Merge branch '400/zero-trust-mvp' into 400-zero-trust-mvp-venn-diagram

monkey/common/data/zero_trust_consts.py

@@ -27,11 +27,11 @@ TEST_DATA_ENDPOINT_HTTP = u"unencrypted_data_endpoint_http"
 TEST_MACHINE_EXPLOITED = u"machine_exploited"
 TEST_ENDPOINT_SECURITY_EXISTS = u"endpoint_security_exists"
 TEST_SCHEDULED_EXECUTION = u"scheduled_execution"
-TEST_ACTIVITY_TIMELINE = u"malicious_activity_timeline"
+TEST_MALICIOUS_ACTIVITY_TIMELINE = u"malicious_activity_timeline"
 TEST_SEGMENTATION = u"segmentation"
 TESTS = (
     TEST_SEGMENTATION,
-    TEST_ACTIVITY_TIMELINE,
+    TEST_MALICIOUS_ACTIVITY_TIMELINE,
     TEST_SCHEDULED_EXECUTION,
     TEST_ENDPOINT_SECURITY_EXISTS,
     TEST_MACHINE_EXPLOITED,
@@ -68,7 +68,7 @@ TESTS_MAP = {
         PILLARS_KEY: [NETWORKS],
         POSSIBLE_STATUSES_KEY: [STATUS_UNEXECUTED, STATUS_POSITIVE, STATUS_CONCLUSIVE]
     },
-    TEST_ACTIVITY_TIMELINE: {
+    TEST_MALICIOUS_ACTIVITY_TIMELINE: {
         TEST_EXPLANATION_KEY: u"The Monkeys in the network performed malicious-looking actions, like scanning and attempting exploitation.",
         FINDING_EXPLANATION_BY_STATUS_KEY: {
             STATUS_INCONCLUSIVE: "Monkey performed malicious actions in the network. Check SOC logs and alerts."

monkey/monkey_island/cc/models/zero_trust/event.py

@@ -23,9 +23,9 @@ class Event(EmbeddedDocument):
 
     # LOGIC
     @staticmethod
-    def create_event(title, message, event_type):
+    def create_event(title, message, event_type, timestamp=datetime.now()):
         event = Event(
-            timestamp=datetime.now(),
+            timestamp=timestamp,
             title=title,
             message=message,
             event_type=event_type

monkey/monkey_island/cc/services/reporting/test_zero_trust_service.py

@@ -165,7 +165,7 @@ class TestZeroTrustService(IslandTestCase):
                     "tests": [
                         {
                             "status": STATUS_UNEXECUTED,
-                            "test": TESTS_MAP[TEST_ACTIVITY_TIMELINE][TEST_EXPLANATION_KEY]
+                            "test": TESTS_MAP[TEST_MALICIOUS_ACTIVITY_TIMELINE][TEST_EXPLANATION_KEY]
                         }
                     ]
                 }
@@ -189,7 +189,7 @@ class TestZeroTrustService(IslandTestCase):
                     "tests": [
                         {
                             "status": STATUS_UNEXECUTED,
-                            "test": TESTS_MAP[TEST_ACTIVITY_TIMELINE][TEST_EXPLANATION_KEY]
+                            "test": TESTS_MAP[TEST_MALICIOUS_ACTIVITY_TIMELINE][TEST_EXPLANATION_KEY]
                         }
                     ]
                 }

monkey/monkey_island/cc/services/telemetry/processing/scan.py

@@ -2,9 +2,15 @@ import copy
 
 from monkey_island.cc.database import mongo
 from monkey_island.cc.services.telemetry.processing.utils import get_edge_by_scan_or_exploit_telemetry
+from monkey_island.cc.services.telemetry.zero_trust_tests.data_endpoints import test_open_data_endpoints
 
