Fortinet white logo
Fortinet white logo
24.4.0

Incident Response types

Incident Response types

The following types of Incident Response options are available for request:

Service Description

Points

Incident Response Support Incident Response for assistance in case of a security incident. The FortiGuard Incident Response team will set up a scoping call leading to definition and delivery of a plan of action associated to number of a service points.

1

Incident Response Readiness Assessment

This Incident Response Option is a custom-tailored evaluation of an organization’s current security posture and incident response plan. The Fortinet Incident Response Readiness Assessment is designed and delivered by the Fortinet Incident Response Proactive Team built using real-world experiences and industry standard best practices. The assessment is organized into six domains that each incorporate people, processes, and technology. The assessment will incorporate a mixture of document review and stakeholder input through workshops that will help to identify additional areas of improvement.

  • Event and Incident Response (IR): Establish and maintain plans, procedures, and technologies to detect, analyze, and respond to cybersecurity events and to sustain operations throughout a cybersecurity event, commensurate with the risk to critical infrastructure and organizational objectives.

  • Asset Management: Manage the organization’s information technology (IT) and operations technology (OT) assets, including both hardware and software, commensurate with the risk to critical infrastructure and organizational objectives.

  • Identify and Access Management: Create and manage identities for entities that may be granted logical or physical access to the organization’s assets. Control access to the organization’s assets, commensurate with the risk to critical infrastructure and organizational objectives.

  • Threat and Vulnerability Management: Establish and maintain plans, procedures, and technologies to detect, identify, analyze, manage, and respond to cybersecurity threats and vulnerabilities, commensurate with the risk to the organization’s infrastructure (e.g., critical, IT, operational) and organizational objectives.

  • Continuity of Operations (COOP)/Disaster Recovery (DR): Ability of an organization to establish and maintain plans, procedures, and technologies to sustain operations and quickly recover from a cybersecurity incident, commensurate to business risks and defined organizational objectives.

  • Network Security: Ability of an organization to diagnose, configure, and maintain Network Security technologies to sustain operations throughout a cybersecurity incident, commensurate to critical infrastructure risks and defined organizational objectives.

10

Incident Response Playbook Development

This Incident Response Option provides assistance to the Customer in the development of a step-by-step playbook to be used in the event of an impactful cybersecurity incident on its network based on the most likely incidents. This playbook is meant to help Customer’s security analysts to handle a security incident from detection through eradication and recovery and may be part of an organization’s larger incident response plan.

Some of the current probable events may include:

  • A ransomware attack.

  • Phishing email messages.

  • A compromised user’s credentials.

The plan of action and associate number of Service Points are based on a scoping call.

1

Cyber Security Tabletop Exercise

This Service Option assists the Customer in testing its incident response plan and identifying security gaps in tools or processes. The Cyber Security Tabletop Exercises are designed and delivered by the Fortinet Incident Response Team and leverages their experience and expertise handling Incident Response engagements such as:

  • A ransomware attack.

  • Phishing email messages.

  • A compromised user’s credentials.

Cyber Security Tabletop Exercises are then separated into several incident scenarios and then verbally discussed during a roundtable discussion to enhance the Customer’s understanding of actions to be taken, and by whom they are performed under its incident response plan. At the end of this exercise, a report will be provided that includes policy recommendations based on the discuss held during the exercise. The plan of action and associate number of Service Points are based on a scoping call.

1

Security Operations Center (SOC) Assessment

This Service Option is a custom-tailored evaluation of an organization’s current security operations center. The Fortinet Security Operations Center Assessment is designed and delivered by the Fortinet Incident Response Proactive Team built using real-world experiences and industry standard best practices. The SOC Assessment is organized in four areas of focus that each incorporate people, processes, and technology. The assessment will incorporate a mixture of document review and stakeholder input via workshops that will help to identify additional areas of improvement.

Focus Areas:

  • Organization: This focus area addresses the coherence of structures outside and inside the SOC Topics covered include the alignment of SOC with the business, the organization of the SOC itself, and how it fits in the Incident Response Plan (IRP).

