Earlier this year, a global cybercrime fraud ring behind thousands of online scams totaling more than US$60 million and involving hundreds of victims worldwide was uncovered. The group ran 419 scams (advance-fee fraud, which promises victims a significant share of a large sum of money in return for a small up-front payment), dating scams, Alibaba scams and financial account hijacking, while leveraging an extensive money laundering network to disburse the funds.

By employing a ‘behavior blending’ technique, the criminals compromised networks and evaded detection over sustained periods of time. The fraudsters carried out two types of social engineering scams against businesses: payment diversion fraud and CEO fraud. In the latter, spoofed emails purporting to come from the boss trick employees of the targeted organization into wiring funds to the fraudsters.
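CEO fraud succeeds because a mail client shows the display name, not the sending address. A first-line check that a mail gateway or a SOC analyst can run is to compare the display name against the executive directory, look for Reply-To redirection and lookalike sender domains, and weigh payment or urgency language. The following is an added illustration of those checks, not code from Fortinet, Interpol or the investigation; the executive directory, the corporate domain `example.com` and both sample messages are constructed for the example.

```python
"""Heuristic screening for CEO-fraud (executive impersonation) emails.

Added illustration; not Fortinet's, FortiGuard's or Interpol's code.
EXECUTIVES, CORPORATE_DOMAIN and the two sample messages are constructed.
"""
import re
from email import message_from_string
from email.utils import parseaddr

CORPORATE_DOMAIN = "example.com"  # assumed organisation domain

# Constructed directory: normalised display name -> the executive's real address.
EXECUTIVES = {"alice ceo": "alice.ceo@example.com"}

# Words that, together with an impersonated sender, make a wire request suspicious.
URGENCY_WORDS = re.compile(
    r"\b(wire|transfer|urgent|invoice|payment|confidential)\b", re.I)


def _domain(addr):
    """Lower-cased domain part of an address ('' if there is none)."""
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def _edit_distance_le1(a, b):
    """True if a and b differ by at most one substitution, insertion or deletion."""
    if a == b:
        return True
    if abs(len(a) - len(b)) > 1:
        return False
    if len(a) == len(b):
        return sum(x != y for x, y in zip(a, b)) == 1
    if len(a) > len(b):
        a, b = b, a
    # b is one character longer: deleting one character of b must give a
    return any(b[:i] + b[i + 1:] == a for i in range(len(b)))


def lookalike(domain, target):
    """A domain that is one edit away from the corporate domain (examp1e.com)."""
    return domain != target and _edit_distance_le1(domain, target)


def score_message(raw):
    """Return the list of CEO-fraud indicators found in one RFC 822 message."""
    msg = message_from_string(raw)
    from_name, from_addr = parseaddr(msg.get("From", ""))
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    findings = []

    key = from_name.strip().lower()
    if key in EXECUTIVES and from_addr.lower() != EXECUTIVES[key]:
        findings.append("display name %r impersonates an executive; sender is %s"
                        % (from_name, from_addr))

    if reply_addr and _domain(reply_addr) != _domain(from_addr):
        findings.append("Reply-To domain %s differs from From domain %s"
                        % (_domain(reply_addr), _domain(from_addr)))

    if lookalike(_domain(from_addr), CORPORATE_DOMAIN):
        findings.append("sender domain %s is a lookalike of %s"
                        % (_domain(from_addr), CORPORATE_DOMAIN))

    body = msg.get_payload() if not msg.is_multipart() else ""
    if URGENCY_WORDS.search(msg.get("Subject", "") + " " + body):
        findings.append("payment/urgency language present")
    return findings


# Constructed sample messages (not real traffic).
SPOOFED = """From: Alice Ceo <ceo.alice@examp1e.com>
Reply-To: alice.ceo@fastmail.example
To: bob.finance@example.com
Subject: Urgent wire transfer

Bob, I need you to wire 48,000 to the new vendor today. Keep this confidential.
"""

LEGIT = """From: Alice Ceo <alice.ceo@example.com>
To: bob.finance@example.com
Subject: Board agenda

Bob, the agenda for Thursday is attached.
"""

if __name__ == "__main__":
    for label, raw in (("spoofed", SPOOFED), ("legit", LEGIT)):
        print(label, score_message(raw))
```

The display-name check is the one that catches the classic case; the lookalike and Reply-To checks catch the variants where the attacker registers a near-identical domain or routes replies elsewhere. A single hit is a signal, not a verdict: real urgent wire requests exist, so the findings are best used to hold the message for review or to force an out-of-band confirmation with the executive.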

But these scams were thwarted, and the leader of the international criminal network was arrested by Interpol and the Nigerian Economic and Financial Crime Commission (EFCC) in June 2016.

In that operation, Fortinet’s FortiGuard Labs researchers augmented Interpol’s own technical expertise. “We saw a trend of certain malware being used for business email scams,” says Gavin Chow, network security strategist at FortiGuard Labs, whose research centers are located in Japan, China, Taiwan, Malaysia, Singapore, France, Canada and the US. “Our researchers managed to infiltrate the threat actors’ network and track the cybercriminals.”

Interpol had obtained information such as the emails of the kingpin, his cohorts and his gang members; a photo of the kingpin with associated GPS coordinates; and the cars he owned and the properties he had purchased. This was used to track and take down the cybercriminal gang.

Fortinet is actively involved in threat intelligence standards and protocols that are critical to achieving actionable threat intelligence. Apart from being an active member of an expert working group with Interpol for more than a year, Fortinet is also collaborating with the NATO Communications and Information (NCI) Agency and fellow members of the Cyber Threat Alliance (CTA) and the OASIS Cyber Threat Intelligence (CTI) group.

Fortinet has also tied up with the Korea Internet & Security Agency (KISA) to exchange cyber threat intelligence and expertise and jointly conduct research and analysis of Internet incidents in South Korea to determine the appropriate security technology and response required. The agreement also covers zero-day vulnerability research, which Fortinet provides to KISA to coordinate with affected vendors for patching.

Fortinet has been gathering a treasure trove of information from millions of devices deployed by 280,000 customers worldwide. According to IDC’s Worldwide Quarterly Security Appliance Tracker report, Fortinet has shipped over 2.7 million security appliances, averaging nearly twice as many security devices deployed per year as any other vendor.

Global and local insights

“With that spread of devices, we have visibility of threats going through our units,” Chow says. “We have different telemetry from a local perspective of a certain region or country, as well as from a global perspective with the same appliances. That is one of our key strengths because the devices are our sensors. They are deployed in live environments so we have visibility over actual threats going through them. This threat information is sent back to our data centers where we produce the threat reports and threat intelligence.”

Besides information from the ‘sensors’, Chow points out, Fortinet’s own research teams share findings that add to its threat intelligence partners’ insights. For example, from April 1 to June 30, 2016, participants in the Fortinet Cyber Threat Assessment Program (CTAP) recorded over 185 million threat events and incidents, many of which had evaded traditional perimeter security defenses and reached the internal network where the Fortinet assessment devices were located.

The CTAP is part of the FortiGuard Labs threat research team’s risk and advisory capabilities with its security platform. It provides customers with insight into the cyber threat landscape across all industries as well as specific regional insights, especially on threat actor-targeted activity, targeted spear phishing, ransomware and other threats.

With malware increasingly evading signature-based or pattern-based defenses, and behavioral analytics gaining traction, “we are striking the balance between using the traditional way of detecting known viruses and putting in new ways of detecting unknown viruses through our FortiSandbox solution,” Chow adds. “But in real-life situations, we realize that the challenge with behavioral analytics systems is that they can be slower. And some may be so complex that they require human analysis.”

To ease this, Fortinet combines signature-based malware detection with behavioral analytics in its sandbox solution. “There’s still an amount of delay when you do behavioral analysis,” explains Chow. “So how we balance it out in Fortinet is that if the malware is known, we can just use signatures, for instance, to detect them quickly. And then we leave the unknown malware to be scanned by the sandbox solution. Our strength is balancing security with performance.”