p15693087
/
monkey
forked from p15670423/monkey
1
0
Fork 0
Code Issues Pull Requests 1 Projects Releases Wiki Activity

Updated scenario docs once more, removed IDS/IPS test scenario.

This commit is contained in:
VakarisZ 2020-10-23 17:46:23 +03:00
parent f9f70febfc
commit 68b6efa8b6
7 changed files with 59 additions and 149 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

44
docs/content/usage/use-cases/attack.md
View File

@ -1,44 +1,38 @@
---
title: "ATT&CK techniques"
title: "MITRE ATT&CK assessment"
date: 2020-10-22T16:58:22+03:00
draft: false
description: "Find issues related to Zero Trust Extended framework compliance."
weight: 1
description: "Assess your network security detection and prevention capabilities."
weight: 2
---
## Overview
Infection Monkey can simulate a number of realistic ATT&CK techniques on the network automatically. This will help you
assess the capabilities of your defensive solutions and see which ATT&CK techniques go unnoticed and how to prevent
them.
Infection Monkey can simulate various [ATT&CK](https://attack.mitre.org/matrices/enterprise/) techniques on the network.
Use it to assess your security solutions detection and prevention capabilities. Infection Monkey will help you find
which ATT&CK techniques go unnoticed and will provide recommendations about preventing them.
## Configuration
- **ATT&CK matrix** You can use ATT&CK configuration section to select which techniques you want to scan. Keep in mind
that ATT&CK matrix configuration just changes the overall configuration by modifying related fields, thus you should
start by modifying and saving the matrix. After that you can change credentials and scope of the scan, but exploiters,
post breach actions and other configuration values will be already chosen based on the ATT&CK matrix and shouldnt be
modified.
- **ATT&CK matrix** You can use ATT&CK configuration section to select which techniques you want the Monkey to simulate.
Leave default settings for the full simulation.
- **Exploits -> Credentials** This configuration value will be used for brute-forcing. We use most popular passwords
and usernames, but feel free to adjust it according to your native language and other factors. Keep in mind that long
lists means longer scanning times.
- **Network -> Scope** Make sure to properly configure the scope of the scan. You can select Local network scan and
allow Monkey to propagate until maximum Scan depth(hop count) is reached or you can fine tune it by providing specific
network ranges in Scan target list. Scanning the local network is more realistic, but providing specific targets will
make the scanning process substantially faster.
and usernames, but feel free to adjust it according to the default passwords used in your network. Keep in mind that
long lists means longer scanning times.
- **Network -> Scope** Disable “Local network scan” and instead provide specific network ranges in
the “Scan target list”.
![ATT&CK matrix](/images/usage/scenarios/attack-matrix.png "ATT&CK matrix")
## Suggested run mode
You should run the Monkey on network machines with defensive solutions you want to test.
A lot of ATT&CK techniques have a scope of a single node, so its important to manually run monkeys for better coverage.
Run the Infection Monkey on as many machines in your environment as you can to get a better assessment. This can be easily
achieved by selecting the “Manual” run option and executing the command shown on different machines in your environment
manually or with your deployment tool.
## Assessing results
See the **ATT&CK report** to assess results of ATT&CK techniques used in your network. Each technique in the result
matrix is colour coated according to its status. Click on any technique to see more details about it and potential
mitigations. Keep in mind that each technique display contains a question mark symbol that will take you to the
official documentation of ATT&CK technique, where you can learn more about it.
The **ATT&CK Report** shows the status of ATT&CK techniques simulations. Click on any technique to see more details
about it and potential mitigations. Keep in mind that each technique display contains a question mark symbol that
will take you to the official documentation of ATT&CK technique, where you can learn more about it.

