forked from p34709852/monkey
Updated scenario docs once more, removed IDS/IPS test scenario.
This commit is contained in:
parent
f9f70febfc
commit
68b6efa8b6
|
@ -1,44 +1,38 @@
|
|||
---
|
||||
title: "ATT&CK techniques"
|
||||
title: "MITRE ATT&CK assessment"
|
||||
date: 2020-10-22T16:58:22+03:00
|
||||
draft: false
|
||||
description: "Find issues related to Zero Trust Extended framework compliance."
|
||||
weight: 1
|
||||
description: "Assess your network security detection and prevention capabilities."
|
||||
weight: 2
|
||||
---
|
||||
|
||||
## Overview
|
||||
|
||||
Infection Monkey can simulate a number of realistic ATT&CK techniques on the network automatically. This will help you
|
||||
assess the capabilities of your defensive solutions and see which ATT&CK techniques go unnoticed and how to prevent
|
||||
them.
|
||||
Infection Monkey can simulate various [ATT&CK](https://attack.mitre.org/matrices/enterprise/) techniques on the network.
|
||||
Use it to assess your security solutions’ detection and prevention capabilities. Infection Monkey will help you find
|
||||
which ATT&CK techniques go unnoticed and will provide recommendations about preventing them.
|
||||
|
||||
|
||||
## Configuration
|
||||
|
||||
- **ATT&CK matrix** You can use ATT&CK configuration section to select which techniques you want to scan. Keep in mind
|
||||
that ATT&CK matrix configuration just changes the overall configuration by modifying related fields, thus you should
|
||||
start by modifying and saving the matrix. After that you can change credentials and scope of the scan, but exploiters,
|
||||
post breach actions and other configuration values will be already chosen based on the ATT&CK matrix and shouldn’t be
|
||||
modified.
|
||||
- **ATT&CK matrix** You can use ATT&CK configuration section to select which techniques you want the Monkey to simulate.
|
||||
Leave default settings for the full simulation.
|
||||
- **Exploits -> Credentials** This configuration value will be used for brute-forcing. We use most popular passwords
|
||||
and usernames, but feel free to adjust it according to your native language and other factors. Keep in mind that long
|
||||
lists means longer scanning times.
|
||||
- **Network -> Scope** Make sure to properly configure the scope of the scan. You can select Local network scan and
|
||||
allow Monkey to propagate until maximum Scan depth(hop count) is reached or you can fine tune it by providing specific
|
||||
network ranges in Scan target list. Scanning the local network is more realistic, but providing specific targets will
|
||||
make the scanning process substantially faster.
|
||||
and usernames, but feel free to adjust it according to the default passwords used in your network. Keep in mind that
|
||||
long lists means longer scanning times.
|
||||
- **Network -> Scope** Disable “Local network scan” and instead provide specific network ranges in
|
||||
the “Scan target list”.
|
||||
|
||||
![ATT&CK matrix](/images/usage/scenarios/attack-matrix.png "ATT&CK matrix")
|
||||
|
||||
## Suggested run mode
|
||||
|
||||
You should run the Monkey on network machines with defensive solutions you want to test.
|
||||
|
||||
A lot of ATT&CK techniques have a scope of a single node, so it’s important to manually run monkeys for better coverage.
|
||||
Run the Infection Monkey on as many machines in your environment as you can to get a better assessment. This can be easily
|
||||
achieved by selecting the “Manual” run option and executing the command shown on different machines in your environment
|
||||
manually or with your deployment tool.
|
||||
|
||||
## Assessing results
|
||||
|
||||
See the **ATT&CK report** to assess results of ATT&CK techniques used in your network. Each technique in the result
|
||||
matrix is colour coated according to it’s status. Click on any technique to see more details about it and potential
|
||||
mitigations. Keep in mind that each technique display contains a question mark symbol that will take you to the
|
||||
official documentation of ATT&CK technique, where you can learn more about it.
