Exercise Overview:

Working with Quarantine

In the event of a security breach, Tachyon can quarantine devices. This cuts the device off from all network traffic except for the Tachyon Switch, which contains an outbreak while the device is remediated. In this exercise, we will target a specific system and quarantine it. We will then remove it from quarantine.

Because the 3 quarantine instructions are so powerful, it is recommended that you assign permissions for them thoughtfully in Tachyon.

Checking Quarantine State

1ETRNW102

  1. Log into 1ETRNW102 as 1ETRN\Tachyon_AdminPP
  2. Open Google Chrome and Navigate to the Explorer Application
  3. From the Home screen click All Instructions
  4. Expand Quarantine
  5. Click Are my devices quarantined?
  6. Read the warning here – this is a very powerful feature and can take all your devices off the network if the coverage is not correct.
  7. Click Ask this question
  8. This is a simple query to see whether the devices are actually quarantined. As you can see, none of our devices are in quarantine.

Quarantine a Device

In this task we are going to quarantine 1ETRNW72.

1ETRNW71

  1. Navigate to Explorer application – Home screen
  2. In the I want to know field type in Quarantine
  3. Click on Quarantine Selected Devices. Click Edit on parameters
  4. It is possible to quarantine the Tachyon server so be extremely careful with your coverage.
  5. Click coverage
  6. Expand Device. Choose in the first field and type in 1ETRNW72.1ETRN.local in the second field
  7. Use the FQDN here to ensure you don't quarantine the wrong machine.
  8. Click Set
  9. Click Perform this Action
  10. Type in your Password
  11. Open LiveMail and enter your authentication code

1ETRNW73

  1. Open LiveMail and Launch the Notification Page or refresh Chrome and navigate to Notifications
  2. Approve the Request
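The coverage value is the only thing standing between quarantining one test machine and cutting the Tachyon server itself off the network, so it is worth checking before you click Perform this Action. The following is an added example, not part of the lab or of the Tachyon product: a small pre-flight check that refuses short names, wildcards and any name in a protected list. The protected names are assumptions built from the lab's aliases (1ETRNAP is the Tachyon server alias); replace them with the real Tachyon server and switch FQDNs in your environment.

```python
import re

# Hosts that must never be covered by a quarantine instruction.
# Assumed values: built from the lab's aliases, adjust for your environment.
PROTECTED_HOSTS = {
    "1etrnap.1etrn.local",   # Tachyon server (alias "Tachyon" in the lab)
    "tachyon.1etrn.local",   # assumed DNS alias for the Tachyon server
}

# One DNS label: letters, digits and hyphens, no leading or trailing hyphen.
_LABEL = r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
_FQDN_RE = re.compile(rf"^(?:{_LABEL}\.)+{_LABEL}\.?$")


def check_coverage_target(target: str, protected=PROTECTED_HOSTS) -> list[str]:
    """Return the problems found with a proposed coverage value for
    'Quarantine Selected Devices'. An empty list means the value looks safe."""
    problems = []
    value = target.strip()
    if not value:
        return ["coverage value is empty"]
    if any(ch in value for ch in "*%?"):
        problems.append("wildcards are not allowed; name exactly one device")
    if "." not in value:
        problems.append("short name given; use the full FQDN so the wrong "
                        "machine is not quarantined")
    elif not _FQDN_RE.match(value):
        problems.append(f"{value!r} is not a well-formed FQDN")
    # Compare case-insensitively: the lab types both .local and .Local.
    if value.rstrip(".").lower() in {h.lower() for h in protected}:
        problems.append(f"{value!r} is the Tachyon server/switch; "
                        "quarantining it would block the release instruction")
    return problems


if __name__ == "__main__":
    for candidate in ["1ETRNW72.1ETRN.local", "1ETRNW72",
                      "1ETRNAP.1ETRN.local", "*.1ETRN.local"]:
        found = check_coverage_target(candidate)
        print(f"{candidate:22} -> {'OK' if not found else '; '.join(found)}")
```

Run it before each quarantine and only proceed when the target returns no problems; the list of protected hosts should also include the Tachyon Switch if it has a name distinct from the server.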

Checking the Quarantined Device

1ETRNW71

  1. In the Explorer application check the results from the instruction
  2. Notice there is now 1 device quarantined
  3. Click on Quarantined in Status and see the device name
  4. Launch a Command Prompt and type in ping 1etrnw72. Your request will time out without a response

1ETRNW72

  1. Launch a command prompt and ping 1ETRNDC
  2. Ping 1ETRNCM
  3. These should both time out without a response. Once placed in quarantine, a device can only be accessed from the Tachyon server.
  4. Ping Tachyon (our alias for 1ETRNAP)
  5. This should ping as normal – all remediation efforts for a quarantined device have to originate from the Tachyon server. This greatly limits the propagation of any malware that gets introduced into your environment.
  6. Launch a new browser window and navigate to Google.com
  7. Notice that our device cannot get to other devices or the internet
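The ping checks above define the connectivity signature of a quarantined device: the Tachyon server answers, every other host times out. The following is an added example, not part of the lab or of the Tachyon product, that automates those checks and maps the result onto a state name. The host names are the lab's (1ETRNAP, 1ETRNDC, 1ETRNCM and the Tachyon alias); the state names and the ping flags are my own choices, and the example assumes ICMP is the only probe you need, which holds in this lab because quarantine blocks all traffic.

```python
import platform
import subprocess

# Lab hosts. The Tachyon server (alias "Tachyon") is the only host a
# quarantined device is expected to reach.
TACHYON_HOSTS = {"Tachyon", "1ETRNAP"}
OTHER_HOSTS = {"1ETRNDC", "1ETRNCM"}


def classify_isolation(reachable: dict, tachyon_hosts=TACHYON_HOSTS) -> str:
    """Map a {host: answered?} dict onto the state the exercise expects.

    'Quarantined'        only Tachyon hosts answer (expected after the instruction)
    'NotQuarantined'     every host answers (expected after release)
    'TachyonUnreachable' a Tachyon host does not answer; nothing can be
                         remediated or released from this device, which is the
                         situation the lab warns about when the server itself
                         is quarantined
    'Partial'            anything else; the rules in force are not the ones
                         the exercise expects and need investigating
    """
    tachyon = {h: ok for h, ok in reachable.items() if h in tachyon_hosts}
    others = {h: ok for h, ok in reachable.items() if h not in tachyon_hosts}
    if tachyon and not all(tachyon.values()):
        return "TachyonUnreachable"
    if all(reachable.values()):
        return "NotQuarantined"
    if others and not any(others.values()):
        return "Quarantined"
    return "Partial"


def ping(host: str, timeout_s: int = 1) -> bool:
    """Send one ICMP echo with the OS ping tool; True if the host answered."""
    if platform.system() == "Windows":
        cmd = ["ping", "-n", "1", "-w", str(timeout_s * 1000), host]
    else:
        cmd = ["ping", "-c", "1", "-W", str(timeout_s), host]
    return subprocess.run(cmd, capture_output=True).returncode == 0


def probe(hosts) -> dict:
    """Ping every host and collect the answers."""
    return {h: ping(h) for h in hosts}


if __name__ == "__main__":
    results = probe(TACHYON_HOSTS | OTHER_HOSTS)
    for host, ok in sorted(results.items()):
        print(f"{host:10} {'reply' if ok else 'timeout'}")
    print("state:", classify_isolation(results))
```

Run it on 1ETRNW72 after the quarantine instruction completes and you should see `Quarantined`; run it again after the release instruction and you should see `NotQuarantined`. `TachyonUnreachable` is the result to treat as an incident in its own right, since it means the device can no longer be reached by the only system allowed to fix it.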

Removing a Device from Quarantine

Now we will issue the instruction that will remove the device from quarantine. The device can only communicate with the Tachyon Switch at this time.

1ETRNW71

  1. Still logged in as 1ETRN\Tachyon_Admin1
  2. Open Google Chrome – the Explorer Application should still be open
  3. Navigate to Home and in the I want to know field type in Quaran and Select Releases Selected devices from Quarantine
  4. Click Edit on the Parameters
  5. Expand Coverage – Expand Device
  6. In the contains field select =
  7. In the next field type in 1ETRNW72.1ETRN.Local click Set
  8. Type in the entire FQDN or the instruction will fail
  9. Click Perform this action
  10. Type in Passw0rd and click Confirm and Send
  11. Open LiveMail and copy the authentication code for Instruction X
  12. Paste the code into the Authentication Code box. Click Submit

1ETRNW73

  1. Still logged in as 1ETRN\Tachyon_AdminG
  2. Open Chrome and refresh the page
  3. In the Explorer Application navigate to Notifications
  4. Approve Instruction X from above

1ETRNW71

  1. In the Explorer Application – Navigate to Instructions – History
  2. Select our Releases selected devices from quarantine
  3. Wait for this one to complete
  4. Move back to Instructions – History. Select Are my devices quarantined?
  5. Rerun this instruction
  6. Wait for it to complete and see that all 7 devices are now NotQuarantined
  7. Open a command prompt and Ping 1ETRNW72. Device should respond

1ETRNW72

  1. Ping any of the other devices in the lab
  2. All the devices should now respond to the ping request
  3. Browse to the Internet
  4. The device should be able to get to the internet
  5. The ability to quarantine devices is critical to combating a security emergency. This functionality is also dangerous, as the devices are only able to communicate with the Tachyon server, which is what makes it possible to remediate the issue and then remove the quarantine. It is possible to quarantine the Tachyon Server, and this would prevent you from removing the quarantine.

Lab Summary

In this lab, we learned how to use Quarantine to help us remediate security issues and prevent further spread.
