Introducing Proactive Hardening and Attack Surface Reduction (PHASR)
April 29, 2025
Attackers frequently gain initial access through compromised credentials or unmanaged devices, essentially 'logging in' rather than 'breaking in.' Once inside, relying on playbooks, they prioritize stealth, using Living off the Land (LOTL) tactics, which mask malicious activities as normal system operations.
To proactively identify and close attack entry points, effectively combating Living off the Land (LOTL) attacks, Bitdefender released Proactive Hardening and Attack Surface Reduction (PHASR) on April 23rd.
In this article, we detail PHASR's functionality and its role in LOTL attack mitigation.
PHASR Overview
PHASR is a revolutionary technology that proactively analyzes user and application behavior, comparing it against known threat actor playbooks to not only detect, but also prevent malicious activities. Unlike static policy-based systems that require constant manual updates, PHASR actively blocks suspicious actions, stopping attacks before they start.
PHASR learns and adapts to your environment through a 20 to 60 day learning phase, depending on the monitored application. However, for GravityZone EDR and XDR customers the learning is accelerated, enabling PHASR immediate use.
During the learning phase, PHASR not only creates but also continuously adapts unique behavioral profiles for each machine-user combination, establishing a dynamic baseline of normal activity for precise threat detection. Through self-learning algorithms, PHASR continuously adapts to new user behaviors. For instance, a privileged user will have one profile for their regular workstation activities and another separate profile for their server administration tasks.
PHASR offers flexibility with two operational modes: Autopilot, for automated management of restrictions, or Direct Control mode, providing your security teams with actionable recommendations for granular review and precise execution. You can specify which operational mode is assigned to monitored activity types described below.
PHASR monitors processes within five key activity types, each representing common attack vectors:
- Living off the land binaries – tools, such as PowerShell.exe, WMIC.exe, and Ftp.exe, are pre-installed within an operating system for administrative and operational purposes. Attackers abuse these tools to perform malicious activities and blend them with normal system activity, allowing for stealthy lateral movement and data exfiltration.
- Tampering tools – tools, such as procexp.exe, vmmap.exe, and LiveKd.exe, are utilities used to modify software applications. Attackers leverage these tools to bypass security controls, enabling them to disable security measures.
- Piracy tools - software piracy tools such as keygen and crack are used to bypass software licensing and activation.
- Miners – tools such as PhoenixMiner, XMRig, and CCMiner, use a computer's processing power to generate cryptocurrency. Attackers abuse these tools for cryptojacking through unauthorized installation on the victim's system, allowing for unauthorized resource usage and financial gain.
- Remote admin tools - often used for legitimate systems management, these enable remote access and control of computer systems. Attackers use these tools to gain unauthorized access, deploy malware, and facilitate remote control and data theft.
PHASR Interface
PHASR Dashboard, located within the GravityZone Platform under Monitoring > ASM dashboard, provides a centralized view of your attack surface, enabling you to quickly assess risk and prioritize mitigation efforts. It allows you to pivot and view detailed information about key metrics such as Attack surface exposure, top recommendations by impact, and detected incidents for monitored attack vector categories.
PHASR's Recommendation located within the GravityZone Platform under Risk Management, provides a centralized view of your attack surface, enabling you to quickly assess risk and prioritize mitigation efforts. It allows you not only to take action but also to view detailed information about key metrics such as attack surface reduction score, targeted activity type, monitored rules, behavioral profiles, and actions already taken.
For teams that require granular control, PHASR displays the monitored rules directly within GravityZone. This allows you to directly control the recommendations PHASR generates for your specific environment and security requirements, ensuring optimal protection. You can access PHASR monitored rules (300+ rules) used in Direct Control mode directly from GravityZone within the PHASR monitored rules section, for a broad rule management. Another option is to click on the rule name in the PHASR recommendations section, for a contextual rule edit.
PHASR in action
Imagine an employee who needs temporary access to PowerShell for a specific task. An administrator grants this access but forgets to revoke it later. PHASR would detect the user's lack of PowerShell activity and recommend revoking access, preemptively eliminating a potential attack vector. For administrators, directly blocking PowerShell is not an option; you may want to block specific actions within it.
PHASR provides granular blocking strategies, including standard application blocking, which restricts entire applications like Process Explorer and PowerShell, and action-level blocking, which focuses on specific malicious behaviors within applications, such as using PowerShell for downloading. PHASR uses learned behavioral profiles to inform these blocking decisions, ensuring that legitimate user activity is not disrupted. Depending on the chosen operation mode, PHASR will either automatically apply policies restrictions or provide a prioritized list of recommendations for manual review and action. By providing both automated and manual options, PHASR offers flexibility and granular control, effectively reducing attack surfaces by targeting anomalies specific to your environment.
Summary
PHASR significantly enhances proactive security, transitioning from reactive to proactive defense by delivering attack surface reduction and proactive prevention of Living off the Land (LOTL) and targeted attacks. Through behavioral analysis and action-level blocking, PHASR empowers your security team to effectively mitigate risks with minimal disruption, ultimately reducing alert fatigue by focusing on anomalies and minimizing unnecessary notifications.
For general information about PHASR and its benefits, please visit the official Bitdefender GravityZone PHASR page, here.
For a more in-depth technical understanding of PHASR's capabilities, please visit our Bitdefender TechZone, here.
tags
Author
Grzegorz Nocon is a graduate of the Faculty of Physics at the University of Silesia. With over 16 years of experience in the IT industry, he currently works as a Technical Marketing Engineer at Bitdefender. A strong supporter of a holistic approach to security and passionate about solving security problems in a comprehensive and integrated way. Outside of work, an avid CrossFit enthusiast and a lover of fantasy literature.
View all postsRight now Top posts
FOLLOW US ON SOCIAL MEDIA
SUBSCRIBE TO OUR NEWSLETTER
Don’t miss out on exclusive content and exciting announcements!
You might also like
Bookmarks
