diff --git a/docs/content/usage/use-cases/_index.md b/docs/content/usage/use-cases/_index.md new file mode 100644 index 000000000..3054d9ad7 --- /dev/null +++ b/docs/content/usage/use-cases/_index.md @@ -0,0 +1,28 @@ ++++ +title = "Use Cases" +date = 2020-08-12T12:52:59+03:00 +weight = 3 +chapter = true +pre = " " ++++ + +# Use cases + +This section describes possible use cases for the "Infection Monkey" and helps to +understand how this tool can be configured. +You can also refer to [our FAQ](../../faq) for more specific questions and answers. + +{{% notice note %}} +No worries! The Monkey uses safe exploiters and does not cause any permanent system modifications that impact security or operations. [See our FAQ for more details](../faq). +{{% /notice %}} + +Section contains: +- [Your network has been breached via internet facing servers](#your-network-has-been-breached-via-internet-facing-servers) + - [Simulate this scenario using the Monkey](#simulate-this-scenario-using-the-monkey) +- [You are the newest victim of a phishing fraud! 🎣](#you-are-the-newest-victim-of-a-phishing-fraud) + - [Simulate this scenario using the Monkey](#simulate-this-scenario-using-the-monkey-1) +- [You want to test your network segmentation](#you-want-to-test-your-network-segmentation) + - [Simulate this scenario using the Monkey](#simulate-this-scenario-using-the-monkey-2) +- [You want to verify your security solutions, procedures and teams are working as intended](#you-want-to-verify-your-security-solutions-procedures-and-teams-are-working-as-intended) + - [Simulate this scenario using the Monkey](#simulate-this-scenario-using-the-monkey-3) +- [Other useful tips](#other-useful-tips) diff --git a/docs/content/usage/use-cases/credential-leak.md b/docs/content/usage/use-cases/credential-leak.md new file mode 100644 index 000000000..77acd8d31 --- /dev/null +++ b/docs/content/usage/use-cases/credential-leak.md @@ -0,0 +1,39 @@ +--- +title: "Credential Leak" +date: 2020-08-12T13:04:25+03:00 +draft: true +weight: 4 +--- + +## Overview + +Numerous attack techniques(from phishing to dumpster diving) might result in a credential leak, +which can be **extremely costly** as demonstrated in our report [IResponse to IEncrypt](https://www.guardicore.com/2019/04/iresponse-to-iencrypt/). + +Infection Monkey can help assess the impact of stolen credentials by automatically searching +where these credentials can be reused. + +## Configuration + +#### Important configuration values: + +- **Exploits -> Credentials** After setting up the Island add the users’ **real** credentials +(usernames and passwords) to the Monkey’s configuration (Don’t worry, this sensitive data is not accessible and is not + distributed or used in any way other than being sent to the monkeys, and can be easily eliminated by resetting the Monkey Island’s configuration). +- **Internal -> Exploits -> SSH keypair list** Monkey automatically gathers SSH keys on the current system. +For this to work, Monkey Island or initial Monkey needs to have access to SSH key files(grant permission or run Monkey as root). +To make sure SSH keys were gathered successfully, refresh the page and check this configuration value after you run the Monkey +(content of keys will not be displayed, it will appear as ``). + +To simulate the damage from a successful phishing attack using the Infection Monkey, choose machines in your network +from potentially problematic group of machines, such as the laptop of one of your heavy email users or +one of your strong IT users (think of people who are more likely to correspond with people outside of +your organization). Execute the Monkey on chosen machines by clicking on “**1. Run Monkey**” from the left sidebar menu + and choosing “**Run on machine of your choice**”. + +![Exploit password and user lists](/images/usage/scenarios/user-password-lists.png "Exploit password and user lists") + +## Assessing results + +To assess the impact of leaked credentials see Security report. It's possible, that credential leak resulted in even +more leaked credentials, for that look into **Security report -> Stolen credentials**. diff --git a/docs/content/usage/use-cases/ids-test.md b/docs/content/usage/use-cases/ids-test.md new file mode 100644 index 000000000..9d5cbb154 --- /dev/null +++ b/docs/content/usage/use-cases/ids-test.md @@ -0,0 +1,54 @@ +--- +title: "IDS/IPS Test" +date: 2020-08-12T13:07:47+03:00 +draft: true +weight: 5 +--- + +## Overview + +The Infection Monkey can help you verify that your security solutions are working the way you expected them to. + These may include your IR and SOC teams, your SIEM, your firewall, your endpoint security solution, and more. + +## Configuration + +#### Important configuration values: + +- **Monkey -> Post breach** Post breach actions simulate the actions an attacker would make on infected system. + To test something not present on the tool, you can provide your own file or command to be ran. + +The default configuration is good enough for many cases, but configuring testing scope and adding brute-force + credentials is a good bet in any scenario. + +Running the Monkey on both the Island and on a few other machines in the network manually is also recommended, + as it increases coverage and propagation rates. + + +![Post breach configuration](/images/usage/scenarios/ids-test.png "Post breach configuration") + +## Assessing results + +After running the Monkey, follow the Monkeys’ actions on the Monkey Island’s infection map. + +Now you can match this activity from the Monkey timeline display to your internal SIEM and make sure your security + solutions are identifying and correctly alerting on different attacks. + +- The