Tripwire Management
Dropping Tripwires
Tripwire deployment can be enabled during any Internal, External, Phishing Impact, or Rapid Response pentest. If you’re running an ongoing scheduled test, you can update the test template to enable tripwire deployment.
Directions
- Go to the configuration or template for an Internal, External, Phishing Impact, or Rapid Response pentest.
- Scroll to the Tripwires section.
- Click the toggle to enable Tripwires. Enabling Tripwires will also activate the NodeZero Remote Access Tool (RAT), which is required for tripwire deployment.
- Optional: Select the specific types of tripwires you want in your environment; NodeZero will only drop the selected types. By default, NodeZero will drop all types as appropriate.
- Save your changes or start the pentest.
Rapid Response pentest
Note: Only Rapid Response tests that make use of the RAT are able to drop tripwires.
During the pentest, NodeZero will attempt to drop tripwires on hosts that it successfully compromised and deployed the RAT to. If NodeZero gains write access to a network share, it will also attempt to drop tripwires on that share.
After the pentest is complete, the test results will show the number of tripwires deployed, and the person who initiated the pentest will receive an email notification with details about the newly dropped tripwires, along with the pentest completion summary.
Injecting a credential
Note: If you inject one or more credentials as part of the pentest, NodeZero will also leverage those credentials to deploy tripwires where the credential grants write access.
Managing Tripwires
All tripwires deployed by NodeZero can be viewed and managed in the Manage page under Tripwires in the top navigation.
The table on this page provides detailed information about each tripwire, including:
- The type of tripwire.
- When it was deployed.
- The asset it was deployed to.
- Its current status.
- Links to the pentest during which the tripwire was dropped.
You can filter tripwires by Status or Type, or use the search functionality to find specific tripwires, such as by the pentest in which they were deployed.
Clicking on a tripwire's name will bring up a details page with additional information, such as the tripwire’s location and links to the impacts related to the asset from the pentest during which the tripwire was dropped.
The details page also includes instructions on how to delete the tripwire.
Removing Tripwires
Fully removing a tripwire takes two separate actions: deleting it from the asset and deactivating it in NodeZero. Deleting a tripwire on its own does not automatically mark it as inactive from NodeZero's perspective.
Deleting Tripwires
NodeZero is an agentless solution, so it does not have the capability to delete tripwires after deployment. Once dropped, the tripwire is active and will trigger alerts if any activity is detected on it.
Each tripwire's details page includes instructions for deleting that tripwire from the asset; follow those instructions to remove it.
Deactivating Tripwires
Deactivating a tripwire means NodeZero will no longer listen for activity on the tripwire. It does not mean your tripwire has been deleted from your environment.
Active, or "live", tripwires will have the Active status, and deactivated tripwires will have the Inactive status.
To deactivate one or more tripwires:
1. Click the checkbox next to the name(s) of the desired tripwire(s).
2. Click the Deactivate Tripwires button at the top right of the table.
To deactivate all tripwires:
1. Click the checkbox in the top left of the tripwires table.
2. Click the Deactivate Tripwires button at the top right of the table.
Deactivation is permanent
Note: Once you deactivate a tripwire, you will not be able to reactivate it.
Testing Tripwires
From a tripwire’s details page, you can simulate an attacker's behavior by testing the tripwire. This test is run within Horizon3.ai’s infrastructure and simulates the kind of action that would trigger the tripwire in a real scenario.
The test may take a few minutes to complete. Once finished, a test alert will be generated, appearing in the Portal. Notifications will also be sent via email, and a webhook event (if configured with a vendor) will be triggered. Test alerts are clearly labeled as such in the Portal, email, and webhook event.