
Incident Investigation and Forensics - Bitdefender TechZone

Abstract

Bitdefender GravityZone provides an efficient solution for incident investigation and response. With Extended Root Cause Analysis and a unified view of incidents, administrators and security teams minimize response time, understand attack chains, and enhance cybersecurity posture.

While not all attacks can be stopped, security teams should focus on detecting incidents that manage to evade prevention and protection technologies.

An incident refers to any unplanned event that disrupts normal operations and causes or has the potential to cause damage or harm to the organization's assets, services, or data. Incidents can be caused by a wide range of factors such as software bugs, hardware failures, cyber-attacks, or human errors.

Incident investigations provide insights into the vulnerabilities and weaknesses exploited during an attack. This process helps develop a historical record of incidents, which can be used to identify trends, patterns, and recurrent threats. Understanding how an attack occurred is crucial for containing the threat and preventing further damage. It is also important in the learning process from past experiences and contributes to improving overall safety and security by developing strategies to minimize their impact.

Analyzing security incidents can be overwhelming for security analysts. Sifting through extensive data from various sources without clear connections between them significantly increases response time and reduces the likelihood of stopping the spread of an attack. With the GravityZone Incidents functionality, administrators gain access to a consolidated platform that streamlines the analysis process by providing a unified view.

Incidents

The Incidents functionality helps filter, investigate, and act on all security events detected and generated for the managed company in the last 90 days. Administrators can distinguish two types of incidents:

  • Endpoint Incidents displays all suspicious incidents detected at the endpoint level (EDR) that require investigation and on which no action has been taken yet.

  • Organization Incidents consolidates all incidents and detections into a single panel. When possible, this feature correlates host-level endpoint incidents (EDR) from all endpoints. With an XDR subscription, correlation also includes attacks identified by Sensors.

The All Incidents Investigation tab provides a human-readable summary of all incidents where administrators can customize smart views according to their needs or use default ones.

Bitdefender GravityZone Incident section

Bitdefender GravityZone Incident section allows security teams to check all Incidents at a glance.

Once incidents are correlated, only the root entry remains in the grid, together with the IDs of the child incidents correlated with it. With a list of the entities involved in the incident, administrators can prioritize their tasks to break the attack chain. This simplifies triage and lets security professionals concentrate on the more complicated incidents.

Bitdefender GravityZone root entry

Bitdefender GravityZone root entry of correlated incidents.
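The correlation behaviour described above (many incidents collapse into one root entry that carries the IDs of its children) can be illustrated with a small added example. This is not GravityZone code and does not reflect how Bitdefender actually links incidents: the linking rule here (two incidents are related when they share a file hash, user or IP entity) and the incident records are constructed assumptions for illustration only.

```python
from collections import defaultdict

# Constructed sample endpoint incidents (not real GravityZone data).
# Each incident names the entities it involves as "kind:value" strings.
INCIDENTS = [
    {"id": "INC-101", "time": "2024-05-01T08:02:00Z",
     "entities": {"host:ws-12", "user:alice", "sha256:aaaa1111"}},
    {"id": "INC-102", "time": "2024-05-01T08:10:00Z",
     "entities": {"host:ws-07", "user:bob", "sha256:aaaa1111"}},
    {"id": "INC-103", "time": "2024-05-01T08:30:00Z",
     "entities": {"host:srv-01", "user:bob", "ip:203.0.113.10"}},
    {"id": "INC-104", "time": "2024-05-01T09:00:00Z",
     "entities": {"host:ws-33", "user:carol", "sha256:bbbb2222"}},
]


def correlate(incidents, link_kinds=("sha256", "user", "ip")):
    """Group incidents that share an entity of a linking kind (assumed rule).

    Returns one root entry per group: the earliest incident becomes the root,
    the others are listed as its children, and the union of entities gives the
    analyst the full list of what is involved in the attack chain.
    """
    parent = {inc["id"]: inc["id"] for inc in incidents}

    def find(x):                      # union-find with path halving
        while parent[x] != x:
            parent[x] = parent[parent[x]]
            x = parent[x]
        return x

    def union(a, b):
        ra, rb = find(a), find(b)
        if ra != rb:
            parent[rb] = ra

    # Index incidents by each linking entity; hosts are deliberately excluded
    # so that two unrelated detections on one machine are not merged.
    by_entity = defaultdict(list)
    for inc in incidents:
        for ent in inc["entities"]:
            if ent.split(":", 1)[0] in link_kinds:
                by_entity[ent].append(inc["id"])
    for ids in by_entity.values():
        for other in ids[1:]:
            union(ids[0], other)

    groups = defaultdict(list)
    for inc in incidents:
        groups[find(inc["id"])].append(inc)

    roots = []
    for members in groups.values():
        members.sort(key=lambda i: i["time"])   # earliest detection is the root entry
        root = members[0]
        roots.append({
            "id": root["id"],
            "time": root["time"],
            "children": [m["id"] for m in members[1:]],
            "entities": sorted(set().union(*(m["entities"] for m in members))),
        })
    roots.sort(key=lambda r: r["time"])
    return roots


if __name__ == "__main__":
    for entry in correlate(INCIDENTS):
        print(entry["id"], "children:", entry["children"])
        print("  entities:", ", ".join(entry["entities"]))
```

With the constructed data, INC-101 and INC-102 share a file hash and INC-102 and INC-103 share a user, so the grid would show INC-101 as the root with INC-102 and INC-103 as children, while INC-104 stays a separate root.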

Detailed information about Incident Investigation flow can be found at our Bitdefender Support Center here.

Incident Advisor

GravityZone Incident Advisor was designed to minimize the time required to investigate and contain threats. It is available as a default landing page when an incident is selected and provides an intuitive and visually comprehensive overview of information for key questions:

  • What happened: A short summary and information about the incident severity score.

  • Why this incident was generated: It includes mapping to MITRE ATT&CK tactics and techniques used during the incident, along with the Root Cause Analysis.

  • How this incident has affected the organization: This covers all affected resources based on the information from endpoints and Sensors.

  • How to respond to minimize the business impact: Provides single-click response across the organization. All the response actions are detailed in the Threat Response article.

  • Which risk led to the incident: Pinpoints the root causes that led to the incident and reveals all related security risks linked to incident-related entities.

Bitdefender GravityZone Incident Advisor layers

Bitdefender GravityZone Incident Advisor allows security teams to check all the key details about the particular incident.

Incident Advisor correlates data from multiple sources and presents it in a format that minimizes the time security specialists need to investigate and respond to the incident. You can export a selected incident to PDF format; this report includes all the information shown in Incident Advisor.

Root Cause Analysis

The Root Cause Analysis provides an interactive graphical map of the investigated incident. This map highlights the critical path, which is the exact sequence of events that triggered the attack. It also shows all other elements involved, allowing you to see the bigger picture but keeping the critical path in focus. By visualizing the flow of the attack and the relationships between processes and file system operations, you gain a deep understanding of how the attackers operated. This valuable insight enables you to take decisive action to stop the attack in its tracks and prevent future breaches.

Bitdefender GravityZone Root Cause Analysis

Bitdefender GravityZone Root Cause Analysis allows security teams to check all milestones during incident execution.
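To make the idea of a critical path concrete, here is an added example that is not GravityZone code and does not reproduce Bitdefender's Root Cause Analysis. It assumes a constructed set of endpoint events (process starts, file writes, network connections), walks back from the object that raised the alert to the entry point to obtain the critical path, and then lists the other elements that hang off that path, which is the "bigger picture" the text refers to. The event format, process names and paths are all constructed for illustration.

```python
from collections import defaultdict

# Constructed sample telemetry (not real GravityZone data).
# Each event is (event_id, kind, subject, object); subjects and objects are
# node labels in the incident graph, not real PIDs or hashes.
EVENTS = [
    ("e1", "process_start", "outlook.exe", "winword.exe"),
    ("e2", "file_write", "winword.exe", r"C:\Users\u\AppData\Local\Temp\inv.doc"),
    ("e3", "process_start", "winword.exe", "powershell.exe"),
    ("e4", "net_connect", "powershell.exe", "203.0.113.10:443"),
    ("e5", "file_write", "powershell.exe", r"C:\Users\u\AppData\Roaming\upd.exe"),
    ("e6", "process_start", "powershell.exe", "upd.exe"),
    ("e7", "process_start", "explorer.exe", "notepad.exe"),   # unrelated activity
    ("e8", "file_write", "upd.exe", r"C:\Users\u\Documents\report.docx.locked"),
]

# The object on which the detection fired (constructed).
ALERT_NODE = r"C:\Users\u\Documents\report.docx.locked"


def build_graph(events):
    """Index events by object (incoming edges) and by subject (outgoing edges)."""
    incoming, outgoing = defaultdict(list), defaultdict(list)
    for ev in events:
        _, _, subject, obj = ev
        incoming[obj].append(ev)
        outgoing[subject].append(ev)
    return incoming, outgoing


def critical_path(events, alert_node):
    """Walk from the alerting node back to the entry point; return root-first."""
    incoming, _ = build_graph(events)
    path, seen, node = [alert_node], {alert_node}, alert_node
    while node in incoming:
        # Prefer the process_start edge: the parent process explains how
        # this node came to exist, which is what the critical path shows.
        parents = sorted(incoming[node], key=lambda ev: ev[1] != "process_start")
        parent = parents[0][2]
        if parent in seen:
            break          # defensive: malformed telemetry must not loop forever
        path.append(parent)
        seen.add(parent)
        node = parent
    path.reverse()
    return path


def path_events(events, path):
    """The exact sequence of events that make up the critical path."""
    on_path = set(zip(path, path[1:]))
    return [ev for ev in events if (ev[2], ev[3]) in on_path]


def related_elements(events, path):
    """Everything one hop off the critical path: files, connections, children."""
    incoming, outgoing = build_graph(events)
    on_path, related = set(path), set()
    for node in path:
        related.update(ev[3] for ev in outgoing.get(node, []) if ev[3] not in on_path)
        related.update(ev[2] for ev in incoming.get(node, []) if ev[2] not in on_path)
    return sorted(related)


if __name__ == "__main__":
    path = critical_path(EVENTS, ALERT_NODE)
    print("critical path:", " -> ".join(path))
    for ev in path_events(EVENTS, path):
        print("  ", ev[0], ev[1], ev[2], "->", ev[3])
    print("related elements:", related_elements(EVENTS, path))
```

Note that the notepad.exe activity never appears in the output: it is not connected to any node on the critical path, so it is neither part of the attack chain nor part of its surrounding context.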

Extended Root Cause Analysis

An in-depth investigation of the security incident is available via a visual graph. The Graph tab presents a dynamic visual representation of the ongoing incident investigation, offering a detailed activity timeline. It illustrates the sequence of correlated sources, data, context, and events caused by external agents, whether they have already occurred or are still active in the environment. Security analysts can find relationships and directions of communication across users, endpoints, cloud workloads, and files.

Bitdefender GravityZone Extended Root Cause Analysis

Bitdefender GravityZone Extended Root Cause Analysis allows security teams to investigate each single incident in depth.

The portal's user experience is rich in visualization, and it is easy to pivot from one fact to related information within a report. Selecting, for example, the initial access stage automatically highlights all elements and connections occurring at that stage of the incident.

Extended Root Cause Analysis details

This allows security teams to understand the attack chain and determine the specific Tactics, Techniques, and Procedures (TTPs) employed by the threat actor. The comprehensive insights gained from Extended Root Cause Analysis empower security teams to launch targeted responses and strengthen defenses against similar threats, improving the organization's cybersecurity posture.

Response

For each incident, administrators have access to the Remediation section, which includes actions requiring immediate attention, actions that have already been executed, or actions that have been dismissed. The available actions vary based on the type of Sensors the administrator has.

In the case of Endpoint Incidents, security teams can isolate the endpoint, block the file, or establish a Remote Shell connection. Together with a Patch Management subscription, administrators can install patches to reduce the attack surface by minimizing active vulnerabilities. For those using Sensors such as the Active Directory Sensor, security teams can disable an Active Directory account or force a password reset. Additional information about responses and available actions is detailed in the Threat Response article.

Bitdefender GravityZone Response section

Bitdefender GravityZone Response section allows security teams to take any action needed.

Forensics

To collect extra information from endpoints affected by an incident, security analysts can create an Investigation Package containing forensic data. This functionality is available for Windows, Linux, and macOS computers. Details of the data collected for each operating system, and instructions on creating an investigation package, can be found on our GravityZone Support Center page.

Bitdefender GravityZone Investigation Package

It is worth noting that investigation files have a data retention period of 24 hours. All files are encrypted in transit, at rest, and in use.

Recommended Content

To learn more about the technologies included in the Detection layer, we recommend reading the next article, Live Search.

More Resources

Watch our demo to see Incident Advisor in action: YouTube Demo

GravityZone Incident Guided Tour: Incident Guided Tour