15
docs/content/usage/use-cases/credential-leak.md
View File

@ -1,9 +1,9 @@
---
title: "Credential Leak"
title: "Credentials Leak"
date: 2020-08-12T13:04:25+03:00
draft: false
description: "Assess the impact of a successful phishing attack, insider threat, or other form of credentials leak."
weight: 4
weight: 5
---
## Overview
@ -26,17 +26,12 @@ To make sure SSH keys were gathered successfully, refresh the page and check thi
## Suggested run mode
To simulate the damage from a successful phishing attack using the Infection Monkey, choose machines in your network
from potentially problematic group of machines, such as the laptop of one of your heavy email users or
one of your strong IT users (think of people who are more likely to correspond with people outside of
your organization). Execute the Monkey on chosen machines by clicking on “**1. Run Monkey**” from the left sidebar menu
and choosing “**Run on machine of your choice**”. Since Infection Monkey is safe, feel free to run Monkeys as a
privileged user. Doing so will make sure that Monkey gathers credentials from a local machine.
Execute the Monkey on a chosen machine in your network using the “Manual” run option.
Run the Monkey as a privileged user to make sure it gathers as many credentials from the system as possible.
![Exploit password and user lists](/images/usage/scenarios/user-password-lists.png "Exploit password and user lists")
## Assessing results
To assess the impact of leaked credentials see Security report. It's possible, that credential leak resulted in even
To assess the impact of leaked credentials see Security report. It's possible that credential leak resulted in even
more leaked credentials, for that look into **Security report -> Stolen credentials**.

53
docs/content/usage/use-cases/ids-test.md
View File

@ -1,53 +0,0 @@
---
title: "IDS/IPS Test"
date: 2020-08-12T13:07:47+03:00
draft: false
description: "Test your network defence solutions."
weight: 5
---
## Overview
The Infection Monkey can help you verify that your security solutions are working the way you expected them to.
These may include your IR and SOC teams, your SIEM, your firewall, your endpoint security solution, and more.
## Configuration
- **Monkey -> Post breach** simulate the actions an attacker would make on an infected system.
To test something not present on the tool, you can provide your own file or command to be run.
The default configuration is good enough for many cases, but configuring testing scope and adding brute-force
credentials is a good bet in any scenario.
![Post breach configuration](/images/usage/use-cases/ids-test.PNG "Post breach configuration")
## Suggested run mode
Running the Monkey on both the Island and on a few other machines in the network manually is also recommended,
as it increases coverage and propagation rates.
## Assessing results
After running the Monkey, follow the Monkeys actions on the Monkey Islands infection map.
Now you can match this activity from the Monkey timeline display to your internal SIEM and make sure your security
solutions are identifying and correctly alerting on different attacks.
- The red arrows indicate successful exploitations. If you see red arrows, those incidents ought to be reported as
exploitation attempts, so check whether you are receiving alerts from your security systems as expected.
- The orange arrows indicate scanning activity, usually used by attackers to locate potential vulnerabilities.
If you see orange arrows, those incidents ought to be reported as scanning attempts (and possibly as segmentation violations).
- The blue arrows indicate tunneling activity, usually used by attackers to infiltrate “protected” networks from
the Internet. Perhaps someone is trying to bypass your firewall to gain access to a protected service in your network?
Check if your micro-segmentation / firewall solution identifies or reports anything.
While running this scenario, be on the lookout for the action that should arise:
Did you get a phone call telling you about suspicious activity inside your network? Are events flowing
into your security events aggregators? Are you getting emails from your IR teams?
Is the endpoint protection software you installed on machines in the network reporting on anything? Are your
compliance scanners detecting anything wrong?
Lastly, check Zero Trust and Mitre ATT&CK reports, to see which attacks can be executed on the network and how to
fix it.
![Map](/images/usage/use-cases/map-full-cropped.png "Map")

10
docs/content/usage/use-cases/network-breach.md
View File

@ -3,7 +3,7 @@ title: "Network Breach"
date: 2020-08-12T13:04:55+03:00
draft: false
description: "Simulate an internal network breach and assess the potential impact."
weight: 1
weight: 3
---
## Overview
@ -35,9 +35,11 @@ all post breach actions. These actions simulate attacker's behaviour after getti
## Suggested run mode
To simulate a foreign device you could introduce the Island server to the network and run monkey from it.
Alternatively, for a malicious agent simulation, you should run monkey manually on a machine thats already running in
the network. Combining both, as always, will give you the best coverage.
Decide which machines you want to simulate a breach on and use the “Manual” run option to start Monkeys there.
Use high privileges to run the Monkey to simulate an attacker that was able to elevate its privileges.
You could also simulate an attack initiated from an unidentified machine connected to the network (a technician
laptop, 3rd party vendor machine, etc) by running the Monkey on a dedicated machine with an IP in the network you
wish to test.
## Assessing results

