Your cart is currently empty!
Fortinet Breach
Analysis of the Fortinet incident through MITRE ATT&CK and EBIOS RM
The Fortinet incident, involving a 440GB data leak from an Azure SharePoint environment, highlights the risks of cloud data exposure. The attack, claimed by a hacker named “Fortibitch,” raises questions about the security of SaaS environments and access control. This presentation analyzes the incident through two lenses: the MITRE ATT&CK framework to understand the attack’s phases, and the EBIOS RM methodology to anticipate and manage risks.
1. Attack Context
- Key Points:
- Leak of 440GB of data from an Azure SharePoint environment.
- Involved financial, HR, and customer information.
- No ransomware or data encryption observed.
- Implication: Increased risks associated with SaaS environments and access management.
2. MITRE ATT&CK Analysis
| Initial Access | T1078 (Valid Accounts) | Use of stolen credentials to access SharePoint. | Attackers likely used stolen credentials (phishing or credential stuffing) to access the SharePoint environment | Continuous User Awareness (M1017): Training and assessment of users Multi-factor authentication (M1032): Implement MFA to limit the use of compromised accounts. |
| Discovery | T1083 (File and Directory Discovery) | Exploring directories and files in SharePoint | After gaining access, attackers probably explored directories to locate sensitive files | Least Privilege (M1029): Limit access to sensitive files to a restricted number of legitimate users. |
| Collection | T1114 (Email Collection) | Extracting sensitive files, including financial | The attacker likely collected sensitive documents for exposure | Data Loss Prevention (DLP) (M1021): Use DLP solutions to monitor and restrict unauthorized data collection.sensibles. |
| Exfiltration | T1041 (Exfiltration Over Command and Control Channel) | Transferring data to an external server | Data was exfiltrated before being leaked on BreachForums | Network Intrusion Detection and Prevention (M1037): Deploy intrusion detection systems to identify and block exfiltrated data. |
| Impact | T1486 (Data Encrypted for Impact) | (Not used in this case) Encrypting data to disrupt operations | No ransomware was used in this attack, though this technique is common in other breaches. | Regular Backups (M1053): Regular data backups allow for quick recovery in case of a destructive attack. |
Step 1: Initial Access
- Possible Techniques:
- T1078 (Valid Accounts): Access obtained via stolen credentials (phishing or credential stuffing).
- Explanation: The attack seems to have relied on the exploitation of compromised credentials to access SharePoint.
Step 2: Discovery
- Possible Techniques:
- T1083 (File and Directory Discovery): Identification of sensitive files stored on SharePoint.
- Explanation: After gaining access, the attacker likely explored directories to locate sensitive files.
Step 3: Collection
- Possible Techniques:
- T1114 (Email Collection): Extraction of sensitive data, including financial information and HR data.
- Explanation: The attacker extracted sensitive files for later exposure.
Step 4: Exfiltration
- Possible Techniques:
- T1041 (Exfiltration Over Command and Control Channel): Exfiltration of data via external channels.
- Explanation: The data was exfiltrated to an external server before being leaked.
Step 5: Impact
- Possible Techniques:
- T1486 (Data Encrypted for Impact): Though not used here, the absence of encryption or ransomware is notable.
- Explanation: The impact remains limited as the attack did not cause major operational disruptions.
