Proactively Detect and Respond to External Threats With FortiRecon Digital Risk Protection Service

By Sigalit Kaidar | December 16, 2022

Your external attack surfaces provide numerous potential intrusion points that cybercriminals regularly exploit to penetrate an organization. Among the most common techniques used to target and exploit your network are collecting leaked credentials and Remote Desktop Protocol (RDP) access from the dark web; scanning for unpatched or misconfigured assets or database services (e.g., MongoDB, MySQL), often created by shadow IT; and creating fake social media accounts or websites to lure customers and employees into divulging their access credentials. Sadly, most organizations cannot detect these types of malicious activities.

In parallel, threat actors have been actively ramping up their game. For example, Ransomware-as-a-Service (RaaS) provides ransomware software and services for a percentage of any profits. RaaS has quickly emerged as a significant cybersecurity threat, helping attackers to expedite and expand their operations. It has also expanded the threat matrix by lowering the barrier to entry for cybercriminals, who no longer need to be particularly expert or cyber-savvy to launch an attack.

To defend against today’s risks, organizations need to continuously monitor their external attack surface. This helps them identify and remediate vulnerable, exposed internet-facing assets early, and detect and reset compromised credentials. They also need to quickly discover and take down domain-infringing websites, rogue apps, and fake social media accounts, as attackers use these to capture credentials or spread false information about the organization or its products.

However, for most organizations, this is easier said than done.

How FortiRecon Can Help

FortiRecon, Fortinet’s Digital Risk Protection (DRP) SaaS-based service, can help. It combines three technologies and services—External Attack Surface Management, Brand Protection, and Adversary Centric Intelligence—to help you proactively protect your digital assets and data from external threats.

Threat actors see each asset and employee as a potential vulnerability in your cybersecurity.

FortiRecon provides organization-specific, expert-curated, and actionable external attack surface intelligence on exposed assets and threat actor activities, tools, and tactics. It does this by proactively monitoring the open web, social media platforms, mobile app stores, the dark web, and deep-web sources. It alerts on an organization’s misconfigured and vulnerable internet-facing assets, stolen credentials, and brand infringement (including monitoring ransomware data leaks) to proactively identify, remediate, and execute takedowns of these sources on the organization’s behalf.

[Figure: FortiRecon Services Offering]

Four Ways FortiRecon Helps Protect Your Organization Against External Threats

The sooner your organization identifies and mitigates a potential vulnerability, the less exposed you are to future risks.

1. Gain real-time visibility of your external attack surface

Many organizations still struggle to detect and control shadow IT. FortiRecon scans your external environment, often finding more unknown (and forgotten) assets than your IT and security teams even knew they had (not surprisingly, most are cloud assets). It’s safe to assume that if they’re unknown, chances are they are also vulnerable or misconfigured.

The FortiRecon External Attack Surface Management (EASM) solution provides an attacker’s view into your environment, showing you what they can easily discover during the reconnaissance phase of their attack. External scanning finds known/unknown attacker-exposed assets (e.g., domains, sub-domains, ASN, IP blocks, IP addresses). FortiRecon EASM then identifies exploitable vulnerabilities, such as configuration errors, SSL certificate issues, prone-to-attack ports, exposed database services, DNS-related issues, leaked data/credentials, and more. The service provides you with a detailed description of any security issue it identifies, as well as actionable remediation information. Global organizations can also view a global map of exposed digital assets per country, prioritizing assets or vulnerabilities by security severity. 

[Figure: FortiRecon EASM Dashboard]

To help you measure your threat exposure mitigation efforts, FortiRecon EASM also provides ongoing comparative reporting to show your external security posture improvement over time. You can also view recent changes to your external attack surface (e.g., changes in internet-facing assets, open ports, expired or soon-to-be expired SSL certificates), remediation trends, and historical data. This information can help you identify patterns of change, policy violations, areas for improvement, and other potential risks to better refine your security program.

2. Prioritize your risk and remediation efforts for vulnerabilities

While timely patching is an essential element of any effective cybersecurity strategy, the reality is that most organizations cannot possibly patch every vulnerable asset. In addition, every environment includes contextual factors that can affect how risky a vulnerability may be. FortiRecon uses a powerful combination of human resources and artificial intelligence (AI) to provide a prioritized view of your vulnerability exposure, helping you to understand which vulnerabilities pose the greatest risk for prioritizing remediation.

