Thank you for choosing to evaluate the Threat Stack Cloud Security Platform.
Before you Start -
By this time, you should have received access to the Threat Stack application. If not, contact firstname.lastname@example.org.
Threat Stack gives deep visibility into user, process, network, and file activities on the host, so we recommend installing the agent on a high-traffic host such as a jump host. Alternatively, you can install the agent on a test host that you can throw away.
Installation, Configuration etc -
We put together a Quick Start Guide for you. Of course, you can also use Chef, Puppet, Ansible, or Salt, or install manually using the available package manager. This is where the Threat Stack platform shines: you do not have to do anything other than install the agent, and no reboot is required. The agent will start up, be added to the built-in Base Rule Set by default, and you will start to see alerts almost immediately.
Summarizing Your Findings to the Team -
We've created an evaluation document based on some of the common and popular use cases which will allow you to easily summarize your findings to your team. Feel free to copy it, use it for your evaluation, and share it with your team and the SE assigned to you (so we can review along with you). Reach out to the assigned SE or email@example.com if you have any further questions.
Now let’s jump right into the evaluation. It only takes a few minutes.
Step 1 (Host - Testing time approximately 10 minutes)
Log into the host as a regular user and execute a few commands, including a few which require privileged access. A few examples:
- scp a file back and forth from the host
- Change permissions of a file on the host
- Commands which require privilege escalations
  1. sudo tcpdump
  2. sudo chown ubuntu /home
  3. sudo apt-get install htop (or package of your choice)
- Perform some login failures for SSH or sudo
- Imitate the behavior of malware
  1. Install a kernel module to imitate the exploit/rootkit phase
  2. Ping or wget to a known malicious host (e.g., ping 22.214.171.124 or 126.96.36.199) to imitate command and control
  3. Download and execute some shell scripts out of the /tmp directory
What You Will See
Click on Alerts in the left menu panel. You will see alerts for each of the actions above, organized into 3 severities:
- Severity 1: Critical alert (Inform me immediately)
- Severity 2: Warn alert (Reviewed every other day or weekly)
- Severity 3: Log (Reviewed every month)
Step 2 (Alert Notification Configuration):
- Set up to receive email for alerts (Settings -> General Settings -> Receive email for Sev 1 or Sev 2)
- Set up to receive daily reports (Settings -> General Settings -> Receive daily alert report)
Step 3 (Infrastructure - Testing time approximately 10 minutes):
Follow the setup instructions here to configure CloudTrail events into the system, as well as AWS Configuration Audit.
To confirm which CloudTrail events are arriving, go to the Events page and type event_type = "cloudtrail"; you will see the events. Let it record what your infrastructure and dev folks are doing. You may also want to add and delete some IAM users and stop and start CloudTrail.
What You Will See
We have already done the hard work for you. We scouted through each AWS service and created alerts for events that fall into the severity levels listed above.
Just click on Alerts and then the CloudTrail tab, and you will see the CloudTrail alerts neatly organized into various severities.
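To confirm independently that the Step 3 test actions reached CloudTrail, the following added example (not part of Threat Stack's guide or product) scans a CloudTrail log file for them and measures how long logging was stopped. The severity mapping, the sample records, and the names eval-admin, ts-eval-user and eval-trail are assumptions made for this example.

```python
import json
from datetime import datetime

# Hypothetical severity mapping for this example only (not Threat Stack's rules).
SEVERITY = {
    ("cloudtrail.amazonaws.com", "StopLogging"): 1,
    ("iam.amazonaws.com", "CreateUser"): 2,
    ("iam.amazonaws.com", "DeleteUser"): 2,
    ("cloudtrail.amazonaws.com", "StartLogging"): 3,
}

def _rec(when, source, name, params, actor="eval-admin"):
    return {"eventTime": when, "eventSource": source, "eventName": name,
            "userIdentity": {"userName": actor}, "requestParameters": params}

# Constructed sample in the CloudTrail log-file layout ({"Records": [...]});
# all names and timestamps are made up for this example.
SAMPLE_LOG = json.dumps({"Records": [
    _rec("2024-01-01T10:00:00Z", "iam.amazonaws.com", "CreateUser", {"userName": "ts-eval-user"}),
    _rec("2024-01-01T10:01:00Z", "ec2.amazonaws.com", "DescribeInstances", None),
    _rec("2024-01-01T10:02:00Z", "cloudtrail.amazonaws.com", "StopLogging", {"name": "eval-trail"}),
    _rec("2024-01-01T10:07:30Z", "cloudtrail.amazonaws.com", "StartLogging", {"name": "eval-trail"}),
    _rec("2024-01-01T10:09:00Z", "iam.amazonaws.com", "DeleteUser", {"userName": "ts-eval-user"}),
]})

def _ts(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")

def review(log_text):
    """Return (findings sorted by severity, expected actions not seen, seconds stopped per trail)."""
    findings, stopped, gaps = [], {}, {}
    for rec in sorted(json.loads(log_text)["Records"], key=lambda r: r["eventTime"]):
        key = (rec["eventSource"], rec["eventName"])
        if key not in SEVERITY:
            continue  # not one of the Step 3 test actions
        actor = rec.get("userIdentity", {}).get("userName", "unknown")
        findings.append((SEVERITY[key], rec["eventName"], actor, rec["eventTime"]))
        trail = (rec.get("requestParameters") or {}).get("name")
        if rec["eventName"] == "StopLogging":
            stopped[trail] = _ts(rec["eventTime"])
        elif rec["eventName"] == "StartLogging" and trail in stopped:
            gaps[trail] = (_ts(rec["eventTime"]) - stopped.pop(trail)).total_seconds()
    for trail in stopped:
        gaps[trail] = None  # stopped and never restarted within this file
    seen = {f[1] for f in findings}
    missing = sorted(name for _, name in SEVERITY if name not in seen)
    return sorted(findings), missing, gaps

if __name__ == "__main__":
    print(review(SAMPLE_LOG))
```

A trail whose gap is `None` was stopped and not restarted within the file being reviewed.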
Step 4 (Alert Workflow - Up to 30 mins)
Review the alert reports and email notifications. Dig a bit deeper into the use cases.
- Review alerts and acknowledge: Become familiar with the workflow of how you would actually use Threat Stack.
- Become familiar with the Alerts page tabs. Additionally, you can use the search box at the top of the page to search for a specific alert, perhaps for a specific user you know logged in to the host yesterday.
- Select specific alerts to dismiss. These will be alerts that are based on normal and expected user, process, network and/or file activities.