Threat Response - Bitdefender TechZone
The ability to respond depends on visibility into ongoing incidents. See how Bitdefender GravityZone ensures fast and accurate response to security incidents with remediation guidance.
With all the information about incidents, from Prevention, Protection, and Detection layers, security specialists need to have response tools at their disposal.
Response refers to the set of actions that can be taken in reaction to security incidents or threats detected on the network. The containment phase aims to stop the impact of an incident before it can create additional damage. Incidents can be stopped using various methods, including automated responses, guided responses, and pre-approved actions for Managed Detection and Response services. The main goal is to effectively manage incidents to minimize damage to the system and data.
The rest of this article describes the response actions available in Bitdefender GravityZone. These actions help organizations manage and mitigate the impact of security incidents, protect sensitive data, and maintain the overall security and resilience of their IT infrastructure.
Managing Remediation
Every incident in Bitdefender GravityZone can be viewed and investigated under the Incident section, as described in the Incident Investigation and Forensics article.

Bitdefender GravityZone Incident section allows security teams to check all Incidents at a glance.
For each incident, depending on how many assets were involved in the incident, administrators have access to the Remediation section or the Response tab, which includes actions requiring immediate attention, actions that have already been executed, or actions that have been dismissed.
The Remediation section is available when only one computer is engaged in an incident.

Bitdefender GravityZone Remediation section
The Response section is available when more than one computer or any other assets coming from Sensors are engaged in an incident.

Bitdefender GravityZone Incident Advisor allows security teams to check all the key details about the incident and take the Response action.
Executed Response
In the Executed section, the administrator can check the actions that were performed manually from the Incident Investigation Graph or by executing response recommendations. The summary for each action contains:
The action description
The result: successful or failed
The action types
The host(s) where the action was executed
The response type: endpoint or XDR Sensors
Guided Response
In the Response section, the user is presented with different options to respond to the incident based on the correlated detections. The Recommended Actions section includes Containment and Remediation actions.

Bitdefender GravityZone Response section allows security teams to take any action needed.
The list of available actions depends on which additional Sensor integrations are defined in GravityZone. The administrator chooses the actions to run and triggers their execution by clicking the actions button. Each selected action has a Status, and once an action has run successfully the administrator can expand it to see its summary.

Incident Response Actions
The following actions, automatic or manual, are available as incident response actions.
| Action | Platform / XDR Sensors | Target |
|---|---|---|
| Endpoint Protection | Endpoint | |
| Kill Process | Endpoint Protection | Process |
| Quarantine | Endpoint Protection | File, Process |
| File blocklist | Endpoint Protection | File, Process |
| File exclusion | Endpoint Protection | File, Process |
| Add to Sandbox | Endpoint Protection | File, Process |
| Search with VirusTotal | Endpoint Protection | File, Process |
| Search with Google | Endpoint Protection | File, Process |
| IP Exclusion | Endpoint Protection | Host |
| URL Exclusion | Endpoint Protection | Host |
| Install patches | Endpoint Protection | Endpoint |
| Collect investigation pkg | Endpoint Protection | Endpoint |
| Remote Shell | Endpoint Protection | Endpoint |
| Disable AD user | Active Directory | User |
| Reset AD user password | Active Directory | User |
| Mark user as compromised | Azure AD | User |
| Disable Azure user | Azure AD, O365 | User |
| Reset Azure user password | Azure AD, O365 | User |
| Delete email O365 | O365 | |
| Disable AWS IAM account | AWS | User |
| Delete email Gmail | Google Workspace | |
| Disable Google user | Google Workspace, Google Cloud Platform | User |
| Reset Google user password | Google Workspace, Google Cloud Platform | User |
| Disable user - Atlassian | Atlassian Cloud | User |
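The rules stated in this article (Remediation for a single computer versus the Response tab for multiple assets or Sensor-sourced assets, actions offered according to the Sensor integrations configured, and the summary fields recorded for an executed action) can be expressed as a small model. The following Python is an added illustration, not Bitdefender code and not the GravityZone API: the action catalogue is a subset of the table above transcribed as data, the "Endpoint" source convention for agent-seen assets, the matching logic, the `Mailbox` target for e-mail deletion (left blank in the table) and the sample incident are all assumptions made here, and the pre-approval check is a plain set membership test modelled on the MDR section later in the article.

```python
from dataclasses import dataclass
from enum import Enum


class Target(Enum):
    PROCESS = "Process"
    FILE = "File"
    HOST = "Host"
    ENDPOINT = "Endpoint"
    USER = "User"
    MAILBOX = "Mailbox"  # assumption: the table leaves the target blank for e-mail deletion


@dataclass(frozen=True)
class Action:
    name: str
    platforms: frozenset  # integrations (Platform / XDR Sensors column) that provide the action
    targets: frozenset    # asset types the action applies to (Target column)


EP = frozenset({"Endpoint Protection"})

# Subset of the catalogue from the table above, transcribed as data.
CATALOG = [
    Action("Kill Process", EP, frozenset({Target.PROCESS})),
    Action("Quarantine", EP, frozenset({Target.FILE, Target.PROCESS})),
    Action("File blocklist", EP, frozenset({Target.FILE, Target.PROCESS})),
    Action("Add to Sandbox", EP, frozenset({Target.FILE, Target.PROCESS})),
    Action("IP Exclusion", EP, frozenset({Target.HOST})),
    Action("Collect investigation pkg", EP, frozenset({Target.ENDPOINT})),
    Action("Remote Shell", EP, frozenset({Target.ENDPOINT})),
    Action("Disable AD user", frozenset({"Active Directory"}), frozenset({Target.USER})),
    Action("Reset AD user password", frozenset({"Active Directory"}), frozenset({Target.USER})),
    Action("Disable Azure user", frozenset({"Azure AD", "O365"}), frozenset({Target.USER})),
    Action("Delete email O365", frozenset({"O365"}), frozenset({Target.MAILBOX})),
    Action("Disable AWS IAM account", frozenset({"AWS"}), frozenset({Target.USER})),
]


@dataclass(frozen=True)
class Asset:
    kind: Target
    source: str  # assumption: "Endpoint" for assets seen by the agent, otherwise the Sensor name
    name: str


@dataclass
class Incident:
    incident_id: str
    assets: list


def view_for(incident):
    """Remediation when exactly one computer and no Sensor-sourced asset is involved;
    otherwise the Response tab (rules from 'Managing Remediation')."""
    computers = [a for a in incident.assets
                 if a.kind is Target.ENDPOINT and a.source == "Endpoint"]
    from_sensors = [a for a in incident.assets if a.source != "Endpoint"]
    return "Remediation" if len(computers) == 1 and not from_sensors else "Response"


def available_actions(incident, integrations):
    """Offer an action when one of its platforms is integrated (Endpoint Protection is
    always present) and the incident contains an asset of a matching target type."""
    enabled = set(integrations) | EP
    present = {a.kind for a in incident.assets}
    return [act for act in CATALOG if act.platforms & enabled and act.targets & present]


@dataclass(frozen=True)
class ExecutedAction:
    """Summary fields listed for the Executed section."""
    description: str
    result: str         # "successful" or "failed"
    action_type: str
    hosts: tuple
    response_type: str  # "endpoint" or "XDR Sensors"


def record_execution(action, assets, succeeded):
    response_type = "endpoint" if action.platforms == EP else "XDR Sensors"
    return ExecutedAction(
        description=f"{action.name} on {', '.join(a.name for a in assets)}",
        result="successful" if succeeded else "failed",
        action_type=action.name,
        hosts=tuple(a.name for a in assets),
        response_type=response_type,
    )


def needs_approval(action, preapproved):
    """MDR analysts may run pre-approved actions without waiting; anything else needs a decision."""
    return action.name not in preapproved


# Constructed sample incident: one endpoint with a suspicious process, plus a
# domain user reported by the Active Directory sensor.
SAMPLE = Incident("INC-0001", [
    Asset(Target.ENDPOINT, "Endpoint", "WS-042"),
    Asset(Target.PROCESS, "Endpoint", "proc-1234"),
    Asset(Target.USER, "Active Directory", "jdoe"),
])

if __name__ == "__main__":
    print(view_for(SAMPLE))
    for act in available_actions(SAMPLE, ["Active Directory"]):
        print(" -", act.name, "" if needs_approval(act, {"Kill Process"}) else "(pre-approved)")
```

Because the sample incident includes an asset reported by a Sensor, it lands in the Response tab, and the Active Directory actions only appear once that integration is listed; dropping it from `integrations` removes "Disable AD user" from the offer while the Endpoint Protection actions remain.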
Remote Connection
Remote Shell is compatible with Windows, Linux, and macOS. It establishes a remote connection to the endpoint involved in the incident so the administrator can run custom shell commands, either to remove the threat immediately or to collect data for further investigation. Once the connection is established, the administrator is logged in with 'root' privileges. All commands available in the terminal session are described on the GravityZone Support Center.

Bitdefender GravityZone Remote Connection allows security teams to act directly on the endpoint engaged in the incident.
Download/Upload File
When the remote shell connection is established, administrators can upload and download up to 20 files at one time, with an overall size of 256 MB. All files are encrypted in transit, at rest, and in use. Downloaded files are available in the Investigation Files Activity section for 24 hours, after which the archive is automatically removed.
Preapproved Actions for MDR Service
MDR analysts swiftly assess security incidents and take decisive actions to contain and mitigate the threat. Collaborating with the organization's internal stakeholders, they provide regular updates and guidance throughout the security event. The administrator defines which actions the MDR team may take without explicit approval on the Pre-approved Actions page, found under Service Management. During security incidents, the MDR team offers guidance and reports any pre-approved actions taken within the service level agreement. These pre-approved actions include tasks such as killing processes, isolating a host, and forcing a password reset on a compromised user account. The complete list of actions is described in the Managed Detection and Response article.

Through the Bitdefender MDR portal, organizations can easily configure Pre-Approved Actions.
Recommended Content
To learn more about the technologies included in the Response layer we recommend reading the next article Managed Detection & Response (MDR).