Providing Threat Intelligence at Machine Speed With FortiGuard Labs

By Aamir Lakhani and Derek Manky | June 29, 2020

FortiGuard Labs is the global threat intelligence and research organization at Fortinet. Its mission is to provide customers the industry’s best threat intelligence to protect them from malicious cyberattacks. With an expanding digital attack surface, a growing cyber skills gap, and increasingly sophisticated threats, actionable threat intelligence is as important as ever for organizations today. To discuss the evolving threat landscape and the world of threat intelligence in more detail, we sat down digitally with FortiGuard Labs’ Derek Manky and Aamir Lakhani.

Can you sum up the landscape that organizations face today in terms of cybersecurity? Why is actionable threat intelligence more important than ever?

Derek: Cybercriminals are becoming more sophisticated, using tools such as machine learning and AI to take advantage of the expanding attack surface and bypass traditional safeguards. Faced with endless alerts and a flood of data being collected from endpoints, network and IoT devices, cloud environments, and other areas, organizations are struggling to keep pace, let alone stay ahead of threats. Going the “last mile” to make threat intelligence actionable typically involves human interaction, where it doesn’t necessarily need to. This means that intelligence is sometimes not applied to security controls as quickly as it could be when cybercriminals are moving at an even faster pace, exposing further risk in systems.
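The “last mile” Derek describes, taking raw indicators and applying them to controls, is the part most often left to an analyst, and it is also the part that is easiest to automate safely. The following is an added example, not FortiGuard Labs or Fortinet code: it vets a constructed indicator feed (the columns type,value,confidence,first_seen, the 60-point confidence threshold and the 90-day staleness window are all assumptions for this illustration), refuses indicators that would cause harm or noise if pushed blindly to a block rule (internal addresses, malformed values, low-confidence or stale entries, case-variant duplicates), and then sweeps a few constructed log lines for matches.

```python
"""Automating the "last mile": vet a raw indicator feed into a blocklist and
apply it to events with no analyst in the loop. Added illustration, not
FortiGuard Labs code; feed columns and log field names are constructed."""
import csv
import io
import ipaddress
import re
from datetime import datetime, timedelta, timezone

# Label rules from RFC 1035/1123: 1-63 chars, no leading/trailing hyphen, <=253 total.
DOMAIN_RE = re.compile(
    r"^(?=.{1,253}$)(?!-)[a-z0-9-]{1,63}(?<!-)(\.(?!-)[a-z0-9-]{1,63}(?<!-))+$")
SHA256_RE = re.compile(r"^[0-9a-f]{64}$")

# Never push these to a block rule: RFC 1918, loopback, link-local, multicast,
# "this network" and class E. (Documentation ranges stand in for attacker IPs here.)
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8",
    "169.254.0.0/16", "224.0.0.0/4", "0.0.0.0/8", "240.0.0.0/4")]

# Constructed feed: contains an internal IP, a malformed IP, a low-confidence
# domain, a stale IP and a duplicate domain in different case.
FEED = """type,value,confidence,first_seen
ipv4,203.0.113.45,90,2020-06-20T10:00:00Z
ipv4,10.0.0.5,95,2020-06-21T00:00:00Z
ipv4,999.1.1.1,80,2020-06-21T00:00:00Z
domain,Malicious-Update.example,85,2020-06-22T08:30:00Z
domain,MALICIOUS-UPDATE.EXAMPLE,70,2020-06-23T00:00:00Z
domain,cdn.example,40,2020-06-22T08:30:00Z
sha256,9f86d081884c7d659a2feaa0c55ad015a3bf4f1b2b0b822cd15d6c15b0f00a08,99,2020-06-10T00:00:00Z
ipv4,198.51.100.7,70,2020-01-01T00:00:00Z
"""

# Constructed key=value events; only the dst, domain and hash fields are matched.
LOGS = [
    "2020-06-29T09:12:01Z fw01 action=allow src=192.168.1.20 dst=203.0.113.45 dport=443",
    "2020-06-29T09:12:05Z dns01 query client=192.168.1.20 domain=MALICIOUS-UPDATE.example",
    "2020-06-29T09:13:10Z edr01 file_seen host=ws-17 hash=9f86d081884c7d659a2feaa0c55ad015a3bf4f1b2b0b822cd15d6c15b0f00a08",
    "2020-06-29T09:14:00Z fw01 action=allow src=192.168.1.21 dst=198.51.100.7 dport=80",
    "2020-06-29T09:15:00Z dns01 query client=192.168.1.22 domain=cdn.example",
]
FIELD_KINDS = {"dst": "ipv4", "domain": "domain", "hash": "sha256"}
NOW = datetime(2020, 6, 29, tzinfo=timezone.utc)  # the article's date, for a stable run


def normalize(kind, value):
    """Return the canonical form of an indicator, or None if it is unusable."""
    value = value.strip().lower()
    if kind == "ipv4":
        try:
            ip = ipaddress.IPv4Address(value)
        except ipaddress.AddressValueError:
            return None
        if any(ip in net for net in INTERNAL_NETS):
            return None  # blocking internal space would break the network
        return str(ip)
    if kind == "domain":
        return value if DOMAIN_RE.match(value) else None
    if kind == "sha256":
        return value if SHA256_RE.match(value) else None
    return None


def build_blocklist(feed_text, now=NOW, min_confidence=60, max_age_days=90):
    """Vet every feed row; return ({type: set(indicators)}, [(value, reason)])."""
    cutoff = now - timedelta(days=max_age_days)
    blocklist = {kind: set() for kind in FIELD_KINDS.values()}
    rejected = []
    for row in csv.DictReader(io.StringIO(feed_text)):
        indicator = normalize(row["type"], row["value"])
        first_seen = datetime.fromisoformat(row["first_seen"].replace("Z", "+00:00"))
        if indicator is None:
            rejected.append((row["value"], "invalid"))
        elif int(row["confidence"]) < min_confidence:
            rejected.append((indicator, "low confidence"))
        elif first_seen < cutoff:
            rejected.append((indicator, "stale"))
        else:
            blocklist[row["type"]].add(indicator)  # the set dedupes normalized values
    return blocklist, rejected


def match_events(blocklist, lines):
    """Return (line, indicator) for every event that touches a blocked indicator."""
    hits = []
    for line in lines:
        for key, raw in re.findall(r"(\w+)=(\S+)", line):
            kind = FIELD_KINDS.get(key)
            if kind and normalize(kind, raw) in blocklist[kind]:
                hits.append((line, normalize(kind, raw)))
    return hits


def run_example():
    """Build the blocklist from FEED and sweep LOGS; returns (blocklist, rejected, hits)."""
    blocklist, rejected = build_blocklist(FEED)
    return blocklist, rejected, match_events(blocklist, LOGS)


if __name__ == "__main__":
    bl, rej, hits = run_example()
    print("blocklist:", {k: sorted(v) for k, v in bl.items()})
    print("rejected:", rej)
    print("hits:", [ind for _, ind in hits])
```

The vetting step is what makes hands-off application safe: the feed's internal address and malformed entry are refused outright, the low-confidence and stale rows are held back rather than blocked, and the two spellings of the same domain collapse to one indicator. Only the three surviving indicators then fire against the sample events, while the stale address is seen in traffic but not acted on.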

Aamir: Cybercriminals are becoming more sophisticated. In addition, COVID-19 and remote work have given attackers the opportunity to try more generalized attacks targeting the masses. Attackers are mostly taking advantage of people’s emotions by using phishing techniques centered around the subject of healthcare, political issues, government assistance, and human rights. From a cyber perspective, these attacks are normally easier to defend against than targeted attacks. However, when social engineering techniques are used, and victims allow access to malware, there is a high probability the malware will further succeed in bypassing defensive perimeters.  

You have both followed threat trends for years. What are some of the big takeaways you have seen over the years?

Derek: In the cyber arms race, unfortunately the criminal community has often had a distinct advantage due to their ability to take advantage of the cyberskills gap, the expanding digital attack surface, and especially by leveraging the element of surprise with tactics such as social engineering to take advantage of unsuspecting individuals. Perhaps even more concerning, specifically on the threat side, is the increased use of offensive tactics, techniques, and procedures (TTPs) and the rapid ease of deploying cyberattacks with the crime-as-a-service capabilities of the cybercriminal community of today. Weaponization of tools and technology, specifically automation and machine learning/artificial intelligence, is a rising and very concerning trend that cybercriminals are beginning to leverage. This means that attacks are moving faster than ever before, with more precision.

Aamir: Some of the fundamentals of cybersecurity still apply today as they did years ago, hygiene and training for example, but what I have seen in recent years is an increase in sophistication from cybercriminals. Attackers are starting off with enumeration techniques, attempting to establish persistence, escalating privileges, and infecting additional systems within an organization as their basic attack. Some recent ransomware attacks have had significant reconnaissance involved. Other attacks have had complex anti-analysis techniques built into them from the start. These are not ordinary or average attacks. It is important to also call out that even if some attacks are sophisticated, not all are, of course. As we have seen during the COVID-19 pandemic, some of the recent attacks have been fairly mundane in terms of techniques used.

What makes FortiGuard Labs, Fortinet’s global threat intelligence and research team, unique?

Derek: FortiGuard Labs, the global threat intelligence and research team of Fortinet, has brought together some of the most knowledgeable threat hunters, researchers, analysts, tool developers, and data scientists in the industry, located in research labs around the world. But that’s just the start. FortiGuard Labs has been around for two decades building a unique network of threat intelligence, which is key to following real-time movements of attackers across the entire attack surface worldwide. Over the past decade, FortiGuard Labs has also designed, trained, and delivered one of the most advanced artificial intelligence and machine learning platforms in the industry to augment the efforts of the FortiGuard Labs team. Combined, our primary mission is to provide Fortinet customers with the industry’s best threat intelligence designed to protect them from malicious cyberattacks.

Aamir: To add to that, through the continuous gathering of threat information, including 5.6M+ sensors deployed worldwide, and an extensive intelligence-sharing partner community, FortiGuard Labs has access to one of the broadest sets of threat data resources in the industry. This is an important point when you are tracking the number of threats that are out there on a daily basis. You cannot block 64 million phishing attempts per day or thwart 19 million botnet C&C attempts per minute without it. Another important point is the personal aspect that defenders bring to the organization. Many of us have been affected by cyberattacks in some way. We have seen systems that have been compromised, malware that has propagated within organizations, or have known someone who has experienced ransomware. We know the frustration, fear, and annoyance that are felt when you have been attacked. With hundreds of like-minded individuals on the team, the drive to find and stop attacks multiplies as the entire team gets motivated into finding and stopping attacks.

What’s one thing someone reading this might not know about FortiGuard Labs?

Derek: Starting in 2006 with a white hat, ethical hacking approach, FortiGuard Labs built our “zero-day” research organization to harden security for everyone, not just Fortinet, by discovering zero-day vulnerabilities in software/hardware flaws before black hat attackers. We have been very humble about this over the years. We use this program to build virtual patches for customers and strengthen relationships with vendors as we work to harden their products and close gaps, making it more expensive for cybercriminals to operate.

Aamir: One point that I think is important is the collaboration aspect. The FortiGuard Labs team is tightly integrated into Fortinet to enable protections in real time for customers. We are not just tracking research and threats because it is fun and interesting. Our main goal is protection for our customers as well as our threat information sharing partners. With that foundation, our processes and operations match that goal. I will add that I think people are also surprised by the diverse backgrounds we have in technology disciplines. FortiGuard Labs is not just about hiring smart red teamers. We have people who understand offense, defense, data science, and machine learning, for example. We have over 100 billion individual events and IOCs that we are exposed to on a daily basis. Figuring out how to store, categorize, tag, and search that information is just as much of an art as it is a science, even before we examine the data.

What do you think organizations need to keep in mind when thinking about their cybersecurity threat intelligence defense strategy?

Derek: The threats of today require a new way of thinking about cyber defense that combines the latest in AI and machine learning, threat intelligence, and technology that is more integrated, like a system. That means integrated platforms that leverage the power and resources of AI-driven threat intelligence and more detailed items like playbooks to enable protection and visibility across the digital infrastructure. This is why we focused so heavily on building out our AI engine.

Aamir: It really comes down to this: to get out ahead of the cycle of increasingly sophisticated and automated threats, organizations, no matter the size, need to use the same sorts of strategies to defend their networks that cybercriminals are using to attack them. Critical to that effectiveness is the need for timely, accurate, and actionable threat intelligence.

Learn more about FortiGuard Labs threat research and the FortiGuard Security Subscriptions and Services portfolio. Sign up for the weekly Threat Brief from FortiGuard Labs.

Learn more about Fortinet’s free cybersecurity training initiative or about the Fortinet Network Security Expert program, Network Security Academy program, and FortiVet program.