diff --git a/docs/content/usage/scenarios/_index.md b/docs/content/usage/scenarios/_index.md new file mode 100644 index 000000000..dedaf554c --- /dev/null +++ b/docs/content/usage/scenarios/_index.md @@ -0,0 +1,29 @@ ++++ +title = "Scenarios" +date = 2020-08-12T12:52:59+03:00 +weight = 3 +chapter = true +pre = " " ++++ + +# Scenarios + +This section describes the different attack scenarios that the Infection Monkey can simulate. + +{{% notice note %}} +Don't worry! The Infection Monkey uses safe exploiters and does not cause any permanent system modifications that could impact security or operations. +{{% /notice %}} + +The Infection Monkey has pre-built scenarios to simulate common types of attacks that take place. These scenarios, when selected, manipulate the configuration to only show you what you need to see for that scenario. This makes it possible for you to quickly run the Monkey on your network in order to accomplish a specific objective. + +Choosing the "Custom" scenario will allow you to fine-tune your simulation and access all available features. [Read more about configuring a custom simulation.](/custom-scenario/_index.md) + +![Choose scenario](/images/usage/scenarios/choose-scenario.png "Choose a scenario") + +To exit a scenario and select another one, click on "Start Over". + +![Start over](/images/usage/scenarios/start-over.png "Start over") + +## Section contents + +{{% children description=True style="p"%}} diff --git a/docs/content/usage/scenarios/custom-scenario/_index.md b/docs/content/usage/scenarios/custom-scenario/_index.md new file mode 100644 index 000000000..43d79c9c4 --- /dev/null +++ b/docs/content/usage/scenarios/custom-scenario/_index.md 
@@ -0,0 +1,18 @@ +--- +title: " Custom" +date: 2021-07-28T14:36:02+05:30 +description: "Configure a custom scenario to test your network's defenses." +weight: 100 +pre: "" +chapter: true +--- + +# Custom + +The Infection Monkey is a versatile breach and attack simulation tool. Choosing the "Custom" scenario will allow you to access all of its capabilities and configure the simulation exactly according to your needs. You can enhance, optimize, and fine-tune the Monkey's behavior. + +![Custom scenario](/images/usage/scenarios/custom-scenario.png "Custom scenario") + +Below are some examples with instructions on how to configure them. + +{{% children description=True style="p"%}} diff --git a/docs/content/usage/use-cases/attack.md b/docs/content/usage/scenarios/custom-scenario/attack.md similarity index 98% rename from docs/content/usage/use-cases/attack.md rename to docs/content/usage/scenarios/custom-scenario/attack.md index bc13181cc..476a8183e 100644 --- a/docs/content/usage/use-cases/attack.md +++ b/docs/content/usage/scenarios/custom-scenario/attack.md 
@@ -6,14 +6,14 @@ description: "Assess your network security detection and prevention capabilities weight: 2 --- -## Overview +## Overview The Infection Monkey can simulate various [ATT&CK](https://attack.mitre.org/matrices/enterprise/) techniques on the network. Use it to assess your security solutions' detection and prevention capabilities. The Infection Monkey will help you find which ATT&CK techniques go unnoticed and provide specific details along with suggested mitigations. ## Configuration -- **ATT&CK matrix** You can use the ATT&CK configuration section to select which techniques you want the Infection Monkey to simulate. +- **ATT&CK matrix** You can use the ATT&CK configuration section to select which techniques you want the Infection Monkey to simulate. For the full simulation, use the default settings. - **Exploits -> Credentials** This configuration value will be used for brute-forcing. The Infection Monkey uses the most popular default passwords and usernames, but feel free to adjust it according to the default passwords common in your network. Keep in mind a longer list means longer scanning times. - **Network -> Scope** Disable “Local network scan” and instead provide specific network ranges in the “Scan target list”. diff --git a/docs/content/usage/use-cases/credential-leak.md b/docs/content/usage/scenarios/custom-scenario/credential-leak.md similarity index 91% rename from docs/content/usage/use-cases/credential-leak.md rename to docs/content/usage/scenarios/custom-scenario/credential-leak.md index fa740b3a9..a2cc0b8ce 100644 --- a/docs/content/usage/use-cases/credential-leak.md +++ b/docs/content/usage/scenarios/custom-scenario/credential-leak.md 
@@ -6,30 +6,30 @@ description: "Assess the impact of a successful phishing attack, insider threat, weight: 5 --- -## Overview +## Overview -Numerous attack techniques (from phishing to dumpster diving) might result in a credential leak, +Numerous attack techniques (from phishing to dumpster diving) might result in a credential leak, which can be **extremely costly** as demonstrated in our report [IResponse to IEncrypt](https://www.guardicore.com/2019/04/iresponse-to-iencrypt/). -The Infection Monkey can help you assess the impact of stolen credentials by automatically searching +The Infection Monkey can help you assess the impact of stolen credentials by automatically searching where bad actors can reuse these credentials in your network. ## Configuration -- **Exploits -> Credentials** After setting up the Monkey Island, add your users' **real** credentials +- **Exploits -> Credentials** After setting up the Monkey Island, add your users' **real** credentials (usernames and passwords) here. Don't worry; this sensitive data is not accessible, distributed or used in any way other than being sent to the Infection Monkey agents. You can easily eliminate it by resetting the configuration of your Monkey Island. -- **Internal -> Exploits -> SSH keypair list** When enabled, the Infection Monkey automatically gathers SSH keys on the current system. +- **Internal -> Exploits -> SSH keypair list** When enabled, the Infection Monkey automatically gathers SSH keys on the current system. For this to work, the Monkey Island or initial agent needs to access SSH key files. To make sure SSH keys were gathered successfully, refresh the page and check this configuration value after you run the Infection Monkey (content of keys will not be displayed, it will appear as ``). ## Suggested run mode -Execute the Infection Monkey on a chosen machine in your network using the “Manual” run option. +Execute the Infection Monkey on a chosen machine in your network using the “Manual” run option. 
Run the Infection Monkey as a privileged user to make sure it gathers as many credentials from the system as possible. ![Exploit password and user lists](/images/usage/scenarios/user-password-lists.png "Exploit password and user lists") ## Assessing results -To assess the impact of leaked credentials see the Security report. Examine **Security report -> Stolen credentials** to confirm. +To assess the impact of leaked credentials see the Security report. Examine **Security report -> Stolen credentials** to confirm. diff --git a/docs/content/usage/use-cases/network-breach.md b/docs/content/usage/scenarios/custom-scenario/network-breach.md similarity index 82% rename from docs/content/usage/use-cases/network-breach.md rename to docs/content/usage/scenarios/custom-scenario/network-breach.md index ff6885100..22fc3b9dc 100644 --- a/docs/content/usage/use-cases/network-breach.md +++ b/docs/content/usage/scenarios/custom-scenario/network-breach.md @@ -6,7 +6,7 @@ description: "Simulate an internal network breach and assess the potential impac weight: 3 --- -## Overview +## Overview From the [Hex-Men campaign](https://www.guardicore.com/2017/12/beware-the-hex-men/) that hit internet-facing DB servers to a [cryptomining operation that attacks WordPress sites](https://www.guardicore.com/2018/06/operation-prowli-traffic-manipulation-cryptocurrency-mining-2/) or any other malicious campaign – attackers are now trying to go deeper into your network. 
@@ -15,15 +15,15 @@ Infection Monkey will help you assess the impact of a future breach by attemptin ## Configuration -- **Exploits -> Exploits** Here you can review the exploits the Infection Monkey will be using. By default all +- **Exploits -> Exploits** Here you can review the exploits the Infection Monkey will be using. By default all safe exploiters are selected. - **Exploits -> Credentials** This configuration value will be used for brute-forcing. The Infection Monkey uses the most popular default passwords and usernames, but feel free to adjust it according to the default passwords common in your network. Keep in mind a longer list means longer scanning times. - **Network -> Scope** Make sure to properly configure the scope of the scan. You can select **Local network scan** - and allow Monkey to propagate until maximum **Scan depth**(hop count) is reached, or you can fine tune it by providing - specific network ranges in **Scan target list**. Scanning a local network is more realistic, but providing specific + and allow Monkey to propagate until maximum **Scan depth**(hop count) is reached, or you can fine tune it by providing + specific network ranges in **Scan target list**. Scanning a local network is more realistic, but providing specific targets will make the scanning process substantially faster. - **(Optional) Internal -> Network -> TCP scanner** Here you can add custom ports your organization is using. -- **(Optional) Monkey -> Post-Breach Actions** If you only want to test propagation in the network, you can turn off +- **(Optional) Monkey -> Post-Breach Actions** If you only want to test propagation in the network, you can turn off all post-breach actions. These actions simulate an attacker's behavior after getting access to a new system but in no way helps the Infection Monkey exploit new machines. 
@@ -31,17 +31,17 @@ all post-breach actions. These actions simulate an attacker's behavior after get ## Suggested run mode -Decide which machines you want to simulate a breach on and use the “Manual” run option to start the Infection Monkey on them. -Use administrative privileges to run the Infection Monkey to simulate an attacker that was able to elevate their privileges. -You could also simulate an attack initiated from an unidentified machine connected to the network (e.g., a technician -laptop or third-party vendor machine) by running the Infection Monkey on a dedicated machine with an IP in the network you +Decide which machines you want to simulate a breach on and use the “Manual” run option to start the Infection Monkey on them. +Use administrative privileges to run the Infection Monkey to simulate an attacker that was able to elevate their privileges. +You could also simulate an attack initiated from an unidentified machine connected to the network (e.g., a technician +laptop or third-party vendor machine) by running the Infection Monkey on a dedicated machine with an IP in the network you wish to test. ## Assessing results -Check the infection map and Security report to see how far The Infection Monkey managed to propagate in your network and which -vulnerabilities it successfully exploited. If you left post-breach actions selected, you should also check the MITRE ATT&CK and +Check the infection map and Security report to see how far The Infection Monkey managed to propagate in your network and which +vulnerabilities it successfully exploited. If you left post-breach actions selected, you should also check the MITRE ATT&CK and Zero Trust reports for more details. ![Map](/images/usage/use-cases/map-full-cropped.png "Map") 
diff --git a/docs/content/usage/use-cases/network-segmentation.md b/docs/content/usage/scenarios/custom-scenario/network-segmentation.md similarity index 95% rename from docs/content/usage/use-cases/network-segmentation.md rename to docs/content/usage/scenarios/custom-scenario/network-segmentation.md index 0f03b66a1..87fe24f24 100644 --- a/docs/content/usage/use-cases/network-segmentation.md +++ b/docs/content/usage/scenarios/custom-scenario/network-segmentation.md @@ -6,7 +6,7 @@ description: "Verify your network is properly segmented." weight: 4 --- -## Overview +## Overview Segmentation is a method of creating secure zones in data centers and cloud deployments. It allows organizations to isolate workloads from one another and secure them individually, typically using policies. A useful way to test your company's segmentation effectiveness is to ensure that your network segments are properly separated (e.g., your development environment is isolated from your production environment and your applications are isolated from one another). 
@@ -18,15 +18,15 @@ You can use the Infection Monkey's cross-segment traffic feature to verify that ## Configuration - **Network -> Network analysis -> Network segmentation testing** This configuration setting allows you to define - subnets that should be segregated from each other. If any of the provided networks can reach each other, you'll see it + subnets that should be segregated from each other. If any of the provided networks can reach each other, you'll see it in the security report. - **(Optional) Network -> Scope** You can disable **Local network scan** and leave all other options at the default setting if you only want to test for network segmentation without any lateral movement. - **(Optional) Monkey -> Post-Breach Actions** If you only want to test segmentation in the network, you can turn off all post-breach actions. These actions simulate an attacker's behavior after getting access to a new system, so they might trigger your defense solutions and interrupt the segmentation test. ## Suggested run mode -Execute The Infection Monkey on machines in different subnetworks using the “Manual” run option. - +Execute The Infection Monkey on machines in different subnetworks using the “Manual” run option. + Note that if the Infection Monkey can't communicate to the Monkey Island, it will not be able to send scan results, so make sure all machines can reach the the Monkey Island. diff --git a/docs/content/usage/use-cases/other.md b/docs/content/usage/scenarios/custom-scenario/other.md similarity index 88% rename from docs/content/usage/use-cases/other.md rename to docs/content/usage/scenarios/custom-scenario/other.md index c22bb0296..456b0486c 100644 --- a/docs/content/usage/use-cases/other.md +++ b/docs/content/usage/scenarios/custom-scenario/other.md 
@@ -6,23 +6,23 @@ description: "Tips and tricks about configuring Monkeys for your needs." weight: 100 --- -## Overview +## Overview This page provides additional information about configuring the Infection Monkey, tips and tricks and creative usage scenarios. ## Custom behaviour -If you want the Infection Monkey to run a specific script or tool after it breaches a machine, you can configure it in -**Configuration -> Monkey -> Post-breach**. Input commands you want to execute in the corresponding fields. +If you want the Infection Monkey to run a specific script or tool after it breaches a machine, you can configure it in +**Configuration -> Monkey -> Post-breach**. Input commands you want to execute in the corresponding fields. You can also upload files and call them through the commands you entered. ## Accelerate the test -To improve scanning speed you could **specify a subnet instead of scanning all of the local network**. +To improve scanning speed you could **specify a subnet instead of scanning all of the local network**. The following configuration values also have an impact on scanning speed: - **Credentials** - The more usernames and passwords you input, the longer it will take the Infection Monkey to scan machines that have remote access services. The Infection Monkey agents try to stay elusive and leave a low impact, and thus brute-forcing takes longer than with loud conventional tools. -- **Network scope** - Scanning large networks with a lot of propagations can become unwieldy. Instead, try to scan your +- **Network scope** - Scanning large networks with a lot of propagations can become unwieldy. Instead, try to scan your networks bit by bit with multiple runs. - **Post-breach actions** - If you only care about propagation, you can disable most of these. - **Internal -> TCP scanner** - Here you can trim down the list of ports the Infection Monkey tries to scan, improving performance. 
@@ -37,7 +37,7 @@ Use **Monkey -> Persistent** scanning configuration section to either run period ## Credentials -Every network has its old "skeleton keys" that it should have long discarded. Configuring the Infection Monkey with old and stale passwords will enable you to ensure they were really discarded. +Every network has its old "skeleton keys" that it should have long discarded. Configuring the Infection Monkey with old and stale passwords will enable you to ensure they were really discarded. To add the old passwords, go to the Monkey Island's **Exploit password list** under **Basic - Credentials** and use the "+" button to add the old passwords to the configuration. For example, here we added a few extra passwords (and a username as well) to the configuration: @@ -45,9 +45,9 @@ To add the old passwords, go to the Monkey Island's **Exploit password list** un ## Check logged and monitored terminals -To see the Infection Monkey executing in real-time on your servers, add the **post-breach action** command: -`wall “Infection Monkey was here”`. This post-breach command will broadcast a message across all open terminals on the servers the Infection Monkey breached to achieve the following: -- Let you know the Monkey ran successfully on the server. +To see the Infection Monkey executing in real-time on your servers, add the **post-breach action** command: +`wall “Infection Monkey was here”`. This post-breach command will broadcast a message across all open terminals on the servers the Infection Monkey breached to achieve the following: +- Let you know the Monkey ran successfully on the server. - Let you follow the breach “live” alongside the infection map. - Check which terminals are logged and monitored inside your network. 
diff --git a/docs/content/usage/use-cases/zero-trust.md b/docs/content/usage/scenarios/custom-scenario/zero-trust.md similarity index 100% rename from docs/content/usage/use-cases/zero-trust.md rename to docs/content/usage/scenarios/custom-scenario/zero-trust.md diff --git a/docs/content/usage/use-cases/ransomware-simulation.md b/docs/content/usage/scenarios/ransomware-simulation.md similarity index 88% rename from docs/content/usage/use-cases/ransomware-simulation.md rename to docs/content/usage/scenarios/ransomware-simulation.md index 7aaccb9d1..48ebc3ec5 100644 --- a/docs/content/usage/use-cases/ransomware-simulation.md +++ b/docs/content/usage/scenarios/ransomware-simulation.md @@ -1,33 +1,15 @@ --- -title: "Ransomware Simulation" +title: " Ransomware Simulation" date: 2021-06-23T18:13:59+05:30 draft: true -weight: 10 +description: "Simulate a ransomware attack on your network and assess the potential damage." +weight: 1 +pre: "" --- The Infection Monkey is capable of simulating a ransomware attack on your network using a set of configurable behaviors. -## Leaving a README.txt file - -Many ransomware packages leave a README.txt file on the victim machine with an -explanation of what has occurred and instructions for paying the attacker. -The Infection Monkey can also leave a README.txt file in the target directory on -the victim machine in order to replicate this behavior. This can be enabled or -disabled by checking the box on the configuration screen. Note that if no -target directory is specified for encryption, the Infection Monkey will not -leave a README.txt file. - - - -The README.txt file informs the user that a ransomware simulation has taken -place and that they should contact their administrator. The contents of the -file can be found -[here](https://github.com/guardicore/monkey/tree/develop/monkey/infection_monkey/ransomware/ransomware_readme.txt). - - - - ## Encryption 
@@ -55,7 +37,7 @@ To ensure minimum interference and easy recoverability, the ransomware simulation will only encrypt files contained in a user-specified directory. If no directory is specified, no files will be encrypted. - +![Ransomware configuration](/images/usage/scenarios/ransomware-config.png "Ransomware configuration") ### How are the files encrypted? @@ -164,3 +146,16 @@ BitDefender](https://labs.bitdefender.com/2017/07/a-technical-look-into-the-gold - .xlsx - .xvd - .zip + + +## Leaving a README.txt file + +Many ransomware packages leave a README.txt file on the victim machine with an +explanation of what has occurred and instructions for paying the attacker. +The Infection Monkey will also leave a README.txt file in the target directory on +the victim machine in order to replicate this behavior. + +The README.txt file informs the user that a ransomware simulation has taken +place and that they should contact their administrator. The contents of the +file can be found +[here](https://github.com/guardicore/monkey/tree/develop/monkey/infection_monkey/ransomware/ransomware_readme.txt). diff --git a/docs/content/usage/use-cases/_index.md b/docs/content/usage/use-cases/_index.md deleted file mode 100644 index d15d6b3c6..000000000 --- a/docs/content/usage/use-cases/_index.md +++ /dev/null @@ -1,20 +0,0 @@ -+++ -title = "Use Cases" -date = 2020-08-12T12:52:59+03:00 -weight = 3 -chapter = true -pre = " " -+++ - -# Use cases - -This section describes possible use cases for the Infection Monkey and how you can configure the tool. -You can also refer to [our FAQ](../../faq) for more specific questions and answers. - -{{% notice note %}} -Don't worry! The Infection Monkey uses safe exploiters and does not cause any permanent system modifications that could impact security or operations. -{{% /notice %}} - -## Section contents - -{{% children description=True style="p"%}} 
diff --git a/docs/static/images/usage/scenarios/choose-scenario.png b/docs/static/images/usage/scenarios/choose-scenario.png new file mode 100644 index 000000000..31966486d Binary files /dev/null and b/docs/static/images/usage/scenarios/choose-scenario.png differ diff --git a/docs/static/images/usage/scenarios/custom-scenario.png b/docs/static/images/usage/scenarios/custom-scenario.png new file mode 100644 index 000000000..64426db7b Binary files /dev/null and b/docs/static/images/usage/scenarios/custom-scenario.png differ diff --git a/docs/static/images/usage/scenarios/ransomware-config.png b/docs/static/images/usage/scenarios/ransomware-config.png new file mode 100644 index 000000000..5fe00841b Binary files /dev/null and b/docs/static/images/usage/scenarios/ransomware-config.png differ diff --git a/docs/static/images/usage/scenarios/start-over.png b/docs/static/images/usage/scenarios/start-over.png new file mode 100644 index 000000000..60deecfa1 Binary files /dev/null and b/docs/static/images/usage/scenarios/start-over.png differ diff --git a/monkey/monkey_island/cc/ui/src/components/pages/LandingPage.tsx b/monkey/monkey_island/cc/ui/src/components/pages/LandingPage.tsx index cd3d73d8c..156489c22 100644 --- a/monkey/monkey_island/cc/ui/src/components/pages/LandingPage.tsx +++ b/monkey/monkey_island/cc/ui/src/components/pages/LandingPage.tsx @@ -91,12 +91,11 @@ function MonkeyInfo() { } function ScenarioInfo() { - // TODO change link when scenarios are added to documentation return ( <>
Check the Infection Monkey documentation hub for more information - on + on scenarios .
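Review bot: In the new docs/content/usage/scenarios/_index.md, the link `[Read more about configuring a custom simulation.](/custom-scenario/_index.md)` points at a root-absolute source path, which will not resolve on the rendered site; the page being linked lives at docs/content/usage/scenarios/custom-scenario/_index.md, so a relative target such as `custom-scenario/` (or a Hugo `ref` shortcode) is needed. The same hunk leaves `pre = " "` as a blank placeholder; either set the intended icon or drop the key.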
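Review bot: In docs/content/usage/scenarios/custom-scenario/_index.md the front matter has `title: " Custom"` with a leading space and an empty `pre: ""`, which looks like a leftover from removed icon markup; trim the title and either fill `pre` or remove it so the sidebar entry is not rendered with stray whitespace.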
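Review bot: In the credential-leak.md hunk, the rewrapped SSH keypair paragraph ends with "it will appear as ``", an empty inline code span; the placeholder that tells the reader what the hidden key content looks like in the UI is missing and should be restored so the instruction is usable.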
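Review bot: In the network-segmentation.md hunk, the trailing context line still reads "make sure all machines can reach the the Monkey Island"; since this paragraph is being touched for whitespace anyway, fix the doubled "the" in the same change.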
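Review bot: In the second other.md hunk, the post-breach command is given as `wall “Infection Monkey was here”` with typographic quotes inside a code span; a reader who copies it into the configuration will hand the curly quote characters to the shell rather than a quoted string. Use straight quotes, e.g. `wall "Infection Monkey was here"`, in both the old and new text.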
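Review bot: In the first ransomware-simulation.md hunk, the README.txt section is moved and reworded from "can also leave" to "will also leave", and the sentences stating that the behavior is toggled by a checkbox and that no README.txt is written when no target directory is specified are dropped; since the Encryption section still says no files are encrypted without a target directory, the reader can no longer tell what happens to the README in that case. Keep those sentences unless the behavior actually changed. The same hunk leaves `draft: true` while giving the page `weight: 1` and a description, so confirm whether the page is meant to be published now; the title `" Ransomware Simulation"` also gains a leading space.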
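Review bot: Deleting docs/content/usage/use-cases/_index.md removes the `[our FAQ](../../faq)` pointer that the new Scenarios index does not carry over, and it breaks any existing link to the use-cases URL; consider restoring the FAQ sentence in scenarios/_index.md and adding an `aliases` entry in its front matter so the old path redirects to the new section.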
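Review bot: In the LandingPage.tsx hunk, the removed comment "TODO change link when scenarios are added to documentation" implies the href should now point at the new scenarios docs, but the only visible change around it is the whitespace on the "on" line; confirm the link target itself was updated in this change, since the hunk as shown does not include it.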