Proactive Hardening and Attack Surface Reduction (PHASR)
Overview
The Proactive Hardening and Attack Surface Reduction (PHASR) solution provides organizations with a detailed view of their internal attack surface, identifying areas where attack vectors could potentially be exploited. PHASR continuously monitors endpoint activities, learning typical user behaviors and system interactions. Once this learning phase completes, PHASR generates actionable recommendations to reduce the attack surface by addressing identified possible attack vectors.
The “attack surface” encompasses all possible points of entry that malicious actors could use to exploit attack vectors within the system. By maintaining a precise understanding of these entry points, organizations can preemptively mitigate risks, reducing the likelihood of unauthorized access and potential system compromise.
Eligibility
To use the feature, you must meet the following requirements:
Your company has a valid license key.
You have administrative privileges over the company's network.
You have access to the My company > Early access tab to select ASM Dashboard and enroll your company in the program.
Deploying PHASR
PHASR works as an extension of the Risk Management feature, which requires a BEST agent installed on your managed endpoints, and a policy applied to them that has the Risk Management feature enabled along with the PHASR feature.
Policies are used to enable and configure features on endpoints. Apply the following changes to the policy of your choice:
Log in to GravityZone Control Center.
Go to the Policies page from the left side menu.
You can either:
If this is a new policy, under Risk Management, enable and configure the feature.
While on the same page, make sure the PHASR toggle is enabled, and select the checkboxes for each activity type you would like to monitor.
Important
If you do not enable a specific activity type, PHASR will not gather any related data, and the associated widget will not display any data in the PHASR Dashboard.
Save your policy.
If you created a new policy, apply it on the endpoints where the feature is deployed:
Go to the Network page from the left side menu.
Select the endpoints you want to apply the policy to.
Click the Assign Policy button at the upper side of the table.
Select the policy you want to apply.
Click Finish.
Note
For more information, refer to this KB article.
If you have edited an existing policy, make sure it is applied to all endpoints where the feature is deployed.
This will ensure that the feature is enabled and configured to best suit your company's needs.
Exploring widgets
Data collected by PHASR is organized into categories, analyzed, and presented in relevant widgets. You can find these widgets on the Monitoring > ASM dashboard page.
This page provides a range of widgets that offer detailed insights into your company’s potential attack structure, identifying areas of exposure and enhancing visibility into possible attack vectors. It highlights easily actionable fixes and includes links to relevant information on users, endpoints, and processes, enabling more efficient and targeted mitigation efforts.
The feature makes use of the following widgets:
Attack surface exposure
This widget displays the percentage of the company's current attack surface exposure. It highlights the portion of potentially exploitable attack vectors, providing a clear measure of exposure risk. The objective is to reduce this percentage, thereby minimizing the company's vulnerability to potential threats.
Top recommendations by impact
This widget displays prioritized recommendations, categorized into two sections:
Global - You can apply a recommendation to restrict all processes from a category. This will apply to all identities.
Group - You can apply a recommendation to restrict a single process from a category. This will apply to all identities.
The recommendations are ranked by their potential impact on reducing attack surface exposure. Each recommendation shows the number of affected endpoints and users, helping to focus efforts where they will be most effective.
Hovering over a recommendation name reveals the full description, providing further details for informed decision-making.
Detected incidents for monitored activity types
This widget lists the total number of detected incidents associated with each activity type monitored by PHASR:
Tampering tools
Living Off the Land Binaries
Cryptominers
Hacktools
Remote admin tools
Each category indicates if monitored processes were involved in incidents. For a detailed list of related incidents, you can follow the links provided in each category. These links direct you to the Incidents page. Each activity type can have one of the following values:
No processes from this category involved in incidents
Processes from this category involved in incidents
Data gathering in progress
No data available
When you pivot to the Incidents page, the Target activity type column is not displayed by default. To view it, open the Settings panel and enable the PHASR categories option.
Hacktools
This widget categorizes user profiles in two groups, based on hacktool usage. For each recommendation related to hacktool usage, the widget displays the number of affected users and endpoints where the specified action is applicable.