|
||||
|
||||
The **ATT&CK Report** shows the status of ATT&CK techniques simulations. Click on any technique to see more details
|
||||
about it and potential mitigations. Keep in mind that each technique display contains a question mark symbol that
|
||||
will take you to the official documentation of ATT&CK technique, where you can learn more about it.
|
||||
|
|
|
@ -1,9 +1,9 @@
|
|||
---
|
||||
title: "Credential Leak"
|
||||
title: "Credentials Leak"
|
||||
date: 2020-08-12T13:04:25+03:00
|
||||
draft: false
|
||||
description: "Assess the impact of a successful phishing attack, insider threat, or other form of credentials leak."
|
||||
weight: 4
|
||||
weight: 5
|
||||
---
|
||||
|
||||
## Overview
|
||||
|
@ -26,17 +26,12 @@ To make sure SSH keys were gathered successfully, refresh the page and check thi
|
|||
|
||||
## Suggested run mode
|
||||
|
||||
To simulate the damage from a successful phishing attack using the Infection Monkey, choose machines in your network
|
||||
from potentially problematic group of machines, such as the laptop of one of your heavy email users or
|
||||
one of your strong IT users (think of people who are more likely to correspond with people outside of
|
||||
your organization). Execute the Monkey on chosen machines by clicking on “**1. Run Monkey**” from the left sidebar menu
|
||||
and choosing “**Run on machine of your choice**”. Since Infection Monkey is safe, feel free to run Monkeys as a
|
||||
privileged user. Doing so will make sure that Monkey gathers credentials from a local machine.
|
||||
|
||||
Execute the Monkey on a chosen machine in your network using the “Manual” run option.
|
||||
Run the Monkey as a privileged user to make sure it gathers as many credentials from the system as possible.
|
||||
|
||||
![Exploit password and user lists](/images/usage/scenarios/user-password-lists.png "Exploit password and user lists")
|
||||
|
||||
## Assessing results
|
||||
|
||||
To assess the impact of leaked credentials see Security report. It's possible, that credential leak resulted in even
|
||||
To assess the impact of leaked credentials see Security report. It's possible that credential leak resulted in even
|
||||
more leaked credentials, for that look into **Security report -> Stolen credentials**.
|
||||
|
|
|
@ -1,53 +0,0 @@
|
|||
---
|
||||
title: "IDS/IPS Test"
|
||||
date: 2020-08-12T13:07:47+03:00
|
||||
draft: false
|
||||
description: "Test your network defence solutions."
|
||||
weight: 5
|
||||
---
|
||||
|
||||
## Overview
|
||||
|
||||
The Infection Monkey can help you verify that your security solutions are working the way you expected them to.
|
||||
These may include your IR and SOC teams, your SIEM, your firewall, your endpoint security solution, and more.
|
||||
|
||||
## Configuration
|
||||
|
||||
- **Monkey -> Post breach** simulate the actions an attacker would make on an infected system.
|
||||
To test something not present on the tool, you can provide your own file or command to be run.
|
||||
|
||||
The default configuration is good enough for many cases, but configuring testing scope and adding brute-force
|
||||
credentials is a good bet in any scenario.
|
||||
|
||||
![Post breach configuration](/images/usage/use-cases/ids-test.PNG "Post breach configuration")
|
||||
|
||||
## Suggested run mode
|
||||
Running the Monkey on both the Island and on a few other machines in the network manually is also recommended,
|
||||
as it increases coverage and propagation rates.
|
||||
|
||||
## Assessing results
|
||||
|
||||
After running the Monkey, follow the Monkeys’ actions on the Monkey Island’s infection map.
|
||||
|
||||
Now you can match this activity from the Monkey timeline display to your internal SIEM and make sure your security
|
||||
solutions are identifying and correctly alerting on different attacks.
|
||||
|
||||
- The red arrows indicate successful exploitations. If you see red arrows, those incidents ought to be reported as
|
||||
exploitation attempts, so check whether you are receiving alerts from your security systems as expected.
|
||||
- The orange arrows indicate scanning activity, usually used by attackers to locate potential vulnerabilities.
