Updated scenario docs once more, removed IDS/IPS test scenario.

2020-10-23 17:46:23 +03:00 · 2020-10-23 17:46:23 +03:00 · 68b6efa8b6
parent f9f70febfc
commit 68b6efa8b6
7 changed files with 59 additions and 149 deletions
--- a/docs/content/usage/use-cases/attack.md
+++ b/docs/content/usage/use-cases/attack.md
@ -1,44 +1,38 @@
 ---
-title: "ATT&CK techniques"
+title: "MITRE ATT&CK assessment"
 date: 2020-10-22T16:58:22+03:00
 draft: false
-description: "Find issues related to Zero Trust Extended framework compliance."
+description: "Assess your network security detection and prevention capabilities."
-weight: 1
+weight: 2
 ---
 ## Overview 
-Infection Monkey can simulate a number of realistic ATT&CK techniques on the network automatically. This will help you 
+Infection Monkey can simulate various [ATT&CK](https://attack.mitre.org/matrices/enterprise/) techniques on the network. 
-assess the capabilities of your defensive solutions and see which ATT&CK techniques go unnoticed and how to prevent 
+Use it to assess your security solutions’ detection and prevention capabilities. Infection Monkey will help you find 
-them.
+which ATT&CK techniques go unnoticed and will provide recommendations about preventing them.
 ## Configuration
- **ATT&CK matrix** You can use ATT&CK configuration section to select which techniques you want to scan. Keep in mind 
+- **ATT&CK matrix** You can use ATT&CK configuration section to select which techniques you want the Monkey to simulate. 
-that ATT&CK matrix configuration just changes the overall configuration by modifying related fields, thus you should 
+Leave default settings for the full simulation.
 start by modifying and saving the matrix. After that you can change credentials and scope of the scan, but exploiters, 
 post breach actions and other configuration values will be already chosen based on the ATT&CK matrix and shouldn’t be 
 modified.
 - **Exploits -> Credentials** This configuration value will be used for brute-forcing. We use most popular passwords 
-and usernames, but feel free to adjust it according to your native language and other factors. Keep in mind that long 
+and usernames, but feel free to adjust it according to the default passwords used in your network. Keep in mind that 
-lists means longer scanning times.
+long lists means longer scanning times.
- **Network -> Scope** Make sure to properly configure the scope of the scan. You can select Local network scan and 
+- **Network -> Scope** Disable “Local network scan” and instead provide specific network ranges in 
-allow Monkey to propagate until maximum Scan depth(hop count) is reached or you can fine tune it by providing specific 
+the “Scan target list”.
 network ranges in Scan target list. Scanning the local network is more realistic, but providing specific targets will 
 make the scanning process substantially faster.
 ![ATT&CK matrix](/images/usage/scenarios/attack-matrix.png "ATT&CK matrix")
 ## Suggested run mode
-You should run the Monkey on network machines with defensive solutions you want to test.
+Run the Infection Monkey on as many machines in your environment as you can to get a better assessment. This can be easily 
-
+achieved by selecting the “Manual” run option and executing the command shown on different machines in your environment 
-A lot of ATT&CK techniques have a scope of a single node, so it’s important to manually run monkeys for better coverage.
+manually or with your deployment tool.
 ## Assessing results
-See the **ATT&CK report** to assess results of ATT&CK techniques used in your network. Each technique in the result 
+The **ATT&CK Report** shows the status of ATT&CK techniques simulations. Click on any technique to see more details 
-matrix is colour coated according to it’s status. Click on any technique to see more details about it and potential 
+about it and potential mitigations. Keep in mind that each technique display contains a question mark symbol that 
-mitigations. Keep in mind that each technique display contains a question mark symbol that will take you to the 
+will take you to the official documentation of ATT&CK technique, where you can learn more about it.
 official documentation of ATT&CK technique, where you can learn more about it.
