forked from p15670423/monkey
Updated scenario docs once more, removed IDS/IPS test scenario.
parent
f9f70febfc
commit
68b6efa8b6
|
@ -1,44 +1,38 @@
|
||||||
---
|
---
|
||||||
title: "ATT&CK techniques"
|
title: "MITRE ATT&CK assessment"
|
||||||
date: 2020-10-22T16:58:22+03:00
|
date: 2020-10-22T16:58:22+03:00
|
||||||
draft: false
|
draft: false
|
||||||
description: "Find issues related to Zero Trust Extended framework compliance."
|
description: "Assess your network security detection and prevention capabilities."
|
||||||
weight: 1
|
weight: 2
|
||||||
---
|
---
|
||||||
|
|
||||||
## Overview
|
## Overview
|
||||||
|
|
||||||
Infection Monkey can simulate a number of realistic ATT&CK techniques on the network automatically. This will help you
|
Infection Monkey can simulate various [ATT&CK](https://attack.mitre.org/matrices/enterprise/) techniques on the network.
|
||||||
assess the capabilities of your defensive solutions and see which ATT&CK techniques go unnoticed and how to prevent
|
Use it to assess your security solutions’ detection and prevention capabilities. Infection Monkey will help you find
|
||||||
them.
|
which ATT&CK techniques go unnoticed and will provide recommendations about preventing them.
|
||||||
|
|
||||||
|
|
||||||
## Configuration
|
## Configuration
|
||||||
|
|
||||||
- **ATT&CK matrix** You can use ATT&CK configuration section to select which techniques you want to scan. Keep in mind
|
- **ATT&CK matrix** You can use ATT&CK configuration section to select which techniques you want the Monkey to simulate.
|
||||||
that ATT&CK matrix configuration just changes the overall configuration by modifying related fields, thus you should
|
Leave default settings for the full simulation.
|
||||||
start by modifying and saving the matrix. After that you can change credentials and scope of the scan, but exploiters,
|
|
||||||
post breach actions and other configuration values will be already chosen based on the ATT&CK matrix and shouldn’t be
|
|
||||||
modified.
|
|
||||||
- **Exploits -> Credentials** This configuration value will be used for brute-forcing. We use most popular passwords
|
- **Exploits -> Credentials** This configuration value will be used for brute-forcing. We use most popular passwords
|
||||||
and usernames, but feel free to adjust it according to your native language and other factors. Keep in mind that long
|
and usernames, but feel free to adjust it according to the default passwords used in your network. Keep in mind that
|
||||||
lists means longer scanning times.
|
long lists means longer scanning times.
|
||||||
- **Network -> Scope** Make sure to properly configure the scope of the scan. You can select Local network scan and
|
- **Network -> Scope** Disable “Local network scan” and instead provide specific network ranges in
|
||||||
allow Monkey to propagate until maximum Scan depth(hop count) is reached or you can fine tune it by providing specific
|
the “Scan target list”.
|
||||||
network ranges in Scan target list. Scanning the local network is more realistic, but providing specific targets will
|
|
||||||
make the scanning process substantially faster.
|
|
||||||
|
|
||||||
![ATT&CK matrix](/images/usage/scenarios/attack-matrix.png "ATT&CK matrix")
|
![ATT&CK matrix](/images/usage/scenarios/attack-matrix.png "ATT&CK matrix")
|
||||||
|
|
||||||
## Suggested run mode
|
## Suggested run mode
|
||||||
|
|
||||||
You should run the Monkey on network machines with defensive solutions you want to test.
|
Run the Infection Monkey on as many machines in your environment as you can to get a better assessment. This can be easily
|
||||||
|
achieved by selecting the “Manual” run option and executing the command shown on different machines in your environment
|
||||||
A lot of ATT&CK techniques have a scope of a single node, so it’s important to manually run monkeys for better coverage.
|
manually or with your deployment tool.
|
||||||
|
|
||||||
## Assessing results
|
## Assessing results
|
||||||
|
|
||||||
See the **ATT&CK report** to assess results of ATT&CK techniques used in your network. Each technique in the result
|
The **ATT&CK Report** shows the status of ATT&CK techniques simulations. Click on any technique to see more details
|
||||||
matrix is colour coated according to it’s status. Click on any technique to see more details about it and potential
|
about it and potential mitigations. Keep in mind that each technique display contains a question mark symbol that
|
||||||
mitigations. Keep in mind that each technique display contains a question mark symbol that will take you to the
|
will take you to the official documentation of ATT&CK technique, where you can learn more about it.
|
||||||
official documentation of ATT&CK technique, where you can learn more about it.
|
|
||||||
|
|
||||||
|
|
|
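Review bot: The new Configuration text ("Leave default settings for the full simulation.") drops the caveat from the removed lines that saving the ATT&CK matrix rewrites the exploiter, post-breach and other configuration fields, and that those fields should not be edited afterwards. If that behaviour still holds, readers who change exploiters after saving the matrix will silently get a different simulation than they selected, so keep a one-line warning such as "Saving the matrix updates the related exploiter and post-breach settings; change credentials and scope afterwards, but leave those fields as set." Two smaller points in the same hunk: "You can use ATT&CK configuration section" needs "the", and "long lists means longer scanning times" should read "long lists mean longer scanning times" (the same phrase appears in the Zero Trust page hunk below).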
@ -1,9 +1,9 @@
|
||||||
---
|
---
|
||||||
title: "Credential Leak"
|
title: "Credentials Leak"
|
||||||
date: 2020-08-12T13:04:25+03:00
|
date: 2020-08-12T13:04:25+03:00
|
||||||
draft: false
|
draft: false
|
||||||
description: "Assess the impact of a successful phishing attack, insider threat, or other form of credentials leak."
|
description: "Assess the impact of a successful phishing attack, insider threat, or other form of credentials leak."
|
||||||
weight: 4
|
weight: 5
|
||||||
---
|
---
|
||||||
|
|
||||||
## Overview
|
## Overview
|
||||||
|
@ -26,17 +26,12 @@ To make sure SSH keys were gathered successfully, refresh the page and check thi
|
||||||
|
|
||||||
## Suggested run mode
|
## Suggested run mode
|
||||||
|
|
||||||
To simulate the damage from a successful phishing attack using the Infection Monkey, choose machines in your network
|
Execute the Monkey on a chosen machine in your network using the “Manual” run option.
|
||||||
from potentially problematic group of machines, such as the laptop of one of your heavy email users or
|
Run the Monkey as a privileged user to make sure it gathers as many credentials from the system as possible.
|
||||||
one of your strong IT users (think of people who are more likely to correspond with people outside of
|
|
||||||
your organization). Execute the Monkey on chosen machines by clicking on “**1. Run Monkey**” from the left sidebar menu
|
|
||||||
and choosing “**Run on machine of your choice**”. Since Infection Monkey is safe, feel free to run Monkeys as a
|
|
||||||
privileged user. Doing so will make sure that Monkey gathers credentials from a local machine.
|
|
||||||
|
|
||||||
|
|
||||||
![Exploit password and user lists](/images/usage/scenarios/user-password-lists.png "Exploit password and user lists")
|
![Exploit password and user lists](/images/usage/scenarios/user-password-lists.png "Exploit password and user lists")
|
||||||
|
|
||||||
## Assessing results
|
## Assessing results
|
||||||
|
|
||||||
To assess the impact of leaked credentials see Security report. It's possible, that credential leak resulted in even
|
To assess the impact of leaked credentials see Security report. It's possible that credential leak resulted in even
|
||||||
more leaked credentials, for that look into **Security report -> Stolen credentials**.
|
more leaked credentials, for that look into **Security report -> Stolen credentials**.
|
||||||
|
|
|
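Review bot: The rewritten Suggested run mode loses the scenario-specific guidance on which machine to start from (the removed lines named heavy email users and people who correspond with external parties, i.e. likely phishing victims). "Execute the Monkey on a chosen machine in your network" gives no criterion for the choice, so consider keeping a short version, for example "Choose a machine that is a likely phishing target, such as the laptop of a heavy email user." In the unchanged context line, "It's possible that credential leak resulted in even more leaked credentials" still needs an article ("a credential leak").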
@ -1,53 +0,0 @@
|
||||||
---
|
|
||||||
title: "IDS/IPS Test"
|
|
||||||
date: 2020-08-12T13:07:47+03:00
|
|
||||||
draft: false
|
|
||||||
description: "Test your network defence solutions."
|
|
||||||
weight: 5
|
|
||||||
---
|
|
||||||
|
|
||||||
## Overview
|
|
||||||
|
|
||||||
The Infection Monkey can help you verify that your security solutions are working the way you expected them to.
|
|
||||||
These may include your IR and SOC teams, your SIEM, your firewall, your endpoint security solution, and more.
|
|
||||||
|
|
||||||
## Configuration
|
|
||||||
|
|
||||||
- **Monkey -> Post breach** simulate the actions an attacker would make on an infected system.
|
|
||||||
To test something not present on the tool, you can provide your own file or command to be run.
|
|
||||||
|
|
||||||
The default configuration is good enough for many cases, but configuring testing scope and adding brute-force
|
|
||||||
credentials is a good bet in any scenario.
|
|
||||||
|
|
||||||
![Post breach configuration](/images/usage/use-cases/ids-test.PNG "Post breach configuration")
|
|
||||||
|
|
||||||
## Suggested run mode
|
|
||||||
Running the Monkey on both the Island and on a few other machines in the network manually is also recommended,
|
|
||||||
as it increases coverage and propagation rates.
|
|
||||||
|
|
||||||
## Assessing results
|
|
||||||
|
|
||||||
After running the Monkey, follow the Monkeys’ actions on the Monkey Island’s infection map.
|
|
||||||
|
|
||||||
Now you can match this activity from the Monkey timeline display to your internal SIEM and make sure your security
|
|
||||||
solutions are identifying and correctly alerting on different attacks.
|
|
||||||
|
|
||||||
- The red arrows indicate successful exploitations. If you see red arrows, those incidents ought to be reported as
|
|
||||||
exploitation attempts, so check whether you are receiving alerts from your security systems as expected.
|
|
||||||
- The orange arrows indicate scanning activity, usually used by attackers to locate potential vulnerabilities.
|
|
||||||
If you see orange arrows, those incidents ought to be reported as scanning attempts (and possibly as segmentation violations).
|
|
||||||
- The blue arrows indicate tunneling activity, usually used by attackers to infiltrate “protected” networks from
|
|
||||||
the Internet. Perhaps someone is trying to bypass your firewall to gain access to a protected service in your network?
|
|
||||||
Check if your micro-segmentation / firewall solution identifies or reports anything.
|
|
||||||
|
|
||||||
While running this scenario, be on the lookout for the action that should arise:
|
|
||||||
Did you get a phone call telling you about suspicious activity inside your network? Are events flowing
|
|
||||||
into your security events aggregators? Are you getting emails from your IR teams?
|
|
||||||
Is the endpoint protection software you installed on machines in the network reporting on anything? Are your
|
|
||||||
compliance scanners detecting anything wrong?
|
|
||||||
|
|
||||||
Lastly, check Zero Trust and Mitre ATT&CK reports, to see which attacks can be executed on the network and how to
|
|
||||||
fix it.
|
|
||||||
|
|
||||||
![Map](/images/usage/use-cases/map-full-cropped.png "Map")
|
|
||||||
|
|
|
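Review bot: Deleting this page removes the only description on the site of how to read the infection map arrows (red for successful exploitations, orange for scanning, blue for tunneling) and how to cross-reference them with SIEM, endpoint and firewall alerts. The new "MITRE ATT&CK assessment" description ("Assess your network security detection and prevention capabilities.") takes over this use case, but its Assessing results section only points at the ATT&CK report, so either move the arrow legend and the "check your SIEM/IR alerts" checklist there or into a page that is still linked. Also check for leftover references to this page's slug and to /images/usage/use-cases/ids-test.PNG and /images/usage/use-cases/map-full-cropped.png, which are now orphaned unless used elsewhere.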
@ -3,7 +3,7 @@ title: "Network Breach"
|
||||||
date: 2020-08-12T13:04:55+03:00
|
date: 2020-08-12T13:04:55+03:00
|
||||||
draft: false
|
draft: false
|
||||||
description: "Simulate an internal network breach and assess the potential impact."
|
description: "Simulate an internal network breach and assess the potential impact."
|
||||||
weight: 1
|
weight: 3
|
||||||
---
|
---
|
||||||
|
|
||||||
## Overview
|
## Overview
|
||||||
|
@ -35,9 +35,11 @@ all post breach actions. These actions simulate attacker's behaviour after getti
|
||||||
|
|
||||||
## Suggested run mode
|
## Suggested run mode
|
||||||
|
|
||||||
To simulate a foreign device you could introduce the Island server to the network and run monkey from it.
|
Decide which machines you want to simulate a breach on and use the “Manual” run option to start Monkeys there.
|
||||||
Alternatively, for a malicious agent simulation, you should run monkey manually on a machine that’s already running in
|
Use high privileges to run the Monkey to simulate an attacker that was able to elevate its privileges.
|
||||||
the network. Combining both, as always, will give you the best coverage.
|
You could also simulate an attack initiated from an unidentified machine connected to the network (a technician
|
||||||
|
laptop, 3rd party vendor machine, etc) by running the Monkey on a dedicated machine with an IP in the network you
|
||||||
|
wish to test.
|
||||||
|
|
||||||
|
|
||||||
## Assessing results
|
## Assessing results
|
||||||
|
|
|
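Review bot: "Use high privileges to run the Monkey to simulate an attacker that was able to elevate its privileges." reads awkwardly; suggest "Run the Monkey with elevated privileges to simulate an attacker who has already escalated." In the following sentence "etc)" needs a period ("etc.)"). The removed line "Combining both, as always, will give you the best coverage." is worth keeping after the foreign-device paragraph, since the new text presents the two run modes as alternatives without saying that running both gives the fullest picture.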
@ -2,18 +2,18 @@
|
||||||
title: "Network Segmentation"
|
title: "Network Segmentation"
|
||||||
date: 2020-08-12T13:05:05+03:00
|
date: 2020-08-12T13:05:05+03:00
|
||||||
draft: false
|
draft: false
|
||||||
description: "Test network segmentation policies for apps that need ring fencing or tiers that require microsegmentation."
|
description: "Verify your network is properly segmented."
|
||||||
weight: 3
|
weight: 4
|
||||||
---
|
---
|
||||||
|
|
||||||
## Overview
|
## Overview
|
||||||
|
|
||||||
Segmentation is a method of creating secure zones in data centers and cloud deployments that allows companies to
|
Segmentation is a method of creating secure zones in data centers and cloud deployments that allows companies to
|
||||||
isolate workloads from one another and secure them individually, typically using policies. A useful way to test the
|
isolate workloads from one another and secure them individually, typically using policies. A useful way to test
|
||||||
effectiveness of your segmentation is to ensure that your network segments are properly separated, e,g, your
|
the effectiveness of your segmentation is to ensure that your network segments are properly separated, e,g, your
|
||||||
Development is separated from your Production, your applications are separated from one another etc. To test the
|
Development is separated from your Production, your applications are separated from one another etc. Use the
|
||||||
security is to verify that your network segmentation is configured properly. This way you make sure that even if a
|
Infection Monkey to verify that your network segmentation is configured properly. This way you make sure that
|
||||||
certain attacker has breached your defenses, it can’t move laterally from point A to point B.
|
even if a certain attacker has breached your defenses, it can’t move laterally between segments.
|
||||||
|
|
||||||
[Segmentation is key](https://www.guardicore.com/use-cases/micro-segmentation/) to protecting your network, reducing
|
[Segmentation is key](https://www.guardicore.com/use-cases/micro-segmentation/) to protecting your network, reducing
|
||||||
the attack surface and minimizing the damage of a breach. The Monkey can help you test your segmentation settings with
|
the attack surface and minimizing the damage of a breach. The Monkey can help you test your segmentation settings with
|
||||||
|
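Review bot: The rewrapped Overview line still carries the typo "e,g, your Development is separated from your Production"; since this line is being touched anyway, change it to "e.g., your development network is separated from your production network". The same sentence would also read better with "etc." rather than "etc" before "Use the Infection Monkey".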
@ -32,9 +32,7 @@ all post breach actions. These actions simulate attacker's behaviour after getti
|
||||||
|
|
||||||
## Suggested run mode
|
## Suggested run mode
|
||||||
|
|
||||||
Execute Monkeys on machines in different subnetworks manually, by choosing “**1. Run Monkey**” from the left sidebar
|
Execute Monkeys on machines in different subnetworks using the “Manual” run option.
|
||||||
menu and clicking on “**Run on machine of your choice**”.
|
|
||||||
Alternatively, you could provide valid credentials and allow Monkey to propagate to relevant subnetworks by itself.
|
|
||||||
|
|
||||||
Note that if Monkey can't communicate to the Island, it will
|
Note that if Monkey can't communicate to the Island, it will
|
||||||
not be able to send scan results, so make sure all machines can reach the island.
|
not be able to send scan results, so make sure all machines can reach the island.
|
||||||
|
|
|
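Review bot: The removed alternative ("provide valid credentials and allow Monkey to propagate to relevant subnetworks by itself") is still a valid way to cover subnets where you cannot start a Monkey manually, and the segmentation check benefits from Monkeys running in as many segments as possible; consider keeping it as a second sentence after the new "Manual" run option line. In the unchanged context lines, "communicate to the Island" should be "communicate with the Island", and "reach the island" should use the same capitalisation as "Island" on the previous line.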
@ -16,11 +16,11 @@ If you want Monkey to run some kind of script or a tool after it breaches a mach
|
||||||
**Configuration -> Monkey -> Post breach**. Just input commands you want executed in the corresponding fields.
|
**Configuration -> Monkey -> Post breach**. Just input commands you want executed in the corresponding fields.
|
||||||
You can also upload files and call them through commands you entered in command fields.
|
You can also upload files and call them through commands you entered in command fields.
|
||||||
|
|
||||||
## Speed and coverage
|
## Accelerate the test
|
||||||
|
|
||||||
There are some trivial ways to increase the coverage, for example you can **run the Monkey as a privileged user since
|
To improve scanning speed you could **specify a subnet instead of scanning all of the local network**.
|
||||||
it’s safe**. To improve scanning speed you could **specify a subnet instead of scanning all of the local network**.
|
|
||||||
The following configuration values have a significant impact on speed/coverage:
|
The following configuration values also have an impact on scanning speed:
|
||||||
- **Credentials** - the more usernames and passwords you input, the longer it will take the Monkey to scan machines having
|
- **Credentials** - the more usernames and passwords you input, the longer it will take the Monkey to scan machines having
|
||||||
remote access services. Monkeys try to stay elusive and leave a low impact, thus brute forcing takes longer than with
|
remote access services. Monkeys try to stay elusive and leave a low impact, thus brute forcing takes longer than with
|
||||||
loud conventional tools.
|
loud conventional tools.
|
||||||
|
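Review bot: The heading change to "Accelerate the test" drops the coverage half of the section, and the removed sentence about running the Monkey as a privileged user is the only statement of that tip on this page; the "Tips and tricks" section that repeated it is also deleted later in this commit, while the Credentials Leak and Network Breach scenario pages now rely on running with high privileges. Keep one line here, for example "To increase coverage, run the Monkey as a privileged user so it can gather local credentials and use them to move laterally."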
@ -37,7 +37,7 @@ Security, ATT&CK and Zero Trust reports will be waiting for you!
|
||||||
|
|
||||||
## Persistent scanning
|
## Persistent scanning
|
||||||
|
|
||||||
Use Monkey -> Persistent scanning configuration section to either have periodic scans or to increase reliability of
|
Use **Monkey -> Persistent** scanning configuration section to either have periodic scans or to increase reliability of
|
||||||
exploitations by running consecutive Infection Monkey scans.
|
exploitations by running consecutive Infection Monkey scans.
|
||||||
|
|
||||||
## Credentials
|
## Credentials
|
||||||
|
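Review bot: The bold span in "Use **Monkey -> Persistent** scanning configuration section" cuts the section name in half; the UI section is "Persistent scanning" (the removed Tips and tricks text below bolds it as **Monkey -> Persistent scanning**), so move the closing asterisks after "scanning" and add "the" before "**Monkey**".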
@ -50,7 +50,6 @@ configuration:
|
||||||
|
|
||||||
![Exploit password and user lists](/images/usage/scenarios/user-password-lists.png "Exploit password and user lists")
|
![Exploit password and user lists](/images/usage/scenarios/user-password-lists.png "Exploit password and user lists")
|
||||||
|
|
||||||
|
|
||||||
## Check logged and monitored terminals
|
## Check logged and monitored terminals
|
||||||
|
|
||||||
To see the Monkey executing in real-time on your servers, add the **post-breach action** command:
|
To see the Monkey executing in real-time on your servers, add the **post-breach action** command:
|
||||||
|
@ -60,27 +59,3 @@ Let you follow the breach “live” alongside the infection map, and check whic
|
||||||
inside your network. See below:
|
inside your network. See below:
|
||||||
|
|
||||||
![How to configure post breach commands](/images/usage/scenarios/pba-example.png "How to configure post breach commands.")
|
![How to configure post breach commands](/images/usage/scenarios/pba-example.png "How to configure post breach commands.")
|
||||||
|
|
||||||
## ATT&CK & Zero Trust scanning
|
|
||||||
|
|
||||||
You can use **ATT&CK** configuration section to select which techniques you want to scan. Keep in mind that ATT&CK
|
|
||||||
matrix configuration just changes the overall configuration by modifying related fields, thus you should start by
|
|
||||||
modifying and saving the matrix. After that you can change credentials and scope of the scan, but exploiters,
|
|
||||||
post breach actions and other configuration values will be already chosen based on ATT&CK matrix and shouldn't be
|
|
||||||
modified.
|
|
||||||
|
|
||||||
There's currently no way to configure monkey using Zero Trust framework, but regardless of configuration options,
|
|
||||||
you'll always be able to see ATT&CK and Zero Trust reports.
|
|
||||||
|
|
||||||
## Tips and tricks
|
|
||||||
|
|
||||||
- Use **Monkey -> Persistent scanning** configuration section to either have periodic scans or to increase
|
|
||||||
reliability of exploitations.
|
|
||||||
|
|
||||||
- To increase propagation run monkey as root/administrator. This will ensure that monkey will gather credentials
|
|
||||||
on current system and use them to move laterally.
|
|
||||||
|
|
||||||
|
|
||||||
- If you're scanning a large network, consider narrowing the scope and scanning it bit by bit if scan times become too
|
|
||||||
long. Lowering the amount of credentials, exploiters or post breach actions can also help to lower scanning times.
|
|
||||||
|
|
||||||
|
|
|
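Review bot: Removing the "Tips and tricks" section drops the large-network advice (narrow the scope and scan it bit by bit; reduce credentials, exploiters or post-breach actions), which is not covered by the new "Accelerate the test" section above since that only mentions subnets and credential list length; fold that tip into "Accelerate the test". The Zero Trust page still links here "for tips and tricks about other features and in-depth configuration parameters" (see the context line of its last hunk), so that link text, and any anchor pointing at the removed "ATT&CK & Zero Trust scanning" heading, needs updating in the same commit.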
@ -2,24 +2,22 @@
|
||||||
title: "Zero Trust assessment"
|
title: "Zero Trust assessment"
|
||||||
date: 2020-10-22T16:58:09+03:00
|
date: 2020-10-22T16:58:09+03:00
|
||||||
draft: false
|
draft: false
|
||||||
description: "See where you are in your Zero Trust journey."
|
description: "See where you stand in your Zero Trust journey."
|
||||||
weight: 0
|
weight: 1
|
||||||
---
|
---
|
||||||
|
|
||||||
## Overview
|
## Overview
|
||||||
|
|
||||||
Infection Monkey can help assess your network compliance with Zero Trust Extended framework by checking for various
|
Infection Monkey will help you assess your progress on your journey to achieve Zero Trust network.
|
||||||
violations of Zero Trust principles.
|
The Infection Monkey will automatically assess your readiness across the different
|
||||||
|
[Zero Trust Extended Framework](https://www.forrester.com/report/The+Zero+Trust+eXtended+ZTX+Ecosystem/-/E-RES137210) principles.
|
||||||
|
|
||||||
## Configuration
|
## Configuration
|
||||||
|
|
||||||
- **Exploits -> Credentials** This configuration value will be used for brute-forcing. We use most popular passwords
|
- **Exploits -> Credentials** This configuration value will be used for brute-forcing. We use most popular passwords
|
||||||
and usernames, but feel free to adjust it according to your native language and other factors. Keep in mind that long
|
and usernames, but feel free to adjust it according to the default passwords used in your network.
|
||||||
lists means longer scanning times.
|
Keep in mind that long lists means longer scanning times.
|
||||||
- **Network -> Scope** Make sure to properly configure the scope of the scan. You can select Local network scan and
|
- **Network -> Scope** Disable “Local network scan” and instead provide specific network ranges in the “Scan target list”.
|
||||||
allow Monkey to propagate until maximum Scan depth(hop count) is reached or you can fine tune it by providing specific
|
|
||||||
network ranges in Scan target list. Scanning local network is more realistic, but providing specific targets will make
|
|
||||||
the scanning process substantially faster.
|
|
||||||
- **Network -> Network analysis -> Network segmentation testing** This configuration setting allows you to define
|
- **Network -> Network analysis -> Network segmentation testing** This configuration setting allows you to define
|
||||||
subnets that should be segregated from each other.
|
subnets that should be segregated from each other.
|
||||||
|
|
||||||
|
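Review bot: "assess your progress on your journey to achieve Zero Trust network" needs an article ("a Zero Trust network"), and "long lists means longer scanning times" should be "long lists mean longer scanning times". The Overview now says the Monkey "will automatically assess your readiness across the different Zero Trust Extended Framework principles", but the Configuration list that follows still tells the reader to disable "Local network scan" and define segmentation subnets manually; a short sentence saying which of these settings the Zero Trust tests depend on (segmentation testing at minimum) would avoid the impression that no configuration is needed.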
@ -30,14 +28,15 @@ for tips and tricks about other features and in-depth configuration parameters y
|
||||||
|
|
||||||
## Suggested run mode
|
## Suggested run mode
|
||||||
|
|
||||||
Running Monkey from the Island alone will give you reasonable results, but to increase the coverage for segmentation
|
Run the Monkey on as many machines as you can. This can be easily achieved by selecting the “Manual” run option and
|
||||||
and single node tests make sure to run monkey manually on various machines in the network. The more machines monkey
|
executing the command shown on different machines in your environment manually or with your deployment tool.
|
||||||
runs on, the better the coverage.
|
In addition, you can use any other run options you see fit.
|
||||||
|
|
||||||
## Assessing results
|
## Assessing results
|
||||||
|
|
||||||
See the results in the Zero Trust report section. “The Summary” section will give you an idea about which Zero Trust
|
See the results in the Zero Trust report section. “The Summary” section will give you an idea about which Zero Trust
|
||||||
pillars were tested, how many tests were done and test statuses. You can see more details below in the “Test Results”
|
pillars were tested, how many tests were done and test statuses. Specific tests are described in the “Test Results”
|
||||||
section, where each test is sorted by pillars and principles it tests. To get even more details about what Monkey did,
|
section. The “Findings” section shows details about the Monkey actions. Click on “Events” of different findings to
|
||||||
go down to the “Findings” section and observe “Events” of different findings. “Events” will tell you what exactly
|
observe what exactly Infection Monkey did and when it was done. This should make it easy to cross reference events
|
||||||
Infection Monkey did and when it was done, to make it easy to cross reference it with your defensive solutions.
|
with your security solutions and alerts/logs.
|
||||||
|
|
||||||
|
|
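Review bot: The new Suggested run mode text ("Run the Monkey on as many machines as you can.") drops the reason given in the removed lines, that segmentation and single-node tests only cover the machines a Monkey actually runs on; keep that rationale, since it tells the reader why the Island alone is not enough. In Assessing results, "cross reference events with your security solutions and alerts/logs" should be hyphenated ("cross-reference"), and this run-mode paragraph is now identical to the one added to the ATT&CK page in the first hunk, so consider linking one to the other rather than maintaining two copies.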