Getting Started with NodeZero Tripwires™
Tripwire deployment can be enabled in any Internal, External, Phishing Impact, or Rapid Response pentest, giving you the power to integrate early threat detection seamlessly into your existing security tests.
Enabling Tripwires in a Pentest
To activate tripwire deployment, follow these steps:
- In the configuration or template for any Internal, External, Phishing Impact, or Rapid Response pentest, scroll to the new Tripwires section.
- Click the toggle to enable NodeZero to deploy tripwires once the test begins.
NodeZero RAT
Note: Enabling Tripwires also activates the NodeZero Remote Access Tool (RAT), which is essential for deploying tripwires in your environment. Only Rapid Response tests that make use of the RAT are able to drop tripwires.
Injecting a credential
Note: If you inject one or more credentials as part of the pentest, NodeZero will also leverage those credentials to deploy tripwires where the credential grants write access.
Viewing and Managing Deployed Tripwires
After tripwires have been deployed in your environment, you'll be able to monitor them in the Portal, even while the test is still running. From the top navigation bar, select Tripwires and go to the Manage page.
On the Manage page, you can:
- View all deployed tripwires.
- See details such as the exact location of each tripwire in your network, the pentest during which it was deployed, and instructions on how to remove it.
- Use search and filter options to find specific tripwires.
- Test tripwires to simulate alerting and understand how the system will respond to an actual attack.
For more information on managing tripwires, visit the Tripwire Management page.
Testing a Tripwire
Testing a tripwire simulates an action that a malicious actor might take to trigger the tripwire. The simulation may take a few minutes to complete. Once the test is finished, you'll see a new alert, indicated by red dots on Tripwires in the top navigation bar and on Alerts in the sub-navigation.
When an alert is triggered, users with access to NodeZero Tripwires™ will also receive an email notification. If you’ve configured webhook integrations, an alert event will be sent to the connected system as well.
Viewing and Managing Alerts
All tripwire alerts, whether from tests or real incidents, are shown on the Alerts page, accessible under Tripwires in the top navigation bar. Each alert includes comprehensive details, such as:
- Information on the actor and the specific activity detected.
- Relevant tripwire information to help your incident response team act quickly.
For details on alert management, check out the Alerts page.