18
docs/content/usage/use-cases/network-segmentation.md
View File

@ -2,18 +2,18 @@
title: "Network Segmentation"
date: 2020-08-12T13:05:05+03:00
draft: false
description: "Test network segmentation policies for apps that need ring fencing or tiers that require microsegmentation."
weight: 3
description: "Verify your network is properly segmented."
weight: 4
---
## Overview
Segmentation is a method of creating secure zones in data centers and cloud deployments that allows companies to
isolate workloads from one another and secure them individually, typically using policies. A useful way to test the
effectiveness of your segmentation is to ensure that your network segments are properly separated, e,g, your
Development is separated from your Production, your applications are separated from one another etc. To test the
security is to verify that your network segmentation is configured properly. This way you make sure that even if a
certain attacker has breached your defenses, it cant move laterally from point A to point B.
isolate workloads from one another and secure them individually, typically using policies. A useful way to test
the effectiveness of your segmentation is to ensure that your network segments are properly separated, e,g, your
Development is separated from your Production, your applications are separated from one another etc. Use the
Infection Monkey to verify that your network segmentation is configured properly. This way you make sure that
even if a certain attacker has breached your defenses, it cant move laterally between segments.
[Segmentation is key](https://www.guardicore.com/use-cases/micro-segmentation/) to protecting your network, reducing
the attack surface and minimizing the damage of a breach. The Monkey can help you test your segmentation settings with
@ -32,9 +32,7 @@ all post breach actions. These actions simulate attacker's behaviour after getti
## Suggested run mode
Execute Monkeys on machines in different subnetworks manually, by choosing “**1. Run Monkey**” from the left sidebar
menu and clicking on “**Run on machine of your choice**”.
Alternatively, you could provide valid credentials and allow Monkey to propagate to relevant subnetworks by itself.
Execute Monkeys on machines in different subnetworks using the “Manual” run option.
Note that if Monkey can't communicate to the Island, it will
not be able to send scan results, so make sure all machines can reach the island.

35
docs/content/usage/use-cases/other.md
View File

@ -16,11 +16,11 @@ If you want Monkey to run some kind of script or a tool after it breaches a mach
**Configuration -> Monkey -> Post breach**. Just input commands you want executed in the corresponding fields.
You can also upload files and call them through commands you entered in command fields.
## Speed and coverage
## Accelerate the test
There are some trivial ways to increase the coverage, for example you can **run the Monkey as a privileged user since
its safe**. To improve scanning speed you could **specify a subnet instead of scanning all of the local network**.
The following configuration values have a significant impact on speed/coverage:
To improve scanning speed you could **specify a subnet instead of scanning all of the local network**.
The following configuration values also have an impact on scanning speed:
- **Credentials** - the more usernames and passwords you input, the longer it will take the Monkey to scan machines having
remote access services. Monkeys try to stay elusive and leave a low impact, thus brute forcing takes longer than with
loud conventional tools.
@ -37,7 +37,7 @@ Security, ATT&CK and Zero Trust reports will be waiting for you!
## Persistent scanning
Use Monkey -> Persistent scanning configuration section to either have periodic scans or to increase reliability of
Use **Monkey -> Persistent** scanning configuration section to either have periodic scans or to increase reliability of
exploitations by running consecutive Infection Monkey scans.
## Credentials
@ -50,7 +50,6 @@ configuration:
![Exploit password and user lists](/images/usage/scenarios/user-password-lists.png "Exploit password and user lists")
## Check logged and monitored terminals
To see the Monkey executing in real-time on your servers, add the **post-breach action** command:
@ -60,27 +59,3 @@ Let you follow the breach “live” alongside the infection map, and check whic
inside your network. See below:
![How to configure post breach commands](/images/usage/scenarios/pba-example.png "How to configure post breach commands.")
## ATT&CK & Zero Trust scanning
You can use **ATT&CK** configuration section to select which techniques you want to scan. Keep in mind that ATT&CK
matrix configuration just changes the overall configuration by modifying related fields, thus you should start by
modifying and saving the matrix. After that you can change credentials and scope of the scan, but exploiters,
post breach actions and other configuration values will be already chosen based on ATT&CK matrix and shouldn't be
modified.
There's currently no way to configure monkey using Zero Trust framework, but regardless of configuration options,
you'll always be able to see ATT&CK and Zero Trust reports.
## Tips and tricks
- Use **Monkey -> Persistent scanning** configuration section to either have periodic scans or to increase
reliability of exploitations.
- To increase propagation run monkey as root/administrator. This will ensure that monkey will gather credentials
on current system and use them to move laterally.
- If you're scanning a large network, consider narrowing the scope and scanning it bit by bit if scan times become too
long. Lowering the amount of credentials, exploiters or post breach actions can also help to lower scanning times.