Additionally, it highlights the anticipated impact of each recommendation on the overall risk surface, aiding in more precise risk management and effective mitigation strategies.
Tip
Hacktools are utilities that can be used to access, manipulate, or exploit systems and data. The PHASR widget for hacktools monitors user profiles for such tools, identifying users with recorded usage and offering recommendations to minimize risks associated with unauthorized access or misuse.
This widget displays data based on the phase of the data gathering process PHASR is currently in:
Data gathering phase - When PHASR is first enabled, it will start actively gathering data from user profiles to establish patterns and detect potentially exploitable attack vectors. During this time, this widget displays a pie chart to illustrate phase progress.
Monitoring phase - When data has been gathered for all users, the widget shows a final pie chart summarizing the total number of users with hacktool usage versus those without, providing a comprehensive view of hacktool exposure across the organization, along with a list of recommendations that have still not been implemented.
Hybrid phase - If during the monitoring phase new users are detected, monitoring will start for those users, while keeping data from existing users.
Previous recommendations remain visible, while the progress of analyzing new user data is displayed on the pie chart. This allows you to view actionable insights while the widget continues to learn about new users.
After gathering data for the new users, the widget will return to the monitoring phase.
Hovering over a recommendation name reveals the full description, providing further details for informed decision-making.
Miners
This widget monitors user profiles and organizes them based on the detection of cryptocurrency mining tools or activities within the organization’s environment. It provides insights into users with recorded mining activity, users with no recorded activity, and recommendations for reducing exposure to unauthorized or potentially harmful mining operations.
Tip
Miners are software tools used for cryptocurrency mining, often consuming significant system resources and posing potential security risks if unauthorized. The PHASR widget for miners identifies user profiles engaged in mining activities, helping organizations monitor resource usage and reduce exposure through tailored recommendations.
This widget displays data based on the phase of the data gathering process PHASR is currently in:
Data gathering phase – When PHASR is first enabled, the widget begins actively collecting data from user profiles to establish patterns and detect any mining-related activities that could exploit system resources. During this time, this widget displays a pie chart to illustrate phase progress.
Monitoring phase – When data has been gathered for all users, the widget displays a final pie chart summarizing the total number of users with mining activity versus those without. This phase also includes a list of recommendations that have not yet been implemented, providing a comprehensive view of mining exposure across the organization.
Hybrid phase – If during the monitoring phase new users are detected, monitoring will start for those users, while keeping data from existing users.
Previous recommendations remain visible, while the pie chart updates to show the progress of analyzing these new user profiles. This hybrid phase allows actionable insights from existing data to remain available as PHASR continues monitoring and assessing any new mining-related activity.
After gathering data for the new users, the widget will return to the monitoring phase.
Hovering over a recommendation name reveals the full description, providing further details for informed decision-making.
Remote admin tools
This widget monitors user profiles and categorizes them based on the detection of remote administration tools (RATs) within the organization. It provides insights into users with recorded usage of remote admin tools, users with no recorded usage, and recommendations to manage or mitigate any potential risks associated with these tools.
Tip
Remote administration tools (RATs) provide remote access to systems for management or support, but can be exploited if misused. The PHASR widget monitors for RAT usage across user profiles, distinguishing between authorized and potentially risky activities, and provides actionable insights to secure remote access points.
This widget displays data based on the phase of the data gathering process PHASR is currently in:
Data gathering phase – When PHASR is first enabled, the widget begins actively collecting data from user profiles to establish patterns and detect any remote admin tool usage that could pose a security risk if misused. During this time, this widget displays a pie chart to illustrate phase progress.
Monitoring phase – When data has been gathered for all users, the widget displays a final pie chart summarizing the total number of users with remote admin tool usage versus those without. This state also includes a list of recommendations that have not been implemented yet, providing a comprehensive view of remote admin tool exposure across the organization.
Hybrid phase – If during the monitoring phase new users are detected, monitoring will start for those users, while keeping data from existing users.
Previous recommendations remain visible, while the pie chart updates to show the progress of analyzing these new user profiles. This hybrid state allows actionable insights from existing data to remain available as PHASR continues monitoring and assessing any new remote admin tool activity.