  • Visibility: This area baselines and uncovers gaps in the SOC’s ability to detect malicious activity. To do so, practices assess the maturity of use cases, logging, SIEM, and the use of threat intelligence.

  • Response: All the visibility in the world doesn’t matter if the SOC response is not timely and thorough. The topics in this area cover triage, playbooks, workflows and data sharing, digital forensics, and communications planning.

  • Evolution: A SOC that achieves a certain maturity and then freezes in time will quickly lose its value as attackers evolve every day. The Evolution focus area explores the activities that sustain the SOC’s continued improvement and responsiveness to new threat landscapes over time. The subjects include the SOC Strategic Plan, metrics, staff training, exercises, and the processes of security tool assessment and acquisition.

20

Ransomware Readiness Assessment

This Incident Response Option is designed to help organizations gain greater visibility and understanding of their current risks to a ransomware attack. The Fortinet Ransomware Readiness Assessment is designed and delivered by the Fortinet Incident Response Proactive Team built using real-world experiences and industry standard best practices. The assessment focuses on the implementation and management of incident response cybersecurity practices specific to known ransomware attacks. This includes the TTPs of known ransomware as well as common issues and forensic evidence from across ransomware incidents investigated by the FortiGuard Incident Response team. Each assessment provides guidance on the approach to cybersecurity incident response maturity.

Focus Areas:

  • Identity: The mix of IT and business-critical assets, threat intelligence, and vulnerabilities that determine an organization’s ransomware attack surface.

  • Project: The defenses in place prevent ransomware vectors or, if an initial compromise is successful, halt further action (lateral movement, credential misuse) by the attacker.

  • Detect: Visibility to ransomware attackers as they enter and scout an environment before they fully strike.

  • Evolution: Reactions to ransomware that require a solid game plan with an understanding of the technical options, communication needs, and business impacts.

  • Recover: Clean, protected backups to restore systems quickly and large-scale mitigation planning to minimize a ransomware incident.

10

Compromise Assessment

This Incident Response Option is designed to identify hidden but active cyber threats in our customers’ enterprise environment. It provides detailed threat hunting in Client infrastructure to discover the anomalies that could be signs of a past or ongoing compromise. This allows to identify past breach attempts and incidents, ongoing and/or undetected attack activities, including threat removal and provides advice and prevention plans to avoid future incidents. The Compromise Assessment ('CA') is conducted by the Fortinet Incident Response Proactive Team and can be combined with automated detection tools and further threat intelligence to create a clear view of the actual threats in the network and what needs to be done to ensure attacks are not repeated. The CA provides organizations with a clear and decisive answer to the question, “are we breached?”. It provides all the information needed in case there is a compromise.

What makes FortiGuard IR team powerful is the independent of other third-party tools, especially on the collection phase. 99% of the used software are developed by Fortinet. The below list mentions the products that may be used during a CA engagement:

  • FortiEDR/FortiXDR

  • FortiNDR

  • FortiSandbox

  • FortiRecon/FortiGuard

  • FortiDeceptor

The plan of action and associate number of Service Points are based on a scoping call.

1

Active Directory Security Assessment

This Incident Response Option provides a third-party, objective, review of the security posture of an Active Directory ('AD') installation. It helps to identify critical issues and areas of the highest concern. It also provides the organization a means for tracking the continuing improvement and maturity of the Active Directory security posture.

The Service is organized in five areas of focus that each incorporate people, processes, and technology. Each of the areas consists of a number of maturity practices that are used to assess the AD installations security and fit for purpose within the larger business mission, current threats, and capacity to evolve efficiently over time.

Focus Areas:

  • Policy and procedures: this area starts with governance and basic procedures that are derived from the goals and objectives of the governance policies. The focus will be ensuring that your AD installation has proper executive backing and resources, as well as basic procedures that ensure the environment is ready for adverse events and incident response.

  • Account Management: This area addresses account management policies, procedures, and security settings which are derived from various standards bodies and Microsoft publications. Many issues addressed in this section are considered to be critical to the security of AD and your IAM program.

  • Network and Host Configuration: AD hosts are high value targets for threat actors and need to be hardened. In addition, based on its utility and design, AD is frequently deployed redundantly and to multiple locations within the organization. This section addresses both network and host security configuration issues.

