Transcription

Vital StatisticsThis document provides the findings of a recent analysis of your infrastructure. The document represents a summary of thesefindings and presents a set of recommendations for addressing the detected events. The analysis is based on data collectedusing the characteristics below:Company DetailsCompany Name: Informata CollegeLocation: San Francisco, CA, USIndustry: EducationCompany Size: 1,000-2,499 employeesTest DetailsTest Start Date: Feb 14, 2018Test Duration: 4 Day(s)FortiGate Model: FG-300DFortiOS Firmware: FortiOS 5.6.2Network Analyzed: Internal LANFunctions Enabled: Firewall SandboxDeployment and MethodologyYour network was monitored with a FG-300D in One Arm Sniffer mode. This is a non-invasive way to intercept traffic as itmoves over your network.During your assessment, network activity was monitored as it passed through your infrastructure. While traffic logs recordmuch of the session information flowing across your network, FortiGates can also monitor more in-depth security logging suchas IPS, anti-virus, web and application control. This assessment was created based on telemetry from all log types and providesan overview of your network's activity. Used in conjunction with FortiAnalyzer, FortiGates can provide additional functions suchas event management (e.g. alerts), FortiView analytics (e.g. investigating specific user activity) and reporting.Cyber Threat Assessment Reportpage 1 of 16

Executive SummaryIPS Attacks Detected: 2,013Malware/Botnets Detected: 7High-Risk Applications Used: 16Malicious Websites Detected: 123Last year, over 2,100 enterprises were breached as a result of poor internal security practices and latent vendor content security.The average cost of a corporate security breach is estimated at 3.5 million USD and is rising at 15% year over year. Intrusions,malware/botnets and malicious applications collectively comprise a massive risk to your enterprise network. These attackmechanisms can give attackers access to your most sensitive files and database information. FortiGuard Labs mitigates theserisks by providing award-winning content security and is consistently rated among industry leaders by objective third partiessuch as NSS Labs, VB 100 and AV Comparatives.Applications Detected: 329Top Used Application: SSLTop Application Category: Network.ServiceWebsites Visited: 69Top Website: cdn.speedshiftmedia.comTop Web Category: AdvertisingUser application usage and browsing habits can not only be indicative of inefficient use of corporate resources, but can alsoindicate a lack of proper enforcement of corporate usage policies. Most enterprises recognize that personal use of corporateresources is acceptable. But there are many grey areas that businesses must keep a close eye on including: use of proxyavoidance/peer to peer applications, inappropriate web browsing, phishing websites, and potentially illegal activity - all of whichexpose your company to undue liability and potential damages. With over 5,800 application control rules and 250 millioncategorized websites, FortiGuard Labs provides telemetry that FortiOS uses to keep your business running effectively.Total Bandwidth: 22.62 GBTop Host by Bandwidth: 172.16.116.100Highest Session Host: 172.18.58.121Average Log Rate/Sec: 11.40Performance effectiveness is an often undervalued aspect of security devices, but firewalls must keep up with the line speedsthat today’s next generation switches operate at. A recent survey by Infonetics indicates that 77% of decision-makers at largeorganizations feel that they must upgrade their network security performance (100 Gbps aggregate throughput) in the comingyear. FortiGates leverage FortiASICs to accelerate CPU intensive functions such as packet forwarding and pattern matching. Thisoffloading typically results in a 5-10X performance increase when measured against competitive solutions.Cyber Threat Assessment Reportpage 2 of 16

