Live Search - Bitdefender TechZone
Enhance threat hunting and incident response with Bitdefender Live Search. Proactively combat threats on Windows, Linux and macOS.
Hackers use different techniques to gain unauthorized access to the corporate network. One of the most common relies on locating vulnerable systems accessible from the Internet. Depending on the application, the vulnerability can be exploited and lead, for example, to remote code execution, as happened with critical zero-day vulnerabilities like Log4j2 or ProxyShell. This kind of software vulnerability enables a remote attacker to take control of a system and all its data and applications.
Once attackers gain an entry point into the organization, they can initiate additional actions, seeking out valuable targets and sensitive data. Using sophisticated techniques like phishing emails, attackers can harvest user passwords and gain valid credentials. The next step can be to move laterally within the network; to do so, attackers can use legitimate, pre-existing system binaries, scripts, and libraries, employing Living Off The Land (LOTL) techniques.
In the scenario described above, the attackers' actions cannot be detected by standard protection functionality because the attackers are using vulnerabilities, valid credentials, or trusted applications. On the other hand, each action generates events which can be valuable for threat hunting and incident response.
Without specialized tools, customers lack direct visibility into live data and events. This leads to a lack of understanding of the organization's current state: whether the company was breached or is vulnerable, and how many systems were affected.
Functionality Overview
Bitdefender’s Live Search is a significant addition to EDR and XDR tools, enhancing threat hunting and active incident response capabilities. By integrating Osquery, Live Search empowers organizations to proactively combat threats and swiftly respond to incidents across all major endpoint platforms, including Windows, Linux, and macOS.

Administrators can access a comprehensive management layer for Osquery, encompassing visual management through the intuitive Control Center. This approach ensures that security analysts can seamlessly engage with Osquery and perform essential tasks without leaving the GravityZone console, an all-in-one security management platform.
Integration simplifies the deployment process through a centralized approach. Organizations can effortlessly and consistently deploy Osquery across their entire endpoint infrastructure by leveraging the power of BEST (Bitdefender Endpoint Security Tools) client policies. This centralized deployment strategy alleviates operational complexities, ensures uniformity in query execution, and equips all endpoints with the necessary capabilities to conduct comprehensive security queries. Moreover, Live Search facilitates the execution of queries on multiple endpoints concurrently.
Live Search works by querying the operating system using SQL-like commands, which allows users to retrieve information easily and quickly about processes, loaded kernel modules, open network connections, browser plugins, hardware events, file hashes, system configuration, and other aspects of the operating system in real-time.
The administrators have at their disposal more than 340 predefined queries ready to be employed out of the box, thereby ensuring effortless management.

Additionally, administrators have the flexibility to create new queries tailored to their specific needs, which can be saved in a private collection for repeated use. With access to over 390 tables, including 280 custom tables exposing EDR cache data from Bitdefender's technology, administrators can easily build new queries. The GravityZone web console provides a user-friendly schema helper panel, facilitating the query creation process through its embedded guidance.

Administrators can edit their previously saved queries, giving them the flexibility to modify and refine queries as needed. This essential feature promotes adaptability and ensures that users can keep their queries up to date, aligning them with evolving security requirements.
In addition, Live Search offers functionality allowing users to submit queries to multiple systems based on specific inclusion criteria. Whether selecting specific inventory objects or defining generic inclusion criteria based on system characteristics or metadata tags, users can tailor their queries precisely. This versatility enables organizations to efficiently target specific endpoints or groups of endpoints, streamlining their threat hunting and incident-response efforts.
The GravityZone console's display of query results further enhances the usability of Live Search. Users can view query results directly, facilitating quick analysis and providing immediate visibility into potential security issues. Additionally, Live Search offers the functionality of exporting query results. This feature enables users to generate comprehensive reports that capture query findings, facilitating further analysis, sharing with stakeholders, or inclusion in incident response documentation.
Example of Usage
The security team (like Bitdefender MDR) could use Live Search for threat hunting to discover this attack in its initial stages and proactively search for potential threats. By querying for indicators of compromise (IOCs), such as suspicious registry keys, network connections, or system events, security teams can identify potential threats before they become full-blown incidents. In our case, security engineers can search for any remote connections, scripts, DNS tunnelling, or PowerShell execution inside the organization.
After discovering the ongoing attack, the security team could use Live Search for forensic and root cause analysis. Live Search can be used to gather forensic evidence after a security incident. By querying for information about file modifications, process information, and other indicators, security teams can piece together a timeline of events, identify the scope of an incident, trace the path of an attack, and identify the point of entry.
Live Search can be used for system administration tasks such as inventory management, software deployment, and compliance auditing. With Osquery, system administrators can easily gather information about the configuration of their systems, identify software that needs to be updated or patched, and ensure that their systems are in compliance with relevant regulations and policies. For example, the vulnerable Log4j library could be located and patched, which could prevent the attack completely.
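As an added illustration (not queries from the page or from Bitdefender's predefined collection), the three hunts this section names expressed as osquery SQL: processes holding remote connections, PowerShell launched with an encoded or download-style command line, and an inventory of log4j-core jars with their hashes. They use only standard osquery tables (processes, process_open_sockets, file, hash), not the custom EDR tables; the /opt application root, the single-level directory depth and the command-line patterns are assumptions to adapt to your environment.

```sql
-- 1) Remote connections: every process with a socket to a non-local peer.
--    Joins the standard osquery processes and process_open_sockets tables.
SELECT p.pid, p.name, p.path, p.cmdline,
       s.local_port, s.remote_address, s.remote_port
FROM processes p
JOIN process_open_sockets s USING (pid)
WHERE s.remote_port != 0
  AND s.remote_address NOT IN ('', '0.0.0.0', '127.0.0.1', '::', '::1');

-- 2) PowerShell execution with an encoded or download-style command line,
--    including the parent process so the launch chain is visible.
--    SQLite LIKE is case-insensitive for ASCII, so -enc and -EncodedCommand
--    both match the first pattern (patterns are assumptions, extend as needed).
SELECT p.pid, p.path, p.cmdline,
       pp.name AS parent_name, pp.path AS parent_path
FROM processes p
LEFT JOIN processes pp ON pp.pid = p.parent
WHERE p.name IN ('powershell.exe', 'pwsh.exe')
  AND (p.cmdline LIKE '%-enc%' OR p.cmdline LIKE '%downloadstring%');

-- 3) Log4j inventory: locate log4j-core jars one directory level under an
--    assumed application root (/opt is a placeholder) and hash them so the
--    results can be compared against a known-good or patched version list.
--    The file table needs a path or directory constraint; % matches within
--    a single path component.
SELECT f.path, f.size, f.mtime, h.sha256
FROM file f
JOIN hash h USING (path)
WHERE f.path LIKE '/opt/%/lib/log4j-core-%.jar';
```

Run against a group of endpoints, the third query gives the per-host list of library versions that the patching step in the paragraph above would act on.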

Detailed information about Live Search configuration and usage can be found at our Bitdefender Support Center.
Recommended Content
To learn more about the technologies included in the Detection layer we recommend reading the next article Anomaly Detection.