Administration Guide

Attack Scenario

FortiNDR uses attack scenarios to identify malware attacks. FortiNDR classifies malware attacks into attack scenarios, making FortiNDR your personal malware analyst on the network.

Most security technologies can only tell you that your network is infected, reporting virus names without much context. FortiNDR moves beyond that to tell you what the malware is trying to achieve, giving SOC analysts more insightful information for their investigation.

Note

In Center mode, FortiNDR collects and presents all Attack Scenarios reported from every Sensor connected to this Center.

The Attack Scenario Summary counts the number of incidents for each attack scenario type. The scenarios are grouped by Critical, High, Medium, or Low severity.

Scenario types

FortiNDR can detect the following attack scenarios:

| Scenario | Severity | Description |
|---|---|---|
| Cryptojacking | Low | A type of cybercrime in which a malicious actor uses a victim's computing power to generate cryptocurrency. |
| Application | Low | A broad category of software that might download and install additional, unwanted software that performs activities not approved or expected by the user. |
| Web Shell | Low | A script uploaded to a web server to allow remote administration of the machine. Infected web servers can be Internet-facing or internal to the network, where the web shell is used to pivot further to internal hosts. |
| SEP | Low | Search Engine Poisoning, in which attackers take advantage of rankings on search engine result pages. |
| Phishing | Low | A fraudulent attempt to obtain sensitive information such as usernames, passwords, and credit card details by posing as a trustworthy entity in an electronic communication. |
| Sophisticated | Medium | Malware that exhibits more than one attack scenario. |
| Scenario Heuristic | Medium | Identifies applications or software that demonstrate an array of suspicious traits. |
| DoS | Medium | Malware that can remotely interfere with connection handling and perform denial of service (DoS) or distributed denial of service (DDoS). |
| Generic Trojan | Medium | Any malicious program that misleads users about its true intent. |
| Banking Trojan | High | Malicious software that can access confidential information stored or processed by online banking systems. |
| Backdoor | High | Malware that can give an attacker unauthorized access to, and control of, your computer. |
| Data Leak | High | Sensitive data is exposed on the Internet where malicious actors can access it. |
| Rootkit | High | Software tools that enable an unauthorized user to gain control of a computer system without being detected. |
| Exploit | High | A piece of software, a chunk of data, or a sequence of commands that uses a bug or vulnerability to cause unintended or unanticipated behavior in software, hardware, or other (usually computerized) electronic equipment. |
| Botnet | High | A network of hijacked computers and devices infected with bot malware and remotely controlled by an attacker. |
| Ransomware | Critical | Malicious software that blocks access to a computer system until money is paid. |
| Fileless | Critical | Malicious software that exists exclusively as a computer memory-based artifact, leaving no file on disk. |
| Wiper | Critical | Malware that erases the contents of an infected computer's hard disk. It is usually designed to destroy as many computers as possible inside the victim's network. |
| Industroyer | Critical | A malware framework originally designed to deliver specific cyberattacks on power grids. Recent generations of this malware also target industrial control systems. |
| Worm Activity | Critical | A worm is capable of spreading itself to other systems on a network. |