  • Audit Configuration: In order to ensure visibility for auditing and investigation, default audit configurations need to be verified, and specific audit flags may need to be set. If proper auditing is not enabled then information will not be collected, and critical questions about access and activities may not be able to be answered. This section covers the most important audit settings based on both Microsoft and standards bodies recommendations.

  • Monitoring: Because AD and Administrator accounts are high value targets for threat actors, continuous monitoring of some critical AD events needs to be implemented. This section reviews the most critical events which should be monitored and reviewed for legitimacy and authorization.

The plan of action and associate number of Service Points are based on a scoping call.

1

Vulnerability Assessments

This Service is designed to identify known vulnerabilities within information systems or services. With this assessment, you’ll understand the known vulnerabilities within your organization’s internal and external networks and applications. Our experts use various automated tools and manual techniques to systematically examine your environment to determine the effectiveness of your current security measures, identify security gaps, and provide data to help you predict how impactful the safeguards you have in place today will be in the future. After the technical phases of the assessment are completed, our team prepares a report, sharing the potential issues found during the assessment along with recommended remediation procedures. As a result, it’s easy for your team to prioritize remediation efforts according to identified severity levels of Critical, High, Medium, or Low—following the Common Vulnerability Scoring System (CVSS) standard—and the overall risk each vulnerability represents to the organization.

  • Internal Network: Our team is equipped to conduct internal network vulnerability assessments to evaluate your organization’s internal network and devices. These assessments are scoped based on the number of IP addresses included.

  • External Network: The external network vulnerability assessment focuses on the external or internet-facing systems you make available, including web servers, database servers, network devices, and other network-based equipment. These assessments are scoped based on the number of IP addresses included.

  • Web Application: The FortiGuard Web Application Vulnerability Assessment focuses on one or more web applications to identify known or unknown vulnerabilities within the application. The vulnerability assessment also identifies areas where confidentiality, availability, or systems data integrity compromises exist. These assessments are scoped based on the number of your organization’s web applications.

  • Mobile Application: The FortiGuard Mobile Application Vulnerability Assessment focuses on one or more mobile applications to identify known or unknown vulnerabilities. The vulnerability assessment also identifies areas where confidentiality, availability, or systems data integrity compromises exist. These assessments are scoped based on your organization’s number of mobile applications.

1

Penetration Test

This Service is a specialized assessment our team conducts on networks, systems, and applications to identify unknown vulnerabilities that an adversary could exploit. Penetration testing mimics real-world attacks to pinpoint potential ways that threat actors might impact the confidentiality, integrity, or availability of your networks, systems, and applications. When conducting a penetration test, our team of experts uses various tools and techniques commonly utilized by attackers to detect vulnerabilities and test the resilience of your organization’s network.

  • Internal Networks: Our team is equipped to conduct internal network penetration testing to evaluate threats to your organization’s internal network and devices. These assessments are scoped based on the number of IP addresses included.

  • External Networks: External network penetration testing focuses on the external, or internet-facing, systems your organization makes available, including web servers, database servers, network devices, and other network-based equipment. These assessments are scoped based on the number of IP addresses included.

  • Web Applications: The FortiGuard Web Application Vulnerability Penetration Test focuses on one or more web applications with the goal of identifying known and previously unknown vulnerabilities within the application. The test also evaluates the ability to use discovered vulnerabilities to further penetrate the organization. It looks for areas where somebody could compromise the confidentiality, availability, or integrity of systems or data. These assessments are scoped based on the number of your organization’s web applications.

  • Mobile Applications: The FortiGuard Mobile Application Penetration Test focuses on one or more mobile applications with the goal of identifying either known or unknown vulnerabilities within the application. The test also evaluates the ability to use discovered vulnerabilities to further penetrate the organization. It looks for areas where somebody could compromise the confidentiality, availability, or integrity of systems or data. These assessments are scoped based on the number of your organization’s mobile applications.

1

More information about each Incident Response option is available in the Service Points description available in the Customer Service portal at https://support.fortinet.com/Information/DocumentList.aspx.

