Role of a Threat Hunter:

A threat hunter proactively searches for cyber threats that have evaded traditional security defenses.

This role is crucial in identifying sophisticated and stealthy adversaries that bypass automated

detection systems.

Key Responsibilities:

Proactive Threat Identification:

Threat hunters use advanced tools and techniques to identify hidden threats within the network.

This includes analyzing anomalies, investigating unusual behaviors, and utilizing threat intelligence.

Reference: SANS Institute, "Threat Hunting: Open Season on the Adversary" SANS Threat Hunting

Understanding the Threat Landscape:

They need a deep understanding of the threat landscape, including common and emerging tactics,

techniques, and procedures (TTPs) used by threat actors.

Reference: MITRE ATT&CK Framework MITRE ATT&CK

Advanced Analytical Skills:

Utilizing advanced analytical skills and tools, threat hunters analyze logs, network traffic, and

endpoint data to uncover signs of compromise.

Reference: Cybersecurity and Infrastructure Security Agency (CISA) Threat Hunting Guide CISA Threat

Hunting

Distinguishing from Other Roles:

Investigate and Respond to Incidents (A):

This is typically the role of an Incident Responder who reacts to reported incidents, collects evidence,

and determines the impact.

Reference: NIST Special Publication 800-61, "Computer Security Incident Handling Guide" NIST

Incident Handling

Collect Evidence and Determine Impact (B):

This is often the role of a Digital Forensics Analyst who focuses on evidence collection and impact

assessment post-incident.

Monitor Network Logs (D):

This falls under the responsibilities of a SOC Analyst who monitors logs and alerts for anomalous

behavior and initial detection.

Conclusion:

Threat hunters are essential in a SOC for uncovering sophisticated threats that automated systems

may miss. Their proactive approach is key to enhancing the organization's security posture.

Reference:

SANS Institute, "Threat Hunting: Open Season on the Adversary"

MITRE ATT&CK Framework

CISA Threat Hunting Guide

NIST Special Publication 800-61, "Computer Security Incident Handling Guide"

By searching for hidden threats that elude detection, threat hunters play a crucial role in maintaining

the security and integrity of an organization's network.

Understanding the Playbook and its Components:

The exhibit shows the status of a playbook named "DOS attack" and its associated tasks.

The playbook is designed to execute a series of tasks upon detecting a DoS attack event.

Analysis of Playbook Tasks:

Attach_Data_To_Incident: Task ID placeholder_8fab0102, status is "upstream_failed," meaning it did

not execute properly due to a previous task's failure.

Get Events: Task ID placeholder_fa2a573c, status is "success."

Create SMTP Enumeration incident: Task ID placeholder_3db75c0a, status is "failed."

Reviewing Raw Logs:

The error log shows a ValueError: invalid literal for int() with base 10: '10.200.200.100'.

This error indicates that the task attempted to convert a string (the IP address '10.200.200.100') to an

integer, which is not possible.

Identifying the Source of the Error:

The error occurs in the file "incident_operator.py," specifically in the execute method.

This suggests that the task "Create SMTP Enumeration incident" is the one causing the issue because

it failed to process the data type correctly.

Conclusion:

The failure of the playbook is due to the "Create SMTP Enumeration incident" task receiving a string

value (an IP address) when it expects an integer value. This mismatch in data types leads to the error.

Reference:

Fortinet Documentation on Playbook and Task Configuration.

Python error handling documentation for understanding ValueError.

Understanding FortiAnalyzer Fabric Topology:

The FortiAnalyzer Fabric topology is designed to centralize logging and analysis across multiple

devices in a network.

It involves a hierarchy where the supervisor node manages and coordinates with other Fabric

members.

Analyzing the Options:

Option A: Downstream collectors forwarding logs to Fabric members is not a typical configuration.

Instead, logs are usually centralized to the supervisor.

Option B: For effective management and log centralization, logging devices must be registered to the

supervisor. This ensures proper log collection and coordination.