3. EBIOS RM Risk Analysis
| EBIOS RM Step | Description | Identified Scenarios | Potential Impacts | Proposed Mitigations |
|---|
| 1. Scope and Stakeholders | Define the scope and stakeholders involved. | Azure SharePoint used by Fortinet, accessible to employees, partners, and clients. | Risks of unauthorized access, internal and client data compromise, unsecured file sharing. | Limit access to sensitive environments, implement strict permission management policies. |
| 2. Risk Scenarios | Identify potential attack or compromise scenarios. | 1. Credential compromise via phishing or information theft. 2. Public sharing of sensitive files. | Internal data leakage (HR, clients), exposure of critical documents, reputation damage. | Implement multi-factor authentication (MFA), regularly audit access permissions, minimize unnecessary access. |
| 3. Feared Events | Determine critical events for the organization. | 1. Loss of control over sensitive files (e.g., HR, financial, client data leak). | Loss of customer trust, potential regulatory sanctions (e.g., GDPR). | Continuous monitoring of critical file access, encrypt data in transit and at rest, restrict external access. |
| 4. Impact Scenarios | Analyze the consequences if these scenarios materialize. | 1. Exfiltration of sensitive data through unauthorized SharePoint access. 2. Exposure of confidential documents. | Damage to Fortinet’s reputation, customer relations impact, financial risk due to data loss. | Apply Zero Trust principles, segregate critical and less sensitive data, reinforce cloud security practices. |
| 5. Risk Treatment | Propose measures to reduce identified risks. | 1. Improve access management practices. 2. Implement continuous SaaS environment audits. | Reduced likelihood of unauthorized access, improved management of sensitive information, data protection. | Encrypt critical data, implement appropriate data retention policies (deleting obsolete data), detect and respond to security anomalies. |
Step 1: Defining the Scope and Identifying Stakeholders
- Scope:
- Azure Cloud (SaaS) used by Fortinet.
- Stakeholders:
- Fortinet, customers, employees.
- Associated Risks:
- Risks of sensitive data exposure in shared environments
Step 2: Anticipated Risk Scenarios
- Scenario 1: Unauthorized access via compromised credentials.
- Impact: Compromise of sensitive customer and internal data.
- Mitigations: Implement multi-factor authentication (MFA), monitor suspicious activities.
- Scenario 2: Public sharing of sensitive files.
- Impact: Leakage of critical data to unauthorized third parties.
- Mitigations: Limit access to shared files, improve permission management.
Step 3: Impact Analysis
- Overall Impact:
- Risk to Fortinet’s reputation, even though the incident affects only a small portion of the customer base.
- Preventive Actions:
- Securing SaaS environments, regularly auditing access and configurations.
4. Mitigation Measures and Best Practices
Recommended measures :
- User awareness on phishing techniques and data breaches.
- Implementation of MFA on all SaaS systems.
- Limiting access permissions to specific users.
- Continuous monitoring of cloud environments to detect abnormal behavior.
- Application of Zero Trust principles on third-party platforms.
| Measure | Cost | Difficulty of Implementatio | Feasibility | Estimated Timeline |
|---|
| 1. MFA Implementation on All SaaS Systems | Moderate to high (depending on system size) | Low to medium (depends on current infrastructure) | High | Short term (1-2 months, depending on SaaS systems and MFA integration) |
| 2. User Awareness on Phishing Techniques and Data Breaches | Low to moderate | Medium (continuous training and simulations) | High | Short to medium term (1-3 months for initial training, then ongoing) |
| 3. Reducing Access Permissions to Specific Users | Low | Medium to high (access audit and management) | Medium to high | Medium term (3-6 months, depending on user numbers and system complexity) |
| 4. Continuous Monitoring of Cloud Environments to Detect Abnormal Behavior | Moderate to high (monitoring tools, SOC) | High (requires advanced monitoring tools and/or SOC) | Medium to high | Medium term (3-6 months to set up and configure tools) |
| 5. Zero Trust Implementation on Third-party Platforms | High (full implementation and integration) | Very high (requires architecture changes) | Medium | Long term (6-12 months or more, depending on platform and process complexity) |
5. Conclusion
- The Fortinet incident highlights the crucial importance of access management and cloud environment security. These are essential to prevent such compromises in the future.
- The MITRE ATT&CK analysis shows the steps involved in the exploitation of the attack
- EBIOS RM analysis allows for anticipating and assessing risks.
- Adopting solutions such as MFA, continuously monitoring systems, and reviewing data storage practices are key measures to improve security.
Leave a Reply