33
docs/content/usage/use-cases/zero-trust.md
View File

@ -2,24 +2,22 @@
title: "Zero Trust assessment"
date: 2020-10-22T16:58:09+03:00
draft: false
description: "See where you are in your Zero Trust journey."
weight: 0
description: "See where you stand in your Zero Trust journey."
weight: 1
---
## Overview
Infection Monkey can help assess your network compliance with Zero Trust Extended framework by checking for various
violations of Zero Trust principles.
Infection Monkey will help you assess your progress on your journey to achieve Zero Trust network.
The Infection Monkey will automatically assess your readiness across the different
[Zero Trust Extended Framework](https://www.forrester.com/report/The+Zero+Trust+eXtended+ZTX+Ecosystem/-/E-RES137210) principles.
## Configuration
- **Exploits -> Credentials** This configuration value will be used for brute-forcing. We use most popular passwords
and usernames, but feel free to adjust it according to your native language and other factors. Keep in mind that long
lists means longer scanning times.
- **Network -> Scope** Make sure to properly configure the scope of the scan. You can select Local network scan and
allow Monkey to propagate until maximum Scan depth(hop count) is reached or you can fine tune it by providing specific
network ranges in Scan target list. Scanning local network is more realistic, but providing specific targets will make
the scanning process substantially faster.
and usernames, but feel free to adjust it according to the default passwords used in your network.
Keep in mind that long lists means longer scanning times.
- **Network -> Scope** Disable “Local network scan” and instead provide specific network ranges in the “Scan target list”.
- **Network -> Network analysis -> Network segmentation testing** This configuration setting allows you to define
subnets that should be segregated from each other.
@ -30,14 +28,15 @@ for tips and tricks about other features and in-depth configuration parameters y
## Suggested run mode
Running Monkey from the Island alone will give you reasonable results, but to increase the coverage for segmentation
and single node tests make sure to run monkey manually on various machines in the network. The more machines monkey
runs on, the better the coverage.
Run the Monkey on as many machines as you can. This can be easily achieved by selecting the “Manual” run option and
executing the command shown on different machines in your environment manually or with your deployment tool.
In addition, you can use any other run options you see fit.
## Assessing results
See the results in the Zero Trust report section. “The Summary” section will give you an idea about which Zero Trust
pillars were tested, how many tests were done and test statuses. You can see more details below in the “Test Results”
section, where each test is sorted by pillars and principles it tests. To get even more details about what Monkey did,
go down to the “Findings” section and observe “Events” of different findings. “Events” will tell you what exactly
Infection Monkey did and when it was done, to make it easy to cross reference it with your defensive solutions.
pillars were tested, how many tests were done and test statuses. Specific tests are described in the “Test Results”
section. The “Findings” section shows details about the Monkey actions. Click on “Events” of different findings to
observe what exactly Infection Monkey did and when it was done. This should make it easy to cross reference events
with your security solutions and alerts/logs.