Introducing Live Search: A Real-Time Search Enhancement for Threat Hunting and Incident Response

Grzegorz Nocoń

April 25, 2023

On April 25, 2023, Bitdefender added a new Live Search capability to GravityZone. It improves visibility into the organization and enables IT security professionals and security operations center (SOC) teams to quickly and easily search for specific files or applications while benefiting from the collective knowledge of the cybersecurity community. The new feature enhances threat hunting and active incident response, lets admins identify misconfigurations and software vulnerabilities, and checks system compliance with regulations and standards, helping organizations remain vigilant in detecting and responding to emerging threats.

According to Forrester, ‘threat hunting is an exercise blending expertise, intuition, and creativity’ ¹. Another Forrester report states that available tools ‘are often complicated and difficult to use, hindering analysts’ ability to do this effectively.’ ² A recent survey also shows that ‘41% of security decision-makers indicated that analysis (investigation) is the phase that takes the most time in the incident alert/response process.’ ³

Bitdefender’s new Live Search is a significant addition to its EDR and XDR tools because it enables analysts to investigate alerts more effectively through a combination of out-of-the-box threat hunting queries and access to the collective knowledge of the cybersecurity community.

As businesses increasingly rely on digital infrastructures, the risk of cyber-attacks is higher than ever. Attackers have multiple techniques at their disposal to gain unauthorized access to corporate networks—the most common one being exploiting vulnerabilities in internet-accessible systems.  

A common issue for organizations is that end-users run applications without an administrator's level of knowledge about the components required to build and maintain them. Outdated libraries in these applications can become an entry point for attackers to infiltrate the organization. Recent events, such as the critical Log4j2 zero-day vulnerability, highlight the risks presented by software vulnerabilities. Beyond applications, a vulnerability in an operating system, such as the Unauthorized RCE vulnerability in the MSMQ service, also poses significant risks for organizations. While these vulnerabilities are examples of application and operating system risks, they are representative of a wider problem that is difficult for organizations to solve.

Threat actors also often use advanced techniques like phishing emails to obtain valid credentials. In fact, the Bitdefender 2023 Cybersecurity Assessment Report found IT and cybersecurity leaders reporting that their company has seen an increase in the sophistication of phishing attacks. Valid credentials allow attackers to get a foothold within an organization and move laterally through the network using administrative tools like Remote Desktop (RDP) or the WinRM service. By executing scripts or PowerShell, attackers can install additional tools that create hidden communication channels, enabling undetected communication with the victim network. All of these actions inevitably generate events, but they can be detected only with dedicated tools.

Live Search

Live Search is a critical tool for SOC teams, including Bitdefender Managed Detection and Response, which can use it for threat hunting to discover attacks in their initial stages and to proactively search for potential threats. By querying for Indicators of Compromise (IOCs), such as suspicious registry keys, network connections, or system events, security teams can identify threats before they become full-blown incidents. Security engineers can search for remote connections, scripts, DNS tunneling, or PowerShell execution inside the organization.

Once an ongoing attack has been discovered, Live Search is also a vital tool for forensic and root cause analysis, because it can be used to gather forensic evidence after a security incident. By querying for information about file modifications, process information, and other indicators, security teams can piece together a timeline of events, identify the scope of an incident, trace the path of the attack, and identify the point of entry.

Live Search is a powerful tool that gives security teams and system administrators the ability to gather information about the state of their systems and workloads in real time. Live Search works by querying the operating system using SQL-like commands, which allows administrators to quickly and easily retrieve information about processes, system configuration, and other aspects of the operating system and applications.

Live Search also helps streamline system administration tasks including inventory management, software deployment, and compliance auditing. With Live Search, administrators have the right tool to easily collect information about the configuration of systems, identify software that needs to be updated or patched, and understand if systems are compliant with relevant regulations and standards. For example, Live Search could be used to identify systems which have a vulnerable version of the Log4j utility, allowing administrators to focus attack prevention efforts on the most vulnerable systems.  

Featured

To focus administrator efforts, Live Search includes the Featured section where administrators can find the latest queries. Immediately after login, administrators have access to queries dedicated to the latest threats, suspicious activities, and supply chain attacks. 

Summary

The ability to protect sensitive information from unauthorized access is a critical aspect of information security. It requires a multi-layered approach, including physical security measures, network security protocols, access controls, and encryption techniques. Live Search provides multiple benefits for administrators including threat hunting and active incident response, streamlined visibility, comprehensive search capabilities, and central management.  

The new Live Search capability is available now and is included in Bitdefender GravityZone Business Security Enterprise and GravityZone EDR Cloud.

Learn more about Bitdefender GravityZone.


Original source references:
 1. Threat Hunting 101, Forrester Research Inc., July 15, 2022
 2. Analyst Experience: SOC Analysts Finally Escape The Shackles Of Bad UX, Forrester Research Inc., April 14, 2022
 3. Security Survey 2022, Forrester Research Inc., September 12, 2022

Author


Grzegorz Nocoń

Grzegorz Nocon is a graduate of the Faculty of Physics at the University of Silesia. With over 16 years of experience in the IT industry, he currently works as a Technical Marketing Engineer at Bitdefender. A strong supporter of a holistic approach to security and passionate about solving security problems in a comprehensive and integrated way. Outside of work, an avid CrossFit enthusiast and a lover of fantasy literature.
