential Indicators of Compromise (IOCs) across FortiSIEM, FortiAnalyzer, QRadar, Splunk, and Azure Log Analytics environments. For more see: https://github.com/fortinet-fortisoar/solution-pack-outbreak-response-log4j-vulnerability/blob/relea...


The second vulnerability involves a SQL injection vulnerability in the MOVEit Transfer web application. This vulnerability could potentially allow an unauthenticated attacker to gain access to MOVEit Transfer's database. Depending on the database engine being used, the attacker may be able to gather information about the database's structure and contents and execute SQL statements to change or delete database elements. Similar to the Log4j vulnerability, the solution pack works with Threat Hunt Rules to identify and investigate potential IOCs associated with this vulnerability in various operational environments.

For more see: https://fortisoar.contenthub.fortinet.com//detail.html?entity=outbreakResponse-ProgressMOVEitTransfe...


Overall, the Outbreak Response Framework aims to provide timely information about ongoing cyber threats and help organizations take proactive measures to secure their systems. The framework includes tools, alerts, and rules to detect and respond to cybersecurity outbreaks:

• Outbreak Alerts: FortiGuard offers alerts about emerging threats like malware and phishing. These alerts provide details about the threat, its impact, and recommended actions. This solution investigates outbreak alerts and provides information about the attack, its timeline, affected technologies, and measures taken to prevent vulnerabilities. It includes a list of indicators of compromise (IoCs) to identify the threat.
• Outbreak Dashboard: A visual overview of outbreak information to help understand and respond to threats more effectively.
• Threat Hunt Rules: These rules are used to investigate outbreak alerts. They include Fortinet Fabric Rules, Sigma Rules, and YARA Rules.
  • Fortinet Fabric Rules: Used by security devices like FortiAnalyzer and FortiSIEM to collect, analyze, and report on security events.
  • Sigma Rules: These rules are written in a standard language for different security platforms, promoting consistency, rapid development, and community collaboration.
  • YARA Rules: These rules use pattern-matching to detect malware based on specific characteristics, providing flexibility, scalability, and integration with security systems.

The Outbreak Response Framework Solution Pack also addresses the critical challenge of zero-day exploits. With its early threat detection capabilities, the solution pack is particularly effective in identifying and mitigating risks associated with zero-day vulnerabilities. Also, since Sigma rules are written in a standard language for different security platforms, this promotes consistency, rapid development, and community collaboration, thereby strengthening cybersecurity posture.
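To make the "Threat Hunt Rules" and "Sigma rules are written in a standard language for different security platforms" points concrete, here is an added example (not code from the solution pack, FortiSOAR, or Fortinet). It defines one Sigma-structured rule that hunts for contact with outbreak IoCs, evaluates it directly against constructed proxy events, and renders the same detection block as a Splunk-style search, which is what a Sigma backend does for each target platform. The IoC domains and IP (RFC 5737 documentation range), the event records, the field names, and the Splunk rendering are all constructed for illustration; only a small subset of Sigma syntax is implemented.

```python
"""Tiny Sigma-style rule evaluator (added example, not FortiSOAR code).

Supports a subset of Sigma: field modifiers |contains, |startswith, |endswith,
list values (OR within a field, AND across fields of one selection), and
conditions built from selection names with and / or / not / parentheses plus
the '1 of <prefix>*' shorthand.
"""
import re

# Constructed indicators, standing in for the IoC list an outbreak alert carries.
IOC_DOMAINS = ["malicious-update.example", "c2-beacon.example"]
IOC_IPS = ["203.0.113.45"]  # RFC 5737 documentation address (constructed)

RULE = {  # mirrors the YAML keys of a real Sigma rule
    "title": "Contact with outbreak IoCs (constructed)",
    "logsource": {"category": "proxy"},
    "detection": {
        "sel_domain": {"dst_host|endswith": IOC_DOMAINS},
        "sel_ip": {"dst_ip": IOC_IPS},
        "filter_blocked": {"action": "blocked"},  # already stopped at the proxy
        "condition": "1 of sel_* and not filter_blocked",
    },
}

# Constructed proxy events (field names are an assumption for this example).
EVENTS = [
    {"src_ip": "10.0.0.7", "dst_host": "cdn.malicious-update.example", "dst_ip": "198.51.100.9", "action": "allowed"},
    {"src_ip": "10.0.0.8", "dst_host": "www.example.org", "dst_ip": "203.0.113.45", "action": "allowed"},
    {"src_ip": "10.0.0.9", "dst_host": "c2-beacon.example", "dst_ip": "198.51.100.10", "action": "blocked"},
    {"src_ip": "10.0.0.10", "dst_host": "intranet.example.org", "dst_ip": "192.0.2.5", "action": "allowed"},
]


def _value_matches(modifier, actual, expected):
    actual, expected = str(actual).lower(), str(expected).lower()
    if modifier == "contains":
        return expected in actual
    if modifier == "startswith":
        return actual.startswith(expected)
    if modifier == "endswith":
        return actual.endswith(expected)
    return actual == expected  # no modifier: exact (case-insensitive) match


def selection_matches(selection, event):
    """Every field in a selection must match (AND); a list value is an OR."""
    for key, expected in selection.items():
        field, _, modifier = key.partition("|")
        if field not in event:
            return False
        candidates = expected if isinstance(expected, list) else [expected]
        if not any(_value_matches(modifier, event[field], c) for c in candidates):
            return False
    return True


def _expand_condition(condition, names):
    """Rewrite '1 of sel_*' into '(sel_domain or sel_ip)'."""
    def repl(m):
        group = [n for n in names if n.startswith(m.group(1))]
        return "(" + " or ".join(group) + ")"
    return re.sub(r"1 of (\w+)\*", repl, condition)


def _eval_condition(tokens, values):
    """Recursive descent: expr := term ('or' term)*; term := factor ('and' factor)*;
    factor := 'not' factor | '(' expr ')' | selection-name."""
    pos = [0]

    def peek():
        return tokens[pos[0]] if pos[0] < len(tokens) else None

    def take():
        pos[0] += 1
        return tokens[pos[0] - 1]

    def factor():
        tok = take()
        if tok == "not":
            return not factor()
        if tok == "(":
            val = expr()
            assert take() == ")", "unbalanced parenthesis in condition"
            return val
        return values[tok]

    def term():
        val = factor()
        while peek() == "and":
            take()
            val = factor() and val  # factor() first so tokens are always consumed
        return val

    def expr():
        val = term()
        while peek() == "or":
            take()
            val = term() or val
        return val

    result = expr()
    assert pos[0] == len(tokens), "unparsed condition tokens"
    return result


def rule_matches(rule, event):
    det = rule["detection"]
    names = [k for k in det if k != "condition"]
    values = {n: selection_matches(det[n], event) for n in names}
    tokens = re.findall(r"\(|\)|\w+", _expand_condition(det["condition"], names))
    return _eval_condition(tokens, values)


def hunt(rule, events):
    """Return the events the rule fires on."""
    return [e for e in events if rule_matches(rule, e)]


def to_splunk(rule):
    """Render the same detection as a Splunk-style search (one possible backend)."""
    det = rule["detection"]
    names = [k for k in det if k != "condition"]
    wildcard = {"contains": "*{}*", "startswith": "{}*", "endswith": "*{}"}

    def sel_to_spl(selection):
        parts = []
        for key, expected in selection.items():
            field, _, modifier = key.partition("|")
            vals = expected if isinstance(expected, list) else [expected]
            terms = [f'{field}="{wildcard.get(modifier, "{}").format(v)}"' for v in vals]
            parts.append("(" + " OR ".join(terms) + ")" if len(terms) > 1 else terms[0])
        return "(" + " AND ".join(parts) + ")" if len(parts) > 1 else parts[0]

    cond = _expand_condition(det["condition"], names)
    for n in names:
        cond = re.sub(rf"\b{n}\b", sel_to_spl(det[n]), cond)
    return cond.replace(" and ", " AND ").replace(" or ", " OR ").replace("not ", "NOT ")


if __name__ == "__main__":
    for hit in hunt(RULE, EVENTS):
        print("HIT:", hit)
    print("SPL:", to_splunk(RULE))
```

The blocked event is deliberately excluded by the `filter_blocked` selection: a hunt over proxy logs is looking for contacts that got through, and the same `and not` clause survives translation into the Splunk form, which is the portability the post attributes to Sigma.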

srivastavad

Thank you for your thoughtful feedback! We are glad you found the overview helpful. If you have any further questions or need more information during your exploration, feel free to reach out. Stay secure and happy exploring!