Compromised Host Detection
When FortiAnalyzer detects a potentially compromised host through Indicators of Compromise (IOC) activity, it creates an event and sends an alert to Fresh. Fresh creates an Urgent ticket for the event and assigns it to the Compromised Hosts agent group, which is made up of all members of the KPBSD Information Services Department - Security Team. A notification is also posted to the team's IOC Response channel in Microsoft Teams. This article provides an overview of how members of that team should respond.
Ticket Assignment and Initial Triage
- DO NOT assume that another member of the Security Team is handling the ticket. On notification of an alert, Security Team members should use the team's IOC Response channel in Microsoft Teams to agree who will serve as the initial analyst for the incident and take ownership of the ticket. Other members can (and generally should, if able) continue to assist the assigned analyst with the initial incident review.
- Once the ticket is assigned, the initial analyst should gather the available data on the host to judge how likely the detection is to be a genuine incident and, if it is, how severe it is. Data for the initial review should include:
- FortiAnalyzer log information specific to the event. To access this information:
- Log into the FortiAnalyzer and select the DataCenter ADOM.
- Go to Incidents & Events > Handlers > Basic Handlers.
- Scroll down and select the Event number (far right column) for KP-Compromised Host-Detection-IOC-By-Endpoint-NoBYOD.
- Expand the Event specific to the alerted Host IP.
- Additional log data can be found under Log View.
- Externally accessed IPs or domains in the logs should be checked against multiple reputation databases such as:
- Do not open logged malicious sites from your own workstation; testing can be safely conducted in a cloud sandbox such as app.any.run.
- If the host is a managed Windows device, briefly VNC in to observe current activity.
- Locate the asset record for the host in Fresh and review the asset's activity record. Any previous infections will be visible there as linked tickets and should be factored into the risk level.
- Once the analyst has made a preliminary risk assessment, downgrade the Fresh ticket priority from Urgent to the appropriate level.
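The log review step above is usually a matter of pulling the external destinations the flagged host talked to out of the FortiAnalyzer log export, de-duplicating them, and pasting them into the ticket in a form that will not become a clickable link. The following PowerShell is an added example and not code from the KPBSD article or from Fortinet: it parses FortiGate-style key=value log lines for one source IP, drops internal (RFC 1918/loopback/link-local) destinations, and emits a defanged indicator list with hit counts, ports and firewall actions. The sample lines are constructed here, and the field names used (srcip, dstip, dstport, hostname, url, action) are assumed; export the real lines from Log View and pass them in via -LogLines.

```powershell
# Added example (not from the KPBSD article): extract unique external destinations
# for the alerted host from FortiGate/FortiAnalyzer key=value log lines.

# Constructed sample: three lines for the alerted host (one to an internal SMB
# server), one line for a different host. Field names are assumptions.
$sample = @'
date=2024-05-01 time=08:14:22 type=traffic subtype=forward srcip=10.20.30.40 dstip=203.0.113.17 dstport=443 action=accept
date=2024-05-01 time=08:14:23 type=utm subtype=webfilter srcip=10.20.30.40 dstip=203.0.113.17 dstport=443 hostname="cdn.example.net" url="/update/payload.exe" action=blocked
date=2024-05-01 time=08:15:01 type=traffic subtype=forward srcip=10.20.30.40 dstip=10.20.1.5 dstport=445 action=accept
date=2024-05-01 time=08:16:10 type=traffic subtype=forward srcip=10.20.30.41 dstip=198.51.100.9 dstport=80 action=accept
'@ -split "`r?`n"

function Test-PrivateIPv4 {
    param([string]$Ip)
    # RFC 1918, loopback and link-local ranges are not candidates for reputation lookups.
    return ($Ip -match '^(10\.|127\.|169\.254\.|192\.168\.|172\.(1[6-9]|2\d|3[01])\.)')
}

function ConvertTo-Defanged {
    param([string]$Indicator)
    # Defang so the ticket text cannot be rendered as a live link.
    return (($Indicator -replace '\.', '[.]') -replace '^http', 'hxxp')
}

function Get-ExternalIndicators {
    param(
        [Parameter(Mandatory)][string[]]$LogLines,
        [Parameter(Mandatory)][string]$HostIp   # the host IP named in the FortiAnalyzer event
    )
    $seen = @{}
    foreach ($line in $LogLines) {
        if ([string]::IsNullOrWhiteSpace($line)) { continue }

        # key=value pairs; quoted values may contain spaces.
        $f = @{}
        foreach ($m in [regex]::Matches($line, '(\w+)=("([^"]*)"|\S+)')) {
            $f[$m.Groups[1].Value] = if ($m.Groups[3].Success) { $m.Groups[3].Value } else { $m.Groups[2].Value }
        }
        if ($f['srcip'] -ne $HostIp) { continue }

        $indicators = @()
        if ($f['dstip'] -and -not (Test-PrivateIPv4 $f['dstip'])) {
            $indicators += [pscustomobject]@{ Type = 'ip'; Value = $f['dstip'] }
        }
        if ($f['hostname']) {
            $indicators += [pscustomobject]@{ Type = 'domain'; Value = $f['hostname'] }
            if ($f['url']) {
                $indicators += [pscustomobject]@{ Type = 'url'; Value = $f['hostname'] + $f['url'] }
            }
        }

        foreach ($i in $indicators) {
            $key = "$($i.Type):$($i.Value)"
            if (-not $seen.ContainsKey($key)) {
                $seen[$key] = [pscustomobject]@{
                    Type      = $i.Type
                    Indicator = $i.Value
                    Defanged  = ConvertTo-Defanged $i.Value
                    Hits      = 0
                    Ports     = [System.Collections.Generic.HashSet[string]]::new()
                    Actions   = [System.Collections.Generic.HashSet[string]]::new()
                }
            }
            $seen[$key].Hits++
            if ($f['dstport']) { [void]$seen[$key].Ports.Add($f['dstport']) }
            if ($f['action'])  { [void]$seen[$key].Actions.Add($f['action']) }
        }
    }

    $seen.Values | Sort-Object Type, Indicator |
        Select-Object Type, Indicator, Defanged, Hits,
            @{ n = 'Ports';   e = { ($_.Ports   | Sort-Object) -join ',' } },
            @{ n = 'Actions'; e = { ($_.Actions | Sort-Object) -join ',' } }
}

# Usage: the alerted host IP comes from the FortiAnalyzer event.
Get-ExternalIndicators -LogLines $sample -HostIp '10.20.30.40' | Format-Table -AutoSize
```

On the sample input this yields three rows: the IP 203.0.113.17 (2 hits, port 443, actions accept and blocked), the domain cdn.example.net and the URL cdn.example.net/update/payload.exe, each shown defanged. The internal SMB destination and the other host's traffic are dropped. A destination the firewall already blocked still belongs in the ticket; the block tells you what was attempted, not whether the host is clean.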
Security Response Actions
How the Security Team responds to a potentially compromised host depends heavily on the situation, so the actions below should be treated as best practice, with the understanding that the actual response will vary from case to case.
Urgent Risk
If the event is determined to be (or shows signs of likely being) an active infection such as a botnet, rootkit or other system compromise:
- Immediately isolate the host from the network by whatever means are available.
- Notify all Security Team members immediately and prepare to implement the Incident Response Plan or an alternative response as appropriate.
High Risk
If the event shows no evidence of active infection, but logged traffic does indicate highly risky traffic to/from the host:
- Re-image the computer.
- Assign a high-priority ticket for this to the appropriate school tech.
- Reach out to them directly; do not wait for them to find the ticket in their queue.
- Run a Windows Defender scan on the User Profiles for the most recent users.
- Reset the User Profile(s).
Medium Risk
If the event shows no evidence of active infection, but logged traffic does indicate moderately risky traffic to/from the host:
- Re-image the computer.
- Assign a high-priority ticket for this to the appropriate school tech.
- Reach out to them directly; do not wait for them to find the ticket in their queue.
- Run a Windows Defender scan on the User Profiles for the most recent users.
Low Risk
If the event shows no evidence of active infection, but logged traffic does indicate low risk traffic to/from the host:
- Run a Windows Defender scan on the User Profiles for the most recent users.
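The High, Medium and Low Risk lists all call for a Windows Defender scan of the most recent users' profiles. The following PowerShell is an added example, not code from the KPBSD article or from Microsoft: run in an elevated session on the affected Windows host, it picks the most recently used non-system profiles, records Defender's signature state for the ticket, updates signatures, runs a Defender custom scan over each profile folder, and lists anything detected. The number of profiles (-Recent) is an assumption; set it to match the users seen in the FortiAnalyzer logs. Profile recency is taken from the NTUSER.DAT write time (with a currently loaded profile ranked first) because Win32_UserProfile's LastUseTime is not reliable on recent Windows builds.

```powershell
# Added example (not from the KPBSD article): Defender custom scan of the most
# recently used user profiles. Requires an elevated PowerShell session.
[CmdletBinding()]
param(
    [int]$Recent = 2,       # assumption: how many recent profiles to scan
    [switch]$ReportOnly     # list what would be scanned without scanning
)

# Win32_UserProfile lists every local profile. Special profiles (SYSTEM,
# LocalService, NetworkService, ...) are skipped. NTUSER.DAT is hidden, hence -Force.
$profiles = Get-CimInstance -ClassName Win32_UserProfile |
    Where-Object { -not $_.Special -and $_.LocalPath -and (Test-Path -LiteralPath $_.LocalPath) } |
    ForEach-Object {
        $hive = Get-Item -LiteralPath (Join-Path $_.LocalPath 'NTUSER.DAT') -Force -ErrorAction SilentlyContinue
        [pscustomobject]@{
            Path     = $_.LocalPath
            Loaded   = [bool]$_.Loaded
            LastSeen = if ($hive) { $hive.LastWriteTime } else { $_.LastUseTime }
        }
    } |
    Sort-Object -Property Loaded, LastSeen -Descending |
    Select-Object -First $Recent

if (-not $profiles) { throw "No user profiles found on $env:COMPUTERNAME" }

# Capture Defender's state first so the ticket shows whether signatures were current.
$status = Get-MpComputerStatus
Write-Output ("Defender engine {0}, signatures {1} (updated {2}), real-time protection: {3}" -f `
    $status.AMEngineVersion, $status.AntivirusSignatureVersion,
    $status.AntivirusSignatureLastUpdated, $status.RealTimeProtectionEnabled)

# Stale definitions are a common reason a scan misses; update before scanning.
if (-not $ReportOnly) { Update-MpSignature }

$started = Get-Date
foreach ($p in $profiles) {
    Write-Output ("Scanning {0} (loaded: {1}, last seen {2})" -f $p.Path, $p.Loaded, $p.LastSeen)
    if (-not $ReportOnly) {
        # CustomScan limits Defender to the given path and runs synchronously.
        Start-MpScan -ScanType CustomScan -ScanPath $p.Path
    }
}

# Summarise anything Defender flagged since the scans started, for the ticket notes.
$detections = Get-MpThreatDetection | Where-Object { $_.InitialDetectionTime -ge $started }
if ($detections) {
    $detections |
        Select-Object InitialDetectionTime, ThreatID, ProcessName,
            @{ n = 'Resources'; e = { $_.Resources -join '; ' } } |
        Format-Table -AutoSize
} else {
    Write-Output "No new detections since $started."
}
```

A clean custom scan of the profile folders is evidence, not an all-clear: it does not cover the rest of the disk, running processes or persistence outside the profile, which is why the High and Medium lists still call for a re-image.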
False Positive
If the event shows no evidence of active infection and any traffic to/from the host appears to be false positive(s):
Incident Wrap-Up
Before closing the Fresh ticket, the point analyst and/or the Security Team members assisting should:
- Associate the computer asset record in Fresh with the incident ticket.
- Verify the computer reimage has been completed if applicable.
- Add notes to the ticket documenting the findings. These can be fairly brief, but make sure the basics are covered.
- Notify any school staff involved of the findings/all-clear when done.
- Depending on the severity/scope of the incident, a wrap-up meeting with the full Security Team should be held.