--- a/docs/content/usage/use-cases/credential-leak.md
+++ b/docs/content/usage/use-cases/credential-leak.md
@ -1,9 +1,9 @@
 ---
-title: "Credential Leak"
+title: "Credentials Leak"
 date: 2020-08-12T13:04:25+03:00
 draft: false
 description: "Assess the impact of a successful phishing attack, insider threat, or other form of credentials leak."
-weight: 4
+weight: 5
 ---
 ## Overview 
@ -26,17 +26,12 @@ To make sure SSH keys were gathered successfully, refresh the page and check thi
 ## Suggested run mode
-To simulate the damage from a successful phishing attack using the Infection Monkey, choose machines in your network 
+Execute the Monkey on a chosen machine in your network using the “Manual” run option. 
-from potentially problematic group of machines, such as the laptop of one of your heavy email users or 
+Run the Monkey as a privileged user to make sure it gathers as many credentials from the system as possible.
 one of your strong IT users (think of people who are more likely to correspond with people outside of 
 your organization). Execute the Monkey on chosen machines by clicking on “**1. Run Monkey**” from the left sidebar menu 
 and choosing “**Run on machine of your choice**”. Since Infection Monkey is safe, feel free to run Monkeys as a 
 privileged user. Doing so will make sure that Monkey gathers credentials from a local machine.
 ![Exploit password and user lists](/images/usage/scenarios/user-password-lists.png "Exploit password and user lists")
 ## Assessing results
-To assess the impact of leaked credentials see Security report. It's possible, that credential leak resulted in even
+To assess the impact of leaked credentials see Security report. It's possible that credential leak resulted in even
 more leaked credentials, for that look into **Security report -> Stolen credentials**. 
--- a/docs/content/usage/use-cases/ids-test.md
+++ b/docs/content/usage/use-cases/ids-test.md
@ -1,53 +0,0 @@
 ---
 title: "IDS/IPS Test"
 date: 2020-08-12T13:07:47+03:00
 draft: false
 description: "Test your network defence solutions."
 weight: 5
 ---
 ## Overview 
 The Infection Monkey can help you verify that your security solutions are working the way you expected them to.
 These may include your IR and SOC teams, your SIEM, your firewall, your endpoint security solution, and more.
 ## Configuration
 - **Monkey -> Post breach** simulate the actions an attacker would make on an infected system. 
 To test something not present on the tool, you can provide your own file or command to be run.
 The default configuration is good enough for many cases, but configuring testing scope and adding brute-force
 credentials is a good bet in any scenario. 
 ![Post breach configuration](/images/usage/use-cases/ids-test.PNG "Post breach configuration")
 ## Suggested run mode
 Running the Monkey on both the Island and on a few other machines in the network manually is also recommended,
 as it increases coverage and propagation rates.
 ## Assessing results
 After running the Monkey, follow the Monkeys’ actions on the Monkey Island’s infection map.
 Now you can match this activity from the Monkey timeline display to your internal SIEM and make sure your security
 solutions are identifying and correctly alerting on different attacks.
 - The red arrows indicate successful exploitations. If you see red arrows, those incidents ought to be reported as
 exploitation attempts, so check whether you are receiving alerts from your security systems as expected.
 - The orange arrows indicate scanning activity, usually used by attackers to locate potential vulnerabilities.
 If you see orange arrows, those incidents ought to be reported as scanning attempts (and possibly as segmentation violations).
 - The blue arrows indicate tunneling activity, usually used by attackers to infiltrate “protected” networks from
 the Internet. Perhaps someone is trying to bypass your firewall to gain access to a protected service in your network?
 Check if your micro-segmentation / firewall solution identifies or reports anything.
 While running this scenario, be on the lookout for the action that should arise:
 Did you get a phone call telling you about suspicious activity inside your network? Are events flowing
 into your security events aggregators? Are you getting emails from your IR teams?
 Is the endpoint protection software you installed on machines in the network reporting on anything? Are your
 compliance scanners detecting anything wrong?
 Lastly, check Zero Trust and Mitre ATT&CK reports, to see which attacks can be executed on the network and how to
 fix it.