Incident Response types

Incident Response types

The following types of Incident Response options are available for request:

Service Description

Points

Incident Response Support Incident Response for assistance in case of a security incident. The FortiGuard Incident Response team will set up a scoping call leading to definition and delivery of a plan of action associated to number of a service points.

1

Incident Response Readiness Assessment

This Incident Response Option is a custom-tailored evaluation of an organization’s current security posture and incident response plan. The Fortinet Incident Response Readiness Assessment is designed and delivered by the Fortinet Incident Response Proactive Team built using real-world experiences and industry standard best practices. The assessment is organized into six domains that each incorporate people, processes, and technology. The assessment will incorporate a mixture of document review and stakeholder input through workshops that will help to identify additional areas of improvement.

  • Event and Incident Response (IR): Establish and maintain plans, procedures, and technologies to detect, analyze, and respond to cybersecurity events and to sustain operations throughout a cybersecurity event, commensurate with the risk to critical infrastructure and organizational objectives.

  • Asset Management: Manage the organization’s information technology (IT) and operations technology (OT) assets, including both hardware and software, commensurate with the risk to critical infrastructure and organizational objectives.

  • Identify and Access Management: Create and manage identities for entities that may be granted logical or physical access to the organization’s assets. Control access to the organization’s assets, commensurate with the risk to critical infrastructure and organizational objectives.

  • Threat and Vulnerability Management: Establish and maintain plans, procedures, and technologies to detect, identify, analyze, manage, and respond to cybersecurity threats and vulnerabilities, commensurate with the risk to the organization’s infrastructure (e.g., critical, IT, operational) and organizational objectives.

  • Continuity of Operations (COOP)/Disaster Recovery (DR): Ability of an organization to establish and maintain plans, procedures, and technologies to sustain operations and quickly recover from a cybersecurity incident, commensurate to business risks and defined organizational objectives.

  • Network Security: Ability of an organization to diagnose, configure, and maintain Network Security technologies to sustain operations throughout a cybersecurity incident, commensurate to critical infrastructure risks and defined organizational objectives.

10

Incident Response Playbook Development

This Incident Response Option provides assistance to the Customer in the development of a step-by-step playbook to be used in the event of an impactful cybersecurity incident on its network based on the most likely incidents. This playbook is meant to help Customer’s security analysts to handle a security incident from detection through eradication and recovery and may be part of an organization’s larger incident response plan.

Some of the current probable events may include:

  • A ransomware attack.

  • Phishing email messages.

  • A compromised user’s credentials.

The plan of action and associate number of Service Points are based on a scoping call.

1

Cyber Security Tabletop Exercise

This Service Option assists the Customer in testing its incident response plan and identifying security gaps in tools or processes. The Cyber Security Tabletop Exercises are designed and delivered by the Fortinet Incident Response Team and leverages their experience and expertise handling Incident Response engagements such as:

  • A ransomware attack.

  • Phishing email messages.

  • A compromised user’s credentials.

Cyber Security Tabletop Exercises are then separated into several incident scenarios and then verbally discussed during a roundtable discussion to enhance the Customer’s understanding of actions to be taken, and by whom they are performed under its incident response plan. At the end of this exercise, a report will be provided that includes policy recommendations based on the discuss held during the exercise. The plan of action and associate number of Service Points are based on a scoping call.

1

Security Operations Center (SOC) Assessment

This Service Option is a custom-tailored evaluation of an organization’s current security operations center. The Fortinet Security Operations Center Assessment is designed and delivered by the Fortinet Incident Response Proactive Team built using real-world experiences and industry standard best practices. The SOC Assessment is organized in four areas of focus that each incorporate people, processes, and technology. The assessment will incorporate a mixture of document review and stakeholder input via workshops that will help to identify additional areas of improvement.

Focus Areas:

  • Organization: This focus area addresses the coherence of structures outside and inside the SOC Topics covered include the alignment of SOC with the business, the organization of the SOC itself, and how it fits in the Incident Response Plan (IRP).

