Threat Stack Trial Guide

Welcome to Threat Stack!

Thank you for choosing to evaluate the Threat Stack Cloud Security Platform.

By this time you should have received access to the Threat Stack application. If not, contact the Sales Team.

Introduction

Threat Stack gives in-depth visibility into user, process, network, and file activity on the host, so we recommend installing the agent on a high-traffic host such as a jump host. Alternatively, you can install the agent on a disposable test host.

Install & Configure

We have many methods to help you get started with the Threat Stack Agent, including:

Evaluate the Product

We recognize that selecting a cloud security vendor is difficult. To make this easier, we created an Evaluation Document: a Google document that you can copy and fill out to summarize your findings for your team.


Host Testing

Log into the host as a regular user and execute a few commands, including a few that require privileged access. Try triggering an alert by:

  • scp a file to and from the host
  • Changing the permissions of a file on the host
  • Producing some login failures for SSH or sudo
  • Running commands that require privilege escalation:
    1. sudo tcpdump
    2. sudo chown ubuntu /home
    3. sudo apt-get install htop (or a package of your choice)
  • Imitating the behavior of malware:
    1. Install a kernel module to imitate the exploit/rootkit phase
    2. Ping or wget a known malicious host (e.g. ping 222.186.56.102 or 222.186.56.45) to imitate command and control
    3. Download and execute some shell scripts out of the /tmp directory
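When comparing what the agent reported against what you actually did, it helps to timestamp each test action. The script below is an added example, not part of this guide or the Threat Stack product: it runs the unprivileged, benign steps from the list above (change a file's permissions, execute a script out of /tmp) and writes a UTC timeline to a log file, so each alert in the console can be matched to the step that caused it. The log path and marker text are assumptions; the privileged and malware-imitation steps are left to the tester.

```shell
#!/bin/sh
# Added example (not Threat Stack's own code): run the benign host tests
# and keep a UTC timeline so alerts can be correlated with test actions.

TS_LOG="${TS_LOG:-/tmp/threatstack-trial-timeline.log}"   # assumed log path

record() {
    # Append "UTC time | action" to the timeline log
    printf '%s | %s\n' "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$1" >> "$TS_LOG"
}

# File-activity test: change the permissions of a file on the host
test_file_permissions() {
    f=$(mktemp /tmp/ts-perm.XXXXXX) || return 1
    chmod 600 "$f" && record "chmod 600 $f"
    chmod 644 "$f" && record "chmod 644 $f"
    rm -f "$f"
}

# Process-activity test: execute a script out of /tmp (benign payload)
test_tmp_script() {
    s=$(mktemp /tmp/ts-run.XXXXXX) || return 1
    printf '#!/bin/sh\necho "threat-stack trial marker"\n' > "$s"
    chmod +x "$s"
    out=$("$s") || return 1
    record "executed $s"
    rm -f "$s"
    [ "$out" = "threat-stack trial marker" ]
}

# Number of recorded actions, to check the timeline after a run
timeline_count() {
    if [ -f "$TS_LOG" ]; then
        wc -l < "$TS_LOG" | tr -d ' '
    else
        echo 0
    fi
}

# Start a fresh timeline and run the benign tests in order
run_host_tests() {
    rm -f "$TS_LOG"
    test_file_permissions && test_tmp_script
}
```

After running `run_host_tests`, open Alerts in the console and compare each alert's time against the lines in the timeline log.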

Results

Click on Alerts on the left menu. You will see alerts for each of the actions above, organized into 3 severities:

  • Severity 1: Critical alert (inform me immediately)
  • Severity 2: Warn alert (review every other day or weekly)
  • Severity 3: Log (review every month)