Industry ComparablesIndustry: EducationAs ever-increasing numbers of devices are brought to campuses by students, faculty and administrators, schools need to scaletheir networks for access while providing additional security to protect sensitive information, as well as to meet compliancestandards like CIPA, FERPA, and COPPA. Educational institutions need the latest in network security and access technologies;however, limited budgets often force IT organizations to make hard choices between the two.In the charts below, the term "company" refers to your organization. This activity gives you an idea of where you stand relative toother organizations in your specific industry. By using similar organizations as a baseline, some progressive companiescontinually optimize their network to target "above industry average" security practices.IPS Attacks per Day# EntityEvasive Apps per DayCount# Entity1 Company503Count1 Company02 Industry20,8072 Industry23 Overall18,8593 Overall1Top Malware (Company)Top Malware (Industry)# Malware NameTypeApplication# Malware NameTypeApplication1 W32/Generic.AC.3396208VirusHTTP1 H-worm.BotnetBotnet C&CH-worm.Botnet2 Adware/StartSurfAdwareHTTP2 Zeroaccess.BotnetBotnet C&CZeroaccess.Botnet3 W32/Agent.WCT!tr.bdrVirusHTTP3 Andromeda.BotnetBotnet C&CAndromeda.Botnet4 W32/InstallCore ACY.GENVirusHTTP4 Expiro.BotnetBotnet C&CExpiro.Botnet5 W32/KeyLogger.AUVU!trVirusHTTP5 Conficker.BotnetBotnet C&CConficker.BotnetHTTPS vs. HTTP Usage# EntityCloud Usage (IaaS SaaS Apps)Percentage1 Company# Entity112.48%1 CompanyCount512 Industry108%2 Industry50,4653 Overall106%3 Overall295,046Cyber Threat Assessment Reportpage 3 of 16

Sandbox AnalysisToday’s increasingly sophisticated threats can mask their maliciousness and bypass traditional antimalware security.Conventional antimalware engines are, in the time afforded and to the certainty required, often unable to classify certainpayloads as either good or bad; in fact, their intent is unknown. Sandboxing helps solve this problem – it entices unknown files toexecute in a protected environment, observes its resultant behavior and classifies its risk based on that behavior. With thisfunctionality enabled for your assessment, we have taken a closer look at files traversing your network.Results of Sandbox AnalysisTotal Files Analyzed ( 8,190 )After a standard anti-malware check on the FortiGate, select files were sent to the sandbox for further inspection. The numberhere represents the total number of files that were executed in a protected environment while individual behaviors wereobserved (such as registry updates, file deletions, or attempts to communicate with external websites).The results of behavioral analysis are usually categorized inone of three ways: clean, suspicious, or malicious. Adesignation of clean means that no abnormal behaviors wereobserved and the file can be considered safe. Suspiciousactivities are potentially dangerous and may warrant furtherattention – for instance, a high suspicion file may try toreplicate itself whereas a low suspicion file may only createabnormal registry settings. A malicious designation should beconsidered a legitimate threat to your network and requiresimmediate attention. The chart rendered here showsmalicious and suspicious files (e.g. it does not include filesdesignated as clean).#FilenameServiceRiskMalicious and Suspicious Files63.89% Low (23 )19.44% Malicious (7 )11.11% Medium (4 )5.56% High (2 )Suspicious BehaviorsCount1 1D26B266.vXEHTTPMaliciousThreat IntelligenceThe executable tries to inject a PE image to other processessExecutable deleted itself after executionExecutable dropped a copy of itselfThis file checked registry for anti-virtualization or anti-debugThis file checked devices for anti-virtualization or anti-debug12 1D28E4E7.vscHTTPMaliciousThreat Intelligence13 1D43634F.vscHTTPMaliciousThis file checked registry for anti-virtualization or anti-debugThis file checked devices for anti-virtualization or anti-debug14 1D45FCB7.vscHTTPMaliciousExecutable deleted itself after executionExecutable dropped a copy of itselfThreat Intelligence15 1D46A1FA.vscHTTPMaliciousThe executable tries to inject a PE image to other processess1Cyber Threat Assessment Reportpage 4 of 16