Option C: The supervisor does not primarily use an API to store logs, incidents, and events locally.

Logs are stored directly in the FortiAnalyzer database.

Option D: For the Fabric topology to function correctly, all Fabric members need to be in analyzer

mode. This mode allows them to collect, analyze, and forward logs appropriately within the

topology.

Conclusion:

The correct statements regarding the FortiAnalyzer Fabric topology are that logging devices must be

registered to the supervisor and that Fabric members must be in analyzer mode.

Reference:

Fortinet Documentation on FortiAnalyzer Fabric Topology.

Best Practices for Configuring FortiAnalyzer in a Fabric Environment.

Understanding the Playbook Configuration:

The playbook "FortiMail Sender Blocklist" is designed to manually input email addresses or IP

addresses and add them to the FortiMail block list.

The playbook uses a FortiMail connector with the action ADD_SENDER_TO_BLOCKLIST.

Analyzing the Playbook Execution:

The configuration and actions provided show that the playbook is straightforward, starting with an

ON_DEMAND STARTER and proceeding to the ADD_SENDER_TO_BLOCKLIST action.

The action description indicates it is intended to block senders based on email addresses or domains.

Evaluating the Options:

Option A: Using GET_EMAIL_STATISTICS is not required for the task of adding senders to a block list.

This action retrieves email statistics and is unrelated to the block list configuration.

Option B: The primary reason for failure could be the requirement for a fully qualified domain name

(FQDN). FortiMail typically expects precise information to ensure the correct entries are added to the

block list.

Option C: The trust level of the client-side browser with FortiAnalyzer's self-signed certificate does

not impact the execution of the playbook on FortiMail.

Option D: Incorrect connector credentials would result in an authentication error, but the problem

described is more likely related to the format of the input data.

Conclusion:

The FortiMail Sender Blocklist playbook execution is failing because FortiMail is expecting a fully

qualified domain name (FQDN).

Reference:

Fortinet Documentation on FortiMail Connector Actions.

Best Practices for Configuring FortiMail Block Lists.

Understanding the Issue:

The custom event handler for detecting SMTP reconnaissance activities is generating a large number

of events.

This high volume of events is overwhelming the notification system, leading to potential alert fatigue

and inefficiency in incident response.

Event Handler Configuration:

Event handlers are configured to trigger alerts based on specific criteria.

The frequency and volume of these alerts can be controlled by adjusting the trigger conditions.

Possible Solutions:

A . Increase the trigger count so that it identifies and reduces the count triggered by a particular

group:

By increasing the trigger count, you ensure that the event handler only generates alerts after a

higher threshold of activity is detected.

This reduces the number of events generated and helps prevent overwhelming the notification

system.

Selected as it effectively manages the volume of generated events.

B . Disable the custom event handler because it is not working as expected:

Disabling the event handler is not a practical solution as it would completely stop monitoring for

SMTP reconnaissance activities.

Not selected as it does not address the issue of fine-tuning the event generation.

C . Decrease the time range that the custom event handler covers during the attack:

Reducing the time range might help in some cases, but it could also lead to missing important

activities if the attack spans a longer period.

Not selected as it could lead to underreporting of significant events.

D . Increase the log field value so that it looks for more unique field values when it creates the event:

Adjusting the log field value might refine the event criteria, but it does not directly control the

volume of alerts.

Not selected as it is not the most effective way to manage event volume.

Implementation Steps:

Step 1: Access the event handler configuration in FortiAnalyzer.

Step 2: Locate the trigger count setting within the custom event handler for SMTP reconnaissance.

Step 3: Increase the trigger count to a higher value that balances alert sensitivity and volume.

Step 4: Save the configuration and monitor the event generation to ensure it aligns with expected

levels.

Conclusion:

By increasing the trigger count, you can effectively reduce the number of events generated by the

custom event handler, preventing the notification system from being overwhelmed.