Vulnerabilities are classified according to the following parameters:

  • CVE system severity and CVSS scores
  • Exploitability in the wild
  • Information collected from invite-only forums about an attacker’s intent
  • External attack surface scans

FortiRecon combines these elements to rate and classify (elevate/lower) vulnerabilities based on their actual risk to the organization. It also recommends remediation activities, helping security teams quickly mitigate potential security issues. You can also add CVEs that you’d like FortiRecon to continuously monitor and alert on.

In the example below, out of 1,648 notable global vulnerabilities, this organization has to attend to only 62 vulnerabilities, of which only three are rated as high (with no vulnerabilities ranked as critical).

[Figure: FortiRecon EASM Dashboard]

One of the most effective tools in our FortiRecon arsenal is our patented AI technology, trained on one of the industry's largest and most diverse datasets. This enables it to deliver accurate, validated information regarding threats. However, more than a quarter of our FortiRecon reports are based solely on the human intelligence we collect, helping to provide the most realistic view of potential risks to an organization.

3. Preserve and protect your brand

Many organizations find it challenging to monitor website and mobile app infringement and phishing campaigns that target end-users and customers, as these are outside the typical scope of their security teams. FortiRecon Brand Protection uses proprietary algorithms that enable these organizations to receive early warnings on brand and reputation risks and act fast, using specialized takedown services to protect their brand reputation.

One of the most critical areas the brand protection service looks for is "brand abuse." This data point provides an immediate view into the number of illicit websites threat actors are already using to deceive your customers and employees. Another crucial data point is brand impersonation on social media platforms, such as fake Facebook accounts, that attackers use for the same purposes. 

[Figure: FortiRecon Brand Protection Dashboard]

To help provide an early indication of phishing campaigns against your organization, we can also create a digital watermark you can add to your web page. This watermark is a built-in JavaScript that lets us know where your content is hosted. When threat actors copy pages from your website and try to host them elsewhere to create a phishing campaign, we can immediately detect where this website is hosted and initiate a takedown based on its location.

The FortiRecon Brand Protection dashboard also provides an intuitive interface that allows your security team and your C-level to quickly understand the risks posed to your organization, customers, data, and brand reputation.

4. Continuously monitor the dark web for data and credential leaks

Leaked data and credentials, Remote Desktop Protocol (RDP) access, and compromised VPN credentials are among the top items for sale on dark web marketplaces, providing attackers with a gateway into your network.

Take, for example, credential stuffing attacks, one of the most prevalent causes of data breaches. These attacks work so well because many users use the same usernames and passwords to log in to different systems, and attackers have easy access to millions of compromised user credentials on the dark web. Combining these credentials with simple botnets allows attackers to test the validity of username and password combinations, and when a credential is still active, they gain access.

The FortiRecon Adversary-Centric Intelligence service (ACI) monitors the dark web to quickly identify when your sensitive information falls into the hands of cybercriminals. This reduces the window of opportunity they have to make copies of sensitive data and credentials and use or sell them. If leaked data is detected early enough, you still have time to take proactive steps, such as a password reset, to prevent or block an attack.

The FortiRecon ACI service leverages the FortiGuard global team of threat analysts who identify threats by directly engaging with malicious actors. We actively scour the dark web, including invitation-only sites, where cybercriminals constantly advertise and post threats and sell data and credentials belonging to specific organizations. We also monitor hidden chat rooms, open-source intelligence sources, private websites, peer-to-peer networks, Pastebin/IM, and social media platforms and alert you on threats to your organization. And for our financial services customers, we also provide credit card BIN monitoring, with alerts on leaked credit and debit card numbers.

All findings are rated based on criticality (resources include Darknet, TechINT, OSINT, HUMINT, and more) and can also be filtered by adversaries’ motivations (e.g., ransomware, zero-day trends, etc.).

When required, FortiRecon takedown services are available for fake social media accounts, websites, and rogue mobile applications, so these rogue sites and applications are no longer a threat.

Getting Started

The FortiRecon service provides three optional bundles. Available as stackable modules, you can purchase FortiRecon EASM as a standalone service, combine it with FortiRecon Brand Protection, or with both FortiRecon Brand Protection and FortiRecon Adversary Centric Intelligence for complete coverage.

To learn more about FortiRecon or to request a demo, contact us.
