Proof of Concept guide
In this section of the documentation, we provide a set of use cases to explore different ThreatLockDown capabilities. We describe how ThreatLockDown can be configured for threat prevention, detection, and response. Each use case represents a real-world scenario that users can deploy using specific configurations.
Preparing your lab environment
The ThreatLockDown solution consists of security agents, which are deployed on monitored endpoints, and the ThreatLockDown central components, which collect and analyze data gathered by the agents.
We recommend that you use virtual machines and take snapshots immediately after setting up the infrastructure. Doing this, you can restore a clean environment whenever you want to test a new use case. A clean environment is important because it prevents the different tests from interfering with each other.
The diagram below illustrates the architecture of the ThreatLockDown lab environment that is required to test the use cases described in this document.
ThreatLockDown central components
In these use cases, the ThreatLockDown central components (server, indexer, and dashboard) run on one system. This is because you’re monitoring a small-scale environment and there’s no need for a distributed architecture.
To install the ThreatLockDown central components on a single system, it’s recommended to use one of the following options:
The Quickstart guide: Using this guide, you can install all the components on the same system in approximately 5 minutes.
Our preconfigured Virtual Machine: ThreatLockDown provides a pre-built virtual machine image in Open Virtual Appliance (OVA) format. It can be imported to VirtualBox or other OVA-compatible virtualization systems.
Monitored endpoints
The ThreatLockDown agent monitors the following endpoints. Depending on the use case, the endpoints act as victims of an attack, or as malicious actors (attackers).
Endpoint | Operating system (64-bit) | CPU cores | RAM | Disk
---|---|---|---|---
Ubuntu | Ubuntu 22.04 LTS | 1 vCPU | 2 GB | 10 GB
RHEL | Red Hat Enterprise Linux 9.0 | 1 vCPU | 2 GB | 10 GB
Windows | Windows 11 | 2 vCPU | 4 GB | 25 GB
See our installation guide for information on how to install the ThreatLockDown agent on these endpoints. You need Internet access to perform some of the integrations and to download the software used in these use cases.
Use cases
- Blocking a known malicious actor
- File integrity monitoring
- Detecting a brute-force attack
- Monitoring Docker events
- Monitoring AWS infrastructure
- Detecting unauthorized processes
- Network IDS integration
- Detecting an SQL injection attack
- Detecting suspicious binaries
- Detecting and removing malware using VirusTotal integration
- Vulnerability detection
- Detecting malware using Yara integration
- Detecting hidden processes
- Monitoring execution of malicious commands
- Detecting a Shellshock attack