|
||||
If you see orange arrows, those incidents ought to be reported as scanning attempts (and possibly as segmentation violations).
|
||||
- The blue arrows indicate tunneling activity, usually used by attackers to infiltrate “protected” networks from
|
||||
the Internet. Perhaps someone is trying to bypass your firewall to gain access to a protected service in your network?
|
||||
Check if your micro-segmentation / firewall solution identifies or reports anything.
|
||||
|
||||
While running this scenario, be on the lookout for the action that should arise:
|
||||
Did you get a phone call telling you about suspicious activity inside your network? Are events flowing
|
||||
into your security events aggregators? Are you getting emails from your IR teams?
|
||||
Is the endpoint protection software you installed on machines in the network reporting on anything? Are your
|
||||
compliance scanners detecting anything wrong?
|
||||
|
||||
Lastly, check Zero Trust and Mitre ATT&CK reports, to see which attacks can be executed on the network and how to
|
||||
fix it.
|
||||
|
||||
![Map](/images/usage/use-cases/map-full-cropped.png "Map")
|
||||
|
|
@ -3,7 +3,7 @@ title: "Network Breach"
|
|||
date: 2020-08-12T13:04:55+03:00
|
||||
draft: false
|
||||
description: "Simulate an internal network breach and assess the potential impact."
|
||||
weight: 1
|
||||
weight: 3
|
||||
---
|
||||
|
||||
## Overview
|
||||
|
@ -35,9 +35,11 @@ all post breach actions. These actions simulate attacker's behaviour after getti
|
|||
|
||||
## Suggested run mode
|
||||
|
||||
To simulate a foreign device you could introduce the Island server to the network and run monkey from it.
|
||||
Alternatively, for a malicious agent simulation, you should run monkey manually on a machine that’s already running in
|
||||
the network. Combining both, as always, will give you the best coverage.
|
||||
Decide which machines you want to simulate a breach on and use the “Manual” run option to start Monkeys there.
|
||||
Use high privileges to run the Monkey to simulate an attacker that was able to elevate its privileges.
|
||||
You could also simulate an attack initiated from an unidentified machine connected to the network (a technician
|
||||
laptop, 3rd party vendor machine, etc) by running the Monkey on a dedicated machine with an IP in the network you
|
||||
wish to test.
|
||||
|
||||
|
||||
## Assessing results
|
||||
|
|
|
@ -2,18 +2,18 @@
|
|||
title: "Network Segmentation"
|
||||
date: 2020-08-12T13:05:05+03:00
|
||||
draft: false
|
||||
description: "Test network segmentation policies for apps that need ring fencing or tiers that require microsegmentation."
|
||||
weight: 3
|
||||
description: "Verify your network is properly segmented."
|
||||
weight: 4
|
||||
---
|
||||
|
||||
## Overview
|
||||
|
||||
Segmentation is a method of creating secure zones in data centers and cloud deployments that allows companies to
|
||||
isolate workloads from one another and secure them individually, typically using policies. A useful way to test the
|
||||
effectiveness of your segmentation is to ensure that your network segments are properly separated, e,g, your
|
||||
Development is separated from your Production, your applications are separated from one another etc. To test the
|
||||
security is to verify that your network segmentation is configured properly. This way you make sure that even if a
|
||||
certain attacker has breached your defenses, it can’t move laterally from point A to point B.
|
||||
isolate workloads from one another and secure them individually, typically using policies. A useful way to test
|
||||
the effectiveness of your segmentation is to ensure that your network segments are properly separated, e,g, your
|
||||
Development is separated from your Production, your applications are separated from one another etc. Use the
|
||||
Infection Monkey to verify that your network segmentation is configured properly. This way you make sure that
|
||||
even if a certain attacker has breached your defenses, it can’t move laterally between segments.
