Fortinet security expert Q&A record | How to protect against brute force cracking and credential stuffing attacks

Hacking and defense: a seemingly mysterious but indispensable field. Recently, Fortinet (Nasdaq: FTNT), the global leader in the convergence of networking and security, launched the Fortinet DEMO DAY series of live-streamed practical offensive and defensive drills, letting everyone watch how hackers break in and do damage, and how the Fortinet product line dismantles and resolves each attack one by one!


In the first session, Zhuang Zhehao, a member of the Fortinet attack and defense expert team, held an in-depth Q&A with the online audience after the hacker attack and defense demonstration. The following are the seven related questions and answers that attracted the most interest:


Question 1: What is the difference between brute force cracking and credential stuffing attacks?

Generally, the two may be considered one and the same. But after a deeper look, you will find that although there are certain similarities between the two, there are also some differences.

Brute force cracking is actually more like an indiscriminate attack, with no clear concept of the target site. Credential stuffing attacks, however, are more similar to APT attacks, meaning that they must be targeted. For example, a credential stuffing attack against an enterprise OA system is different from brute force cracking, which uses simple, weak passwords such as root, admin and admin123: the credential stuffing attacker will put a lot of effort into understanding the target.

This includes collecting the recruitment, after-sales, marketing and other related email addresses, account names and other information the company has published on the public network, and building a relatively clear email and account database. At the same time, the attacker may not directly use a general-purpose password dictionary downloaded from the Internet; it is common to add password combination rules that match the target company's abbreviation, personal names, the company name, and so on.
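The distinction drawn above (indiscriminate guessing against a few generic accounts versus one or two tries against many real, enumerated accounts) is something a defender can see directly in authentication logs. The following Python sketch is an added example, not part of the original Q&A and not a Fortinet product feature: it runs two heuristics over a constructed, simplified auth log. The log format, the account directory, the IP addresses and all thresholds are assumptions chosen for the illustration.

```python
import re
from collections import defaultdict

# Constructed, simplified auth log line format (not Fortinet's log format).
LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) user=(?P<user>\S+) result=(?P<result>FAIL|SUCCESS)$"
)

# Generic account names an indiscriminate brute-force run tends to hammer.
DEFAULT_ACCOUNTS = {"root", "admin", "administrator", "guest", "test"}

# Constructed directory of real accounts, i.e. the kind of "email and account
# database" a targeted attacker assembles from public recruitment, sales and
# marketing pages. A defender gets this list from the identity directory.
KNOWN_ACCOUNTS = {"hr.recruit", "sales.lee", "support", "marketing",
                  "wang.fang", "li.ming", "alice", "bob"}

# Constructed sample: one source hammering default accounts, a distributed
# campaign trying six real accounts once each (one succeeds), and a normal
# user who mistypes twice and then logs in.
SAMPLE_LOG = """\
2023-08-05T10:00:01Z src=203.0.113.10 user=root result=FAIL
2023-08-05T10:00:02Z src=203.0.113.10 user=root result=FAIL
2023-08-05T10:00:03Z src=203.0.113.10 user=admin result=FAIL
2023-08-05T10:00:04Z src=203.0.113.10 user=admin result=FAIL
2023-08-05T10:00:05Z src=203.0.113.10 user=admin result=FAIL
2023-08-05T10:00:06Z src=203.0.113.10 user=root result=FAIL
2023-08-05T10:00:07Z src=203.0.113.10 user=admin result=FAIL
2023-08-05T10:00:08Z src=203.0.113.10 user=root result=FAIL
2023-08-05T10:01:00Z src=198.51.100.1 user=hr.recruit result=FAIL
2023-08-05T10:01:01Z src=198.51.100.2 user=sales.lee result=FAIL
2023-08-05T10:01:02Z src=198.51.100.3 user=support result=FAIL
2023-08-05T10:01:03Z src=198.51.100.4 user=marketing result=FAIL
2023-08-05T10:01:04Z src=198.51.100.5 user=wang.fang result=SUCCESS
2023-08-05T10:01:05Z src=198.51.100.6 user=li.ming result=FAIL
2023-08-05T10:02:00Z src=192.0.2.77 user=alice result=FAIL
2023-08-05T10:02:10Z src=192.0.2.77 user=alice result=FAIL
2023-08-05T10:02:30Z src=192.0.2.77 user=alice result=SUCCESS
"""


def parse_log(text):
    """Parse log lines into dicts; lines that do not match the format are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            events.append(m.groupdict())
    return events


def profile_sources(events):
    """Per source IP and account: how many failures and successes were seen."""
    per_src = defaultdict(lambda: defaultdict(lambda: {"FAIL": 0, "SUCCESS": 0}))
    for e in events:
        per_src[e["src"]][e["user"]][e["result"]] += 1
    return per_src


def classify(events, known_accounts=KNOWN_ACCOUNTS, *,
             min_bf_failures=5, max_bf_targets=2,
             max_stuff_per_account=2, min_stuff_sources=5, min_stuff_accounts=5):
    """Brute force: one source, many failures, very few accounts.
    Credential stuffing: many sources, each touching only real directory
    accounts at most a couple of times; reported as a campaign, not per source.
    Thresholds are illustrative assumptions, not tuned values."""
    per_src = profile_sources(events)
    brute_force, candidates = [], []
    for src, per_user in sorted(per_src.items()):
        failures = sum(c["FAIL"] for c in per_user.values())
        if failures >= min_bf_failures and len(per_user) <= max_bf_targets:
            brute_force.append(src)
            continue
        targeted = all(u in known_accounts and u not in DEFAULT_ACCOUNTS for u in per_user)
        low_rate = all(c["FAIL"] + c["SUCCESS"] <= max_stuff_per_account
                       for c in per_user.values())
        if targeted and low_rate:
            candidates.append(src)
    accounts = sorted({u for s in candidates for u in per_src[s]})
    stuffing = len(candidates) >= min_stuff_sources and len(accounts) >= min_stuff_accounts
    # Accounts that the campaign actually logged into need a password reset.
    compromised = sorted({e["user"] for e in events
                          if e["result"] == "SUCCESS" and e["src"] in candidates}) if stuffing else []
    return {
        "brute_force_sources": brute_force,
        "credential_stuffing": stuffing,
        "stuffing_sources": candidates if stuffing else [],
        "stuffed_accounts": accounts if stuffing else [],
        "compromised": compromised,
    }


if __name__ == "__main__":
    for k, v in classify(parse_log(SAMPLE_LOG)).items():
        print(f"{k}: {v}")
```

The point of the two separate views is that a per-IP rate limit alone catches the brute-force source but never fires on the campaign, because each stuffing source makes a single attempt; the campaign is only visible when attempts are aggregated across sources and compared against the real account directory. The `compromised` list is the item worth acting on first.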


Question 2: How does Fortinet interact with third-party products?

First of all, for products and solutions such as FortiAnalyzer, the best synergistic linkage must be with Fortinet's own products. However, if a third party has an open API, Fortinet products can also be linked with it. For example, FortiSOAR can interface with third parties through an API, and match Playbook scripts to different types of events for the corresponding disposal.


Question 3: Can FortiSIEM replace FortiAnalyzer?

First of all, I think the two are in a subset-and-superset relationship: SIEM actually includes the functions of FortiAnalyzer. Secondly, FortiSIEM is not only compatible with Fortinet's own products, such as FortiGate, FortiWeb, FortiAnalyzer, SOC, etc., but also with third-party products, such as mainstream products from Cisco and Symantec.

But FortiAnalyzer is different. Its log analysis is weaker than that of SIEM, and it can only analyze the logs of products in the Fortinet ecosystem. It cannot be as inclusive as SIEM, which can connect to multiple products from other manufacturers.

This is the relationship between the two. FortiAnalyzer is also a bit similar to SOAR. It can be understood as a lightweight product that integrates SIEM and SOAR and is more specific to Fortinet products.

Question 4: How is the product value of FortiWeb reflected?

For enterprises that previously had no web protection at all, how does deploying FortiWeb reflect its WAF value? Although each enterprise may be different, and each industry may be different, there is still room to go further:

Comparison of vulnerability scans before and after. This is only a surface indicator, but vulnerability scan results are objective. After deploying FortiWeb, the number of vulnerabilities found is directly reduced, and this kind of before-and-after data comparison is very objective.

But vulnerability scanning is a preventive measure, not an intervening operation. Therefore, after deploying FortiWeb, comparing the vulnerability scan results before and after has a certain reference value, but it cannot fully reflect the true value of this product.

Key point 1: Has FortiWeb affected normal business forwarding? In many cases, deploying security products means dealing with business departments, so we must first judge how much impact deploying the equipment has on the business. If the impact on the business is small, as with the many Fortinet products that use high-performance self-developed ASIC chips and have minimal impact on business, then business continuity is guaranteed first, normal forwarding of business traffic is not affected, and only then is the protection value discussed.

The second key point is to check, through regular vulnerability scans and penetration tests, whether the deployed security protection equipment has actually played a role in security protection. It is indeed difficult for the security department to demonstrate its value, but it is not completely impossible. In addition to vulnerability scans and penetration tests, enterprises can also regularly carry out red-blue confrontation exercises, so that the deployed WAF can better reflect its value through visualization and protection data.

Once red-blue confrontation becomes the norm, the CEO and CFO of the enterprise will see that the number of attacks they receive every year gradually decreases. In the past, about 100 security incidents were dealt with each year, and those 100 incidents caused a certain amount of damage. Now that the WAF is deployed and red-blue confrontation is normalized, the reduction in security incidents and losses can be converted into the protection value of deploying the WAF.

Question 5: Is there a corresponding template for the FortiAnalyzer Playbook?

The FortiAnalyzer Playbook is actually lightweight and very simple; we don't even call it a template, because a template is actually a bit heavier. A thousand words are not worth one personal experience. We will set up a number of different offensive and defensive scenarios; enterprises interested in testing are welcome to contact us and experience them through actual testing.

Question 6: Which one is stronger, FortiWeb forwarding or Nginx forwarding?

In fact, the two are not in the same category. If you only talk about forwarding performance, FortiWeb must be stronger. Nginx is mostly deployed on the server; it is just a component on the server. In addition to virtualized deployment, FortiWeb also supports hardware appliances, and this mode actually has a hardware accelerator card, which can accelerate forwarding performance, especially HTTPS performance. Nginx, on the other hand, runs on the x86 architecture and is very dependent on the performance of the underlying x86 platform, so I think FortiWeb is stronger. Although it is difficult to measure through specific indicators, from the perspective of technical architecture design, its strength can actually be analyzed and determined.

Question 7: How does FortiWeb protect Exchange Server?

What FortiWeb mainly protects is not the mail server itself but the externally published site. Therefore, for a mail server, FortiWeb protects the front-end page of the mail server, such as the front-end page of Exchange's OWA, rather than protecting the mail flow itself.

In the second session of the DEMO DAY practical attack and defense series, Fortinet will show you how the professional email security gateway FortiMail carefully protects the internal and external security of corporate email. You are welcome to scan the QR code in the picture below to follow!



Source: blog.csdn.net/Fortinet_CHINA/article/details/132181323