

Fortinet Configuration

The following product description and configuration information was provided by the vendor and has been included in its unedited form. Any MITRE Engenuity comments are included in italics.


Product Versions

FortiEDR v4.6/5.0
License: Predict, Protect and Response

Product Description

FortiEDR delivers advanced, real-time threat protection for endpoints both pre and post infection. It proactively reduces the attack surface, prevents malware infection, detects and defuses potential threats in real time, and can automate response and remediation procedures with customizable playbooks. FortiEDR helps organizations stop breaches in real time automatically and efficiently, without overwhelming security teams with a slew of false alarms or disrupting business operations.

FortiEDR provides both comprehensive machine-learning anti-malware execution and real-time post-infection protection from day one. It automatically detects and defuses potential threats in real time even on already infected hosts. The defusing post-infection protection layer controls outbound communications and file system modifications to prevent data exfiltration, lateral movement and C2 communications, as well as file tampering and ransomware.

With automated EDR functions for threat hunting and incident response, FortiEDR eliminates the breach response time gap, dwell time, and alert fatigue. Additionally, it protects systems and supports broad OS coverage across workstations, servers, and virtual machines, including legacy operating systems and embedded systems.

The FortiEDR platform includes the following capabilities:

  • Reduce the Attack Surface
    • Discover and control rogue devices (e.g. unprotected or unmanaged devices) and IoT devices
    • Track applications and ratings
    • Discover and mitigate system and application vulnerabilities with virtual patching
    • Reduce the attack surface with risk-based proactive policies
    • USB device control
  • Real Time Prevention
    • Machine learning, Kernel-based Next Generation AV
    • Feeds from a continuously updated cloud database
    • Real-time automated prevention of ransomware encryption
    • Protect disconnected endpoints with offline protection
  • Detection and Containment
    • Automated post-infection detection and blocking
    • OS-centric technology
    • Analysis of entire log history
    • Surgical containment
  • Incident Response
    • Automated event classification
    • Standardize incident response procedures with playbook automation
    • Automated remediation (notify users, isolate device, remediate device, open ticket)
    • Automated investigation with minimal interruption for user
  • Investigation and Hunt

Product Configuration

Detection Test

  • Communication Control Policies set to Simulation
  • USB Device Control Policy set to Disabled
  • Execution Prevention Policy set to Simulation
  • Exfiltration Prevention Policy set to Simulation
  • Ransomware Prevention Policy set to Simulation
  • eXtended Detection Policy set to Simulation

Prevention Test

  • Communication Control Policies set to Simulation
  • USB Device Control Policy set to Disabled
  • Execution Prevention Policy set to Prevention
  • Exfiltration Prevention Policy set to Prevention
  • Ransomware Prevention Policy set to Prevention
  • eXtended Detection Policy set to Simulation