As one of the most valuable tools of EDR, Threat Hunting helps identify bad actors that have otherwise circumvented the first line of defence. It achieves this by proactively identifying threat indicators and vulnerabilities that lurk undetected. FortiEDR’s Threat Hunting is a powerful tool that provides benefits earlier and later in the cyber kill chain. This blog will cover how FortiEDR eliminates attacks before execution. It will cover scanning for metadata, behavior correlation (MITRE ATT&CK), and scheduled queries while a secondary blog will cover post-execution.
While FortiEDR’s pre and post-infection engines offer protection at multiple stages of the cyber kill chain, how can you proactively scan endpoints for Tactics, Techniques and Procedures (TTPs) which could indicate a potential attack? How can you search for threats that may have otherwise slipped through the net?
Figure 1.1 – Cyber Kill Chain
Threat Hunting enables the SOC analyst to proactively scan their environment for metadata that could correspond to a potential attack. FortiEDR collects a plethora of metadata across multiple operating systems which can be queried, a subset of which is illustrated below. It should also be noted that while FortiEDR provides extensive data retention by default, it can be extended even further if necessary.
Figure 1.2 – FortiEDR Threat Hunting Collection Profile
Each of these data points (or a combination) could reflect TTPs. This empowers the SOC analyst to better understand their attack surface and pinpoint potential attack vectors within their organisation – before the Delivery or Exploitation phase(s). If you want to see a practical example of this, our solution brief on threat hunting covers Log4j.
Behavior Correlation – Aligned to MITRE ATT&CK Matrix
With MITRE ATT&CK Matrix alignment, FortiEDR uses sophisticated algorithms to identify behavioural traits in collected metadata and align these to MITRE TTPs. For example: discovery, lateral movement, and reconnaissance.
Figure 1.4 – Threat Hunting Behavioral TTPs – Aligned to MITRE ATT&CK Matrix
This enables the SOC analyst to easily identify suspicious behavior that points to TTPs earlier in the kill chain without having to manually sift through the vast amounts of collected data.
While this capability is undoubtedly useful, it still requires the SOC analyst to manually search for said behaviors. What if the desire is to be more proactive?
Scheduled Queries are used to automatically run pre-defined Threat Hunting searches at recurring intervals. For example: scan all endpoints for reconnaissance behavior every 15 minutes. If this behavior is identified, generate a “Suspicious” event and notify the SOC team.
When fully utilized, these features enable SOC teams to identify potential attacks earlier in the kill chain and greatly reduce the Mean-Time-To-Detect (MTTD). What about post-attack? How does Threat Hunting help with incident investigation and reducing Mean-Time-To-Respond (MTTR)?
While traditional endpoint security solutions have operated from the mindset of “lie in wait”, Threat Hunting enables a new way of thinking to reduce MTTD and identify threats earlier in the kill chain. It enables SOC teams to be proactive, rather than reactive, and ensures that even if something slips through the net, they have the necessary tools to protect the organization.
FortiEDR’s Threat Hunting delivers an uncompromising solution combining comprehensive data collection for multiple operating systems with automation and intuitive workflows. It ensures SOC teams do not become overwhelmed, thanks to behavioral analysis aligned to the MITRE ATT&CK Matrix and scheduled queries enabling proactive notification of suspicious behavior.
While Threat Hunting is a powerful tool for SOC analysts, what if your organization doesn’t have a SOC team? Thankfully, Fortinet’s Managed EDR service, FortiResponder, includes Managed Threat Hunting. You can find out more here.
To see how FortiEDR eliminates malware later in the kill chain, read our next blog.
For more information on FortiEDR’s threat hunting capabilities, please read this solution brief.