Use Case: Proactive Advanced Endpoint Protection, Visibility and Control for Critical Assets
Objective Title: Introduction
Points: 0
----------------------- Objective Section -----------------------
Objective Text:
In this Fast Track, we will explore controlling endpoints using Fortinet Advanced Endpoint
Protection tools in mixed Windows & Linux environments and see first-hand how these
solutions integrate with the Fortinet Security Fabric to protect your company’s critical assets.
Note: For all objectives, click Continue then select the next available objective from the list to
proceed.
Index: 1.0 (a)
Use Case: Proactive Advanced Endpoint Protection, Visibility and Control for Critical Assets
Objective Title: Topology
Points: 0
----------------------- Objective Section -----------------------
Objective Text:
Welcome to the Advanced Endpoint Workshop
Network Topology (diagram)
Index: 1.0 (b)
Use Case: Proactive Advanced Endpoint Protection, Visibility and Control for Critical Assets
Objective Title: Agenda
Points: 0
----------------------- Objective Section -----------------------
Objective Text:
FortiClient EMS
Topic                                                      Time
Lab 2.0: FortiClient EMS & Fortinet Security Fabric        15 minutes
Lab 2.1: Customizing the FortiClient Installer             15 minutes
Lab 2.2: Dynamic Access Control with Endpoint Tagging      30 minutes
FortiEDR
Topic                                                      Time
Lab 3.1: EDR Architecture and Deployment                   10 minutes
Lab 3.2: EDR Advanced Protection                           25 minutes
Lab 3.3: EDR Events, Forensics, and Reporting              25 minutes
Index: 2.0
Use Case: FortiClient EMS & Security Fabric
Objective Title: Introduction
Points: 0
----------------------- Objective Section -----------------------
Objective Text:
Endpoint Protection provides security measures that prevent threats, mitigate risks, reduce
exposure, and ensure endpoint compliance. An additional key function of FortiClient EMS is to
strengthen the Security Fabric by providing information about the endpoints to the FortiGates.
FortiClient EMS can pull machine and user information from Active Directory, which can
then be used in FortiGate policies.
In the following objectives of this use case, you will establish the communication between EMS,
Active Directory, and Security Fabric.
Objectives
• Connect FortiClient EMS to Active Directory.
Time to Complete
Estimated: 10 minutes
Index: 2.0 (a)
Use Case: FortiClient EMS & Security Fabric
Objective Title: Integrating FortiClient EMS with Active Directory
Points: 10
----------------------- Objective Section -----------------------
Objective Text:
Add Domain
1. From the Lab Activity: Endpoint tab, access FortiClient EMS using the HTTPS option.
Note: Unless otherwise indicated, all username and passwords for various admin consoles
are:
Username: admin Password: Fortinet1!
2. Navigate to Endpoints > Domains > Add a domain.
3. Use the following information:
• IP address/Hostname: 172.16.100.10
• Port: 389
• Username: admin
• Password: Fortinet1!
Note: Common practice is to enter the distinguished name (DN) of the domain explicitly
when there is more than one forest in the network. Here EMS obtained the value
automatically because there is only one domain; if manual entry is required, the DN is
acmecorp.net.
Note: Port 389 is plain LDAP, so the bind credentials and the synchronized directory data
cross the network unencrypted, and the account used here is a domain administrator.
Outside this lab, bind over LDAPS and use a dedicated read-only service account with no
more rights than the directory lookup needs.
4. Click Test
5. Click Save once the successful message appears.
Note: While the domain information is being synced in EMS, it may take up to a minute to
complete. Wait for the synchronization process to complete. You may need to reload
Manage Domains page by clicking on Refresh on the top right if acmecorp.net does not
appear in Endpoints > Domains.
• alice
• bob
• carol
• david
Note: EMS provides granular control in assigning endpoint policies to specific AD
users/user groups.
7. In the Telemetry Server List field, Select FortiGate-Edge from the drop-down menu.
8. Click Save.
Hint: 1 Points: 2
Hint Text:
Hint 1:
FortiGate was the only device to manage FortiClient until EMS became available.
Answer: radio
Answer Text:
Answer
False
FortiGate provides the required telemetry service, extending visibility and control: it can
report endpoint vulnerabilities and quarantine compromised endpoints.
Answer Key:
✘ 1. True
✔ 2. False
Index: 2.0 (b)
Use Case: FortiClient EMS & Security Fabric
Objective Title: Integrating FortiClient EMS with Security Fabric
Points: 0
----------------------- Objective Section -----------------------
Objective Text:
• Name: FortiClient-EMS
• IP/Domain: 172.16.100.125
6. Click OK
Note: FortiClient EMS Fabric Connector should have a successful up connection status.
Authorize FortiGate-ISFW Fabric Device on EMS Server
1. From the web browser, access the FortiClient EMS using the web console.
2. A Fabric Device Authorization Requests window for FortiGate-ISFW should pop up. Confirm
the request really comes from FortiGate-ISFW (not from an unexpected device), then click
Authorize.
CAUTION: Press F5 to refresh the browser window and wait a few seconds if the Fabric
Device Authorization Requests window does not show up.
To facilitate the installation of FortiClient on endpoints, EMS allows the creation of custom
FortiClient deployment packages with the pre-configured parameters an endpoint needs to
register with EMS and connect to the FortiGate as part of the Security Fabric group. These
installation packages, however, are only available for Windows and macOS.
You can install FortiClient (Linux) on Ubuntu, CentOS, and RedHat operating systems. In the
interest of time the FortiClient(Linux) has already been installed for you on the Ubuntu
workstation.
In this exercise, you will create an installation package and install FortiClient on the Windows
workstation.
Objectives
• Create a deployment package.
Time to Complete
Estimated: 15 minutes
Index: 2.3 (a)
Use Case: Customizing the FortiClient Installer
Objective Title: Creating Deployment Package
Points: 10
----------------------- Objective Section -----------------------
Objective Text:
1. From the web browser, access the FortiClient EMS using the web console.
2. Click Manage Installers > Deployment Packages.
3. Click + Add.
4. Under Version section, select Installer Type as Choose an official release.
5. Leave the release and patch at 6.4 and 6.4.0 respectively.
7. Click Next.
8. Under General section, type the Name as FCT-Installer
Note: Make sure the name is typed in the exact same manner as shown below in the
screenshot.
9. Click Next.
10. Under Advanced section, tick the checkbox:
Hint: 1 Points: 4
Hint Text:
Hint 1:
You can configure a FortiClient installer with an installer ID, then deploy this installer to the
desired endpoints. When the endpoints' FortiClient connects to FortiClient EMS, FortiClient
EMS places them in the desired group. For example, consider you want all endpoints located in
your company's headquarters to be placed in the same endpoint group.
Answer: radio
Answer Text:
Answer
True
Answer Key:
✔ 1. True
✘ 2. False
Index: 2.3 (b)
Use Case: Customizing the FortiClient Installer
Objective Title: Installing FortiClient
Points: 0
----------------------- Objective Section -----------------------
Objective Text:
Install FortiClient
In most companies, new machines connect to the corporate network on a regular basis. In this
exercise, we have a Windows machine that was recently joined to the domain and requires
further steps to meet the company’s compliance policy. To that end, we will install FortiClient
on this workstation via the install package we created in the previous objective.
1. From the Lab Activity: Endpoint tab, access Alice machine using the RDP option.
Username: ACMECORP/alice Password: Fortinet1!
1. Open a web browser on the desktop and using the FCT-Installer bookmark, browse to
https://172.16.100.125:10443/installers/FCT-Installer
2. Click Continue to this website (not recommended) to get past the certificate warning page.
The lab EMS presents a certificate the workstation does not trust; in production, install an
EMS certificate issued by a CA the endpoints trust so that users are never trained to click
through this warning, and verify the installer's digital signature before running it.
3. The installer folder should be displayed. Select FortiClientSetup_6.4.0_x64.exe
4. Pay attention to the bottom right corner of the browser, to see that the file is being
downloaded.
Note: Click keep and allow the download if you see a browser pop-up warning that the file
might be harmful.
6. When you get confirmation that the file has been downloaded, the installer should be saved
in the Downloads folder. Go ahead and start the installer.
7. Once the Installer starts, go ahead and close (or minimize) the browser.
8. Follow the wizard process by ticking the checkbox Yes, I have read and accept the License
Agreement.
9. Click Next.
10. Leave the default directory specified and click Next.
11. Click Install and wait for a few moments while the installation completes.
12. When the installer wizard is done, click Finish.
Note: Pay attention to the FortiClient notification on the taskbar. FortiClient will attempt to
register to EMS and connect to the Security Fabric according to the pre-configured settings
customized in the package. It will then obtain and update all required signatures, which
may take a few minutes. Up-to-date signatures are required for an upcoming exercise.
13. Open the FortiClient console by double clicking the FortiClient icon on the Desktop.
Note: Wait for a few minutes to allow FortiClient to be fully synchronized with EMS. The
endpoint should be now compliant and the console should look like the following:
Verify Endpoint Registration
1. From the web browser, access FortiClient EMS using the web console.
3. For more details, go ahead and click on the number inside the bubble to observe additional
information about these endpoints. Hover the mouse on the green icons to view the status
of EMS management synchronization and FortiTelemetry connection status.
Note: Alice’s avatar may not be visible but will eventually sync up on the next sync cycle.
Index: 2.4
Use Case: Dynamic Endpoint Grouping/Tagging
Objective Title: Introduction
Points: 0
----------------------- Objective Section -----------------------
Objective Text:
As part of the Security Fabric, you can now configure categorization rules on EMS to
dynamically group/tag FortiClient Fabric Agent endpoints. You can then share these endpoint
groups with FortiGate over the EMS connector. EMS dynamically updates these endpoint
groups when host compliance or other events happen. You can combine the endpoint groups
with FortiGate firewall policies to provide dynamic access control based on endpoint status.
You can dynamically group endpoints by OS type, OS version, certificate, logged in domain,
files, running applications/processes, registry keys, and more. When a FortiClient endpoint
registers to EMS, EMS dynamically groups the endpoint based on the compliance verification
rules.
You can selectively block, allow, or captive portal display endpoint groups based on their
real-time compliance statuses.
In this use case, you will create verification rules to apply tags to the endpoints, and then pull
those tags into the FortiGate via an EMS connector. You will then apply the tags to the firewalls
and demonstrate the changes in access as the tags on the endpoint change.
Objectives
• Create Compliance Verification Rules and Tags
Time to Complete
Estimated: 25 minutes
Index: 2.4.1
Use Case: Dynamic Access Control (AD Group Membership)
Objective Title: Introduction
Points: 0
----------------------- Objective Section -----------------------
Objective Text:
A feature introduced in EMS 6.2 is the ability to tag endpoints based on the Active Directory
group membership of the logged-in user. EMS considers the endpoint as satisfying the rule if
the logged-in user belongs to the selected AD group. You can also use the NOT option to
require that the logged-in user does not belong to certain AD groups.
As these conditions change, EMS updates the tags on the endpoints and passes that
information on to the FortiGates, which can then dynamically control the endpoints' access
via firewall policies.
In this use case, you will create verification rules to apply tags to the endpoints, and then pull
those tags into the FortiGate via an EMS connector. You will then apply the tags to the firewalls
and demonstrate the changes in access as the tags on the endpoint change.
Objectives
• Create Compliance Verification Rules and Tags
Time to Complete
Estimated: 15 minutes
Index: 2.4.1 (a)
Use Case: Dynamic Access Control (AD Group Membership)
Objective Title: Creating Compliance Verification Rules and Tags
Points: 0
----------------------- Objective Section -----------------------
Objective Text:
EMS tags the endpoints based on Compliance Verification Rules. Let’s have a look at an existing
rule, and then create a few more.
• Name: Sales_User
• OS: Windows
• AD Group: Sales
Note: Take a moment to explore the different rule types with which you can apply
tags to devices.
3. Click Save.
4. Click Save.
1. From the Lab Activity: Endpoint tab, access FGT-ISFW using the HTTPS option.
2. If you have not logged in automatically, login as the user alice and password Fortinet1!
3. Open the Putty application by double clicking on the Putty shortcut on the Desktop.
4. Select HR from the Saved Sessions area, and click on the Load button.
5. Click Open
Note: The Putty window should open, and you should see the login prompt. This tells you
that the application was able to access the destination host in the HR network and establish
a connection. So Alice has access to the HR network.
Disconnect FortiClient
1. Open the FortiClient console, and click Disconnect.
2. When asked if you are sure you want to disconnect, select Yes.
5. Open Putty from Desktop. Select Sales from the Saved Sessions area, click Load and click
Open
Note: The Putty window should open, and you should see the login prompt. This tells you
that the application was able to reach the destination host in the Sales network and
establish a connection. So Alice has access to the Sales network, which makes sense as Alice
is in the Sales AD group.
Re-Connect FortiClient
4. Click Connect
Index: 2.4.2
Use Case: Identity Compliance
Objective Title: Introduction
Points: 0
----------------------- Objective Section -----------------------
Objective Text:
Identity Compliance
EMS can now dynamically group endpoints based on their user identity. An end user can
provide their user identity in FortiClient from one of the following sources:
• LinkedIn
• Google
• Salesforce
• User Input
When the end user selects User Input, they can specify personal information, including their
avatar, name, phone number, and email address. If they select another option, FortiClient reads
their avatar, name, phone number, and email address from the corresponding account.
FortiClient displays this information and sends it via Telemetry to EMS. EMS uses this
information to apply the applicable host verification tags to endpoints. If the endpoint user
does not supply these parameters, the endpoint is considered non-compliant.
Note that the User Input option is self-asserted: EMS does not validate a name or email address
the user types in, so a tag derived from it proves only that the user filled in the form. Treat it
as a compliance nudge, not as an authentication factor for access to sensitive resources.
In this use case, you will enable user identity settings, create a user identity based tag through a
compliance verification rule. You will then apply the tag to the firewall policy and demonstrate
the changes in access as the tags on the endpoint change.
Objectives
• Enable user identity settings
Time to Complete
Estimated: 10 minutes
Index: 2.4.2 (a)
Use Case: Identity Compliance
Objective Title: Enabling User Identity Settings
Points: 0
----------------------- Objective Section -----------------------
Objective Text:
In this exercise, you will enable user identity settings for the default endpoint profile.
1. From the web browser, access FortiClient EMS using the web console.
EMS tags the endpoints based on Compliance Verification Rules. You will create a user identity
based compliance rule.
Create Rule
5. Click Save.
Index: 2.4.2 (c)
Use Case: Identity Compliance
Objective Title: Submitting User Information
Points: 0
----------------------- Objective Section -----------------------
Objective Text:
Let’s verify what level of network access Alice’s Windows machine has, and how the user
identity based tag modifies it.
1. From the web browser, access Alice machine using the web console.
1. From the web browser, access FortiClient EMS using the web console.
• Name: To Internet
• Incoming Interface: Sales Network (port2)
• Outgoing Interface: EDGE_ISFW Network (port4)
• Source: FCTEMS0000101980_User_Specified_Tag
Note: EMS tags are imported into the FortiGate as firewall address objects. In case
the above EMS tags don’t show up in the source address list, please wait for 1-2
minutes and press F5 to refresh the browser tab.
• Destination: all
• Schedule: always
• Service: ALL
• Action: ACCEPT
4. Click OK
Note: You will find out that Alice’s PC has been granted access to external websites after
you applied the EMS tag to firewall policy.
Hint: 1 Points: 2
Hint Text:
Hint 1:
In the EMS console, click Compliance Verification > Compliance Verification Rules > + Add > +
Add Rule > Rule Type
Answer: checkbox
Answer Text:
Answer:
Rule type (supported OS): conditions
AntiVirus Software (Windows, macOS, Linux): From the AV Software dropdown list, select the
desired conditions, for example that AV software is installed and running and that the AV
signatures are up to date. The NOT option requires that the endpoint does not have AV
software installed or running. The rule covers FortiClient AV and third-party AV software that
registers with the Windows Security Center; FortiClient queries the Security Center to learn
whether third-party AV software is installed and whether it reports its signature status. The
endpoint must satisfy all configured conditions to satisfy this rule. Only FortiClient 6.2.2+
endpoints support this rule type.
Certificate (Windows, macOS, Linux): In the Subject CN and Issuer CN fields, enter the
certificate subject and issuer common names. The NOT option requires that a certain
certificate is not present on the endpoint. The endpoint must satisfy all conditions to satisfy
this rule; for example, if the rule requires certificate A, certificate B, and NOT certificate C,
the endpoint must have both certificates A and B and must not have certificate C.
OS Version (Windows, macOS, Linux, iOS, Android): From the OS Version field, select the OS
version. If the rule is configured with more than one version, EMS considers the endpoint as
satisfying the rule if it has one of the configured OS versions installed.
Registry Key (Windows): In the Registry Key field, enter the registry key or registry data
value. The NOT option requires that the registry key or data value is not present on the
endpoint. The endpoint must satisfy all configured conditions to satisfy this rule; for
example, if the rule requires registry key A, registry key B, and NOT registry key C, the
endpoint must have keys A and B and must not have key C.
Windows Security (Windows): From the Windows Security dropdown list, select the desired
conditions: Windows Defender, BitLocker Disk Encryption, Exploit Guard, Application Guard,
and/or Windows firewall. The NOT option requires that the endpoint have Windows Defender,
BitLocker Disk Encryption, Exploit Guard, Application Guard, and/or Windows firewall
disabled. The endpoint must satisfy all configured conditions to satisfy this rule. Only
FortiClient 6.2.2+ endpoints support this rule type.
Answer Key:
✔ 1. Certificate
✔ 2. AntiVirus Software
✔ 3. OS Version
✔ 4. Windows Security
✔ 5. Registry Key
Index: 3.0
Use Case: FortiEDR - Advanced Protection
Objective Title: FortiEDR - Advanced Protection
Points: 0
----------------------- Objective Section -----------------------
Objective Text:
The security team at ACME Corp must enhance its existing endpoint security solution to
prevent malware infections and data loss.
Using FortiEDR, the SOC team will find and remediate possible threats on these new users’
laptops, particularly those of users working in more sensitive areas such as accounting and
finance, without impacting critical business services.
This enhanced endpoint protection use case will include the following exercises:
• Virtual patching of vulnerable software until it can be patched during a scheduled
upgrade (maintenance window).
• Event and forensic analysis of malware, PUPs (potentially unwanted programs), and
suspicious programs
Introduction
Objectives
• Overview of backend EDR infrastructure
Time to Complete
Estimated: 10 minutes
Index: 3.1 (a)
Use Case: Architecture and Deployment
Objective Title: Architecture and Overview
Points: 0
----------------------- Objective Section -----------------------
Objective Text:
Background
This objective introduces the FortiEDR solution components required to stop malicious threats.
This exercise provides additional context for future objectives.
The FortiEDR solution has several components, all of which work together to protect endpoints
at scale.
• FortiEDR Aggregator – manages the collection from the collectors to the FortiEDR
Central Manager
• FortiEDR Central Manager – a central web server and backend server for viewing
and analyzing events
• FortiEDR Threat Hunter Repository – allows admins to find and delete malware
across any of the devices.
Tasks
1. From the Lab Activity: Endpoint tab, access FortiEDR using the HTTPS option.
2. Click Dashboard. Locate System Components widget and note the system
components of the system.
Stop and Think
Key questions to ask before installing collector agents on the endpoints in your environment:
Tasks
Endpoint deployment/provisioning
1. From the Lab Activity: Endpoint tab, access Alice machine using the RDP option.
2. Go through the install wizard setting. Use the default settings and click Next
3. Leave path set to default: c:\program files\Fortinet\FortiEDR and click Next.
• Port: 8081
5. Click Yes
6. Click Close
7. Once installed, FortiEDR should be visible from on bottom right-hand side of the toolbar.
Note: There should be a port 555 connection to 172.168.100.132 (FortiEDR core) and a port
8081 connection to 172.168.100.133 (FortiEDR manager/aggregator).
9. From the web browser, access FortiEDR using the web console.
10. Click the dashboard. Note green bar in the upper right side, indicating that the collector is
properly running on the Windows 2016 (Alice) victim machine
12. Make sure that the newly added endpoint (Alice) has:
14. Note that all policies by default are in simulation mode (which alerts on malicious activities).
Keep these settings for the next malware analysis exercise.
Note: Policies toggled on (green button) are in prevention mode. Prevention mode not only
alerts on malicious activity but also actively blocks files categorized as malicious or
suspicious.
Note: Policies are always in either simulation or prevention mode. However, the rules
under each policy can be disabled on a case by case basis.
15. Once a policy is selected, the Default Collector group will show up on the right-hand side, as
shown below.
22. On the right-hand side of the Policies Settings page, check that the collectors (which include
the Alice victim PC) in the Default Collector Group are assigned to the Default
Communication Control Policy.
Success
Now that the Alice victim PC has a FortiEDR collector installed and is added to the correct
security collector groups, it can detect malicious software running on the machine.
• High-security collector group (used by EDR playbooks to isolate infected systems for
forensic analysis)
Question:
A user calls the help desk and cannot print. What can be done by the help desk to see if
FortiEDR is impacting the printing process?
----------------------- Hint 1 Section -----------------------
Hint: 1 Points: 0
Hint Text:
Hint
The user needs to be put in a group that doesn’t restrict them but simulates the restrictions, so
that the help desk can look at what events are being generated.
This will help determine which communication control rule might be preventing the print job.
Answer: radio
Answer Text:
Answer
Simulation (Notification Only): FortiEDR only issues an alert for connections that violate a
rule in a FortiEDR security policy. In simulation mode, FortiEDR does not secure
communications. FortiEDR comes pre-configured in simulation mode, which is useful for
troubleshooting but provides no protection until it is switched to prevention mode.
Answer Key:
✔ 1. Simulation group
✘ 2. High security group
✘ 3. Printing security group
Index: 3.2
Use Case: Advanced Protection
Objective Title: Introduction
Points: 0
----------------------- Objective Section -----------------------
Objective Text:
Introduction
ACMEcorp’s security admins must reduce their attack surface by stopping advanced
malware and virtually patching healthcare and point of sale workstations until the next
scheduled maintenance.
Because threat actors target users with custom malware, ACMEcorp’s endpoint
protection solution must detect malware without relying only on legacy signature-based
solutions that depend on hashes, as would be the case with first-generation endpoint
products. ACMEcorp must also defuse critical vulnerabilities in older and unpatched
workstations in a way that does not disrupt business continuity.
Security admins at ACMEcorp would like to stop all advanced malware from initially
executing on endpoint clients. For the files allowed to run, the ACMEcorp security team
would like to inspect, record, and block malicious behaviors.
Objectives
Time to Complete
Estimated: 25 minutes
Index: 3.2 (a)
Use Case: Advanced Protection
Objective Title: Malware Analysis
Points: 0
----------------------- Objective Section -----------------------
Objective Text:
Background
Because threat actors target executives with custom malware, ACMEcorp’s endpoint protection
solution must detect malware without relying only on legacy signature-based solutions that
depend on hashes, as would be the case with first-generation endpoint products.
Tasks
To demonstrate how FortiEDR’s pre- and post-execution rules detect modified malware, we will
append characters to a known malicious file to change its hash signature and confirm that it is
no longer detected by ClamWin (a first-generation open source antivirus tool) or found on
VirusTotal (a cloud-based multi-engine scanning service).
After modifying the executable, we will use PE Studio to find suspicious artifacts and compare
the modified executable (with the new hash, due to the appended string) to the original
malware.
1. On the FortiEDR, toggle the security policies back to simulation (Security Settings > Security
Policies > Execution Prevention )
Note: For good measure, it’s helpful to confirm that the security policies are always assigned to
the collector group as demonstrated below (Check policy, click Assign Collector Group, and
then assign to the right collector group, Default Collector Group).
Note: The side Collector Group Assignment window does not come up unless you check a box
or expand the policy. When set to simulation mode, FortiEDR will still detect the malware but
not block it at the client end (FortiEDR collector). After this exercise, you should see events in
the FortiEDR manager.
2. From the Lab Activity: Endpoint tab, access Alice machine using the RDP option.
3. On Alice, open the Windows command prompt (CMD) and enter the command
Note: sigtool.exe is included with ClamWin. It creates a ClamAV antivirus signature for the
known malicious file. Its options take two dashes, for example --sha1.
5. Next, enter the following command to scan the directory using the newly generated
signature (Note: double dashes are required for the parameter, as seen in the output
example)
6. Type the following command to examine the hash of the file using certutil (note: single
dash, not double dash)
cd c:\reports
9. Append the string “fasttrack” to the newly named file by entering the following command
10. Enter the following two commands and note the different SHA1 hash
Note: The modified file no longer matches the ClamAV signature generated from the original,
as the following commands show.
12. Open the file c:\reports\tspresport-fasttrack.exe and note “fasttrack” string at the end of
the file.
Note: The FortiEDR pre-execution rules sometimes prevent opening this file in a hex editor.
If so, you may have to return to EDR and set the pre-execution policy to simulation mode to
do this exercise.
Note: A simple modification like this might not thwart commercial scanners that use
non-signature based detection, such as file heuristics or static analysis. The next exercise will
demonstrate how one might look inside a file to find questionable components.
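Why the appended string defeats the ClamAV signature but not a tool that parses the file is worth seeing in code. The following Python is added here as an illustration and is not part of the Fast Track or of any Fortinet product: it builds a constructed minimal PE (no real malware), appends the same "fasttrack" overlay the lab uses, and compares a whole-file hash (what `sigtool --sha1`, `certutil -hashfile` and a VirusTotal lookup key on) with hashes computed only over the declared PE sections. The constructed image, the `Lab.Sample` signature name and the helper names are assumptions for this example.

```python
import hashlib
import struct

FILE_ALIGN = 512  # file alignment used by the constructed sample


def build_sample_pe() -> bytes:
    """Construct a tiny PE32+ image with one section (constructed sample, not real malware)."""
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)                          # e_lfanew: NT headers at 0x40
    coff = struct.pack("<HHIIIHH", 0x8664, 1, 0, 0, 0, 240, 0x22)  # x64, 1 section, 240-byte opt hdr
    opt = bytearray(240)
    struct.pack_into("<H", opt, 0, 0x20B)                          # PE32+ magic; rest left zero
    text = struct.pack("<8sIIIIIIHHI", b".text", 0x200, 0x1000, 0x200, FILE_ALIGN,
                       0, 0, 0, 0, 0x60000020)                      # raw data: 512 bytes at offset 512
    headers = (bytes(dos) + b"PE\0\0" + coff + bytes(opt) + text).ljust(FILE_ALIGN, b"\0")
    return headers + b"\xCC" * 0x200                               # int3 filler stands in for code


def _section_table(data: bytes):
    """Locate the section table; returns (offset, number_of_sections)."""
    if data[:2] != b"MZ":
        raise ValueError("not a PE file: missing MZ")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE file: missing PE signature")
    nsect = struct.unpack_from("<H", data, e_lfanew + 6)[0]
    opt_size = struct.unpack_from("<H", data, e_lfanew + 20)[0]
    return e_lfanew + 24 + opt_size, nsect


def iter_sections(data: bytes):
    """Yield (name, raw_offset, raw_size) for each section header."""
    table, nsect = _section_table(data)
    for i in range(nsect):
        off = table + 40 * i
        name = data[off:off + 8].rstrip(b"\0").decode("ascii", "replace")
        size_raw, ptr_raw = struct.unpack_from("<II", data, off + 16)
        yield name, ptr_raw, size_raw


def pe_image_end(data: bytes) -> int:
    """Offset where the last section's raw data ends; anything beyond it is overlay."""
    table, nsect = _section_table(data)
    end = table + 40 * nsect
    for _, ptr, size in iter_sections(data):
        end = max(end, ptr + size)
    return min(end, len(data))


def hsb_signature(data: bytes, name: str) -> str:
    """Whole-file signature in ClamAV .hsb form (hash:size:name), as `sigtool --sha1` prints."""
    return f"{hashlib.sha1(data).hexdigest()}:{len(data)}:{name}"


def section_hashes(data: bytes):
    """(size, md5) per section: the material ClamAV .mdb section signatures are built from."""
    return [(size, hashlib.md5(data[ptr:ptr + size]).hexdigest())
            for _, ptr, size in iter_sections(data)]


def fingerprint(data: bytes) -> dict:
    """Hash the whole file and the image-only part (overlay stripped) side by side."""
    end = pe_image_end(data)
    return {
        "file_size": len(data),
        "file_sha1": hashlib.sha1(data).hexdigest(),
        "image_sha1": hashlib.sha1(data[:end]).hexdigest(),
        "overlay_bytes": len(data) - end,
    }


def append_overlay(data: bytes, tail: bytes = b"fasttrack") -> bytes:
    """Reproduce the lab's trick: append bytes after the last section (an overlay)."""
    return data + tail


if __name__ == "__main__":
    original = build_sample_pe()
    modified = append_overlay(original)
    for label, blob in (("original", original), ("modified", modified)):
        print(label, fingerprint(blob))
        print("  hsb:", hsb_signature(blob, "Lab.Sample"))
        print("  sections:", section_hashes(blob))
```

The whole-file signature changes with every appended byte because both the hash and the file size are part of it, so the lab's single string is enough to break it. The section hashes do not change, which is why ClamAV's .mdb section signatures and any analysis that parses the image (imports, strings, indicators) still see the same binary. The overlay itself, bytes that no section header accounts for, is one of the artifacts a static analyzer flags.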
13. Click and open PE Studio (icon on Windows Desktop)
Note: The FortiEDR pre-execution rules sometimes prevent opening this file in PE Studio. If
so, you may have to return to EDR and set the pre-execution policy to simulation mode to
do this exercise.
Note: Wait about a minute for PE Studio to inspect the code and find the malicious artifacts.
After some time, items in the left panel will turn red.
15. Click Indicators on the left and note the blacklisted items inside the file (levels 1,2,3)
16. Click Imports on the left panel and note the blacklisted items (x).
17. Click strings on the left panel and note the blacklisted strings (x).
Note: If there is a delay in PE Studio connecting to VirusTotal, manually search for the hashes
on www.virustotal.com. PE Studio depends on open access to the free version of VirusTotal,
which sometimes times out with excessive use. Search by hash rather than uploading the
sample: a hash lookup reveals nothing, while an uploaded file becomes visible to other
VirusTotal users.
• What defenses are in place if threat actors sent your company’s executives custom
made malware?
• Which lines of defense (firewalls, secure email gateways, desktop AV) might depend on
signature-based protection in detecting malware?
The limitations of signature-based solutions compel security admins to think more carefully
about pre- and post-execution policies on protected endpoints. Using FortiEDR, we can prevent
malicious files from executing, or allow them to execute and safely record their interaction
with the operating system and other files.
Question:
Which of the following artifacts might be helpful when initially analyzing malware with a tool
like PE Studio (choose all that apply)?
Hint: 1 Points: 0
Hint Text:
Hint 1
Malicious software often attempts to hide its intents in order to evade early detection and
static analysis. In doing so, it often leaves suspicious patterns, unexpected metadata, anomalies
and other valuable indicators.
Answer: checkbox
Answer Text:
Answer
Malicious software often attempts to hide its intents in order to evade early detection and
static analysis. In doing so, it often leaves suspicious patterns, unexpected metadata, anomalies
and other valuable indicators.
Answer Key:
✔ 1. suspicious patterns
✔ 2. unexpected metadata
✔ 3. anomalies
Index: 3.2 (b)
Use Case: Advanced Protection
Objective Title: Pre-Exec Protection
Points: 0
----------------------- Objective Section -----------------------
Objective Text:
Background
Security admins at ACMEcorp would like to stop all malware from initially executing on
endpoint clients. The following steps will create a pre-execution security policy that prevents
malware from damaging a computer.
Rules included in this policy include:
• Suspicious drivers
Tasks
2. In FortiEDR, click Security Settings > Security Policies and confirm policies are in prevention
mode (simulation mode was just for testing purposes in the previous exercise).
Note: All Execution Prevention rules are set to block (except for those grayed out)
3. On the right-hand side, note that Default Collector Group is in the Execution Prevention
policy
4. From the web browser, access Alice machine using the web console and open Explorer
6. Optional: If you toggle the pre-execution policy to simulation and set the post-execution
policies to prevention, you should see the following ransomware message and then a popup
from the FortiEDR collector stopping the files from actually being encrypted. Otherwise, this
message will be suppressed.
7. At the bottom right hand side, you should see the following pop up, indicating that FortiEDR
has blocked the malicious process.
Note: If this file runs multiple times, you will see the popup has different PID (process ID)
numbers, indicating that FortiEDR allowed it to run each time and stopped malicious activity
in the post-execution policy. While FortiEDR stops malware in pre- and post-execution, in
some environments, we may still want to allow users to open suspicious files and then
check for malicious activity afterward.
9. From the web browser, access FortiEDR using the web console.
10. Click Event Viewer and confirm that FortiEDR labeled the event as suspicious and stopped
the files from being renamed.
Stop and Think
How might FortiEDR pre-execution rules better protect users than legacy signature-based
antivirus solutions or sandbox solutions that first detonate malware in a virtual machine?
Question:
How might malware creators ensure that their files remain undetected in some VM sandboxed
environments?
Answer: checkbox
Answer Text:
Answer
Malware creators look for the following clues that their software is being run in a virtualized
environment and not by their targeted users:
• MAC OUI
• Screen resolution
Answer Key:
✔ 1. MAC OUI known hypervisors (VMware etc)
✔ 2. Low CPU core count / low RAM
✔ 3. Screen resolution
✔ 4. Recent file count / Desktop file count
✔ 5. Few applications, active windows, or processes
✔ 6. Check for malware researcher tools (wireshark, procmon, sysmon, python.exe, etc)
Index: 3.2 (c)
Use Case: Advanced Protection
Objective Title: Virtual Patching
Points: 10
----------------------- Objective Section -----------------------
Objective Text:
Background
FortiEDR categorizes applications based on the Common Vulnerability Scoring System (CVSS)
CVE scheme. This scoring system provides a useful vulnerability assessment tool, and applications
are classified according to the National Vulnerability Database (NVD) severity ratings (Unknown,
Low, Medium, High, Critical).
As older and unpatched workstations come online, security admins at ACMEcorp must reduce
their attack surfaces and maintain business continuity. Mission-critical applications, such as
point of sale and healthcare workstations, cannot be interrupted before the next patch
maintenance window.
Tasks
4. From the web browser, access the Alice machine using the web console.
5. Next, open the install folder on the desktop and install the 2013 version of Opera (already
downloaded from https://ftp.opera.com/ftp/pub/opera/desktop/). Click the Opera exe file
(v15) and hit the Accept and Install option.
5. On the Alice victim PC, open Opera. You should be able to surf the web with no
problems.
Note: the start-up page this version displays is a 404 (not found), but other pages work.
6. Confirm that the Opera version is v15.0 (circa 2013). In the left-hand corner, pull down the
Opera menu and select About Opera.
Note: In the background, Opera runs an updater to upgrade from version 15, so if you
close this browser and re-open it, you may see a different version than 15.0.
7. From the web browser, access FortiEDR using the web console
9. Under Applications, note that the FortiEDR collector has registered Opera version 15.0.
Note: if you do not see the Opera Internet Browser, make sure that the applications view is
set to All in the upper left of the display. If a narrower application filter is on, you will
only see a subset of applications.
10. From the web browser, access the Alice machine using the web console and close the
Opera browser.
11. In the files folder on the desktop, Right-click on the v42 version of Opera, Run as
administrator and then click Accept and Upgrade.
12. Once Opera opens again, confirm that the new version number has upgraded to 42.0
(Menu > About Opera).
Note: on the desktop is a modified O icon that indicates Opera has gone from version 15
to version 42.0. Now that we've opened v42.0, the FortiEDR collector will register this as a
new application.
13. From the web browser, access FortiEDR using the web console.
14. Go to Communication Control > Applications and note the updated version (42) as well as
the previous older version (15).
Note: version 42.0 will not show up in Communication Control if the new version of Opera
has not been executed on the Alice Victim host machine. Be sure to open it on the endpoint
first before going to Communication Control > Applications.
15. Check the checkbox for version 15 for Opera Internet Browser.
Note: if Opera is not showing up in Communication Control, confirm that the All
Applications option is selected in the top left.
17. Under Modify Action (for Opera v15), pull down the menu for Default Communications
Policy and select Deny.
Note: On the right-hand side of the screen (in Application Details), Default Communication
Control was set to Allow. By saving this Deny policy, FortiEDR prevents the older (v15) version
from connecting to the Internet but allows later (and more secure!) versions to function as
expected. This policy reduces the attack surface of computer systems that cannot afford
downtime due to software patches (point of sale, OT, kiosks, etc.).
Success
Your Opera browser (v42) should now communicate with the Internet. Other workstations
added to this collector group and policy would not be able to use Opera (v15) to communicate
with the Internet.
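The virtual-patching decision above (rate each application version by its NVD severity band, then deny outbound communication for the old vulnerable version while a newer version of the same application keeps working) can be modelled in a few lines. This is an added example, not FortiEDR's code: the inventory, CVSS scores and field names are constructed, and the score-to-severity bands are the public NVD CVSS v3 ratings (NVD also rates an exact 0.0 as "None", which the lab's list omits).

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# NVD qualitative severity bands for CVSS v3.x base scores: lower bound of each band.
SEVERITY_FLOORS = [(9.0, "Critical"), (7.0, "High"), (4.0, "Medium"), (0.1, "Low"), (0.0, "None")]


def nvd_severity(score: Optional[float]) -> str:
    """Map a CVSS v3 base score to its NVD severity label; 'Unknown' when no score exists."""
    if score is None:
        return "Unknown"
    if not 0.0 <= score <= 10.0:
        raise ValueError(f"CVSS base score out of range: {score}")
    score = round(score, 1)  # NVD publishes base scores with one decimal place
    for floor, label in SEVERITY_FLOORS:
        if score >= floor:
            return label
    return "Unknown"  # unreachable for a valid score; keeps the function total


@dataclass(frozen=True)
class AppVersion:
    name: str
    version: Tuple[int, ...]
    worst_cvss: Optional[float]  # highest CVSS base score among known CVEs, None if unscored


@dataclass(frozen=True)
class CommDecision:
    app: AppVersion
    action: str  # "Allow" or "Deny" outbound communication (Communication Control action)
    reason: str


def virtual_patch(inventory: List[AppVersion], deny_at=("High", "Critical")) -> List[CommDecision]:
    """Deny communication for a High/Critical version only when a newer version of the same
    application is already installed, so the endpoint keeps a working copy (business continuity)."""
    newest: Dict[str, AppVersion] = {}
    for app in inventory:
        if app.name not in newest or app.version > newest[app.name].version:
            newest[app.name] = app
    decisions = []
    for app in sorted(inventory, key=lambda a: (a.name, a.version)):
        sev = nvd_severity(app.worst_cvss)
        if sev in deny_at and app != newest[app.name]:
            decisions.append(CommDecision(app, "Deny",
                f"{sev} severity; newer version {newest[app.name].version} is installed"))
        elif sev in deny_at:
            decisions.append(CommDecision(app, "Allow",
                f"{sev} severity but no newer version installed; needs admin review and a patch window"))
        else:
            decisions.append(CommDecision(app, "Allow", f"{sev} severity"))
    return decisions


# Constructed inventory mirroring the lab: an old and a new Opera, plus an unscored POS client.
# The CVSS values are illustrative, not the real scores for these products.
SAMPLE_INVENTORY = [
    AppVersion("Opera Internet Browser", (15, 0), 9.8),
    AppVersion("Opera Internet Browser", (42, 0), 5.3),
    AppVersion("POS Terminal Client", (1, 0), None),
]

if __name__ == "__main__":
    for d in virtual_patch(SAMPLE_INVENTORY):
        print(f"{d.app.name} {'.'.join(map(str, d.app.version))}: {d.action} ({d.reason})")
```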
Question:
Which of the following issues could NOT be addressed with FortiEDR’s Communication Control?
Hint: 1 Points: 0
Hint Text:
Hint 1
Hint: 2 Points: 0
Hint Text:
Hint 2
Answer: radio
Answer Text:
Answer
A user playing an offline game – Communication Control allows programs to safely run locally,
just not communicate with other hosts until allowed by policy.
All of the other scenarios listed would be stopped by FortiEDR Communication Control policies.
Answer Key:
✘ 1. users running outdated versions of a program with known vulnerabilities
✘ 2. a user installs an open source program, but company policy prohibits because of the risk
of outbound communication
✘ 3. A user in finance installing an insecure file sharing program
✔ 4. A user is playing offline games during a meeting
Index: 3.2 (d)
Use Case: Advanced Protection
Objective Title: Post-Exec Protection
Points: 0
----------------------- Objective Section -----------------------
Objective Text:
Background
The post-execution policies (Exfiltration Prevention and Ransomware Prevention) offer security
admins the additional safety net needed to detect highly advanced malware, by recording host
details that provide additional information about a program's behavior, such as suspicious
file encryption and data leaks.
The ACMEcorp security team would like to inspect and block malicious behaviors on files
allowed to execute.
Tasks
In this lab, instead of stopping malware before it runs, pre-execution policies will log only, and
the post-execution security policy will catch malicious files.
4. Once prompted by the Policies Mode Change box, select Set to Simulation
5. Look to the right-hand side and ensure that the Default Collector Group is attached to
these policies.
6. From the web browser, access the Alice machine using the web console.
10. From the web browser, access FortiEDR using the web console.
11. Confirm that TPS-report.exe was tagged as suspicious and prevented from running.
12. On the right-hand side, confirm that the file was classified post-execution as ransomware.
13. From the web browser, access the Alice machine using the web console and open File Explorer.
15. Click dynamiccode64.exe file. (Event will be analyzed in the next exercise)
Introduction
Objectives
Time to Complete
Estimated: 25 minutes
Index: 3.3 (a)
Use Case: Events, Forensics, and Reports
Objective Title: PUPs and Suspicious Files
Points: 0
----------------------- Objective Section -----------------------
Objective Text:
Tasks
The files in this exercise are not technically malware, but they may pose some risk to
security-conscious enterprises, as they might communicate with other countries or serve as a
platform for other potentially unwanted programs.
1. From the web browser, access the Alice machine using the web console.
2. Open the install folder on the desktop and Right-click on the DriverEasy_Setup.exe file.
3. Install as administrator.
• Language English
4. Click Install Now. (Note the FortiEDR popup message saying it was blocked.)
4. Close both the installation screen and the FortiEDR alert message.
Note: there may be several popup alerts for each PID, as the program tries to start multiple
times.
5. In the install folder on the desktop, right-click and install (as administrator) the
SteamSetup.exe file.
• Welcome screen
• Language: English
9. Once Steam updates and opens, close it (in the upper right-hand corner).
Stop and Think
Netsh, which comes with DriverEasy, is a command-line scripting utility that allows you to
display or modify the network configuration of a computer that is currently running. Steam is a
gaming platform safely used by millions of home users.
Question:
Which of the following tools might be a problem for users in enterprise environments?
Answer: checkbox
Answer Text:
Answer
All of the tools below are generally considered questionable for most enterprise users
(excluding appropriate IT and security employees).
• Netcat
• Wireshark
• Nmap
• Nessus
• IRC
Answer Key:
✔ 1. nc (netcat)
✔ 2. wireshark
✔ 3. nmap
✔ 4. nessus
✔ 5. irc
Index: 3.3 (b)
Use Case: Events, Forensics, and Reports
Objective Title: Event Analysis
Points: 10
----------------------- Objective Section -----------------------
Objective Text:
Tasks
1. From the web browser, access FortiEDR using the web console.
Note: You should see the alerts generated by the previous exercise. These non-archived
alerts are aggregated by process, and an alert can comprise multiple raw events.
3. Click on each of the alerts and note the Device on which the event was detected.
4. Find and click the endpoint device (Alice) to see the alerts associated with it.
• DriverEasy.exe classified as Inconclusive
• SteamService.exe classified as PUP
Note: The Exfiltration Prevention engine triggered the Unconfirmed Executable –
Executable File Failed Verification rule for the DriverEasy.exe process; this behavior is often
seen in MITRE techniques such as Credential Dumping and Input Capture.
The FortiEDR solution indicates the rule that triggered an event and detailed information about
the rule (description of the rule, MITRE techniques and possible remediation steps). This
information helps bridge knowledge gaps and helps SOC admins quickly remediate and
resolve issues.
6. At the bottom left corner of the screen, click the triangle in the ADVANCED DATA pane
to expand it and show the Event Graph and Geo Location data related to the highlighted event.
Note: Geo Location may not show in some cases
This graph shows the point at which FortiEDR blocked the DriverEasy.exe process and all the
steps leading up to it. This event in particular included:
Note: the yellow bug on the card for the connection attempt shows which rule was
broken at which step. These bugs change based on the Classification of the event.
8. On this screen, we might see an attempted connection to an IP. For example, the IP
Address of 172.217.1.110 is owned by Google in the United States.
9. Click the triangle next to ADVANCED DATA to minimize the pane once again.
Events in FortiEDR can be organized by either processes or devices, depending on which view is
selected. When might each view help investigate security events?
(Note: Some events may not need immediate attention, yet a SOC admin might click on them to
get more information before moving on to another event. This can lead to a mixture of Read
and Unread events within the Event Viewer. Clicking the filter at the top of the list
allows you to hide some events, including the Read events.
If multiple admins are using the system, the Read/Unread status is local to the individual admin
and not system-wide. The upcoming objective will demonstrate how to use the Handled and
Archive statuses, which are system-wide flags.)
Question: When does an Alert or Device change its status from Unread to Read? (Pick one)
----------------------- Answer Section -----------------------
Answer: radio
Answer Text:
Answer Key:
✘ 1. Once any event within the alert has been read
✔ 2. Once all events within the alert have been read
✘ 3. When the alert has been flagged as Handled
✘ 4. After you exit from the FortiEDR Manager GUI
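A small model of the Event Viewer behavior described above: raw events roll up into one alert per device and process, an alert only becomes Read once every raw event in it has been read (the answer to the question), Read state is kept per admin, and Handled/Archived are system-wide. This is an added example, not FortiEDR's data model; the field names and the sample events (two DriverEasy.exe runs with different PIDs plus a SteamService.exe PUP event) are constructed for illustration.

```python
from collections import defaultdict
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple


@dataclass
class RawEvent:
    event_id: int
    device: str
    process: str
    pid: int
    rule: str
    destination: Optional[str] = None            # remote IP for a connection attempt, else None
    read_by: Set[str] = field(default_factory=set)  # admins who have viewed this raw event


@dataclass
class Alert:
    device: str
    process: str
    raw_events: List[RawEvent]
    handled: bool = False    # system-wide flag, shared by all admins
    archived: bool = False   # system-wide flag, shared by all admins

    def is_read_by(self, admin: str) -> bool:
        """Unread -> Read only once ALL raw events in the alert were read by this admin."""
        return all(admin in e.read_by for e in self.raw_events)

    def pids(self) -> Set[int]:
        """More than one PID means the process was launched (and stopped) repeatedly."""
        return {e.pid for e in self.raw_events}

    def destinations(self) -> Set[str]:
        return {e.destination for e in self.raw_events if e.destination}


def aggregate(events: List[RawEvent]) -> Dict[Tuple[str, str], Alert]:
    """Group raw events into one alert per (device, process), as the Event Viewer does."""
    groups: Dict[Tuple[str, str], List[RawEvent]] = defaultdict(list)
    for e in events:
        groups[(e.device, e.process)].append(e)
    return {key: Alert(key[0], key[1], sorted(evs, key=lambda e: e.event_id))
            for key, evs in groups.items()}


def visible_alerts(alerts: Dict[Tuple[str, str], Alert], admin: str,
                   hide_read: bool = False, hide_archived: bool = True) -> List[Alert]:
    """Apply the Event Viewer filter for one admin: Read is per admin, Archived is global."""
    shown = []
    for alert in alerts.values():
        if hide_archived and alert.archived:
            continue
        if hide_read and alert.is_read_by(admin):
            continue
        shown.append(alert)
    return shown


# Constructed sample events loosely following the lab (IP taken from the lab text).
SAMPLE_EVENTS = [
    RawEvent(1, "Alice", "DriverEasy.exe", 4120, "Unconfirmed Executable", "172.217.1.110"),
    RawEvent(2, "Alice", "DriverEasy.exe", 4120, "Unconfirmed Executable"),
    RawEvent(3, "Alice", "DriverEasy.exe", 4388, "Unconfirmed Executable", "172.217.1.110"),
    RawEvent(4, "Alice", "SteamService.exe", 5010, "PUP"),
]
```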
Index: 3.3 (c)
Use Case: Events, Forensics, and Reports
Objective Title: Forensics
Points: 10
----------------------- Objective Section -----------------------
Objective Text:
Tasks
1. From the web browser, access FortiEDR using the web console.
2. Click Event Viewer.
3. Now, click the triangle for the DriverEasy.exe event to dive into the Raw Event Details
screen.
5. At the bottom of the screen, click the triangle to expand the ADVANCED DATA pane
showing the Event Graph and Geo Location information (if visible).
6. Click on each Raw Event to view its details more closely. You will notice how FortiEDR
blocked multiple events, including:
8. Click the checkbox for the DriverEasy.exe event and then click the Forensics button.
Note: You will be in the Flow Analyzer View, similar to the Event Graph available from the
Event Viewer tool.
9. Click the Stacks View icon in the upper right corner of the screen.
Note: There is a lot of detailed information about the event available here in Forensics
under the Stacks View. Each of the steps leading up to the event will be listed and can be
clicked.
Start with the first PARENT PROCESS CREATION step and work your way to the right.
Pieces of useful information to determine if the event is safe or malicious include:
• Source Process
• Company
• Target
• Certificate
• Hash
Note: In the last raw event, you'll notice the red dot on the top line for the executable
DriverEasy.exe. This dot indicates where the rule was violated that created the event.
On the far right, click the three vertical dots icon next to the violating process's hash.
Note: VirusTotal does not provide a definitive answer regarding the safety rating of a hash.
However, it is a reputable source that helps make an educated decision when used with
additional context.
13. Return to the Event Viewer by clicking the tab at the top of the screen.
Question: You have loaded an event to the Forensics tab and now want to add another event
for comparison. What is the best way to do this? Feel free to try this in your environment.
Hint – As part of the process, look for this icon
----------------------- Answer Section -----------------------
Answer: radio
Answer Text:
Answer Key:
✘ 1. You can only view one event at a time in the Forensics tab
✔ 2. Go to the Event Viewer tab, select the second event and click the Forensics button to
load it into the Forensics tab
✘ 3. Go to the Event View tab and choose both events then click the Forensics tab
✘ 4. Click Add in the Forensics tab
Index: 3.3 (d)
Use Case: Events, Forensics, and Reports
Objective Title: Exceptions, Reports, and Archiving
Points: 10
----------------------- Objective Section -----------------------
Objective Text:
Tasks
1. On the Event Viewer page, find and click the alert for device Alice.
2. Click the checkbox on the left for the DriverEasy.exe event
3. At the top of the screen, choose the Export pull-down menu and select PDF
Note: In the above example, only events within view would be exported into PDF. In many
environments, auditors may require PDF exports of all events, including those Archived.
4. A pop-up window will display on the screen showing the report being generated. Once it
has finished generating, click the Download link to save a copy of the report.
5. At the bottom of the browser, click the saved PDF file to preview the report.
6. In the report, we have the most pertinent information about the event, including the ID,
which can be used to help locate the event later if we ever need to review it again:
• ID
• Device
• Process
• Classification
• Destinations
• Received
• Action
7. Close the browser tab for the report to return to the FortiEDR interface.
8. Click the Close button to close the pop-up window
9. Click the DriverEasy.exe event so that it expands, and you can see the User, Certificate, full
Process Path, and the number of Raw data items.
10. Click the Create Exception icon to the left of the User field.
11. In the pop-up window, create the new exception with the following values, then click the
Create Exception button.
• All groups
• All destinations
Note: Clicking the little flag next to each event also marks that event as Handled.
13. A pop-up window will display. Set the following fields and click the Save and Handled
button.
• Set the Classification to Safe
14. The archived event will now disappear from the Events List.
Answer: radio
Answer Text:
Answer Key:
✘ 1. Apply exception to as many paths or destinations as possible, but make sure they cover
as few users as possible
✘ 2. Always file a ticket with Fortinet before creating an exception
✔ 3. Apply exceptions to a minimal number of destinations and paths
✘ 4. Create exceptions for as many events as possible to prevent productivity inhibitors
Index: 4.0
Use Case: Conclusion
Objective Title: Review
Points: 0
----------------------- Objective Section -----------------------
Objective Text:
Review
After completing this Fast Track module, you should now understand how:
1. FortiClient EMS protects the endpoint and integrates into the Fortinet Security Fabric for
increased visibility and control of the network.
2. FortiEDR provides endpoint protection for pre- and post-infection scenarios with extensive event
monitoring, alerting and forensic investigation capabilities.
Index: 4.0 (a)
Use Case: Conclusion
Objective Title: End of Session
Points: 0
----------------------- Objective Section -----------------------
Objective Text:
Thank You
Please take a moment to complete our short survey located within web portal tab above.