 ![Map](/images/usage/use-cases/map-full-cropped.png "Map")
--- a/docs/content/usage/use-cases/network-breach.md
+++ b/docs/content/usage/use-cases/network-breach.md
@ -3,7 +3,7 @@ title: "Network Breach"
 date: 2020-08-12T13:04:55+03:00
 draft: false
 description: "Simulate an internal network breach and assess the potential impact."
-weight: 1
+weight: 3
 ---
 ## Overview 
@ -35,9 +35,11 @@ all post breach actions. These actions simulate attacker's behaviour after getti
 ## Suggested run mode
-To simulate a foreign device you could introduce the Island server to the network and run monkey from it. 
+Decide which machines you want to simulate a breach on and use the “Manual” run option to start Monkeys there. 
-Alternatively, for a malicious agent simulation, you should run monkey manually on a machine that’s already running in 
+Use high privileges to run the Monkey to simulate an attacker that was able to elevate its privileges. 
-the network. Combining both, as always, will give you the best coverage.
+You could also simulate an attack initiated from an unidentified machine connected to the network (a technician 
 laptop, 3rd party vendor machine, etc) by running the Monkey on a dedicated machine with an IP in the network you 
 wish to test.
 ## Assessing results
--- a/docs/content/usage/use-cases/network-segmentation.md
+++ b/docs/content/usage/use-cases/network-segmentation.md
@ -2,18 +2,18 @@
 title: "Network Segmentation"
 date: 2020-08-12T13:05:05+03:00
 draft: false
-description: "Test network segmentation policies for apps that need ring fencing or tiers that require microsegmentation."
+description: "Verify your network is properly segmented."
-weight: 3
+weight: 4
 ---
 ## Overview 
 Segmentation is a method of creating secure zones in data centers and cloud deployments that allows companies to 
-isolate workloads from one another and secure them individually, typically using policies. A useful way to test the 
+isolate workloads from one another and secure them individually, typically using policies. A useful way to test 
-effectiveness of your segmentation is to ensure that your network segments are properly separated, e,g, your 
+the effectiveness of your segmentation is to ensure that your network segments are properly separated, e,g, your 
-Development is separated from your Production, your applications are separated from one another etc. To test the 
+Development is separated from your Production, your applications are separated from one another etc. Use the 
-security is to verify that your network segmentation is configured properly. This way you make sure that even if a 
+Infection Monkey to verify that your network segmentation is configured properly. This way you make sure that 
-certain attacker has breached your defenses, it can’t move laterally from point A to point B.
+even if a certain attacker has breached your defenses, it can’t move laterally between segments.
 [Segmentation is key](https://www.guardicore.com/use-cases/micro-segmentation/) to protecting your network, reducing 
 the attack surface and minimizing the damage of a breach. The Monkey can help you test your segmentation settings with 
@ -32,9 +32,7 @@ all post breach actions. These actions simulate attacker's behaviour after getti
 ## Suggested run mode
-Execute Monkeys on machines in different subnetworks manually, by choosing “**1. Run Monkey**” from the left sidebar 
+Execute Monkeys on machines in different subnetworks using the “Manual” run option. 
 menu and clicking on “**Run on machine of your choice**”. 
 Alternatively, you could provide valid credentials and allow Monkey to propagate to relevant subnetworks by itself. 
 Note that if Monkey can't communicate to the Island, it will
 not be able to send scan results, so make sure all machines can reach the island.
--- a/docs/content/usage/use-cases/other.md
+++ b/docs/content/usage/use-cases/other.md
@ -16,11 +16,11 @@ If you want Monkey to run some kind of script or a tool after it breaches a mach
 **Configuration -> Monkey -> Post breach**. Just input commands you want executed in the corresponding fields. 
 You can also upload files and call them through commands you entered in command fields.
-## Speed and coverage
+## Accelerate the test
-There are some trivial ways to increase the coverage, for example you can **run the Monkey as a privileged user since 
+To improve scanning speed you could **specify a subnet instead of scanning all of the local network**. 