|
||||
|
||||
[Segmentation is key](https://www.guardicore.com/use-cases/micro-segmentation/) to protecting your network, reducing
|
||||
the attack surface and minimizing the damage of a breach. The Monkey can help you test your segmentation settings with
|
||||
|
@ -32,9 +32,7 @@ all post breach actions. These actions simulate attacker's behaviour after getti
|
|||
|
||||
## Suggested run mode
|
||||
|
||||
Execute Monkeys on machines in different subnetworks manually, by choosing “**1. Run Monkey**” from the left sidebar
|
||||
menu and clicking on “**Run on machine of your choice**”.
|
||||
Alternatively, you could provide valid credentials and allow Monkey to propagate to relevant subnetworks by itself.
|
||||
Execute Monkeys on machines in different subnetworks using the “Manual” run option.
|
||||
|
||||
Note that if Monkey can't communicate to the Island, it will
|
||||
not be able to send scan results, so make sure all machines can reach the island.
|
||||
|
|
|
@ -16,11 +16,11 @@ If you want Monkey to run some kind of script or a tool after it breaches a mach
|
|||
**Configuration -> Monkey -> Post breach**. Just input commands you want executed in the corresponding fields.
|
||||
You can also upload files and call them through commands you entered in command fields.
|
||||
|
||||
## Speed and coverage
|
||||
## Accelerate the test
|
||||
|
||||
There are some trivial ways to increase the coverage, for example you can **run the Monkey as a privileged user since
|
||||
it’s safe**. To improve scanning speed you could **specify a subnet instead of scanning all of the local network**.
|
||||
The following configuration values have a significant impact on speed/coverage:
|
||||
To improve scanning speed you could **specify a subnet instead of scanning all of the local network**.
|
||||
|
||||
The following configuration values also have an impact on scanning speed:
|
||||
- **Credentials** - the more usernames and passwords you input, the longer it will take the Monkey to scan machines having
|
||||
remote access services. Monkeys try to stay elusive and leave a low impact, thus brute forcing takes longer than with
|
||||
loud conventional tools.
|
||||
|
@ -37,7 +37,7 @@ Security, ATT&CK and Zero Trust reports will be waiting for you!
|
|||
|
||||
## Persistent scanning
|
||||
|
||||
Use Monkey -> Persistent scanning configuration section to either have periodic scans or to increase reliability of
|
||||
Use **Monkey -> Persistent** scanning configuration section to either have periodic scans or to increase reliability of
|
||||
exploitations by running consecutive Infection Monkey scans.
|
||||
|
||||
## Credentials
|
||||
|
@ -50,7 +50,6 @@ configuration:
|
|||
|
||||
![Exploit password and user lists](/images/usage/scenarios/user-password-lists.png "Exploit password and user lists")
|
||||
|
||||
|
||||
## Check logged and monitored terminals
|
||||
|
||||
To see the Monkey executing in real-time on your servers, add the **post-breach action** command:
|
||||
|
@ -60,27 +59,3 @@ Let you follow the breach “live” alongside the infection map, and check whic
|
|||
inside your network. See below:
|
||||
|
||||
![How to configure post breach commands](/images/usage/scenarios/pba-example.png "How to configure post breach commands.")
|
||||
|
||||
## ATT&CK & Zero Trust scanning
|
||||
|
||||
You can use **ATT&CK** configuration section to select which techniques you want to scan. Keep in mind that ATT&CK
|
||||
matrix configuration just changes the overall configuration by modifying related fields, thus you should start by
|
||||
modifying and saving the matrix. After that you can change credentials and scope of the scan, but exploiters,
|
||||
post breach actions and other configuration values will be already chosen based on ATT&CK matrix and shouldn't be
|
||||
modified.
|
||||
|
||||
There's currently no way to configure monkey using Zero Trust framework, but regardless of configuration options,
|
||||
you'll always be able to see ATT&CK and Zero Trust reports.
|
||||
|
||||
## Tips and tricks
|
||||
|
||||
- Use **Monkey -> Persistent scanning** configuration section to either have periodic scans or to increase
|
||||
reliability of exploitations.
