TRM Demo Script from August 30, 2013
- Pavan Raja

- Apr 8, 2025
Summary:
The TRM Demo explains how to use the "quarantine node" feature in TRM when an infected internal asset communicates with malicious domains. Here's a quick summary of the steps:
1. **Login**: Access the system and see that RepSM has detected an infection, triggering a rule and sending notifications about the internal asset interacting with malicious domains.
2. **View Event Triggering Rule**: Inspect the event to find out which internal asset is involved and the associated malicious domain from Attacker Address (Internal Asset) and Target Host Name (Malicious Domain).
3. **Call TRM Integration Commands**: Use the "Attacker Target Map" command to visualize attacker-target relationships and layer 2 information for blocking purposes.
4. **Investigate Node**: From the pop-up window, select "Investigate node". This opens the TRM UI displaying detailed info about the internal asset, showing associated Layer 2 and Layer 3 devices and more.
5. **Simulate Quarantine**: Click on "Simulate Quarantine" to see what would happen if you quarantine the node. Specify the switch (e.g., "cat_3524XL-a") and interface (like "FastEthernet0/6") that need to be disabled based on the simulated commands.
6. **Actual Quarantine**: Confirm the actual quarantine by clicking "Quarantine Node". Set an expiration time or choose not to specify one, setting a category for the quarantine action as needed.
This demo shows how TRM helps identify and isolate infected assets efficiently through its user-friendly interface and integrated command capabilities. The process involves confirming the quarantine of the affected internal asset, viewing a command log detailing all specific commands executed for quarantine, and monitoring or removing quarantined nodes based on system evaluation.
Details:
The TRM Demo illustrates how the "quarantine node" feature in TRM works. It starts when RepSM triggers a rule and detects an infected internal asset communicating with malicious domains. This leads to running integration commands from Express/ESM to launch the TRM UI, allowing investigation and quarantine of the infected asset.
**Steps:**
1. **Login**: Access the system, where you see that Express and RepSM have detected an infection and triggered a rule that sends notifications about the internal asset communicating with malicious domains.
2. **View Event Triggering Rule**: Inspect the event to find out which internal asset is involved and the associated malicious domain from Attacker Address (Internal Asset) and Target Host Name (Malicious Domain).
3. **Call TRM Integration Commands**: Use the "Attacker Target Map" command to visualize attacker-target relationships and layer 2 information for blocking purposes.
4. **Investigate Node**: From the pop-up window, select "Investigate node". This opens the TRM UI displaying detailed info about the internal asset, showing associated Layer 2 and Layer 3 devices and more.
5. **Simulate Quarantine**: Click on "Simulate Quarantine" to see what would happen if you quarantine the node. Here, specify the switch (e.g., "cat_3524XL-a") and interface (like "FastEthernet0/6") that need to be disabled based on the simulated commands.
6. **Actual Quarantine**: Confirm the actual quarantine by clicking "Quarantine Node". You can set an expiration time or choose not to specify one, setting a category for the quarantine action as needed.
This demo shows how TRM helps identify and isolate infected assets efficiently through its user-friendly interface and integrated command capabilities.
The text outlines a process for managing external malicious activity affecting an internal asset in a system. Initially, when external malicious activities are detected, the user is prompted to confirm the quarantine of the affected internal asset. Following this confirmation, a screen displays notification of the quarantine of the internal asset.
The user has access to a command log which details all specific commands executed for the quarantine. To view all quarantined nodes, the user can click on "View Response Log" and review the list provided. This allows users to monitor and track the status of quarantined assets.
Once the internal asset is deemed clean and free from malicious activities, it can be removed from quarantine by selecting the asset and clicking the option "Remove Quarantined Nodes." Post-removal, a confirmation is reflected in the Response Log with no currently quarantined nodes indicated. This process ensures that only properly vetted assets remain operational within the system, thereby safeguarding against potential threats posed by external malicious activities.
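As an added illustration of the workflow in steps 2 to 6 and the removal flow above (not TRM's own code), the following Python models the pieces the demo exercises: resolving the Attacker Address to a switch and interface, simulating versus executing a quarantine, an optional expiration, a response log, and removing quarantined nodes. The Layer-2 table, the sample event and the Cisco IOS-style `shutdown` / `no shutdown` commands are constructed assumptions standing in for whatever TRM actually issues.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Optional

# Constructed Layer-2 map (assumption): internal asset IP -> (switch, interface).
# In the demo this information comes from the Attacker Target Map / Investigate node view.
L2_MAP = {"10.0.0.25": ("cat_3524XL-a", "FastEthernet0/6")}

# Constructed RepSM-style event (assumption): attacker is the internal asset,
# target host name is the malicious domain it contacted.
EVENT = {"attackerAddress": "10.0.0.25", "targetHostName": "malicious.example"}


@dataclass
class Quarantine:
    switch: str
    interface: str
    category: str
    expires: Optional[datetime]  # None means no expiration was specified


@dataclass
class TRM:
    """Toy tracker of quarantined nodes plus a response log of executed commands."""
    quarantined: dict = field(default_factory=dict)
    response_log: list = field(default_factory=list)

    @staticmethod
    def locate(event: dict) -> tuple:
        """Steps 2-4: resolve the Attacker Address to its switch and port."""
        return L2_MAP[event["attackerAddress"]]

    def simulate_quarantine(self, ip: str) -> list:
        """Step 5: return the commands that would run, without executing or logging them."""
        switch, iface = L2_MAP[ip]
        return [f"{switch}# interface {iface}", f"{switch}# shutdown"]

    def quarantine_node(self, ip: str, category: str = "infected",
                        ttl_hours: Optional[float] = None) -> Quarantine:
        """Step 6: execute the commands, record them in the response log, track expiry."""
        switch, iface = L2_MAP[ip]
        expires = datetime.now() + timedelta(hours=ttl_hours) if ttl_hours is not None else None
        self.quarantined[ip] = Quarantine(switch, iface, category, expires)
        self.response_log.extend(self.simulate_quarantine(ip))
        return self.quarantined[ip]

    def remove_quarantined_nodes(self, ip: str) -> int:
        """Release a cleaned asset and return how many nodes remain quarantined."""
        q = self.quarantined.pop(ip)
        self.response_log.extend([f"{q.switch}# interface {q.interface}", f"{q.switch}# no shutdown"])
        return len(self.quarantined)

    def release_expired(self, now: Optional[datetime] = None) -> list:
        """Release every quarantine whose expiration time has passed."""
        now = now or datetime.now()
        due = [ip for ip, q in self.quarantined.items() if q.expires and q.expires <= now]
        for ip in due:
            self.remove_quarantined_nodes(ip)
        return due
```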