Reference:

Fortinet Documentation on Event Handlers and Configuration FortiAnalyzer Administration Guide

Best Practices for Event Management Fortinet Knowledge Base

By increasing the trigger count in the custom event handler, you can manage the volume of

generated events and prevent the notification system from being overwhelmed.

Understanding the MITRE ATT&CK Framework:

The MITRE ATT&CK framework is a comprehensive matrix of tactics and techniques used by

adversaries to achieve their objectives.

It is widely used for understanding adversary behavior, improving defense strategies, and conducting

security assessments.

Analyzing the Options:

Option A: The framework provides detailed technical descriptions of adversary activities, including

specific techniques and subtechniques.

Option B: The framework includes information about mitigations and detections for each technique

and subtechnique, providing comprehensive guidance.

Option C: MITRE ATT&CK covers a wide range of attack vectors, including those targeting user

endpoints, network devices, and servers.

Option D: Some techniques or subtechniques do indeed fall under multiple tactics, reflecting the

complex nature of adversary activities that can serve different objectives.

Conclusion:

The statement that best describes the MITRE ATT&CK framework is that it contains some techniques

or subtechniques that fall under more than one tactic.

Reference:

MITRE ATT&CK Framework Documentation.

Security Best Practices and Threat Intelligence Reports Utilizing MITRE ATT&CK.

Understanding the Custom Event Handler Configuration:

The event handler is set up to generate events based on specific log data.

The goal is to generate events specifically for spam emails detected by FortiMail.

Analyzing the Issue:

The event handler is currently generating events for both spam emails and clean emails.

This indicates that the rule's filtering criteria are not correctly distinguishing between spam and non-

spam emails.

Evaluating the Options:

Option A: Selecting the "Anti-Spam Log (spam)" in the Log Type field will ensure that only logs

related to spam emails are considered. This is the most straightforward and accurate way to filter for

spam emails.

Option B: Typing type==spam in the Log filter by Text field might help filter the logs, but it is not as

direct and reliable as selecting the correct log type.

Option C: Disabling the rule to use the filter in the data selector to create the event does not address

the issue of filtering for spam logs specifically.

Option D: Selecting "Within a group, the log field Spam Name (snane) has 2 or more unique values"

is not directly relevant to filtering spam logs and could lead to incorrect filtering criteria.

Conclusion:

The correct change to make in the rule is to select "Anti-Spam Log (spam)" in the Log Type field. This

ensures that the event handler only generates events for spam emails.

Reference:

Fortinet Documentation on Event Handlers and Log Types.

Best Practices for Configuring FortiMail Anti-Spam Settings.

Understanding the Event Handler Configuration:

The event handler is set up to detect specific security incidents, such as spearphishing, based on logs

forwarded from other Fortinet products like FortiSandbox.

An event handler includes rules that define the conditions under which an event should be triggered.

Analyzing the Current Configuration:

The current event handler is named "Spearphishing handler" with a rule titled "Spearphishing Rule

1".

The log viewer shows that logs are being forwarded by FortiSandbox but no events are generated by

FortiAnalyzer.

Key Components of Event Handling:

Log Type: Determines which type of logs will trigger the event handler.

Data Selector: Specifies the criteria that logs must meet to trigger an event.

Automation Stitch: Optional actions that can be triggered when an event occurs.

Notifications: Defines how alerts are communicated when an event is detected.

Issue Identification:

Since FortiSandbox logs are correctly forwarded but no event is generated, the issue likely lies in the

data selector configuration or log type matching.

The data selector must be configured to include logs forwarded by FortiSandbox.

Solution:

B . Configure a FortiSandbox data selector and add it to the event handler:

By configuring a data selector specifically for FortiSandbox logs and adding it to the event handler,

FortiAnalyzer can accurately identify and trigger events based on the forwarded logs.

Steps to Implement the Solution:

Step 1: Go to the Event Handler settings in FortiAnalyzer.

