
Fortinet Advanced Threat Protection Framework

This article describes the Fortinet ATP (Advanced Threat Protection) Framework, which Fortinet positions as a complete, modular solution for protecting against modern threats. What follows is an overview of how the framework automates the identification, prevention and suppression of malware and protects the ecosystem as a whole.

Advanced malware can do great harm to organizations, from data theft through compromised identities to the disruption of important operations. Cybercriminal attacks are complex and constantly evolving, with attackers continually creating new and insidious methods of penetration and attack.
Partly due to the ever-increasing frequency of public attacks, most organizations have recognized the need to improve their IT security infrastructure. According to ESG's research, 37% of organizations surveyed ranked cybersecurity improvements first among their IT infrastructure development priorities for 2016.
Organizations should evaluate both their ability to identify threats to their IT infrastructure and their ability to withstand them. Most advanced malware is either hidden or zero-day. Hidden threats are designed to penetrate systems undetected, sometimes remaining dormant in the system for a period of time. Zero-day threats are attacks that exploit previously unknown vulnerabilities in a network, operating system or application, which makes them difficult to combat.
Traditionally, security has been implemented with a perimeter firewall in conjunction with endpoint (workstation) scanners. Perimeter firewalls blocked simple types of attack and prevented unauthorized access to internal systems, while antivirus on the endpoints scanned user devices against signatures of previously known or suspected malware. Next-generation firewalls and endpoint protection software increase the depth of inspection both at the perimeter and on the end device, but they still rely on searching for known attacks. They are simply not designed to detect the latest, previously unknown attacks. Too often, organizations remain unaware of such threats until significant damage has already been done.
Fortinet framework for preventing advanced threats
Fortinet has developed its own framework for protecting against advanced threats. It aims to provide comprehensive visibility of all activity on the network using both existing and new methods, and takes a modular approach to integrating Fortinet's security products for the network, applications, endpoints and cloud services.

The advanced threat protection framework includes:
• FortiGate - the next generation firewall that provides in-depth packet inspection and application definition for network security and threat protection.
• FortiWeb - a firewall for Web applications designed to protect applications accessible from the Internet. Two-way protection against advanced threats including denial of service, SQL injection, XSS, buffer overflows, cookie poisoning and a large number of other attacks.
• FortiMail - a mail security gateway that protects email users from incoming threats using anti-spam, anti-phishing and malware prevention techniques. Outgoing mail protection includes Information Leakage Prevention (DLP), Identity Based Encryption (IBE), and Message Archiving.
• FortiClient - protection for Windows, Mac, iOS and Android end devices, including, but not limited to: malware protection, application monitoring, web filtering, vulnerability management, two-factor authentication and remote access.
• FortiSandbox - centralized analysis and detection of potential threats using code emulation and execution of the code in a secure virtual environment. It examines behavior in addition to static attributes to identify unwanted activity, and dynamically takes action to respond to incidents and update protection.
• FortiGuard - Fortinet researchers use information from global sources to research threats and attacks, and also maintain a cloud-based knowledge base on researching threats and ways to prevent them.
FortiGate, FortiWeb and FortiMail are the most common solutions, available in both hardware and software form, and are used together with the FortiClient application on end devices to meet the needs of organizations of all sizes. Each ATP Framework product can act as a standalone solution or be combined with the other products for enhanced protection through their interoperability. In a fully integrated framework, the network and endpoint protection products send potentially dangerous objects to FortiSandbox for analysis; FortiSandbox in turn sends instructions on how to handle those objects back to the products, and also to FortiGuard Labs for distribution among Fortinet products.
Fortinet describes the three phases of its products to provide coordinated protection: prevention, detection, and mitigation.
• Prevention - to prevent attacks from many well-known and highly suspicious threats.
• Detection - identify previously unknown threats and disseminate information about the threat for an accelerated response.
• Mitigation - research and analyze new data; create a signature and turn the unknown into the known for prevention in the future.
Identification
The main approach of the Fortinet Framework to identify advanced threats is to identify unknown threats and redirect them to FortiSandbox to reveal the behavior, tactics, techniques and procedures that are used in cyber attacks. FortiSandbox uses virtual machines as tools to evaluate potential threats from executable files, compressed files (zip files), application data such as Adobe Flash, Adobe PDF and JavaScript, etc. However, executing each suspicious file in a virtual machine can be resource intensive and take some time. This can limit the total number of suspicious files that can be evaluated, with a significant impact on performance.
Fortinet uses several techniques to increase efficiency. Before a suspicious file is executed in the sandbox, it can be pre-filtered: by the anti-virus engine, by a query to the FortiGuard cloud service, and by an OS-independent simulation made possible by Fortinet's patented Compact Pattern Recognition Language (CPRL). CPRL is a system for deep code inspection and pattern recognition that significantly extends protection against advanced persistent threats (APT) and advanced evasion techniques (AET) beyond what is possible with traditional signature analysis.
Each threat identified on Sandbox includes information about the method used to identify:
• AV scan - the threat was detected by matching the file against the signatures known to FortiClient (or FortiGate / FortiMail), and the match was confirmed.
• Cloud Query - if the file signature is not known by FortiClient (FortiGate / FortiMail), then it can be compared with the signatures of FortiGuard, a Fortinet cloud service with a knowledge base of advanced threats.
• Sandboxing - the threat was detected when FortiSandbox evaluated the behavior of the file.
In addition to identification methods, a risk rating (clean, low risk, high risk or malicious) is also indicated. The test results include many details about the code and its rating, including a summary assessment of behavior, screenshots of the malicious program, and the ability to download additional information in the form of a log.
For example, the behavior leading to a high risk rating includes:
• The executable file tried to connect to a remote C&C botnet server.
• The executable file deleted the files.
• An executable file spawned processes.
• Hosts infected with the executable file make HTTP connections to specific URLs / IP addresses.
• Hosts infected with the executable file issue DNS queries for specific domain names.
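The tiered triage described above (local AV signature match, then a cloud reputation query, and only then sandbox detonation) and the behavior-based risk rating can be modeled in a few dozen lines. The following Python script is an added example written for this article; it is not Fortinet's code and does not call any Fortinet API. The sample files, hashes, the "fake sandbox" detonation results and the behavior-to-risk mapping are all constructed and assumed for illustration; the real products use their own signatures, CPRL simulation and rating rules. The point it makes is that the pre-filter keeps most already-known files out of the expensive sandbox stage, and that the sandbox verdict is derived from the worst behavior observed.

```python
"""Toy model of tiered file triage: AV scan -> Cloud Query -> Sandboxing.

Added example for this article; not Fortinet code. All hashes, sample
files and detonation results below are constructed for the demonstration.
"""
import hashlib
from dataclasses import dataclass
from typing import Callable, Dict, List, Set

# Rating scale used in the article: clean, low risk, high risk, malicious.
CLEAN, LOW, HIGH, MALICIOUS = "clean", "low risk", "high risk", "malicious"
RANK = {CLEAN: 0, LOW: 1, HIGH: 2, MALICIOUS: 3}

# Assumed mapping of observed sandbox behaviours to a risk level. The behaviour
# names follow the article's list of high-risk behaviours; the levels are ours.
BEHAVIOUR_RISK = {
    "c2_connect": MALICIOUS,   # connection attempt to a remote C&C server
    "file_delete": HIGH,       # the executable deleted files
    "process_spawn": HIGH,     # the executable spawned processes
    "http_connect": HIGH,      # HTTP connection to specific URLs / IPs
    "dns_query": HIGH,         # DNS queries for specific domain names
    "registry_read": LOW,      # constructed low-risk behaviour for contrast
}


@dataclass
class Verdict:
    sha256: str
    method: str            # "AV scan", "Cloud Query" or "Sandboxing"
    rating: str
    behaviours: List[str]  # only populated when the sandbox ran


def sha256_of(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def rate_behaviours(behaviours: List[str]) -> str:
    """The worst observed behaviour decides the rating; no behaviours means clean.
    Behaviour types not in the table are assumed to count as low risk."""
    rating = CLEAN
    for b in behaviours:
        level = BEHAVIOUR_RISK.get(b, LOW)
        if RANK[level] > RANK[rating]:
            rating = level
    return rating


def triage(data: bytes, local_sigs: Set[str], cloud_reputation: Dict[str, str],
           sandbox: Callable[[bytes], List[str]]) -> Verdict:
    """Cheapest check first; the sandbox is only reached by files nobody knows."""
    digest = sha256_of(data)
    if digest in local_sigs:                       # stage 1: local AV signatures
        return Verdict(digest, "AV scan", MALICIOUS, [])
    if digest in cloud_reputation:                 # stage 2: cloud knowledge base
        return Verdict(digest, "Cloud Query", cloud_reputation[digest], [])
    behaviours = sandbox(data)                     # stage 3: detonate and observe
    return Verdict(digest, "Sandboxing", rate_behaviours(behaviours), behaviours)


# Constructed sample "files" and the knowledge the two pre-filter stages hold.
KNOWN_BAD = b"constructed-sample: dropper with a local AV signature"
CLOUD_BAD = b"constructed-sample: downloader known only to the cloud service"
UNKNOWN_BAD = b"constructed-sample: never-seen beacon"
UNKNOWN_BENIGN = b"constructed-sample: harmless document"

LOCAL_AV_SIGNATURES = {sha256_of(KNOWN_BAD)}
CLOUD_REPUTATION = {sha256_of(CLOUD_BAD): MALICIOUS}

# Constructed stand-in for what detonation would observe for each unknown file.
FAKE_DETONATIONS = {
    sha256_of(UNKNOWN_BAD): ["process_spawn", "dns_query", "c2_connect"],
    sha256_of(UNKNOWN_BENIGN): [],
}


class FakeSandbox:
    """Counts detonations so the pre-filter's effect on sandbox load is visible."""
    def __init__(self) -> None:
        self.runs = 0

    def __call__(self, data: bytes) -> List[str]:
        self.runs += 1
        return FAKE_DETONATIONS.get(sha256_of(data), ["registry_read"])


def run_demo():
    sandbox = FakeSandbox()
    files = (KNOWN_BAD, CLOUD_BAD, UNKNOWN_BAD, UNKNOWN_BENIGN)
    verdicts = [triage(f, LOCAL_AV_SIGNATURES, CLOUD_REPUTATION, sandbox) for f in files]
    return verdicts, sandbox.runs


if __name__ == "__main__":
    verdicts, runs = run_demo()
    for v in verdicts:
        print(f"{v.sha256[:12]}  {v.method:11}  {v.rating:10}  {v.behaviours}")
    print(f"sandbox detonations: {runs} of {len(verdicts)} files")
```

Running the script shows only two of the four files reaching the sandbox, which is the efficiency gain the pre-filter stages buy; the two that do reach it get opposite ratings from the same rule set purely on the basis of observed behaviour.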
FortiSandbox can retrieve objects for analysis directly from network traffic or receive from other Fortinet products that already inspect traffic. Configuring the Fortinet Framework ATP core products (FortiGate, FortiWeb and FortiMail) for integration with FortiSandbox is very simple, just enter the FortiSandbox IP address in the sandbox configuration module for the administrator. The next and final step is to authorize the Fortinet product connection in the FortiSandbox interface.

FortiSandbox is also an extension for FortiClient. Administrators can manually configure FortiClient or they can configure the endpoint security profile centrally on FortiGate or FortiClient EMS. This profile will be applied to the endpoint group in the current environment.

Why is it important: it is clear that a single approach that combines several methods for detecting and evaluating threats, in which it is possible to redirect files to the sandbox for additional analysis, can provide an important additional layer of protection and eliminate gaps that are easily exploited by new and previously unknown threats.
Mitigation
Fortinet's unified defense approach is designed to mitigate previously unknown threats and attacks detected by FortiSandbox. In the context of cybersecurity, mitigation is defined as reducing the likelihood of adverse events and / or reducing the impact and consequences. All Fortinet products that can work with FortiSandbox send objects for analysis and use the data received from FortiSandbox to accelerate the reaction and mitigate the identified threats.
As an example, consider a screenshot of the FortiSandbox interface showing a report with five instances of suspicious behavior. The snapshot shows that the malware behaves like a rootkit, creates copies of itself and deletes itself after execution. Since this behavior can be quite destructive, it is highlighted in red.


The Files Created section lists all files created by the malware together with their MD5 checksums. Potentially dangerous activities, such as creating a copy of itself, are highlighted in red.
The results tab also allows the administrator to download a copy of the original file from FortiSandbox, in addition to this, a log with a detailed description of all the activities of the analyzed file, screenshots and all intercepted packets from traffic initiated by malware.
As soon as a positive decision is made that the file is malicious, the mitigation action can be automatic or based on policies that can be set at each control point. The following screenshot shows the possible settings for FortiClient.

Mitigation can be applied anywhere in the ecosystem. FortiGate, FortiWeb and FortiMail provide the quarantine option. The following screenshot shows that FortiGate has the ability to isolate both an infected device and the source. FortiWeb has the same options.

Why is it important: Fortinet’s integrated security ecosystem provides consolidated mitigation and recovery of malware activity while the administrator has the ability to automatically respond to incidents that require intervention. The interaction of Fortinet products with FortiSandbox allows you to implement such automation across all threat vectors. Based on information from control points, infected systems are cleaned and isolated.
Prevention
The least problematic attack is the one that was averted. The Fortinet Advanced Threat Protection framework automates and consolidates the analysis of suspicious files at all control points from several potential vectors using techniques including direct traffic inspection and interaction with FortiGate, FortiClient, FortiWeb and FortiMail. When interacting with other Fortinet products, the load on FortiSandbox is reduced and the need for a manual, laborious reaction to prevent attacks is minimized.
In addition to using traditional threat prevention technologies in these products to block known threats and attacks (for example, application control, intrusion prevention, web filtering, antivirus and anti-spam), FortiSandbox plays a very important role in preventing the most advanced and unknown threats.

FortiMail and FortiClient automatically hold unknown files and wait for the FortiSandbox analysis before allowing delivery or installation, which removes the need for later mitigation.
FortiGate and FortiClient can be configured to receive signature updates directly from FortiSandbox. This helps prevent the spread of targeted and multi-stage attacks whose components FortiSandbox identifies before they reach end users.

Finally, FortiSandbox has the ability to optionally pass analysis data to FortiGuard, allowing you to distribute signatures across your entire Fortinet portfolio of security products, and not just within a particular ecosystem. This approach strengthens the protection of the entire Fortinet community.

Why is it important: Security breaches are becoming more widespread, while traditional, standalone solutions struggle against targeted and zero-day attacks. Organizations that rely on this type of solution can potentially be exposed to attacks with serious financial and operational consequences. Prevention allows organizations to get out of reactive mode and focus on proactive, strategic actions to enhance security. Using FortiSandbox's advanced detection capabilities and FortiGuard Labs' in-depth knowledge of attacks, organizations have the tools they need to prevent attacks before they occur.
Finally
Any computing device in the corporate infrastructure, from smartphones and tablets to laptops, desktops and application services, is vulnerable to security breaches. Attacks affect organizations of all sizes indiscriminately, the consequences can be devastating for operations, company reputation and bank accounts. Costs arising from successful attacks may include not only resuming operations and resolving security issues, but also legal liability and regulatory fines.
The Fortinet Advanced Threat Protection Framework is easy to understand and manage. Fortinet's modular approach, with standalone products that can be combined to implement prevention, detection and mitigation, can improve detection of and protection against advanced attacks compared to separate third-party security systems. Combining Fortinet products into a single ecosystem is quite simple in terms of configuration, thanks to an intuitive interface and plenty of public documentation. Once configured, the analysis of unknown files happens automatically, regardless of how they entered the ecosystem. The FortiSandbox GUI provides intuitive access to clear, readable information and makes the current level of security easy to understand.
Fortinet offers functionalities, features and the ability to combine that can solve the entire spectrum of security requirements of an organization, giving security teams the ability to detect, prevent and mitigate threats. The ability to work as stand-alone products or combine into a complete framework provides the flexibility to be implemented in almost any system. Companies looking for more flexible, effective solutions to improve security will be satisfied with the Fortinet Advanced Threat Protection Framework.
Distribution of Fortinet solutions in Ukraine, Armenia, Georgia, Kazakhstan, Azerbaijan, Kyrgyzstan, Tajikistan, Turkmenistan, Uzbekistan and other CIS countries.