After gathering data for the new users, the widget will return to the monitoring phase.
Hovering over a recommendation name reveals the full description, providing further details for informed decision-making.
Tampering tools
This widget monitors user profiles and categorizes them based on the detection of tampering tools within the organization. It provides insights into users with recorded usage of tampering tools, users with no recorded usage, and recommendations to mitigate risks associated with these tools and maintain system integrity.
Tip
Tampering tools are used to alter or bypass system protections, which can compromise security and data integrity. The PHASR widget for tampering tools detects such activities within user profiles, highlighting potential threats and providing recommendations to maintain system integrity.
This widget displays data based on the phase of the data gathering process PHASR is currently in:
Data gathering phase – When PHASR is first enabled, the widget begins actively collecting data from user profiles to establish patterns and detect any tampering tool usage that could compromise system security or integrity. During this time, this widget displays a pie chart to illustrate phase progress.
Monitoring phase – When data has been gathered for all users, the widget displays a final pie chart summarizing the total number of users with tampering tool usage versus those without. This phase also includes a list of any outstanding recommendations that have not been implemented yet, providing a comprehensive view of tampering tool exposure across the organization.
Hybrid phase – If during the monitoring phase new users are detected, monitoring will start for those users, while keeping data from existing users.
Previous recommendations remain visible, while the pie chart updates to show the progress of analyzing these new user profiles. This hybrid phase allows actionable insights from existing data to remain available as PHASR continues monitoring and assessing any new tampering tool activity.
After gathering data for the new users, the widget will return to the monitoring phase.
Hovering over a recommendation name reveals the full description, providing further details for informed decision-making.
Living Off the Land Binaries
This widget monitors user profiles and categorizes them based on the detection of Living Off the Land Binaries (LOLBins) within the organization. It provides insights into users with recorded usage of these binaries, users with no recorded usage, and recommendations to minimize risks associated with the use of system-native tools that can be exploited for malicious purposes.
Tip
LOLBins are legitimate system binaries that can be repurposed for malicious actions, allowing attackers to evade detection. The PHASR widget monitors for LOLBins usage across user profiles, identifying instances where these binaries might be exploited, and offering strategies to reduce risk while maintaining necessary system functionality.
This widget displays data based on the phase of the data gathering process PHASR is currently in:
Data gathering phase – When PHASR is first enabled, the widget begins actively collecting data from user profiles to establish patterns and detect any usage of LOLBins that could be exploited for unauthorized actions. During this time, this widget displays a pie chart to illustrate phase progress.
Monitoring phase – When data has been gathered for all users, the widget displays a final pie chart summarizing the total number of users with LOLBins usage versus those without. This phase also includes a list of any outstanding recommendations that have not been implemented yet, providing a comprehensive view of LOLBins exposure across the organization.
Hybrid phase – If during the monitoring phase new users are detected, monitoring will start for those users, while keeping data from existing users.
Previous recommendations remain visible, while the pie chart updates to show the progress of analyzing these new user profiles. This hybrid phase allows actionable insights from existing data to remain available as PHASR continues monitoring and assessing any new LOLBins activity.
After gathering data for the new users, the widget will return to the monitoring phase.
Hovering over a recommendation name reveals the full description, providing further details for informed decision-making.
Customizing the dashboard
The ASM Dashboard is fully customizable, allowing you to move and resize widgets, and choose the widgets to be displayed.
Moving widgets
To move a widget, use the drag handle button on the upper right side of the widget to drag it, then drop it where you want it.
Resizing widgets
To resize a widget, click the resize button on the lower right side of the widget, and drag it until it reaches the size you want.
Working with smart views
This feature allows you to customize, save, and switch between different loadouts of the page.
The panel has the following sections:
Search views - Use this search field to filter the existing views by name.
Saved - This section displays a list of all your saved views that have not been marked as favorites.
Favorites - All views marked as favorites are displayed under this section.
Defaults - This section displays the views that are available by default.
Submitting feedback
Let us know your thoughts by using the Feedback button available in the upper right corner of the Health Dashboard page. You can also use the feedback dialog form if you opt out of the program. We eagerly await and value your input on this feature.