  • Visibility: This area baselines and uncovers gaps in the SOC’s ability to detect malicious activity. To do so, practices assess the maturity of use cases, logging, SIEM, and the use of threat intelligence.

  • Response: All the visibility in the world doesn’t matter if the SOC response is not timely and thorough. The topics in this area cover triage, playbooks, workflows and data sharing, digital forensics, and communications planning.

  • Evolution: A SOC that achieves a certain maturity and then freezes in time will quickly lose its value as attackers evolve every day. The Evolution focus area explores the activities that sustain the SOC’s continued improvement and responsiveness to new threat landscapes over time. The subjects include the SOC Strategic Plan, metrics, staff training, exercises, and the processes of security tool assessment and acquisition.

20

Ransomware Readiness Assessment

This Incident Response Option is designed to help organizations gain greater visibility and understanding of their current risks to a ransomware attack. The Fortinet Ransomware Readiness Assessment is designed and delivered by the Fortinet Incident Response Proactive Team built using real-world experiences and industry standard best practices. The assessment focuses on the implementation and management of incident response cybersecurity practices specific to known ransomware attacks. This includes the TTPs of known ransomware as well as common issues and forensic evidence from across ransomware incidents investigated by the FortiGuard Incident Response team. Each assessment provides guidance on the approach to cybersecurity incident response maturity.

Focus Areas:

  • Identity: The mix of IT and business-critical assets, threat intelligence, and vulnerabilities that determine an organization’s ransomware attack surface.

  • Project: The defenses in place prevent ransomware vectors or, if an initial compromise is successful, halt further action (lateral movement, credential misuse) by the attacker.

  • Detect: Visibility to ransomware attackers as they enter and scout an environment before they fully strike.

  • Evolution: Reactions to ransomware that require a solid game plan with an understanding of the technical options, communication needs, and business impacts.

  • Recover: Clean, protected backups to restore systems quickly and large-scale mitigation planning to minimize a ransomware incident.

10

Compromise Assessment

This Incident Response Option is designed to identify hidden but active cyber threats in our customers’ enterprise environment. It provides detailed threat hunting in Client infrastructure to discover the anomalies that could be signs of a past or ongoing compromise. This allows to identify past breach attempts and incidents, ongoing and/or undetected attack activities, including threat removal and provides advice and prevention plans to avoid future incidents. The Compromise Assessment ('CA') is conducted by the Fortinet Incident Response Proactive Team and can be combined with automated detection tools and further threat intelligence to create a clear view of the actual threats in the network and what needs to be done to ensure attacks are not repeated. The CA provides organizations with a clear and decisive answer to the question, “are we breached?”. It provides all the information needed in case there is a compromise.

What makes FortiGuard IR team powerful is the independent of other third-party tools, especially on the collection phase. 99% of the used software are developed by Fortinet. The below list mentions the products that may be used during a CA engagement:

  • FortiEDR/FortiXDR

  • FortiNDR

  • FortiSandbox

  • FortiRecon/FortiGuard

  • FortiDeceptor

The plan of action and associate number of Service Points are based on a scoping call.

1

Active Directory Security Assessment

This Incident Response Option provides a third-party, objective, review of the security posture of an Active Directory ('AD') installation. It helps to identify critical issues and areas of the highest concern. It also provides the organization a means for tracking the continuing improvement and maturity of the Active Directory security posture.

The Service is organized in five areas of focus that each incorporate people, processes, and technology. Each of the areas consists of a number of maturity practices that are used to assess the AD installations security and fit for purpose within the larger business mission, current threats, and capacity to evolve efficiently over time.

Focus Areas:

  • Policy and procedures: this area starts with governance and basic procedures that are derived from the goals and objectives of the governance policies. The focus will be ensuring that your AD installation has proper executive backing and resources, as well as basic procedures that ensure the environment is ready for adverse events and incident response.

  • Account Management: This area addresses account management policies, procedures, and security settings which are derived from various standards bodies and Microsoft publications. Many issues addressed in this section are considered to be critical to the security of AD and your IAM program.

  • Network and Host Configuration: AD hosts are high value targets for threat actors and need to be hardened. In addition, based on its utility and design, AD is frequently deployed redundantly and to multiple locations within the organization. This section addresses both network and host security configuration issues.