Recommended ActionsApplication Vulnerability Attacks Detected ( 15 )Application vulnerabilities (also known as IPS attacks) act as entry points used to bypass security infrastructure and allowattackers a foothold into your organization. These vulnerabilities are often exploited due to an overlooked update or lack ofpatch management process. Identification of any unpatched hosts is the key to protecting against application vulnerabilityattacks.Malware Detected ( 7 )Malware can take many forms: viruses, trojans, spyware/adware, etc. Any instances of malware detected moving laterally acrossthe network could also indicate a threat vector originating from inside the organization, albeit unwittingly. Through acombination of signature and behavioral analysis, malware can usually be prevented from executing and exposing your networkto malicious activity. Augmenting your network with APT/sandboxing technology (e.g. FortiSandbox) can also prevent previouslyunknown malware (zero-day threats) from propagating within your network.Botnet Infections ( 0 )Bots can be used for launching denial-of-service (DoS) attacks, distributing spam, spyware and adware, propagating maliciouscode, and harvesting confidential information which can lead to serious financial and legal consequences. Botnet infections needto be taken seriously and immediate action is required. Identify botnet infected computers and clean them up using antivirussoftware. Fortinet's FortiClient can be used to scan and remove botnets from the infected hosts.Malicious Websites Detected ( 123 )Malicious websites are sites known to host software/malware that is designed to covertly collect information, damage the hostcomputer or otherwise manipulate the target machine without the user's consent. Generally visiting a malicious website is aprecursor to infection and represents the initial stages of the kill chain. Blocking malicious sites and/or instructing employees notto visit/install software from unknown websites is the best form of prevention here.Phishing Websites Detected ( 1 )Similar to malicious websites, phishing websites emulate the webpages of legitimate websites in an effort to collect personal orprivate (logins, passwords, etc.) information from end users. Phishing websites are often linked to within unsolicited emails sentto your employees. A skeptical approach to emails asking for personal information and hovering over links to determine validitycan prevent most phishing attacks.Proxy Applications Detected ( 5 )These applications are used (usually intentionally) to bypass in-place security measures. For instance, users may circumvent thefirewall by disguising or encrypting external communications. In many cases, this can be considered a willful act and a violation ofcorporate use policies.Remote Access Applications Detected ( 5 )Remote access applications are often used to access internal hosts remotely, thus bypassing NAT or providing a secondary accesspath (backdoor) to internal hosts. In the worst case scenario, remote access can be used to facilitate data exfiltration andcorporate espionage activity. Many times, the use of remote access is unrestricted and internal corporate use changes should beput into practice.P2P and Filesharing Applications ( 5 )These applications can be used to bypass existing content controls and lead to unauthorized data transfer and data policyviolations. Policies on appropriate use of these applications need to be implemented.Cyber Threat Assessment Reportpage 5 of 16

Security and Threat PreventionHigh Risk ApplicationsThe FortiGuard research team assigns a risk rating of 1 to 5 to an application based on the application behavioral characteristics.The risk rating can help administrators to identify the high risk applications quickly and make a better decision on the applicationcontrol policy. Applications listed below were assigned a risk rating of 4 or higher.High Risk Applications# yNetwork-Protocol117.10 MB4572Onavo.ProtectProxyClient-Server11.78 KB93Hotspot.ShieldProxyClient-Server2203.99 KB84SkyfireProxyClient-Server327.20 KB35BitTorrent61.55 MB5,0896RDPRemote.AccessClient-Server189.89 MB637TeamViewerRemote.AccessClient-Server211.13 MB378FlashGetP2PPeer-to-Peer3309.78 KB379Thunder.Xunlei.KankanP2PPeer-to-Peer16.04 KB4FileGuriP2PPeer-to-Peer118.46 KB310Application NameCategoryFigure 1: Highest risk applications sorted by risk and sessionsApplication Vulnerability ExploitsApplication vulnerabilities can be exploited to compromise the security of your network. The FortiGuard research team analyzesthese vulnerabilities and then develops signatures to detect them. FortiGuard currently leverages a database of more than 5,800known application threats to detect attacks that evade traditional firewall systems. For more information on applicationvulnerabilities, please refer to FortiGuard at: http://www.fortiguard.com/intrusion.Top Application Vulnerability Exploits Detected# Severity Threat NameTypeVictim Source ionOS Command r ionBuffer ject.Code.ExecutionCode lowBuffer r Errors1117NBSS.ASN1.Bitstring.Heap.OverflowBuffer ation MAP.Unknown.ReplyAnomaly114210Figure 2: Top vulnerabilities identified, sorted by severity and countCyber Threat Assessment Reportpage 6 of 16

Malware, Botnets and Spyware/AdwareThere are numerous channels that cybercriminals u