 
 def process_scan_telemetry(telemetry_json):
+    update_edges_and_nodes_based_on_scan_telemetry(telemetry_json)
+    test_open_data_endpoints(telemetry_json)
+
+
+def update_edges_and_nodes_based_on_scan_telemetry(telemetry_json):
     edge = get_edge_by_scan_or_exploit_telemetry(telemetry_json)
     data = copy.deepcopy(telemetry_json['data']['machine'])
     ip_address = data.pop("ip_addr")
@@ -19,7 +25,6 @@ def process_scan_telemetry(telemetry_json):
         {"$push": {"scans": new_scan},
          "$set": {"ip_address": ip_address, 'domain_name': domain_name}}
     )
-
     node = mongo.db.node.find_one({"_id": edge["to"]})
     if node is not None:
         scan_os = new_scan["data"]["os"]

monkey/monkey_island/cc/services/telemetry/zero_trust_tests/data_endpoints.py

@@ -0,0 +1,55 @@
+import json
+
+from common.data.zero_trust_consts import *
+from monkey_island.cc.models import Monkey
+from monkey_island.cc.models.zero_trust.event import Event
+from monkey_island.cc.models.zero_trust.finding import Finding
+
+HTTP_SERVERS_SERVICES_NAMES = ['tcp-80']
+
+
+def test_open_data_endpoints(telemetry_json):
+    services = telemetry_json["data"]["machine"]["services"]
+    current_monkey = Monkey.get_single_monkey_by_guid(telemetry_json['monkey_guid'])
+    found_http_server_status = STATUS_POSITIVE
+
+    events = [
+        Event.create_event(
+            title="Scan Telemetry",
+            message="Monkey on {} tried to perform a network scan, the target was {}.".format(
+                current_monkey.hostname,
+                telemetry_json["data"]["machine"]["ip_addr"]),
+            event_type=EVENT_TYPE_MONKEY_NETWORK,
+            timestamp=telemetry_json["timestamp"]
+        )
+    ]
+
+    for service_name, service_data in services.items():
+        events.append(Event.create_event(
+            title="Scan telemetry analysis",
+            message="Scanned service: {}.".format(service_name),
+            event_type=EVENT_TYPE_ISLAND
+        ))
+        if service_name in HTTP_SERVERS_SERVICES_NAMES:
+            found_http_server_status = STATUS_CONCLUSIVE
+            events.append(Event.create_event(
+                title="Scan telemetry analysis",
+                message="Service {} on {} recognized as an open data endpoint! Service details: {}".format(
+                    service_data["display_name"],
+                    telemetry_json["data"]["machine"]["ip_addr"],
+                    json.dumps(service_data)
+                ),
+                event_type=EVENT_TYPE_ISLAND
+            ))
+
+    Finding.save_finding(
+        test=TEST_DATA_ENDPOINT_HTTP,
+        status=found_http_server_status,
+        events=events
+    )
+
+    Finding.save_finding(
+        test=TEST_MALICIOUS_ACTIVITY_TIMELINE,
+        status=STATUS_INCONCLUSIVE,
+        events=events
+    )

monkey/monkey_island/cc/ui/src/components/report-components/zerotrust/EventsTimeline.js

@@ -15,10 +15,10 @@ export default class EventsTimeline extends Component {
       <div>
         <Timeline>
           {
-            this.props.events.map(event => {
+            this.props.events.map((event, index) => {
               const event_time = new Date(event.timestamp['$date']).toString();
               return (<TimelineEvent
-                key={event.timestamp['$date']}
+                key={index}
                 createdAt={event_time}
                 title={event.title}
                 icon={<i className={eventTypeToIcon[event.event_type]} />}>

monkey/monkey_island/cc/ui/src/components/report-components/zerotrust/PillarOverview.js

@@ -21,7 +21,7 @@ const columns = [
 class PillarOverview extends Component {
   render() {
     const data = this.props.grades.map((grade) => {
-      const newGrade = grade;
+      const newGrade = JSON.parse(JSON.stringify(grade));
       newGrade.pillar = {name: grade.pillar, status: this.props.pillarsToStatuses[grade.pillar]};
       return newGrade;
     });