FortiGuard Labs Perspectives
Good information is a critical element of protecting against cyber threats, as cybersecurity defenses are only as good as the threat intelligence that feeds them. FortiGuard Labs is the global threat intelligence and research organization at Fortinet. To give some perspective on the global team, and on how the organization has been instrumental in developing the concepts of threat sharing and collaboration in the threat intelligence industry over the years, my teammates Derek Manky and Aamir Lakhani share their thoughts with me digitally.
Q: Derek, as our team lead, why FortiGuard Labs? Can you give us a short overview of the threat intelligence team?
Derek – When asked this by partners or CISOs I meet, I often reply by talking about how FortiGuard Labs has brought together some of the brightest and most knowledgeable threat hunters, researchers, analysts, tool developers, and data scientists in the industry, located in research labs around the world. But that’s just the start. FortiGuard Labs has also designed, trained, and delivered one of the most advanced artificial intelligence and machine learning platforms in the industry to augment the efforts of the FortiGuard Labs team. Combined, our primary mission is to provide Fortinet customers with the industry’s best threat intelligence, designed to protect them from malicious cyberattacks.
Q: From a threat landscape and research point of view, what should be known about FortiGuard Labs?
Aamir – One of the most important items is that our telemetry is gathered from Fortinet’s millions of sensors, which helps the FortiGuard Labs team identify the real-world threats our customers face. These include threats discovered on network, endpoint, and IoT devices, as well as those embedded in emails, applications, and on the web. But there is more. FortiGuard Labs also has a successful zero-day detection and research operation. Our researchers study threat actors and cybercriminals in order to understand their motives, techniques, and patterns, and use that knowledge to help protect our customers. Researchers are involved in studying breaches and attacks within organizations to determine how the attackers exploited systems and applications, in order to understand their attack patterns.
Jonas – Great points, I speak to many of these as well. I have to say, your points highlight well that combining seasoned security professionals with cutting-edge technology is a requirement in a connected world, where every device that communicates with the Internet is a target, to stay ahead of the curve and secure your environments. Let’s dive a bit deeper into relationships with other security companies and law enforcement.
Q: Partnerships seem to be a big part of threat intelligence today. How is FortiGuard Labs leading in this important area?
Derek – This is a huge focus: to go beyond our own research to lead, interact, share, and foster the sharing of actionable threat intelligence. For example, Fortinet co-founded the Cyber Threat Alliance (CTA). Today, the CTA organization has grown from four founding members to actively bring threat researchers, security vendors, and alliance partners together to share threat information and improve defenses against advanced cyber adversaries across member organizations and their customers. Fortinet is also a founding member of, and is supporting multiple initiatives for, the WEF Centre for Cybersecurity, holding one of only two permanent seats on this international council. The Centre for Cybersecurity was designed to shape the future of cybersecurity and digital trust around the world, to safeguard innovation, to protect institutions, businesses, and individuals, and to secure our growing reliance on the digital economy. Fortinet is actively engaged with, and has bi-directional threat intelligence feed relationships with, more than 200 partners. These partnerships are key to providing increased visibility to FortiGuard Labs operations and include threat intelligence peers, national CERT/CSIRT teams, government agencies, international law enforcement organizations including NATO and Interpol, and critical partners such as KISA, OASIS, and MITRE.
Q: Can you share an example of how some of these relationships work in action?
Derek – We belong to INTERPOL ICGEG (Global Expert Group), and we regularly work with organizations such as NATO and the FBI to help counter cybercrime and cyber-terrorism. For example, Fortinet was one of several private sector companies that provided support to an INTERPOL-led operation targeting cybercrime across the ASEAN region, resulting in the identification of nearly 9,000 command-and-control (C2) servers as well as hundreds of compromised websites, including government portals. We also assisted a cyber investigation coordinated by INTERPOL, providing threat intelligence and analysis to help uncover a group of online fraudsters behind a BEC (business email compromise) scam totaling more than $60 million in thefts and involving hundreds of victims worldwide.
Q: What impact do these relationships and this information sharing have on threat intelligence?
Aamir – Today there is a massive number of security challenges researchers need to be aware of and proficient in to protect against attacks. Different threat actors specialize in network attacks, software attacks, cloud-based attacks, container-based attacks, attacks against critical infrastructure, IoT devices, and many other types of threats. Attackers need only be proficient in one type of threat, while defenders need to understand a large variety of attack surfaces. Effectively defending against cyberattacks today requires security teams to work smarter rather than harder.
Security teams need a combination of knowledge, experience, tools, strategy, automation, and skilled professionals to monitor the entire attack chain and automate as much of the process as possible, so that human resources can be focused on higher-order analysis and response. Threat intelligence sharing gives researchers and defenders an opportunity to better understand the entire length of the attack chain and how vulnerabilities in each of its links can compromise the security of your network.
Jonas – Something I would add is that security is everyone’s job, not just that of the CISO and the security team. All employees inside a company need to be aware of ongoing threats and why everyone needs to be cautious. Non-security professionals sometimes see security as an inhibitor when thinking about security. Raising awareness and educating people can be a crucial differentiator in how people think about security. Prioritizing it from the beginning is important.