Threat Stack Intrusion Detection System

Introduction

This article will review some of the more technical aspects of Threat Stack. Threat Stack is a platform-independent intrusion detection system (IDS) designed to provide users with a unique view into various integrated server security functions. It monitors both Linux and Windows servers as well as Kubernetes or other container-based server infrastructures to observe behaviors and detect malicious, uncommon, and risky activity.

It is advantageous in many situations where Alert Logic may not be a good fit.

What is Threat Stack?

Threat Stack is a real-time, agent-based IDS for modern Linux and Windows Servers. The Threat Stack agent is designed to send event data for the user, process, network, and file behaviors to the Threat Stack Platform. Within the Threat Stack Platform, events are reviewed, processed, and compared against Rule Sets comprised of security detections that trigger alerts for review. The Threat Stack Security Operations Center (SOC), which operates 24/7/365, will triage high severity alerts, investigate the alerts, and then escalate to Liquid Web Support, who actively addresses the issue. Should proactive mitigation steps need to be taken on the server, we immediately notify the client to ensure a solution is provided while keeping the client informed of its progress.

Threat Stack operates via a monitoring agent installed by Liquid Web. Threat Stack actively monitors the following concerns:

• User logins/login attempts.
• Suspicious commands.
• Network connections.
• File access and modification.
• Privilege escalations.
• New processes and kernel modules.

It is implemented on servers where clients are looking to bolster server security, add increased visibility into suspect processes, and add real-time security monitoring for customers who also desire an IDS for HIPAA or PCI compliance.

Systems Integration

Threat Stack can be installed on the following Liquid Web server platforms:

• VPS Servers
• Dedicated Servers
• Cloud Dedicated Servers
• VMware Servers

Requirements

Threat Stack can be installed on the following operating systems.

Rulesets

Typically, Threat Stack security rules are broken down into three tiers. These tiers define the severity of the issue and the appropriate effort that is taken in response.

SEV 1 - Critical

A severity level one notification indicates a possible root-level server compromise. A noted process(s) is identified as being executed within the /tmp or /dev/shm folders or other known possible root compromise locations. These types of alerts will result in an immediate investigation, and if warranted, an administrator will open a ticket immediately with the client.

SEV 2 - Suspicious

A severity level two notification indicates questionable processes running as the root user. Suppose a service on the server runs a shell, or if a new user is created or other types of user privilege escalation, these alerts are logged. We may open a ticket with the client depending on the level of activity or active suppression.

SEV 3 - Logged

A severity level three notification implies that a suspect command-line tool (like wget or netstat) has been downloaded or used, a user has logged in from a LAN, or other odd GNU Compiler Collection (GCC) activity is seen. These alert types are logged for potential use during forensic analysis, but a ticket is not explicitly created for this activity type.

Additionally, if a security issue is found to be a false positive, it is whitelisted globally to prevent further false positives. Our version of Threat Stack does not include on-demand vulnerability scanning. However, because Threat Stack performs in real-time and continuously monitors your server, it immediately flags suspicious activity. A manual investigation is promptly started when a threat is detected, and appropriate remediation steps begin immediately. Clients are continually updated throughout the process. If desired, clients can purchase on-demand vulnerability and malware scans separately.

Verification

Agent Process

A client can verify that the Threat Stack agent is running using the following command in the terminal.

[root@host ~]# tsagent status
 UP Threat Stack Agent Daemon
 UP Threat Stack Backend Connection
 UP Threat Stack Heartbeat Service
 UP Threat Stack Login Collector
 UP Threat Stack Audit Collection
 UP Threat Stack Log Scan Service
 UP Threat Stack Vulnerability Scanner
 UP Threat Stack File Integrity Monitor

Confirmation Check

To verify the last time the agent completed a check-in, we can use the Threat Stack command-line tool and run the following command.

[root@host ~]# tsagent info
LastBackendConnection: 2021-03-05T21:09:37Z
ClientConfig:
ID: 5f735f85c137554511ca3a51-19beebd0-6fd2-11eb-9997-a11e888adf040001020304050607
Key: 5f735f85c137554511ca3a51-19beebd0-6fd2-11eb-9997-a11e888adf04
Protocol: ALv2
Backend: wss://cssensors.threatstack.com

Process Manipulation

If the agent needs to be started, stopped, or restarted, we can again use the Threat Stack command-line tool. Running any of the following commands will accomplish this task.

[root@host ~]# tsagent stop
[root@host ~]# tsagent start
[root@host ~]# tsagent restart

Threat Stack Advantages

Threat Stack offers multiple benefits to small and medium-sized businesses.

• Real-time detection from intrusion attempts on a server.
• Robust security that provides proactive, reactive, and interactive based responses to immediate server threats.
• Escalated analysis to Liquid Web from its dedicated Security Operations Center.
• Cost-conscious consumers are provided a genuinely competitive price point while delivering world-class protection similar to other higher-proceed alternatives.
• Intangible cost savings are realized via reduced timeframes spent investigating false positives, increased vigilance without the additional time investment, and it prevents costly business interruptions.
• Peace of mind in knowing that a fully managed product is hard at work protecting you all day, every day.

Threat Stack Disadvantages

• Despite all the advantages that Threat Stack offers, a few drawbacks may deter some clients from choosing this product.
• Server Agent Requirement: An agent must be installed on every server, which may be troublesome for clients with a larger clustered footprint as an agent only encompasses one server at a time.
• Additional Processes Increase Load: While the addition of a single agent process should not significantly impact server load, owners of heavily utilized servers must be aware of all resource usage. The agent runs continuously and interacts with an external source to provide data for the service.
  No Automated Mitigation: While Threat Stack actively monitors and logs current server events, it does not take proactive actions on any events besides reporting. A further remediation step is required to address any severe or critical issues seen. This being stated, the response times for said incidents are excellent.

Conclusion

Overall, Threat Stack provides significant benefits to clients for a small price. The uninterrupted protection it offers in monitoring, reporting, and subsequent action taken by Liquid Web support provides round-the-clock peace of mind to every security-conscious business owner.

Threat Stack is enhanced by its modest initial price point for high-level functionality. Its continuous active delivery of intrusion detection included with the system keeps your server safe from malicious actors who use various attack vectors to gain access. Overall, Threat Stack is a superb service that every security-conscious client needs.

If you have any questions about the information presented in this article., reach out to one of our Most Helpful Humans in Hosting via phone at 800.580.4985, support ticket, or LiveChat 24 hours a day, 7 days a week, 365 days per year