red arrows indicate successful exploitations. If you see red arrows, those incidents ought to be reported as + exploitation attempts, so check whether you are receiving alerts from your security systems as expected. +- The orange arrows indicate scanning activity, usually used by attackers to locate potential vulnerabilities. + If you see orange arrows, those incidents ought to be reported as scanning attempts (and possibly as segmentation violations). +- The blue arrows indicate tunneling activity, usually used by attackers to infiltrate “protected” networks from + the Internet. Perhaps someone is trying to bypass your firewall to gain access to a protected service in your network? + Check if your micro-segmentation / firewall solution identify or report anything. + +While running this scenario, be on the lookout for the action that should arise: + Did you get a phone call telling you about suspicious activity inside your network? Are events flowing + into your security events aggregators? Are you getting emails from your IR teams? + Is the endpoint protection software you installed on machines in the network reporting on anything? Are your + compliance scanners detecting anything wrong? + +Lastly, check Zero Trust and Mitre ATT&CK reports, to see which attacks can be executed on the network and how to + fix it. + + ![Map](/images/usage/scenarios/map-full-cropped.png "Map") + diff --git a/docs/content/usage/use-cases/network-breach.md b/docs/content/usage/use-cases/network-breach.md new file mode 100644 index 000000000..6f8a801b8 --- /dev/null +++ b/docs/content/usage/use-cases/network-breach.md @@ -0,0 +1,42 @@ +--- +title: "Network Breach" +date: 2020-08-12T13:04:55+03:00 +draft: true +weight: 1 +--- + +## Overview + +Whether it was the [Hex-men campaign](https://www.guardicore.com/2017/12/beware-the-hex-men/) that hit your +Internet-facing DB server, a [cryptomining operation that attacked your WordPress site](https://www.guardicore.com/2018/06/operation-prowli-traffic-manipulation-cryptocurrency-mining-2/) +or any other malicious campaign – the attackers are now trying to go deeper into your network. + +Infection Monkey will help you assess the impact of internal network breach, by trying to propagate within it + using service vulnerabilities, brute-forcing and other safe attack methods. + +## Configuration + +#### Important configuration values: +- **Exploits -> Exploits** You can review the exploits Infection Monkey will be using. By default all +safe exploiters are selected. +- **Exploits -> Credentials** This configuration value will be used for brute-forcing. We use most popular passwords + and usernames, but feel free to adjust it according to your native language and other factors. Keep in mind that long + lists means longer scanning times. +- **Network -> Scope** Make sure to properly configure the scope of the scan. You can select **Local network scan** + and allow Monkey to propagate until maximum **Scan depth**(hop count) is reached or you can fine tune it by providing + specific network ranges in **Scan target list**. Scanning local network is more realistic, but providing specific + targets will make scanning process substantially faster. +- **(Optional)Internal -> Network -> TCP scanner** You can add custom ports your organization is using. +- **(Optional)Monkey -> Post Breach Actions** If you only want to test propagation in the network, you can turn off +all post breach actions. These actions simulate attacker's behaviour after getting access to a new system, but in no + way helps to exploit new machines. + +![Exploiter selector](/images/usage/use-cases/network-breach.PNG "Exploiter selector") + +## Assessing results + +Check infection map and security report to see how far monkey managed to propagate in the network and which +vulnerabilities it used in doing so. If you left post breach actions selected, you should also check ATT&CK and +Zero Trust reports. + +![Map](/images/usage/use-cases/map-full-cropped.png "Map") diff --git a/docs/content/usage/use-cases/network-segmentation.md b/docs/content/usage/use-cases/network-segmentation.md new file mode 100644 index 000000000..2f45f6343 --- /dev/null +++ b/docs/content/usage/use-cases/network-segmentation.md @@ -0,0 +1,50 @@ +--- +title: "Network Segmentation" +date: 2020-08-12T13:05:05+03:00 +draft: true +weight: 3 +--- + +## Overview + +Segmentation is a method of creating secure zones in data centers and cloud deployments that allows companies to + isolate workloads from one another and secure them individually, typically using policies. + A useful way to test the effectiveness of your segmentation is to ensure that your network segments are + properly separated, e,g, your Development is separated from your Production, your applications are separated from one + another etc. To security test is to verify that your network segmentation is configured properly. This way you make + sure that even if a certain attacker has breached your defenses, it can’t move laterally from point A to point B. + +[Segmentation is key](https://www.guardicore.com/use-cases/micro-segmentation/) to protecting your network, reducing +the attack surface and minimizing the damage of a breach. The Monkey can help you test your segmentation settings with +its cross-segment traffic testing feature. + +## Configuration + +#### Important configuration values: + +- **Network -> Network analysis -> Network segmentation testing** This configuration setting allows you to define + subnets that should be segregated from each other. If any of provided networks can reach each other, you'll see it + in security report. +- **(Optional)Network -> Scope** You can disable **Local network scan** and leave other options by default if you only want to + test for network segmentation without any lateral movement. +- **(Optional)Monkey -> Post Breach Actions** If you only want to test segmentation in the network, you can turn off +all post breach actions. These actions simulate attacker's behaviour after getting access to a new system, so they + might trigger your defence solutions which will interrupt segmentation test. + +Execute Monkeys on machines in different subnetworks manually, by choosing “**1. Run Monkey**” from the left sidebar menu + and clicking on “**Run on machine of your choice**”. + Alternatively, you could provide valid credentials and allow Monkey to propagate to relevant subnetworks by itself. + + Note that if Monkey can't communicate to the Island, it will + not be able to send scan results, so make sure all machines can reach the island. + +![How to configure network segmentation testing](/images/usage/scenarios/segmentation-config.png "How to configure network segmentation testing") + + +## Assessing results + +Check infection map and security report for segmentation problems. Ideally, all scanned nodes should only have + edges with the Island Server. + +![Map](/images/usage/use-cases/segmentation-map.PNG "Map") + diff --git a/docs/content/usage/use-cases/other.md b/docs/content/usage/use-cases/other.md new file mode 100644 index 000000000..cb43ac553 --- /dev/null +++ b/docs/content/usage/use-cases/other.md @@ -0,0 +1,47 @@ +--- +title: "Other" +date: 2020-08-12T13:07:55+03:00 +draft: true +weight: 100 +--- + +## Overview + +This page provides additional information about configuring monkeys, tips and tricks and creative usage scenarios. + +## Tips and tricks + +- Every network has its old “skeleton keys” that should have long been discarded. Configure the Monkey with old and stale passwords, but make sure that they were really discarded using the Monkey. To add the old passwords, in the island’s configuration, go to the “Exploit password list” under “Basic - Credentials” and use the “+” button to add the old passwords to the configuration. For example, here we added a few extra passwords (and a username as well) to the configuration: + +![Exploit password and user lists](/images/usage/scenarios/user-password-lists.png "Exploit password and user lists") + +- To see the Monkey executing in real-time on your servers, add the **post-breach action** command: `wall “Infection Monkey was here”`. This post breach command will broadcast a message across all open terminals on the servers the Monkey breached, to achieve the following: Let you know the Monkey ran successfully on the server. let you follow the breach “live” alongside the infection map, and check which terminals are logged and monitored inside your network. See below: + +![How to configure post breach commands](/images/usage/scenarios/pba-example.png "How to configure post breach commands.") + + +## Assessing results + +After running the Monkey, follow the Monkeys’ actions on the Monkey Island’s infection map. + +Now you can match this activity from the Monkey timeline display to your internal SIEM and make sure your security + solutions are identifying and correctly alerting on different attacks. + +- The red arrows indicate successful exploitations. If you see red arrows, those incidents ought to be reported as + exploitation attempts, so check whether you are receiving alerts from your security systems as expected. +- The orange arrows indicate scanning activity, usually used by attackers to locate potential vulnerabilities. + If you see orange arrows, those incidents ought to be reported as scanning attempts (and possibly as segmentation violations). +- The blue arrows indicate tunneling activity, usually used by attackers to infiltrate “protected” networks from + the Internet. Perhaps someone is trying to bypass your firewall to gain access to a protected service in your network? + Check if your micro-segmentation / firewall solution identify or report anything. + +While running this scenario, be on the lookout for the action that should arise: + Did you get a phone call telling you about suspicious activity inside your network? Are events flowing + into your security events aggregators? Are you getting emails from your IR teams? + Is the endpoint protection software you installed on machines in the network reporting on anything? Are your + compliance scanners detecting anything wrong? + +Lastly, check Zero Trust and Mitre ATT&CK reports, to see which attacks can be executed on the network and how to + fix it. + + ![Map](/images/usage/scenarios/map-full-cropped.png "Map") diff --git a/docs/static/images/usage/use-cases/ids-test.PNG b/docs/static/images/usage/use-cases/ids-test.PNG new file mode 100644 index 000000000..1def39ff7 Binary files /dev/null and b/docs/static/images/usage/use-cases/ids-test.PNG differ diff --git a/docs/static/images/usage/use-cases/map-full-cropped.png b/docs/static/images/usage/use-cases/map-full-cropped.png new file mode 100644 index 000000000..eea42412b Binary files /dev/null and b/docs/static/images/usage/use-cases/map-full-cropped.png differ diff --git a/docs/static/images/usage/use-cases/network-breach.PNG b/docs/static/images/usage/use-cases/network-breach.PNG new file mode 100644 index 000000000..5dfd38ffb Binary files /dev/null and b/docs/static/images/usage/use-cases/network-breach.PNG differ diff --git a/docs/static/images/usage/use-cases/segmentation-map.PNG b/docs/static/images/usage/use-cases/segmentation-map.PNG new file mode 100644 index 000000000..9aba16060 Binary files /dev/null and b/docs/static/images/usage/use-cases/segmentation-map.PNG differ