Administration Guide

Appendix E - How risk rating is determined to be suspicious and evaluated

A job is created for each scanned file and URL. A job is determined to be either clean or suspicious based on a score. A suspicious job is assigned one of the risk ratings below; its score is composed of a collection of static attributes and dynamic (behavioral) indicators. Understanding each risk rating and its recommendation is important when choosing the proper security policies to balance detection effectiveness against operational needs.

The table below lists each rating, its description, and the recommended action.

Rating: High Risk

Description: A job is assigned a High Risk level when there is an immediate and substantial threat of harmful actions or features.

File jobs at this level pose a significant threat to system security and integrity, potentially leading to major data breaches or system failures.

URL jobs at this level have strong evidence of being a malware, phishing, or command-and-control site.

Recommendation: The organization's SOC team should take swift and decisive action to protect the system and data. Immediately move the file(s) to a secure, isolated location. If the file is associated with a network or external device, disconnect it to prevent further damage. Check the file's dynamic scan behavior, if it is available, for signs of unauthorized access, data exfiltration, or other suspicious activity.

For both files and URLs, a block action in the security policy is highly recommended to mitigate the risks posed by high-risk jobs.

Rating: Medium Risk

Description: A job is assigned a Medium Risk level when there is a reasonable likelihood of it carrying or initiating malicious activity.

The potential damage posed by such file jobs is considered moderate. The file may cause some disruption or minor system compromise, but not to a severe degree.

URL jobs at this level have evidence of being associated with a malware, phishing, or command-and-control site, either recently or in the past.

Recommendation: The organization's SOC team should evaluate the file seriously, including understanding the specific context in which it will be used, the system it will run on, the data it will access, and its potential impact on system integrity and data security.

For files, a block action in the security policy is typically recommended to prevent download, especially when the file type is commonly used in attack campaigns (e.g., executable files, files containing URLs, .scr files, or archive files).

For URLs, a block action in the security policy is recommended to prevent users from visiting or downloading content from these URLs.

Rating: Low Risk

Description: A job is assigned a Low Risk level when only a minimal number of anomalies and indicators are detected in the job's attributes or behavior.

This implies that while the file or URL job is not entirely typical, any potential threat it might pose to system integrity or data security is negligible.

Recommendation: The organization's SOC team should evaluate the context in which the file will be used, the system it will run on, and the data it will access.

For files, we recommend a review of the indicators to determine whether the minimal anomalies detected pose any significant risk. If the impact is negligible, use caution when proceeding with the file.

For URLs, caution and tighter security are preferred. Temporarily blocking these URLs so the SOC team can review them and take action accordingly is recommended; however, this may incur operational overhead.