Welcome to Threat Stack!
Thank you for choosing to evaluate the Threat Stack Cloud Security Platform.
By this time, you should have received access to Threat Stack application. If not contact the Sales Team.
Threat Stack gives in depth visibility into user, process, network, and file activities on the host, so we recommend installing the agent on a high-traffic host such as a jump host. Alternately, you can install the agent on a test host that you can throw away.
Install & Configure
We have many methods to help you get started using the Threat Stack Agent including:
Evaluate the Product
We recognize that selecting a cloud security vender is difficult, to ease this we created an Evaluation Document. This is a google document that you can copy, fill out, to help you summarize findings for your team.
Log into the host as a regular user and execute a few commands, including a few which require privileged access. Try triggering an alert by:
- scp a file back and forth from the host
- Change permissions of a file on the host
- Perform some login failures for SSH or sudo
- Commands which require privilege escalations:
- sudo tcpdump
- sudo chown ubuntu /home
- sudo apt-get install htop (or package of your choice)
- Install a kernel module to imitate the exploit/rootkit phase
- Ping or wget to a known malicious host (e.g. - ping 126.96.36.199 or 188.8.131.52) to imitate command and control
- Download and execute some shell scrips out of /tmp directory
Click on Alerts on the left menu. You will see alerts for each of the actions above, organized into 3 severities:
- Severity 1: Critical alert (inform me immediately)
- Severity 2: Warn alert (review every other day or weekly)
- Severity 3: Log (review every month)
Alert Notification Configuration
You can set up to receive email for alerts and receive daily reports.
Next follow the setup instructions to configure CloudTrail events and AWS Configuration Audit.
To confirm that Cloud Trail events are triggering in Threat Stack, go to Events page and enter
event_type = "cloudtrail" into the search field. You should see CloudTrial events display. You can record what your infrastructure and software teams are doing. To trigger other CloudTrial events, try adding and deleting some IAM users and stop and start CloudTrail.
Threat Stack did the hard work for you. We scouted through each AWS service and created alerts for events that fall into the severity levels listed above. You can verify this by navigating to the CloudTrial tab on the Alerts page. You will see the CloudTrail alerts neatly organized into various severities.
At this point we recommend, that you review the alerts reports and the email notifications.
Alert management is where Threat Stack can help you shine. You can search for a specific alert, perhaps for a specific user you know who has logged in yesterday on the host using the search box at the top of the page.
You can also select specific alerts to dismiss or suppress. These will be alerts that are based on normal and expected user, process, network, or file activities.
If you want more information about other use cases that Threat Stack can help you with, review the Base Rule Set Use Case article.