Live Scan

Use Live Scan to analyze a specific website in real time and retrieve information associated with it to identify potential attack vectors and vulnerabilities in the website.

With the information from Live Scan, users can:

  • Protect networks
  • Prevent phishing
  • Address potential impersonation threats
  • Block malware distribution threats

How it works

To retrieve actionable intelligence, Live Scan uses the following methods:

  • Scanning: Use public URLs to perform scans, simulating how a user might interact with the website.
  • Emulation: Choose from emulation options to simulate different user experiences, for example, browser type or region.
  • Data Analysis: Retrieve detailed information, including a live screenshot of the scanned URL, which can be used for further analysis and threat identification.

Actionable intelligence

Use Live Scan to search for a single URL and retrieve the following actionable intelligence about it:

  • URL Redirection Chains: Intermediate sites within the URL path that often reveal malicious redirect layers.
  • Domain and IP Risk Scores: Risk levels for the domain and the IP that are associated with the URL.
  • SSL and Favicon Analysis: SSL certificates and favicons, which are common indicators of a site’s legitimacy.
  • HTML Content and Page Layout Hashes: Web page structure and content hashes to detect impersonations, clones, or similar phishing sites.

Benefits of Live Scan

Gain valuable and actionable intelligence about potential threats to:

  • Identify Risks Early: Detect malicious or compromised URLs and protect users before threats spread.
  • Streamline Incident Response: Use real-time information that supports a faster investigation and the containment of phishing and malware incidents.
  • Enhance Security Posture: Block high-risk URLs or take preventive measures to minimize the exposure of your teams to malicious domains and impersonation sites.

Features

Use the following features to identify and investigate:

  • Active Scanning: Investigate a live URL in real time. This means it doesn't just analyze static content; it checks for potential threats as the website is being accessed.
  • Data Enrichment: Retrieve information from more than 90 categories about the URL to gain deeper insights into its activity.
  • Early Detection Feed Integration: Integrate with Silent Push's Early Detection Feeds to store and manage the collected information for further analysis and threat hunting.
  • Redirect Chain Analysis: Identify hidden redirect layers that are frequently used in phishing and malware distribution tactics.
  • SSL Certificate and Favicon Monitoring: Confirm the legitimacy of certificates and favicons to spot phishing and impersonation risks.
  • Content and Layout Hashing: Compare page content and design against known phishing sites to help identify cloned or impersonated sites.
  • Risk Scores for Domains and IPs: Prioritize URLs based on associated risk to streamline triage and resource allocation.
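The content and layout hashing described under Actionable intelligence and Features works by hashing a page's structure separately from its visible text. The following is an added example, not Silent Push's own implementation or code from this page: it derives both hashes from constructed sample pages and flags the one that reuses a legitimate login template with different text and a different form target. All page contents and the `assess` labels are assumptions made for the illustration.

```python
import hashlib
import re
from html.parser import HTMLParser


class _Skeleton(HTMLParser):
    """Records only the tag sequence of a page; text, attributes and URLs are dropped."""

    def __init__(self):
        super().__init__()
        self.tags = []

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)

    def handle_endtag(self, tag):
        self.tags.append("/" + tag)


def layout_hash(html: str) -> str:
    """Hash of the page structure; identical for pages built from the same template."""
    parser = _Skeleton()
    parser.feed(html)
    return hashlib.sha256(" ".join(parser.tags).encode()).hexdigest()


def content_hash(html: str) -> str:
    """Hash of the visible text, normalised so whitespace and case do not matter."""
    text = re.sub(r"<[^>]+>", " ", html)
    text = re.sub(r"\s+", " ", text).strip().lower()
    return hashlib.sha256(text.encode()).hexdigest()


def assess(html: str, reference_html: str) -> str:
    """Compare a scanned page against a known legitimate page (labels are assumed)."""
    if content_hash(html) == content_hash(reference_html):
        return "identical-content"   # same text: a mirror or the legitimate site itself
    if layout_hash(html) == layout_hash(reference_html):
        return "possible-clone"      # same template, different text or links
    return "unrelated"


# Constructed sample pages (not real sites). The clone reuses the legitimate
# login template but swaps the brand name and the form target.
LEGIT = "<html><body><h1>Example Bank</h1><form action='/login'><input name='u'><input name='p'></form></body></html>"
CLONE = "<html><body><h1>Examp1e Bank</h1><form action='http://lookalike.invalid/login'><input name='u'><input name='p'></form></body></html>"
OTHER = "<html><body><p>Weather today</p><table><tr><td>Sunny</td></tr></table></body></html>"

if __name__ == "__main__":
    for name, page in (("CLONE", CLONE), ("OTHER", OTHER)):
        print(name, assess(page, LEGIT))
```

A real deployment would compare against a store of hashes from previously confirmed phishing kits as well as from the legitimate site, so that a template match against a known kit is flagged even when no reference page exists.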

Users and their reasons for use

  • Security Operations Center (SOC) Analysts: To track and assess URL-based threats and monitor for phishing, spoofing, and impersonation attacks.
  • Incident Response (IR) Teams: To investigate and remediate suspicious URLs in active security incidents, leveraging real-time insights for swift resolution.
  • Threat Intelligence Analysts: To map and investigate broader threat actor infrastructure by pivoting on identified malicious domains or IPs.

Use case examples

To understand how specific users benefit from our platform's Live Scan feature, refer to the following use cases:

Security Operations Center (SOC)

Scenario: A SOC team receives an alert about a suspicious email containing a potentially malicious link.

  • Action: SOC analysts use Live Scan to check the link, examining redirect chains, SSL data, and associated risk scores to identify potential impersonation or phishing elements.
  • Capabilities: Analysts can use the pivot feature in Live Scan to explore connected domains and IPs, building a more comprehensive picture of the threat.
  • Outcome: The SOC team blocks the URL, mitigating the threat and protecting users from phishing attempts while maintaining visibility on similar domains.

Incident Responder (IR)

Scenario: An IR team assesses the scope of a recent breach to understand methods used by threat actors and prevent future incidents.

  • Action: The IR team uses Live Scan to examine URLs and domains that were involved in the attack to track redirect chains and SSL data.
  • Capabilities: Responders can use the pivot feature in Live Scan to map attacker infrastructure by tracing related IPs and domains.
  • Outcome: The IR team compiles an incident report on attack vectors and tactics that enhances their future response plans and preventative measures.

Threat Intelligence Analyst

Scenario: A threat analyst aims to anticipate potential attacks and develop proactive defenses.

  • Action: The analyst uses Live Scan to examine attacker infrastructure and behavior to identify potential attack vectors based on related domains and IPs.
  • Capabilities: An analyst can use the insights in Live Scan to support predictive modeling by mapping attacker techniques and infrastructure connections, which helps to identify emerging threats.
  • Outcome: The team builds a proactive threat model that enhances defenses and reduces exposure to future attacks.