Step 2: Add a new data selector that includes criteria matching the logs forwarded by FortiSandbox

(e.g., log subtype, malware detection details).

Step 3: Link this data selector to the existing spearphishing event handler.

Step 4: Save the configuration and test to ensure events are now being generated.

Conclusion:

The correct configuration of a FortiSandbox data selector within the event handler ensures that

FortiAnalyzer can generate events based on relevant logs.

Reference:

Fortinet Documentation on Event Handlers and Data Selectors FortiAnalyzer Event Handlers

Fortinet Knowledge Base for Configuring Data Selectors FortiAnalyzer Data Selectors

By configuring a FortiSandbox data selector and adding it to the event handler, FortiAnalyzer will be

able to accurately generate events based on the appropriate logs.

Understanding Playbook Triggers:

Playbook triggers are the starting points for automated workflows within FortiAnalyzer or FortiSOAR.

These triggers determine how and when a playbook is executed and can pass relevant information

(trigger variables) to subsequent tasks within the playbook.

Types of Playbook Triggers:

EVENT Trigger:

Initiates the playbook when a specific event occurs.

The event details can be used as variables in later tasks to customize the response.

Selected as it allows using event details as trigger variables.

INCIDENT Trigger:

Activates the playbook when an incident is created or updated.

The incident details are available as variables in subsequent tasks.

Selected as it enables the use of incident details as trigger variables.

ON SCHEDULE Trigger:

Executes the playbook at specified times or intervals.

Does not inherently use trigger events to pass variables to later tasks.

Not selected as it does not involve passing trigger event details.

ON DEMAND Trigger:

Runs the playbook manually or as required.

Does not automatically include trigger event details for use in later tasks.

Not selected as it does not use trigger events for variables.

Implementation Steps:

Step 1: Define the conditions for the EVENT or INCIDENT trigger in the playbook configuration.

Step 2: Use the details from the trigger event or incident in subsequent tasks to customize actions

and responses.

Step 3: Test the playbook to ensure that the trigger variables are correctly passed and utilized.

Conclusion:

EVENT and INCIDENT triggers are specifically designed to initiate playbooks based on specific

occurrences, allowing the use of trigger details in subsequent tasks.

Reference:

Fortinet Documentation on Playbook Configuration FortiSOAR Playbook Guide

By using the EVENT and INCIDENT triggers, you can leverage trigger events in later tasks as variables,

enabling more dynamic and responsive playbook actions.

Understanding the MITRE ATT&CK Tactics:

The MITRE ATT&CK framework categorizes various tactics and techniques used by adversaries to

achieve their objectives.

Tactics represent the objectives of an attack, while techniques represent how those objectives are

achieved.

Analyzing the Incident Report:

Phishing Email Campaign: This tactic is commonly used for gaining initial access to a system.

Malicious Link and RAT Download: Clicking a malicious link and downloading a RAT is indicative of

establishing initial access.

Remote Access Trojan (RAT): Once installed, the RAT allows attackers to maintain access over an

extended period, which is a persistence tactic.

Mapping to MITRE ATT&CK Tactics:

Initial Access:

This tactic covers techniques used to gain an initial foothold within a network.

Techniques include phishing and exploiting external remote services.

The phishing campaign and malicious link click fit this category.

Persistence:

This tactic includes methods that adversaries use to maintain their foothold.

Techniques include installing malware that can survive reboots and persist on the system.

The RAT provides persistent remote access, fitting this tactic.

Exclusions:

Defense Evasion:

This involves techniques to avoid detection and evade defenses.

While potentially relevant in a broader context, the incident report does not specifically describe

actions taken to evade defenses.

Lateral Movement:

This involves moving through the network to other systems.

The report does not indicate actions beyond initial access and maintaining that access.

Conclusion:

The incident report captures the tactics of Initial Access and Persistence.

Reference:

MITRE ATT&CK Framework documentation on Initial Access and Persistence tactics.

Incident analysis and mapping to MITRE ATT&CK tactics.