This article reviews some of the more technical aspects of Threat Stack. Threat Stack is a platform-independent intrusion detection system (IDS) that gives users a single view into several integrated server security functions. It monitors Linux and Windows servers, as well as Kubernetes and other container-based infrastructure, to observe behavior and detect malicious, uncommon, and risky activity.
It is advantageous in many situations where Alert Logic may not be a good fit.
What is Threat Stack?
Threat Stack is a real-time, agent-based IDS for modern Linux and Windows servers. The Threat Stack agent sends user, process, network, and file behavior events to the Threat Stack Platform, where they are processed and compared against Rule Sets composed of security detections; matches raise alerts for review. The Threat Stack Security Operations Center (SOC), which operates 24/7/365, triages and investigates high-severity alerts and escalates them to Liquid Web Support, who actively address the issue. If mitigation steps need to be taken on the server, we notify the client immediately and keep them informed of progress until a solution is in place.
Threat Stack operates via a monitoring agent installed by Liquid Web. The agent actively monitors the following:
- User logins/login attempts.
- Suspicious commands.
- Network connections.
- File access and modification.
- Privilege escalations.
- New processes and kernel modules.
It is deployed on servers where clients want to bolster security, gain visibility into suspect processes, and add real-time security monitoring, including customers who need an IDS for HIPAA or PCI compliance.
Threat Stack can be installed on the following Liquid Web server platforms and operating systems.

|Linux distribution|Version|Minimum kernel version|
|---|---|---|
|CentOS|||
|Ubuntu|||
|Debian|10|4.19 LTS (supported only in the Agent 2.x series)|

Only Liquid Web's currently supported OS versions are supported; Threat Stack will not function on any outdated OS.

|Windows|Version|
|---|---|
|Windows Server|2012 R2|
Threat Stack security rules are typically broken down into three tiers. These tiers define the severity of the issue and the response effort taken for it.
SEV 1 - Critical
A severity level one alert indicates a possible root-level server compromise, for example a process executing from /tmp, /dev/shm, or another location commonly used after a root compromise. These alerts trigger an immediate investigation, and if warranted, an administrator opens a ticket with the client immediately.
SEV 2 - Suspicious
A severity level two alert indicates questionable activity by the root user: a service on the server spawning a shell, a new user being created, or another form of user privilege escalation. These alerts are logged, and we may open a ticket with the client depending on the level of activity or any active suppression.
SEV 3 - Logged
A severity level three alert indicates that a suspect command-line tool (such as wget or netstat) has been downloaded or used, that a user has logged in from a LAN address, or that unusual GNU Compiler Collection (GCC) activity was seen. These alerts are logged for use in later forensic analysis, but a ticket is not automatically created for them.
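To make the three tiers concrete, here is an added example (it is not Threat Stack's own rule logic and is not taken from this page's product) of a small rule engine that classifies constructed agent events into the severities described above. A suppression list of (rule, executable) pairs stands in for the global whitelisting of reviewed false positives. The event schema, the rule names, the suspect directories, the tool list, and the sample events are all assumptions for illustration.

```python
"""Added example: three-tier severity classification of constructed agent events.
Not Threat Stack's real rule sets; schema, rule names and thresholds are assumed."""
import ipaddress
import posixpath
from dataclasses import dataclass, field
from typing import NamedTuple

SEV1, SEV2, SEV3 = 1, 2, 3  # Critical, Suspicious, Logged

# Assumed rule parameters (illustrative only).
SUSPECT_EXEC_DIRS = ("/tmp", "/dev/shm", "/var/tmp")          # SEV 1 when a binary runs from here
LOGGED_TOOLS = {"wget", "curl", "netstat", "nc", "gcc", "cc"}  # SEV 3 when used
SHELLS = {"sh", "bash", "dash", "zsh"}
INTERACTIVE_PARENTS = {"sshd", "login", "sudo", "su", "bash", "sh", "zsh"}  # shells from these are normal


class Alert(NamedTuple):
    severity: int
    rule: str
    reason: str


@dataclass
class Event:
    """A simplified, constructed agent event (not the real agent's schema)."""
    kind: str              # "exec", "useradd", "setuid" or "login"
    user: str = ""         # user the action ran as
    exe: str = ""          # absolute path of the executed binary
    parent: str = ""       # parent process name (exec events)
    src_ip: str = ""       # source address (login events)
    extra: dict = field(default_factory=dict)


def _under(path, base):
    """True if path lies inside directory base, after normalising '..' and '//'
    so that '/tmp/../usr/bin/id' is not mistaken for a /tmp execution."""
    path = posixpath.normpath(path)
    return path == base or path.startswith(base + "/")


def classify(ev, suppressed=frozenset()):
    """Return the alerts an event raises, most severe first.

    `suppressed` holds (rule, exe) pairs reviewed as false positives and
    whitelisted; matching alerts are dropped before they reach a reviewer.
    """
    alerts = []
    if ev.kind == "exec":
        name = posixpath.basename(ev.exe)
        if any(_under(ev.exe, d) for d in SUSPECT_EXEC_DIRS):
            alerts.append(Alert(SEV1, "exec-suspect-dir", f"{name} executed from {ev.exe}"))
        if ev.user == "root" and name in SHELLS and ev.parent not in INTERACTIVE_PARENTS:
            alerts.append(Alert(SEV2, "root-shell-from-service", f"{ev.parent} spawned a root shell"))
        if name in LOGGED_TOOLS:
            alerts.append(Alert(SEV3, "suspect-tool", f"{ev.user} ran {name}"))
    elif ev.kind == "useradd":
        alerts.append(Alert(SEV2, "user-created", f"{ev.user} created user {ev.extra.get('new_user')}"))
    elif ev.kind == "setuid":
        alerts.append(Alert(SEV2, "priv-escalation",
                            f"{ev.user} escalated to uid {ev.extra.get('to_uid')} via {ev.exe}"))
    elif ev.kind == "login" and ev.src_ip and ipaddress.ip_address(ev.src_ip).is_private:
        alerts.append(Alert(SEV3, "lan-login", f"{ev.user} logged in from LAN address {ev.src_ip}"))
    alerts = [a for a in alerts if (a.rule, ev.exe) not in suppressed]
    return sorted(alerts)


def triage(events, suppressed=frozenset()):
    """Group the alerts raised by a batch of events by severity tier."""
    out = {SEV1: [], SEV2: [], SEV3: []}
    for ev in events:
        for a in classify(ev, suppressed):
            out[a.severity].append(a)
    return out


# Constructed sample events covering each tier plus one benign event.
SAMPLE_EVENTS = [
    Event("exec", user="www-data", exe="/tmp/.x/kworkerds", parent="php-fpm"),   # SEV 1
    Event("exec", user="root", exe="/bin/sh", parent="nginx"),                    # SEV 2
    Event("useradd", user="root", extra={"new_user": "backup2"}),                 # SEV 2
    Event("setuid", user="deploy", exe="/usr/local/bin/backup-helper",
          extra={"to_uid": 0}),                                                   # SEV 2
    Event("exec", user="deploy", exe="/usr/bin/wget", parent="bash"),             # SEV 3
    Event("login", user="admin", src_ip="192.168.1.20"),                          # SEV 3
    Event("exec", user="root", exe="/usr/sbin/sshd", parent="systemd"),           # no alert
]

if __name__ == "__main__":
    for sev, alerts in triage(SAMPLE_EVENTS).items():
        for a in alerts:
            print(f"SEV {sev}: [{a.rule}] {a.reason}")
```

The path check normalises before comparing so that `..` segments and `/tmpfoo`-style prefixes cannot dodge the /tmp rule, and suppression is keyed on rule plus executable rather than on the alert text, so a whitelist entry for one installer script does not silence every /tmp execution.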
Additionally, when an alert is determined to be a false positive, it is whitelisted globally so it does not recur. Our version of Threat Stack does not include on-demand vulnerability scanning. However, because Threat Stack runs in real time and continuously monitors your server, it flags suspicious activity as it happens. A manual investigation starts promptly when a threat is detected, remediation steps begin immediately, and the client is kept updated throughout the process. If desired, clients can purchase on-demand vulnerability and malware scans separately.
A client can verify that the Threat Stack agent is running with the following command in the terminal.

```
[root@host ~]# tsagent status
UP Threat Stack Agent Daemon
UP Threat Stack Backend Connection
UP Threat Stack Heartbeat Service
UP Threat Stack Login Collector
UP Threat Stack Audit Collection
UP Threat Stack Log Scan Service
UP Threat Stack Vulnerability Scanner
UP Threat Stack File Integrity Monitor
```
To verify the last time the agent completed a check-in with the backend, use the Threat Stack command-line tool and run the following command.

```
[root@host ~]# tsagent info
LastBackendConnection: 2021-03-05T21:09:37Z
ClientConfig:
  ID: 5f735f85c137554511ca3a51-19beebd0-6fd2-11eb-9997-a11e888adf040001020304050607
  Key: 5f735f85c137554511ca3a51-19beebd0-6fd2-11eb-9997-a11e888adf04
  Protocol: ALv2
  Backend: wss://cssensors.threatstack.com
```

Treat the Key value as a credential for the agent deployment: redact it before pasting this output into a ticket or chat.
If the agent needs to be started, stopped, or restarted, the Threat Stack command-line tool handles that as well.

```
[root@host ~]# tsagent stop
[root@host ~]# tsagent start
[root@host ~]# tsagent restart
```
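The two commands above are what a practitioner would wrap in a periodic health check. The following script is an added example (it is not part of the Threat Stack or Liquid Web tooling) that parses the `tsagent status` and `tsagent info` output in the format shown above and reports the agent as healthy only if every component is UP and the last backend check-in is recent. The 15-minute threshold, the `DOWN` state string in the degraded sample, the fixed reference time, and the sample outputs themselves are constructed assumptions.

```python
"""Added example: health check built on `tsagent status` / `tsagent info` output.
Not a Liquid Web or Threat Stack tool; thresholds and samples are assumptions."""
import subprocess
import sys
from datetime import datetime, timezone

MAX_CHECKIN_AGE_SECONDS = 15 * 60  # assumed threshold; tune to your alerting policy


def parse_status(text):
    """Map component name -> state (e.g. 'UP') from `tsagent status` output."""
    states = {}
    for line in text.splitlines():
        parts = line.split(None, 1)          # "<STATE> <component name>"
        if len(parts) == 2:
            states[parts[1].strip()] = parts[0]
    return states


def components_not_up(status_text):
    """Names of components whose state is anything other than UP."""
    return sorted(name for name, state in parse_status(status_text).items() if state != "UP")


def last_backend_connection(info_text):
    """LastBackendConnection from `tsagent info` as a UTC datetime, or None if absent."""
    for line in info_text.splitlines():
        key, _, value = line.strip().partition(":")
        if key == "LastBackendConnection":
            ts = datetime.strptime(value.strip(), "%Y-%m-%dT%H:%M:%SZ")
            return ts.replace(tzinfo=timezone.utc)
    return None


def checkin_age_seconds(info_text, now=None):
    """Seconds since the agent last reached the backend, or None if unknown."""
    ts = last_backend_connection(info_text)
    if ts is None:
        return None
    now = now or datetime.now(timezone.utc)
    return (now - ts).total_seconds()


def agent_healthy(status_text, info_text, now=None, max_age_seconds=MAX_CHECKIN_AGE_SECONDS):
    """Return (healthy, problems). Healthy means every component is UP and the
    last check-in is no older than max_age_seconds; a missing check-in line counts
    as a problem rather than as healthy."""
    problems = [f"{c} is not UP" for c in components_not_up(status_text)]
    age = checkin_age_seconds(info_text, now)
    if age is None:
        problems.append("no LastBackendConnection line in tsagent info")
    elif age > max_age_seconds:
        problems.append(f"last backend check-in was {age:.0f}s ago (limit {max_age_seconds}s)")
    return (not problems, problems)


# Constructed sample output, modelled on the page's examples.
SAMPLE_STATUS = """\
UP Threat Stack Agent Daemon
UP Threat Stack Backend Connection
UP Threat Stack Heartbeat Service
UP Threat Stack Login Collector
UP Threat Stack Audit Collection
UP Threat Stack Log Scan Service
UP Threat Stack Vulnerability Scanner
UP Threat Stack File Integrity Monitor
"""
# Same output with the backend link failed ("DOWN" is an assumed state string).
SAMPLE_STATUS_DEGRADED = SAMPLE_STATUS.replace(
    "UP Threat Stack Backend Connection", "DOWN Threat Stack Backend Connection")
SAMPLE_INFO = """\
LastBackendConnection: 2021-03-05T21:09:37Z
ClientConfig:
  Protocol: ALv2
  Backend: wss://cssensors.threatstack.com
"""
# Fixed "now" (constructed) so the offline demonstration is reproducible:
# ten minutes after the sample check-in.
REFERENCE_NOW = datetime(2021, 3, 5, 21, 19, 37, tzinfo=timezone.utc)


def tsagent(*args):
    """Run the real tsagent CLI on the host and return its stdout."""
    return subprocess.run(["tsagent", *args], capture_output=True, text=True, check=True).stdout


if __name__ == "__main__":
    ok, problems = agent_healthy(tsagent("status"), tsagent("info"))
    for p in problems:
        print("PROBLEM:", p)
    print("agent healthy" if ok else "agent unhealthy")
    sys.exit(0 if ok else 1)
```

Run as root on the monitored host; a non-zero exit code makes it easy to hook into cron or an existing monitoring check. Note that a stale `LastBackendConnection` with every component reporting UP still means events are not reaching the platform, which is why the check-in age is tested separately from the status lines.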
Threat Stack Advantages
Threat Stack offers multiple benefits to small and medium-sized businesses.
- Real-time detection of intrusion attempts on a server.
- Robust security that provides proactive, reactive, and interactive responses to immediate server threats.
- Escalated analysis from Threat Stack's dedicated Security Operations Center to Liquid Web.
- A genuinely competitive price point for cost-conscious consumers, with protection comparable to higher-priced alternatives.
- Intangible cost savings from less time spent investigating false positives, increased vigilance without additional time investment, and fewer costly business interruptions.
- Peace of mind in knowing that a fully managed product is hard at work protecting you all day, every day.
Threat Stack Disadvantages
Despite all the advantages that Threat Stack offers, a few drawbacks may deter some clients from choosing this product.
- Server Agent Requirement: An agent must be installed on every server, which may be troublesome for clients with a larger clustered footprint, as each agent covers only one server.
- Additional Processes Increase Load: A single agent process should not significantly impact server load, but owners of heavily utilized servers should account for all resource usage; the agent runs continuously and communicates with an external service.
- No Automated Mitigation: Threat Stack actively monitors and logs server events, but it takes no action beyond reporting. A further remediation step is required to address any severe or critical issue. That said, response times for such incidents are excellent.
Overall, Threat Stack provides significant benefits to clients for a small price. Its uninterrupted monitoring and reporting, together with the follow-up action taken by Liquid Web Support, give every security-conscious business owner round-the-clock peace of mind.
Threat Stack pairs a modest price point with high-level functionality. Its continuous intrusion detection helps keep your server safe from malicious actors who use a variety of attack vectors to gain access. Overall, Threat Stack is a superb service for any security-conscious client.
Our Sales and Support teams are available 24 hours by phone or e-mail to assist.