forked from p15670423/monkey
Added GA and some more pages
parent
46dd6d30b7
commit
da740194d8
|
@ -64,7 +64,7 @@ These are the build output of `hugo` and should never be `commit`-ed to git.
|
||||||
|
|
||||||
### Requirements
|
### Requirements
|
||||||
|
|
||||||
You have to [install `hugo`](https://gohugo.io/getting-started/installing/) and a text editor that's good for markdown (`vscode` and `vim` are good options).
|
You have to [install `hugo`](https://gohugo.io/getting-started/installing/), a text editor that's good for markdown (`vscode` and `vim` are good options), and `git`.
|
||||||
|
|
||||||
### Adding and editing content
|
### Adding and editing content
|
||||||
|
|
||||||
|
|
|
@ -9,3 +9,5 @@ pre = '<i class="fas fa-users-cog"></i> '
|
||||||
# Usage
|
# Usage
|
||||||
|
|
||||||
If you're just starting with Infection Monkey, check out our [Getting Started](getting-started) page.
|
If you're just starting with Infection Monkey, check out our [Getting Started](getting-started) page.
|
||||||
|
|
||||||
|
If you haven't downloaded Monkey yet, {{% button href="https://infectionmonkey.com/" icon="fas fa-download" %}}Get Infection Monkey here{{% /button %}}!
|
||||||
|
|
|
@ -6,20 +6,16 @@ draft: false
|
||||||
|
|
||||||
## Security in Infection Monkey
|
## Security in Infection Monkey
|
||||||
|
|
||||||
The first time you launch Monkey Island (Infection Monkey CC server), you'll be prompted to
|
The first time you launch Monkey Island (Infection Monkey CC server), you'll be prompted to create an account and secure your island. After your account is created, the server will only be accessible via the credentials you chose.
|
||||||
create an account and secure your island. After your account is created, the server will only
|
|
||||||
be accessible via the credentials you chose.
|
|
||||||
|
|
||||||
If you want island to be accessible without credentials press "I want anyone to access the island".
|
If you want island to be accessible without credentials press *I want anyone to access the island*. Please note that this option is insecure: you should only pick this for use in development environments.
|
||||||
This is an insecure option though and should only be used in development.
|
|
||||||
|
|
||||||
## Resetting account credentials
|
## Resetting account credentials
|
||||||
|
|
||||||
To reset credentials edit `monkey_island\cc\server_config.json`
|
To reset credentials edit `monkey_island\cc\server_config.json` by deleting `user` and `password_hash` variables. Then restart the Monkey Island server and you should be prompted with registration form again.
|
||||||
by deleting `user` and `password_hash` variables. Then restart Island server and you should be
|
|
||||||
prompted with registration form.
|
|
||||||
|
|
||||||
Example `server_config.json` for account reset:
|
Example `server_config.json` for account reset:
|
||||||
|
|
||||||
```json
|
```json
|
||||||
{
|
{
|
||||||
"server_config": "password",
|
"server_config": "password",
|
||||||
|
|
|
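Review bot: In the rewritten paragraph about *I want anyone to access the island*, "insecure" is left unexplained; say that with this option anyone who can reach the Monkey Island server can use it without logging in, so the reader sees why it is limited to development environments. In the reset section, the procedure works by deleting `user` and `password_hash` from `monkey_island\cc\server_config.json`, so a sentence advising that write access to this file be restricted would fit here, since whoever can edit it can bring the registration form back. Wording on the added lines: "If you want the island to be accessible", "prompted with the registration form again". The path is given with Windows separators only.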
@ -4,9 +4,12 @@ date: 2020-06-07T19:08:51+03:00
|
||||||
draft: false
|
draft: false
|
||||||
chapter: true
|
chapter: true
|
||||||
weight: 3
|
weight: 3
|
||||||
|
pre: "<i class='fas fa-sliders-h'></i> "
|
||||||
---
|
---
|
||||||
|
|
||||||
The Monkey is very configurable, nearly every part of it can be modified to turn it to a fast acting worm or into a port scanning and system information collecting machine.
|
# Configure the Monkey
|
||||||
|
|
||||||
|
The Monkey is highly configurable. Nearly every part of it can be modified to turn it to a fast acting worm or into a port scanning and system information collecting machine.
|
||||||
|
|
||||||
See these documentation pages for information on each configuration value:
|
See these documentation pages for information on each configuration value:
|
||||||
|
|
||||||
|
|
|
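Review bot: Grammar in the added intro line: "turn it to a fast acting worm or into a port scanning and system information collecting machine" mixes "to" and "into" and drops the hyphens; suggest "turn it into a fast-acting worm or into a port-scanning and system-information-collecting machine". The new `# Configure the Monkey` heading and the `pre:` icon look fine.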
@ -7,16 +7,18 @@ weight: 1
|
||||||
|
|
||||||
## Using the Infection Monkey
|
## Using the Infection Monkey
|
||||||
|
|
||||||
After deploying the Monkey Island in your environment, navigate to `https://<server-ip>:5000`. You should see this screen:
|
After deploying the Monkey Island in your environment, navigate to `https://<server-ip>:5000`.
|
||||||
|
|
||||||
|
### First-time setup
|
||||||
|
|
||||||
|
On your first login, you'll be asked to set up a username and password for the Monkey Island server. [See this page for more details](../accounts-and-security).
|
||||||
|
|
||||||
|
### Run the Monkey
|
||||||
|
|
||||||
|
To get the Infection Monkey running as fast as possible, click **Run Monkey**. Optionally, you can configure the Monkey before you continue by clicking **Configuration** (see [how to configure the monkey](../configuration)).
|
||||||
|
|
||||||
- [ ] TODO put screenshot
|
- [ ] TODO put screenshot
|
||||||
|
|
||||||
To get the Infection Monkey running as fast as possible, click **Run Monkey**. Optionally, you can configure the Monkey before you continue by clicking **Configuration** (see [how to configure the monkey](../how-to-configure-the-monkey)).
|
|
||||||
|
|
||||||
- [ ] TODO put screenshot
|
|
||||||
|
|
||||||
### Run Monkey
|
|
||||||
|
|
||||||
To run the monkey, select one of the following options:
|
To run the monkey, select one of the following options:
|
||||||
|
|
||||||
1. Click **Run on C&C Server** to run the Infection Monkey on the Monkey Island server. This simulates an attacker trying to propagate from a machine in the Monkey Island subnet.
|
1. Click **Run on C&C Server** to run the Infection Monkey on the Monkey Island server. This simulates an attacker trying to propagate from a machine in the Monkey Island subnet.
|
||||||
|
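Review bot: The `- [ ] TODO put screenshot` line is kept in the page body after the new **Run the Monkey** paragraph, where it will render to readers as an unchecked task-list item; either add the screenshot in this commit or move the reminder out of the published content. The old intro ended with "You should see this screen:" and that sentence is now gone, so the remaining TODO no longer has text introducing what the screenshot is meant to show. Also confirm that the two new relative links, `../accounts-and-security` and `../configuration`, resolve from this page, since the previous target was `../how-to-configure-the-monkey`.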
@ -38,7 +40,7 @@ Within a few minutes, the Infection Monkey should be able to find and attack acc
|
||||||
|
|
||||||
- [ ] TODO put screenshot
|
- [ ] TODO put screenshot
|
||||||
|
|
||||||
As the Infection Monkey continues, the map should be filled with accessible and “hacked” machines. Once all the Infection Monkeys have finished propagating, click **Reports** (see [Infection Monkey Reports](../infection-monkey-reports)).
|
As the Infection Monkey continues, the map should be filled with accessible and “hacked” machines. Once all the Infection Monkeys have finished propagating, click **Reports** (see [Infection Monkey Reports](../reports)) to see the reports.
|
||||||
|
|
||||||
- [ ] TODO put screenshot
|
- [ ] TODO put screenshot
|
||||||
|
|
||||||
|
|
|
@ -0,0 +1,13 @@
|
||||||
|
+++
|
||||||
|
title = "Reports"
|
||||||
|
date = 2020-06-24T21:16:03+03:00
|
||||||
|
weight = 5
|
||||||
|
chapter = true
|
||||||
|
pre = "<i class='fas fa-scroll'></i> "
|
||||||
|
+++
|
||||||
|
|
||||||
|
# Infection Monkey's Reports
|
||||||
|
|
||||||
|
The Monkey offers three reports:
|
||||||
|
|
||||||
|
{{% children %}}
|
|
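Review bot: "The Monkey offers three reports:" hard-codes a count directly above `{{% children %}}`, which generates the list from whatever child pages exist; the sentence will be wrong as soon as a report page is added or removed. Suggest "The Monkey offers the following reports:".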
@ -0,0 +1,28 @@
|
||||||
|
---
|
||||||
|
title: "MITRE ATT&CK report"
|
||||||
|
date: 2020-06-24T21:17:18+03:00
|
||||||
|
draft: false
|
||||||
|
---
|
||||||
|
|
||||||
|
The Monkey maps its actions to the [MITRE ATT&CK](https://attack.mitre.org/) knowledge base: It provides a new report with the utilized techniques and recommended mitigations, to help you simulate an APT attack on your network and mitigate real attack paths intelligently.
|
||||||
|
|
||||||
|
Watch an overview video:
|
||||||
|
|
||||||
|
{{% youtube 3tNrlutqazQ %}}
|
||||||
|
|
||||||
|
## How to use the report
|
||||||
|
|
||||||
|
The MITRE ATT&CK report is centred around the ATT&CK matrix:
|
||||||
|
|
||||||
|
![MITRE Report](/images/usage/reports/mitre-report-0.jpg "MITRE Report")
|
||||||
|
|
||||||
|
The Monkey rates your network on the attack techniques it attempted. For each technique, you can get
|
||||||
|
|
||||||
|
- **Red**: The Monkey **successfully used** the technique in the simulation. That means your network is vulnerable to this technique being employed.
|
||||||
|
- **Yellow**: The Monkey **tried to use** the technique, but didn’t manage to. That means your network isn’t vulnerable to the way Monkey employs this technique.
|
||||||
|
|
||||||
|
Then, you can see exactly HOW the technique was used in this attack, and also what you should do to mitigate it, by clicking on the technique and seeing the details. For example, let’s look at the “Private keys” technique that’s a part of employing the “Credentials Access” tactic:
|
||||||
|
|
||||||
|
![MITRE Report Credentials Access technique](/images/usage/reports/mitre-report-cred-access.jpg "MITRE Report Credentials Access technique")
|
||||||
|
|
||||||
|
In this example, you can see **from which machines** the Monkey was able to steal SSH keys, and the mitigations recommended, including **Restricting File and Directory access** and implementing **Network Segmentation**.
|
|
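Review bot: The status list under "For each technique, you can get" is incomplete as written: the sentence ends without a colon or an object, and only **Red** and **Yellow** are described, so a reader cannot tell what any other colour in the matrix screenshot means. Suggest "For each technique, you can get one of the following results:" and documenting every status the matrix can show. The tactic is called "Credential Access" in ATT&CK, not "Credentials Access" (it appears in the prose and in the image title). The Yellow item is careful to say the network "isn't vulnerable to the way Monkey employs this technique"; the Red item could be equally precise about what a successful use does and does not prove.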
@ -0,0 +1,25 @@
|
||||||
|
---
|
||||||
|
title: "Security report"
|
||||||
|
date: 2020-06-24T21:16:10+03:00
|
||||||
|
draft: false
|
||||||
|
---
|
||||||
|
|
||||||
|
The report is split into 3 categories:
|
||||||
|
|
||||||
|
## Overview
|
||||||
|
|
||||||
|
The overview section of the report provides high-level information about the Monkey execution and the main security findings that the Monkey has found.
|
||||||
|
|
||||||
|
- [ ] TODO add screenshot
|
||||||
|
|
||||||
|
## Recommendations
|
||||||
|
|
||||||
|
This section contains the Monkey's recommendations for improving your security - what mitigations you need to implement.
|
||||||
|
|
||||||
|
- [ ] TODO add screenshot
|
||||||
|
|
||||||
|
## The network from the Monkey's eyes
|
||||||
|
|
||||||
|
This section contains the Infection Map and some summary tables on servers the Monkey has found.
|
||||||
|
|
||||||
|
- [ ] TODO add screenshot
|
|
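Review bot: This page is added with `draft: false` but each of its three sections ends in `- [ ] TODO add screenshot`, so the published page will show three unchecked checkboxes and one sentence per section. Either mark it `draft: true` until the screenshots exist or remove the TODO items from the body. "The report is split into 3 categories:" is followed directly by headings; name the three sections in that sentence or drop the colon.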
@ -0,0 +1,16 @@
|
||||||
|
---
|
||||||
|
title: "Zero Trust report"
|
||||||
|
date: 2020-06-24T21:16:18+03:00
|
||||||
|
draft: false
|
||||||
|
---
|
||||||
|
|
||||||
|
The Guardicore Infection Monkey runs different tests to evaluate your network adherence to key components of the Zero Trust framework as established by Forrester, such as whether you have applied segmentation, user identity, encryption and more. Then, the Monkey generates a status report with detailed explanations of security gaps and prescriptive instructions on how to rectify them.
|
||||||
|
|
||||||
|
## Summary
|
||||||
|
|
||||||
|
This diagram provides a quick glance at how your organization scores on each component of the Forrester’s Zero Trust model with **Failed**, **Verify**, **Passed** and **Unexecuted** verdicts.
|
||||||
|
|
||||||
|
- **Failed**: At least one of the tests related to this component failed. This means that the Infection Monkey detected an unmet Zero Trust requirement.
|
||||||
|
- **Verify**: At least one of the tests’ results related to this component requires further manual verification.
|
||||||
|
- **Passed**: All Tests related to this pillar passed. No violation of a Zero Trust guiding principle was detected.
|
||||||
|
- **Unexecuted**: This status means no tests were executed for this pillar.
|
|
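Review bot: The verdict list switches between "component" (**Failed**, **Verify**) and "pillar" (**Passed**, **Unexecuted**) for what appears to be the same thing; pick one term and use it in all four items and in the sentence above them. That sentence refers to "This diagram" but no image is included in the added lines. Minor wording: "your network adherence" should be "your network's adherence", "the Forrester's Zero Trust model" should lose "the", and "All Tests" should be lower-case "tests".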
@ -5,4 +5,96 @@ draft: true
|
||||||
weight: 2
|
weight: 2
|
||||||
---
|
---
|
||||||
|
|
||||||
Lorem ipsum dolor sit amet, consectetur adipiscing elit, sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud exercitation ullamco laboris nisi ut aliquip ex ea commodo consequat. Duis aute irure dolor in reprehenderit in voluptate velit esse cillum dolore eu fugiat nulla pariatur. Excepteur sint occaecat cupidatat non proident, sunt in culpa qui officia deserunt mollit anim id est laborum.
|
In this page we show how you can use the Infection Monkey to simulate breach and attack scenarios as well as to share some cool tips and tricks you can use to up your Infection Monkey game. This page is aimed at both novice and experienced Monkey users. You can also refer to [our FAQ](../../faq) for more specific questions and answers.
|
||||||
|
|
||||||
|
Here are a few scenarios that can be replicated in your own environment by executing the Monkey from different locations within the network, or with some tweaks to the Monkey’s configuration.
|
||||||
|
|
||||||
|
{{% notice note %}}
|
||||||
|
No worries! The Monkey does not cause any permanent system modifications that impact security or operations. You will be able to track the Monkey using the log files it leaves in well defined locations. [See our FAQ for more details](../faq).
|
||||||
|
{{% /notice %}}
|
||||||
|
|
||||||
|
- [Your network has been breached via internet facing servers](#your-network-has-been-breached-via-internet-facing-servers)
|
||||||
|
- [Simulate this scenario using the Monkey](#simulate-this-scenario-using-the-monkey)
|
||||||
|
- [You are the newest victim of a phishing fraud! 🎣](#you-are-the-newest-victim-of-a-phishing-fraud)
|
||||||
|
- [Simulate this scenario using the Monkey](#simulate-this-scenario-using-the-monkey-1)
|
||||||
|
- [You want to test your network segmentation](#you-want-to-test-your-network-segmentation)
|
||||||
|
- [Simulate this scenario using the Monkey](#simulate-this-scenario-using-the-monkey-2)
|
||||||
|
- [You want to verify your security solutions, procedures and teams are working as intended](#you-want-to-verify-your-security-solutions-procedures-and-teams-are-working-as-intended)
|
||||||
|
- [Simulate this scenario using the Monkey](#simulate-this-scenario-using-the-monkey-3)
|
||||||
|
- [Other useful tips](#other-useful-tips)
|
||||||
|
|
||||||
|
## Your network has been breached via internet facing servers
|
||||||
|
|
||||||
|
Whether it was the [Hex-men campaign](https://www.guardicore.com/2017/12/beware-the-hex-men/) that hit your Internet-facing DB server, a [cryptomining operation that attacked your WordPress site](https://www.guardicore.com/2018/06/operation-prowli-traffic-manipulation-cryptocurrency-mining-2/) or any other malicious campaign – the attackers are now trying to go deeper into your network.
|
||||||
|
|
||||||
|
### Simulate this scenario using the Monkey
|
||||||
|
|
||||||
|
To simulate this breach scenario, execute the Infection Monkey on different machines that host internet-facing services such as your web servers (Apache, Tomcat, NGINX…) or your VPN servers. To see how to execute the Monkey on these servers, [refer to this FAQ question](../../faq#after-ive-set-up-monkey-island-how-can-i-execute-the-monkey).
|
||||||
|
|
||||||
|
{{% notice tip %}}
|
||||||
|
If you want to simulate a very “deep” attack into your network, see our [configuration documentation](../configuration).
|
||||||
|
{{% /notice %}}
|
||||||
|
|
||||||
|
After executing the Monkey, evaluate the results of this simulation using the information in the Report page. There you will find a summary of the most important things the simulation has discovered, a detailed report of all the Monkey’s findings and more. You can also use the Infection Map to analyze the Monkey’s progress through the network, and to see each Monkey’s detailed telemetry and logs.
|
||||||
|
|
||||||
|
## You are the newest victim of a phishing fraud! 🎣
|
||||||
|
|
||||||
|
Almost everyone is prone to phishing attacks. Results of a successful phishing attempt can be **extremely costly** as demonstrated in our report [IResponse to IEncrypt](https://www.guardicore.com/2019/04/iresponse-to-iencrypt/).
|
||||||
|
|
||||||
|
This scenario begins in a section of the network which is a potential phishing spot. Phishing attacks target human users - as such, these types of attacks try to penetrate the network via a service an employee is using, such as an email with an attached malware or social media message with a link redirecting to a malicious website. These are just two examples of where and how an attacker may choose to launch their campaign.
|
||||||
|
|
||||||
|
### Simulate this scenario using the Monkey
|
||||||
|
|
||||||
|
To simulate the damage from a successful phishing attack using the Infection Monkey, choose machines in your network from potentially problematic group of machines, such as the laptop of one of your heavy email users or one of your strong IT users (think of people who are more likely to correspond with people outside of your organization).
|
||||||
|
|
||||||
|
- After setting up the Island add the users’ **real** credentials (usernames and passwords) to the Monkey’s configuration (Don’t worry, this sensitive data is not accessible and is not distributed or used in any way other than being sent to the monkeys, and can be easily eliminated by resetting the Monkey Island’s configuration). Now you can simulate an attacker attempting to probe deeper in the network with credentials “successfully” phished.
|
||||||
|
- You can configure these credentials for the Monkey as follows:
|
||||||
|
From the **“Basic - Credentials”** tab of the Island’s configuration, under the **“Exploit password list”** press the ‘+’ button and add the passwords you would like the Monkey to use. Do the same with usernames in the **“Exploit user list”**.
|
||||||
|
|
||||||
|
After supplying the Monkey with the passwords and usernames, execute the Monkey from the simulated “victim” machines. To do this, click “**2. Run Monkey**” from the left sidebar menu and choose “**Run on machine of your choice**”.
|
||||||
|
|
||||||
|
## You want to test your network segmentation
|
||||||
|
|
||||||
|
Segmentation is a method of creating secure zones in data centers and cloud deployments that allows companies to isolate workloads from one another and secure them individually, typically using policies. A useful way to test the effectiveness of your segmentation is to ensure that your network segments are properly separated, e,g, your Development is separated from your Production, your applications are separated from one another etc. "to security test is to verify that your network segmentation is configured properly. This way you make sure that even if a certain attacker has breached your defenses, it can’t move laterally from point A to point B.
|
||||||
|
|
||||||
|
[Segmentation is key](https://www.guardicore.com/use-cases/micro-segmentation/) to protecting your network, reducing the attack surface and minimizing the damage of a breach. The Monkey can help you test your segmentation settings with its cross-segment traffic testing feature.
|
||||||
|
|
||||||
|
### Simulate this scenario using the Monkey
|
||||||
|
|
||||||
|
As an example, the following configuration makes sure machines in the “10.0.0.0/24” segment (segment A) and the “11.0.0.2/32” segment (segment B) can’t communicate with each other, along with an additional machine in 13.37.41.50.
|
||||||
|
|
||||||
|
![How to configure network segmentation testing](/images/usage/scenarios/segmentation-config.png "How to configure network segmentation testing")
|
||||||
|
|
||||||
|
## You want to verify your security solutions, procedures and teams are working as intended
|
||||||
|
|
||||||
|
The Infection Monkey can help you verify that your security solutions are working the way you expected them to. These may include your IR and SOC teams, your SIEM, your firewall, your endpoint security solution, and more.
|
||||||
|
|
||||||
|
### Simulate this scenario using the Monkey
|
||||||
|
|
||||||
|
Run the Monkey with whichever configuration you prefer. The default is good enough for many cases; but for example, you can add some old users and passwords. Running the Monkey on both the Island and on a few other machines in the network is also recommended, as it increases coverage and propagation rates.
|
||||||
|
|
||||||
|
After running the Monkey, follow the Monkeys’ actions on the Monkey Island’s infection map.
|
||||||
|
|
||||||
|
Now you can match this activity from the Monkey timeline display to your internal SIEM and make sure your security solutions are identifying and correctly alerting on different attacks.
|
||||||
|
|
||||||
|
- The red arrows indicate successful exploitations. If you see red arrows, those incidents ought to be reported as exploitation attempts, so check whether you are receiving alerts from your security systems as expected.
|
||||||
|
- The orange arrows indicate scanning activity, usually used by attackers to locate potential vulnerabilities. If you see orange arrows, those incidents ought to be reported as scanning attempts (and possibly as segmentation violations).
|
||||||
|
- The blue arrows indicate tunneling activity, usually used by attackers to infiltrate “protected” networks from the Internet. Perhaps someone is trying to bypass your firewall to gain access to a protected service in your network? Check if your micro-segmentation / firewall solution identify or report anything.
|
||||||
|
|
||||||
|
While running this scenario, be on the lookout for the action that should arise: Did you get a phone call telling you about suspicious activity inside your network? Are events flowing into your security events aggregators? Are you getting emails from your IR teams? Is the endpoint protection software you installed on machines in the network reporting on anything? Are your compliance scanners detecting anything wrong?
|
||||||
|
|
||||||
|
## Other useful tips
|
||||||
|
|
||||||
|
Here are a few tips which can help you push the Infection Monkey even further:
|
||||||
|
|
||||||
|
- Make sure the Monkey is configured to scan its local network but in addition, configure it with specific targets. To add these targets, add their IP addresses (or the IP ranges in which they reside) to the Scan IP/subnet list using the `+` button. Here’s an example of how this is achieved:
|
||||||
|
|
||||||
|
![How to configure Scan IP/subnet list](/images/usage/scenarios/scan-list-config.png "How to configure Scan IP/subnet list")
|
||||||
|
|
||||||
|
- Every network has its old “skeleton keys” that should have long been discarded. Configure the Monkey with old and stale passwords, but make sure that they were really discarded using the Monkey. To add the old passwords, in the island’s configuration, go to the “Exploit password list” under “Basic - Credentials” and use the “+” button to add the old passwords to the configuration. For example, here we added a few extra passwords (and a username as well) to the configuration:
|
||||||
|
|
||||||
|
![Exploit password and user lists](/images/usage/scenarios/user-password-lists.png "Exploit password and user lists")
|
||||||
|
|
||||||
|
- To see the Monkey executing in real-time on your servers, add the **post-breach action** command: `wall “Infection Monkey was here”`. This post breach command will broadcast a message across all open terminals on the servers the Monkey breached, to achieve the following: Let you know the Monkey ran successfully on the server. let you follow the breach “live” alongside the infection map, and check which terminals are logged and monitored inside your network. See below:
|
||||||
|
|
||||||
|
![How to configure post breach commands](/images/usage/scenarios/pba-example.png "How to configure post breach commands.")
|
||||||
|
|
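Review bot: In the phishing scenario, the parenthetical after "add the users' **real** credentials" says the data "is not accessible and is not distributed or used in any way other than being sent to the monkeys", which contradicts itself: sending the credentials to every Monkey is distribution to other machines. State plainly where the usernames and passwords are stored and sent, and link to the accounts-and-security page so readers protect the Island with a password before entering real credentials. In the segmentation section, the paragraph contains a leftover fragment with an unbalanced quote (`"to security test is to verify that your network segmentation is configured properly.`) and `e,g,` instead of "e.g."; the sentence needs rewriting. The post-breach tip shows `wall “Infection Monkey was here”` with typographic quotes inside the code span, which will not behave as intended when pasted into a shell; use straight quotes. The FAQ is linked as both `../../faq` and `../faq` on this page, so one of the two is likely broken.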
Binary file not shown.
After Width: | Height: | Size: 172 KiB |
Binary file not shown.
After Width: | Height: | Size: 27 KiB |
Binary file not shown.
After Width: | Height: | Size: 96 KiB |
Binary file not shown.
After Width: | Height: | Size: 89 KiB |
Binary file not shown.
After Width: | Height: | Size: 109 KiB |
Binary file not shown.
After Width: | Height: | Size: 74 KiB |
|
@ -1 +1 @@
|
||||||
Subproject commit e0d87b1ae1ca7e01c2dde8ac3eadb12ec9f9f528
|
Subproject commit 1b3d77f86ee9d22c7a515d2a0a54e1ce4287f0c4
|
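Review bot: The submodule pointer moves from e0d87b1ae1ca7e01c2dde8ac3eadb12ec9f9f528 to 1b3d77f86ee9d22c7a515d2a0a54e1ce4287f0c4, but the commit message ("Added GA and some more pages") does not mention it. Please say in the message which submodule is updated and why, or split the bump into its own commit so it can be reviewed and reverted separately from the documentation pages.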