Stage 1: Network
Network 01-01: The LAN side is likely connecting to a call-back server. Please stop those connections.
Hints:
· Review the traffic log to identify the attack pattern, i.e. repeated connections to a specific IP address.
· Or, you can submit the IP address to a FortiGuard Threat Intelligence lookup.
· Consider using the Internet Services Database (ISDB) in the policy.
· Policy direction: LAN -> WAN (SD-WAN).
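Added example, not part of the challenge pack: a small Python script that parses FortiGate-style key=value traffic log lines and flags source/destination pairs that reconnect at near-regular intervals, which is the call-back pattern the hint asks you to locate before blocking the address. The log lines are constructed samples, and the jitter threshold is an assumed tuning value.

```python
import re
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed sample lines in FortiGate key=value traffic-log format (not real traffic).
SAMPLE_LOG = """\
date=2024-03-01 time=10:00:00 type="traffic" subtype="forward" srcip=192.168.100.10 dstip=203.0.113.5 dstport=443 action="accept"
date=2024-03-01 time=10:01:00 type="traffic" subtype="forward" srcip=192.168.100.10 dstip=203.0.113.5 dstport=443 action="accept"
date=2024-03-01 time=10:02:01 type="traffic" subtype="forward" srcip=192.168.100.10 dstip=203.0.113.5 dstport=443 action="accept"
date=2024-03-01 time=10:03:00 type="traffic" subtype="forward" srcip=192.168.100.10 dstip=203.0.113.5 dstport=443 action="accept"
date=2024-03-01 time=10:04:00 type="traffic" subtype="forward" srcip=192.168.100.10 dstip=203.0.113.5 dstport=443 action="accept"
date=2024-03-01 time=10:00:12 type="traffic" subtype="forward" srcip=192.168.100.11 dstip=198.51.100.7 dstport=443 action="accept"
date=2024-03-01 time=10:07:45 type="traffic" subtype="forward" srcip=192.168.100.11 dstip=198.51.100.7 dstport=443 action="accept"
date=2024-03-01 time=10:31:02 type="traffic" subtype="forward" srcip=192.168.100.11 dstip=198.51.100.7 dstport=443 action="accept"
"""

FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_line(line):
    """Turn one key=value log line into a dict, stripping quotes."""
    return {k: v.strip('"') for k, v in FIELD_RE.findall(line)}

def find_beacons(log_text, min_sessions=4, max_jitter=0.2):
    """Return (src, dst) pairs whose outbound sessions recur at near-regular
    intervals. jitter = pstdev/mean of inter-session gaps; low jitter over
    several sessions is the call-back pattern the hint asks you to locate."""
    sessions = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec.get("type") != "traffic" or "dstip" not in rec:
            continue
        ts = datetime.strptime(f"{rec['date']} {rec['time']}", "%Y-%m-%d %H:%M:%S")
        sessions[(rec["srcip"], rec["dstip"])].append(ts)
    beacons = []
    for pair, times in sessions.items():
        if len(times) < min_sessions:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        mean = statistics.mean(gaps)
        jitter = statistics.pstdev(gaps) / mean if mean else float("inf")
        if jitter <= max_jitter:
            beacons.append((pair, round(mean), round(jitter, 3)))
    return beacons

if __name__ == "__main__":
    for (src, dst), period, jitter in find_beacons(SAMPLE_LOG):
        print(f"{src} -> {dst}: every ~{period}s (jitter {jitter})")
```

The flagged destination is the one to check against FortiGuard and then block with a LAN -> WAN policy; the irregular pair is left alone.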
Network 01-02: An attack (CVE exploit) is being generated from LAN to DMZ. Please stop it.
Hints:
· Policy direction: LAN -> DMZ.
· The attack payload is encrypted via SSL. How do you detect it?
Network 01-03: Hacker traffic is causing high latency on WAN1. Please enable SD-WAN.
Hints:
· You can enable SLA performance checks to confirm the issue.
· WAN2 (gateway 20.20.0.254) can also reach the internet.
· Try configuring the FortiGate SD-WAN profile and adding WAN2 to it. Then set the SD-WAN policy to prefer WAN2 by best quality.
Network 01-04: Investigation found malware in an SMB share. Please dig it out.
Hints:
· There are lots of files in the share folder, so scanning may take some time. Start it early.
· Configure FortiNDR to scan the SMB share (\\192.168.100.60\share), then trigger a manual scan with "Scan Now".
Network 01-05: Ensure that secure access to internal resources requires approval and session recording.
Access FortiPAM and retrieve the secret via the approval process.
Each group has 2 user accounts and 1 approver account:
· user01, user02
· Approver
Initiate a Web RDP session to the web server via the VIP. The score is counted when the session is recorded successfully.
Hints:
· A user can request the dedicated secret with a user account.
· The approver account can only be used for the approval process.
· Install the browser extension to run Web RDP access to the internal host. Close the browser once the session succeeds; the close log is what counts toward the score.