Blogs

How FortiEDR Hunts for Threats Later in the Kill Chain

By Nathaniel posted Mar 14, 2022 10:39 AM

  

Our previous blog covered how FortiEDR eliminates malware and attacks early in the cyber kill chain and the benefits of proactive security. We know nothing in this life is guaranteed and no form of security is perfect. As stated before, Threat Hunting helps identify what circumvented the first line of defence. This blog will cover post-attack threat hunting.

Post-attack, Threat Hunting can assist in ‘following the breadcrumbs’ and identifying patient zero, peering back days, weeks or even months. While FortiEDR’s Forensics suite provides much of the answer with patented code-tracing technology, Threat Hunting is also an essential component.

While investigating an event, FortiEDR provides an intuitive experience with contextualised Threat Hunting hyperlinks enabling the SOC analyst to quickly retrieve the information required.

Figure 1.1 – Contextualized Threat Hunting – Events View

Figure 1.2 – Contextualized Threat Hunting – Forensics View

 

It is also possible to scan all (or selected) endpoints for specific traces of an attack – detonated samples, encryption activity, Command & Control (C2) communication etc. These can all be used to trace back to the point of origin – patient zero.

In the example below, an identified threat has been traced back to the use of Mimikatz – a tool commonly used by threat actors to steal credentials and elevate privileges. Using Threat Hunting, all uses of Mimikatz can be queried while sorting by date & time.

In this case the first use of mimikatz.exe is quickly identified with a “File Create” activity. This search also indicates the machine and user originally compromised.

Figure 1.3 – Using Threat Hunting to Find Patient Zero

 

Upon stumbling across a suspicious file it is also possible to either remediate (delete) or retrieve it for further analysis offline.

Shifting focus from file activity to network activity, FortiEDR’s Threat Hunting can be used to search for potentially malicious network communication, including C2.

While it is possible to perform searches using contextual GUI-driven workflows, some prefer to construct queries using the flexible Lucene syntax. In this example, it is used to identify all network connections to known bad IPs associated with Kinsing crypto mining.

Figure 1.4 – Using Threat Hunting Lucene Syntax

 

While this query can be conducted as a one-off search to identify historical indicators, the same query can be scheduled so that notifications are generated upon future occurrences.

The flexibility and breadth of these Threat Hunting features mean that performing post-attack investigations with FortiEDR enables organisations to respond to incidents more effectively and reduce MTTR.


Summary

FortiEDR threat hunting enables SOC teams to be proactive and ensures that even if something slips through the net, they have the necessary tools to find where it came from, where it went, and how to remove it. Ultimately the focus is to reduce MTTR when an attack has already occurred.

While Threat Hunting is a powerful tool for SOC analysts, what if your organisation doesn’t have a SOC team? Thankfully, Fortinet’s Managed EDR service – FortiResponder, includes Managed Threat Hunting. You can find out more here.

For more information on FortiEDR’s threat hunting capabilities, please read this solution brief

Permalink