|
||||
|
||||
- To increase propagation run monkey as root/administrator. This will ensure that monkey will gather credentials
|
||||
on current system and use them to move laterally.
|
||||
|
||||
|
||||
- If you're scanning a large network, consider narrowing the scope and scanning it bit by bit if scan times become too
|
||||
long. Lowering the amount of credentials, exploiters or post breach actions can also help to lower scanning times.
|
||||
|
||||
|
|
|
@ -2,24 +2,22 @@
|
|||
title: "Zero Trust assessment"
|
||||
date: 2020-10-22T16:58:09+03:00
|
||||
draft: false
|
||||
description: "See where you are in your Zero Trust journey."
|
||||
weight: 0
|
||||
description: "See where you stand in your Zero Trust journey."
|
||||
weight: 1
|
||||
---
|
||||
|
||||
## Overview
|
||||
|
||||
Infection Monkey can help assess your network compliance with Zero Trust Extended framework by checking for various
|
||||
violations of Zero Trust principles.
|
||||
Infection Monkey will help you assess your progress on your journey to achieve Zero Trust network.
|
||||
The Infection Monkey will automatically assess your readiness across the different
|
||||
[Zero Trust Extended Framework](https://www.forrester.com/report/The+Zero+Trust+eXtended+ZTX+Ecosystem/-/E-RES137210) principles.
|
||||
|
||||
## Configuration
|
||||
|
||||
- **Exploits -> Credentials** This configuration value will be used for brute-forcing. We use most popular passwords
|
||||
and usernames, but feel free to adjust it according to your native language and other factors. Keep in mind that long
|
||||
lists means longer scanning times.
|
||||
- **Network -> Scope** Make sure to properly configure the scope of the scan. You can select Local network scan and
|
||||
allow Monkey to propagate until maximum Scan depth(hop count) is reached or you can fine tune it by providing specific
|
||||
network ranges in Scan target list. Scanning local network is more realistic, but providing specific targets will make
|
||||
the scanning process substantially faster.
|
||||
and usernames, but feel free to adjust it according to the default passwords used in your network.
|
||||
Keep in mind that long lists means longer scanning times.
|
||||
- **Network -> Scope** Disable “Local network scan” and instead provide specific network ranges in the “Scan target list”.
|
||||
- **Network -> Network analysis -> Network segmentation testing** This configuration setting allows you to define
|
||||
subnets that should be segregated from each other.
|
||||
|
||||
|
@ -30,14 +28,15 @@ for tips and tricks about other features and in-depth configuration parameters y
|
|||
|
||||
## Suggested run mode
|
||||
|
||||
Running Monkey from the Island alone will give you reasonable results, but to increase the coverage for segmentation
|
||||
and single node tests make sure to run monkey manually on various machines in the network. The more machines monkey
|
||||
runs on, the better the coverage.
|
||||
Run the Monkey on as many machines as you can. This can be easily achieved by selecting the “Manual” run option and
|
||||
executing the command shown on different machines in your environment manually or with your deployment tool.
|
||||
In addition, you can use any other run options you see fit.
|
||||
|
||||
## Assessing results
|
||||
|
||||
See the results in the Zero Trust report section. “The Summary” section will give you an idea about which Zero Trust
|
||||
pillars were tested, how many tests were done and test statuses. You can see more details below in the “Test Results”
|
||||
section, where each test is sorted by pillars and principles it tests. To get even more details about what Monkey did,
|
||||
go down to the “Findings” section and observe “Events” of different findings. “Events” will tell you what exactly
|
||||
Infection Monkey did and when it was done, to make it easy to cross reference it with your defensive solutions.
|
||||
pillars were tested, how many tests were done and test statuses. Specific tests are described in the “Test Results”
|
||||
section. The “Findings” section shows details about the Monkey actions. Click on “Events” of different findings to
|
||||
observe what exactly Infection Monkey did and when it was done. This should make it easy to cross reference events
|
||||
with your security solutions and alerts/logs.
|
||||
|
||||
|
|
Loading…
Reference in New Issue