Detection – Bitdefender TechZone

Abstract

Detect and respond to advanced threats with robust detection capabilities. Gain visibility into security incidents, automate investigations, and enhance your incident management process.

Not all attacks can be stopped by the prevention and protection layers. Attackers use several strategies to remain undetected in the victim network for an extended period of time. These strategies are designed to make malicious activity hard to detect and the attack hard to stop.

Threat actors often use techniques such as phishing emails to obtain valid credentials. This gives them a foothold within the organization, from which they move laterally through the network using administrative tools like Remote Desktop (RDP) or WinRM. They can then use scripts or PowerShell to install additional tooling that creates hidden communication channels, allowing them to communicate with the compromised network without being noticed. These actions invariably generate events, but because the tools involved are legitimate, the protection layer cannot always classify them as malicious; recognizing the pattern requires specialized detection tooling.

The detection pillar of GravityZone is focused on detecting threats that have evaded prevention and protection technologies. Detection capabilities are a crucial component of a strong cybersecurity posture. These technologies work together to identify security incidents and provide security teams with the information they need to respond quickly.

Bitdefender GravityZone, as a single management platform, simplifies security control management and reduces complexity. Endpoint Detection and Response (EDR) detects suspicious endpoint activity and provides automated investigation results; with an additional network sensor, network-related events can also be gathered to understand the incident's context. A richer context enhances visibility within the organization. It is crucial to remember that attacks can originate from unmanaged systems such as cameras or other IoT devices; without full visibility, an attacker can move laterally within the organization without being noticed.

Hybrid architectures also require additional sensors to collect information related to user sign-in activity and configuration changes in a cloud environment. By collecting logs from all sensors and endpoints, the eXtended Detection and Response (XDR) mechanism will correlate signals, which might otherwise be overlooked, to assemble a comprehensive view of the attack chain.
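As an added illustration of the cross-sensor correlation described above (example code written for this article, not Bitdefender's XDR implementation; the event fields, sensor names, stage weights and sample events are assumptions constructed for the demo), a small correlator pivots events from an endpoint, network and cloud sensor onto a user and reports a chain only when several sensors contribute within a time window:

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events from three hypothetical sensors (endpoint, network, cloud).
# Field names and values are assumptions for this example, not a Bitdefender event format.
SAMPLE_EVENTS = [
    {"ts": "2024-05-01T09:00:00", "sensor": "cloud", "host": None, "user": "alice", "kind": "cloud_signin"},
    {"ts": "2024-05-01T09:05:00", "sensor": "endpoint", "host": "WS01", "user": "alice", "kind": "rdp_logon"},
    {"ts": "2024-05-01T09:07:00", "sensor": "endpoint", "host": "WS01", "user": "alice", "kind": "powershell"},
    {"ts": "2024-05-01T09:09:00", "sensor": "network", "host": "WS01", "user": None, "kind": "beacon"},
    {"ts": "2024-05-01T14:00:00", "sensor": "endpoint", "host": "WS02", "user": "bob", "kind": "rdp_logon"},
]

# Each event kind alone is routine administrative noise; the chain is what makes an incident.
STAGE_WEIGHT = {"cloud_signin": 1, "rdp_logon": 1, "powershell": 2, "beacon": 2}

def _pivot(ev, host_owner):
    """Attribute an event to a user; sensors without user context pivot via the host's last user."""
    if ev["user"]:
        if ev["host"]:
            host_owner[ev["host"]] = ev["user"]
        return ev["user"]
    return host_owner.get(ev["host"], ev["host"])

def correlate(events, window_minutes=30, threshold=4):
    """Cluster each user's events in time and flag clusters fed by at least two sensors."""
    host_owner, per_user = {}, defaultdict(list)
    for ev in sorted(events, key=lambda e: e["ts"]):  # ISO timestamps sort lexically
        per_user[_pivot(ev, host_owner)].append(ev)
    window = timedelta(minutes=window_minutes)
    incidents = []
    for user, evs in per_user.items():
        cluster = [evs[0]]
        for ev in evs[1:] + [None]:  # None sentinel flushes the final cluster
            if ev and (datetime.fromisoformat(ev["ts"])
                       - datetime.fromisoformat(cluster[-1]["ts"])) <= window:
                cluster.append(ev)
                continue
            sensors = sorted({e["sensor"] for e in cluster})
            score = sum(STAGE_WEIGHT.get(e["kind"], 0) for e in cluster)
            if len(sensors) >= 2 and score >= threshold:
                incidents.append({"entity": user, "sensors": sensors, "score": score,
                                  "chain": [e["kind"] for e in cluster],
                                  "start": cluster[0]["ts"], "end": cluster[-1]["ts"]})
            if ev:
                cluster = [ev]
    return incidents
```

Running `correlate(SAMPLE_EVENTS)` yields one incident for alice spanning all three sensors, while bob's lone RDP logon stays below the threshold.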

Finally, the automated incident advisor and root cause analysis tools help organizations understand the nature and extent of a security incident. Because XDR performs the burdensome manual correlation and incident analysis tasks, the incident management process can focus on outcomes. Related tools such as integrity monitoring complete the picture for administrators by identifying unauthorized changes to critical systems or data.

Recommended Content

To learn more about the technologies included in the detection layer, we recommend reading the next article, EDR, XDR, and MDR overview.