
With almost one in every two firewalls being a Fortinet product, the company knows what the bad guys are up to, and has a serious mission to keep them out.
FortiGuard Labs ANZ Director threat intelligence Glenn Maiden spoke to iTWire about the challenges FortiGuard Labs, the research arm of Fortinet, faces, along with the victories it enjoys.
Maiden explains that Fortinet products make nearly half of all firewall devices around the world - "in every industry vertical, in every country," he says. It means FortiGuard Labs has unrivalled samples of the attacks hitting every organisation every day.
This information is incredibly valuable in aiding the organisation in its mission to prevent these attacks from landing. Cybersecurity is a war, and Maiden likens his work to Sun Tzu's saying, "If you know the enemy and know yourself, you need not fear the result of a hundred battles. If you know yourself but not the enemy, for every victory gained you will also suffer a defeat. If you know neither the enemy nor yourself, you will succumb in every battle."
On the other side of the cybersecurity divide are the "bad guys" - the malicious actors, sometimes state-sponsored, who are trying to breach defences, whether to steal secrets, to hold data to ransom, for political activism, or for other reasons. And they're increasingly targeting newly discovered vulnerabilities. FortiGuard Labs has seen an increase in the weaponisation of vulnerabilities, Maiden said. In the first half of 2023 the time from when a vulnerability is disclosed - whether by a vendor or a conference paper - to when it is actively used against victims has dropped to a mere eight days.
Yet, for a lot of businesses, the mean time to detection is still measured in months, if not years.
Then, Maiden says, it dropped again by another 43% with newly disclosed vulnerabilities now being weaponised in an average of 4.7 days. Part of this is AI - not ChatGPT but specialised GPTs with names such as FraudGPT and LearnGPT. These lack the guardrails OpenAI has put in place on their tools.
While the conventional wisdom is to keep systems patched - and rightly so - it's not always so simple for the beleaguered, cautious systems administrator who has to download a patch, test it, roll it out to production, all in a couple of days. With multitudes of systems and applications, this can be an aggressive timeline at best. And not all vulnerabilities have a resolution anyway; "some n-day vulnerabilities remain unpatched for over 15 years," he said.
Here's where FortiGuard Labs comes in: "Through our software lifecycle we're always rigorously looking for vulnerabilities, testing, finding them ourselves," Maiden said. "We'll work proactively with customers and partners to ensure we know patches are coming out before they're publicly known."
Fortinet has over 50 products and its systems can intelligently alert users to problem traffic, or block it outright.
"Attackers will use n-day vulnerabilities aggressively within 4.5 days to compromise a victim," Maiden explains. It's a different story once they're inside. FortiGuard Labs observes attackers becoming more subtle and quieter at that point, moving laterally through the network, probing servers and seeking to exploit different kinds of vulnerabilities as they perform reconnaissance and escalate privileges along the way.
"What this tells me is some interesting intelligence in terms of prioritisation," Maiden said. "Internet-facing systems cannot wait; you can't waste time to patch them."
Additionally, "from a security viewpoint, we're looking out for reconnaissance activities" [on the internal network traffic]. "We're detecting this much more comprehensively these days."
An ongoing challenge, Maiden explained, is when an IT admin is compromised. "We call it 'living off the land'," he said. This is when the bad guys "use legitimate mechanisms needed for systems administration and use the same tools and processes to move around the network. It's harder to tell if someone connecting to the corporate LDAP server, using RDP, opening shares is a service account or sysadmin vs. a bad guy."
Another insight from FortiGuard Labs is that while you might think "Australia down in our corner of the world is removed from conflict in Ukraine or the Middle East, or politics in the Northern Hemisphere," Maiden said, "we saw 38 state-sponsored groups active here. When it comes to cyber espionage we're right in the firing line."
Whether it is cyber criminals or nation states, they're not limited by geography. "They can attack us as much as the United States or Europe. We're absolutely part of it."
Whatever the nature, whatever the motivation, "it's vitally important where we see advanced persistent threats we bake all the behaviours, the signatures, the indicators into our rules and push these out."
"We bake them into our fabric and ecosystem, and share them with Interpol, Europol, and the Australian cybersecurity centre."
This coordination and communication extend to other firewall and security product vendors too. "In the back end, we all work in good faith collaboratively. Nobody wants to see anyone compromised."
Nevertheless, it's a picture of a world under constant threat - or so one might think, with attackers getting increasingly sophisticated. Yet, the reality, Maiden said, is "as defenders, we're getting more sophisticated too. There's FUD (fear, uncertainty, and doubt) created in the industry by the emergence of AI and deep fakes. Things are changing rapidly, but we're baking AI into a lot of tools to make them easier to use."
For example, he explained, FortiGuard Labs has been leveraging AI and ML for over a decade to gain a better understanding of what's a threat and what's not. And, "with nearly one in two firewalls being a Fortinet we have a good understanding of finding - and finding at scale, then baking tools and techniques into our products and getting better all the time."
Detection is one thing: "we're pushing harder for breaking the network into little bits to make sure we have visibility in the ingress and egress points at each segment, then push into a SIEM and normalise all the logs. When we see something not usual we can push an alert to an analyst."
Further, "we can push into orchestration, again, all supported by AI, so, for example, if we see something in Glenn's box we can make sure it's a bad guy then isolate that machine from the Internet and not let it back on until it's cleaned up," he said.
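To make the pipeline Maiden sketches concrete, here is an added toy example (not code from the article or from Fortinet): it normalises constructed log lines from two hypothetical segment sensors, baselines which account uses which admin protocol in which segment, flags "living off the land" activity such as a service account suddenly using RDP, and only marks a host for isolation once more than one alert points at it. Sensor names, accounts, addresses and the threshold are all assumptions.

```python
# Added example (not from the article or Fortinet): a toy version of the
# pipeline Maiden describes: normalise logs from segment sensors, baseline
# which accounts normally use which admin protocol, flag first-seen
# "living off the land" activity, and decide whether to isolate the host.
from collections import defaultdict

# Constructed sample records from two hypothetical segment sensors; field order
# differs per sensor, which is why normalisation comes first.
RAW_LOGS = [
    "seg=dmz ts=1 src=10.0.1.5 user=svc-backup proto=ldap dst=10.0.9.2",
    "seg=dmz ts=2 src=10.0.1.5 user=svc-backup proto=ldap dst=10.0.9.2",
    "seg=corp ts=3 user=alice proto=rdp src=10.0.2.7 dst=10.0.9.10",
    "seg=corp ts=4 user=alice proto=smb src=10.0.2.7 dst=10.0.9.11",
    "seg=corp ts=5 user=svc-backup proto=rdp src=10.0.2.7 dst=10.0.9.12",
    "seg=corp ts=6 user=svc-backup proto=smb src=10.0.2.7 dst=10.0.9.13",
]

def normalise(line):
    """Turn a key=value sensor line into a dict with a fixed schema."""
    rec = dict(kv.split("=", 1) for kv in line.split())
    rec["ts"] = int(rec["ts"])
    return rec

def build_baseline(records):
    """Map each account to the (segment, protocol) pairs seen in the baseline."""
    base = defaultdict(set)
    for r in records:
        base[r["user"]].add((r["seg"], r["proto"]))
    return base

def detect(records, baseline, isolate_threshold=2):
    """Flag admin-protocol use outside an account's baseline (accounts never
    seen before are flagged too) and return (alerts, hosts to isolate).
    Isolation needs >= threshold alerts from one source host, mirroring
    'make sure it's a bad guy' before cutting the machine off."""
    alerts, per_host = [], defaultdict(int)
    for r in records:
        if (r["seg"], r["proto"]) not in baseline.get(r["user"], set()):
            alerts.append((r["ts"], r["user"], r["seg"], r["proto"], r["src"]))
            per_host[r["src"]] += 1
    isolate = sorted(h for h, n in per_host.items() if n >= isolate_threshold)
    return alerts, isolate

def run(raw_logs=RAW_LOGS, baseline_cutoff=4):
    """Baseline on records up to the cutoff, then detect on the rest."""
    records = [normalise(l) for l in raw_logs]
    baseline = build_baseline(r for r in records if r["ts"] <= baseline_cutoff)
    return detect([r for r in records if r["ts"] > baseline_cutoff], baseline)
```

In a real deployment the baseline would be learned over weeks rather than four records, and the isolation decision would be handed to the orchestration layer rather than returned from a function.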
One thing is certain: however hard malicious actors push to breach systems, FortiGuard Labs is watching, learning, gathering data, and continually feeding this data back into its products to be your first point of defence.
"We're getting much better with smart products to help humans," Maiden said.