  • Audit Configuration: In order to ensure visibility for auditing and investigation, default audit configurations need to be verified, and specific audit flags may need to be set. If proper auditing is not enabled then information will not be collected, and critical questions about access and activities may not be able to be answered. This section covers the most important audit settings based on both Microsoft and standards bodies recommendations.

  • Monitoring: Because AD and Administrator accounts are high value targets for threat actors, continuous monitoring of some critical AD events needs to be implemented. This section reviews the most critical events which should be monitored and reviewed for legitimacy and authorization.

The plan of action and associate number of Service Points are based on a scoping call.

1

Vulnerability Assessments

This Service is designed to identify known vulnerabilities within information systems or services. With this assessment, you’ll understand the known vulnerabilities within your organization’s internal and external networks and applications. Our experts use various automated tools and manual techniques to systematically examine your environment to determine the effectiveness of your current security measures, identify security gaps, and provide data to help you predict how impactful the safeguards you have in place today will be in the future. After the technical phases of the assessment are completed, our team prepares a report, sharing the potential issues found during the assessment along with recommended remediation procedures. As a result, it’s easy for your team to prioritize remediation efforts according to identified severity levels of Critical, High, Medium, or Low—following the Common Vulnerability Scoring System (CVSS) standard—and the overall risk each vulnerability represents to the organization.

  • Internal Network: Our team is equipped to conduct internal network vulnerability assessments to evaluate your organization’s internal network and devices. These assessments are scoped based on the number of IP addresses included.

  • External Network: The external network vulnerability assessment focuses on the external or internet-facing systems you make available, including web servers, database servers, network devices, and other network-based equipment. These assessments are scoped based on the number of IP addresses included.

  • Web Application: The FortiGuard Web Application Vulnerability Assessment focuses on one or more web applications to identify known or unknown vulnerabilities within the application. The vulnerability assessment also identifies areas where confidentiality, availability, or systems data integrity compromises exist. These assessments are scoped based on the number of your organization’s web applications.

  • Mobile Application: The FortiGuard Mobile Application Vulnerability Assessment focuses on one or more mobile applications to identify known or unknown vulnerabilities. The vulnerability assessment also identifies areas where confidentiality, availability, or systems data integrity compromises exist. These assessments are scoped based on your organization’s number of mobile applications.

1

Penetration Test

This Service is a specialized assessment our team conducts on networks, systems, and applications to identify unknown vulnerabilities that an adversary could exploit. Penetration testing mimics real-world attacks to pinpoint potential ways that threat actors might impact the confidentiality, integrity, or availability of your networks, systems, and applications. When conducting a penetration test, our team of experts uses various tools and techniques commonly utilized by attackers to detect vulnerabilities and test the resilience of your organization’s network.

  • Internal Networks: Our team is equipped to conduct internal network penetration testing to evaluate threats to your organization’s internal network and devices. These assessments are scoped based on the number of IP addresses included.

  • External Networks: External network penetration testing focuses on the external, or internet-facing, systems your organization makes available, including web servers, database servers, network devices, and other network-based equipment. These assessments are scoped based on the number of IP addresses included.

  • Web Applications: The FortiGuard Web Application Vulnerability Penetration Test focuses on one or more web applications with the goal of identifying known and previously unknown vulnerabilities within the application. The test also evaluates the ability to use discovered vulnerabilities to further penetrate the organization. It looks for areas where somebody could compromise the confidentiality, availability, or integrity of systems or data. These assessments are scoped based on the number of your organization’s web applications.

  • Mobile Applications: The FortiGuard Mobile Application Penetration Test focuses on one or more mobile applications with the goal of identifying either known or unknown vulnerabilities within the application. The test also evaluates the ability to use discovered vulnerabilities to further penetrate the organization. It looks for areas where somebody could compromise the confidentiality, availability, or integrity of systems or data. These assessments are scoped based on the number of your organization’s mobile applications.

1

More information about each Incident Response option is available in the Service Points description available in the Customer Service portal at https://support.fortinet.com/Information/DocumentList.aspx.