-it’s safe**. To improve scanning speed you could **specify a subnet instead of scanning all of the local network**. 
+
-The following configuration values have a significant impact on speed/coverage:
+The following configuration values also have an impact on scanning speed:
 - **Credentials** - the more usernames and passwords you input, the longer it will take the Monkey to scan machines having 
 remote access services. Monkeys try to stay elusive and leave a low impact, thus brute forcing takes longer than with 
 loud conventional tools.
@ -37,7 +37,7 @@ Security, ATT&CK and Zero Trust reports will be waiting for you!
 ## Persistent scanning
-Use Monkey -> Persistent scanning configuration section to either have periodic scans or to increase reliability of 
+Use **Monkey -> Persistent** scanning configuration section to either have periodic scans or to increase reliability of 
 exploitations by running consecutive Infection Monkey scans.
 ## Credentials
@ -50,7 +50,6 @@ configuration:
 ![Exploit password and user lists](/images/usage/scenarios/user-password-lists.png "Exploit password and user lists")
 ## Check logged and monitored terminals
 To see the Monkey executing in real-time on your servers, add the **post-breach action** command: 
@ -60,27 +59,3 @@ Let you follow the breach “live” alongside the infection map, and check whic
 inside your network. See below:
 ![How to configure post breach commands](/images/usage/scenarios/pba-example.png "How to configure post breach commands.")
 ## ATT&CK & Zero Trust scanning
 You can use **ATT&CK** configuration section to select which techniques you want to scan. Keep in mind that ATT&CK
 matrix configuration just changes the overall configuration by modifying related fields, thus you should start by
 modifying and saving the matrix. After that you can change credentials and scope of the scan, but exploiters,
 post breach actions and other configuration values will be already chosen based on ATT&CK matrix and shouldn't be
 modified.
 There's currently no way to configure monkey using Zero Trust framework, but regardless of configuration options,
 you'll always be able to see ATT&CK and Zero Trust reports.
 ## Tips and tricks
 - Use **Monkey -> Persistent scanning** configuration section to either have periodic scans or to increase
 reliability of exploitations.
 - To increase propagation run monkey as root/administrator. This will ensure that monkey will gather credentials
 on current system and use them to move laterally.
 - If you're scanning a large network, consider narrowing the scope and scanning it bit by bit if scan times become too
 long. Lowering the amount of credentials, exploiters or post breach actions can also help to lower scanning times.
--- a/docs/content/usage/use-cases/zero-trust.md
+++ b/docs/content/usage/use-cases/zero-trust.md
@ -2,24 +2,22 @@
 title: "Zero Trust assessment"
 date: 2020-10-22T16:58:09+03:00
 draft: false
-description: "See where you are in your Zero Trust journey."
+description: "See where you stand in your Zero Trust journey."
-weight: 0
+weight: 1
 ---
 ## Overview 
-Infection Monkey can help assess your network compliance with Zero Trust Extended framework by checking for various 
+Infection Monkey will help you assess your progress on your journey to achieve Zero Trust network. 
-violations of Zero Trust principles.
+The Infection Monkey will automatically assess your readiness across the different 
 [Zero Trust Extended Framework](https://www.forrester.com/report/The+Zero+Trust+eXtended+ZTX+Ecosystem/-/E-RES137210) principles.
 ## Configuration
 - **Exploits -> Credentials** This configuration value will be used for brute-forcing. We use most popular passwords 
-and usernames, but feel free to adjust it according to your native language and other factors. Keep in mind that long 
+and usernames, but feel free to adjust it according to the default passwords used in your network. 
-lists means longer scanning times.
+Keep in mind that long lists means longer scanning times.
- **Network -> Scope** Make sure to properly configure the scope of the scan. You can select Local network scan and 
+- **Network -> Scope** Disable “Local network scan” and instead provide specific network ranges in the “Scan target list”.
 allow Monkey to propagate until maximum Scan depth(hop count) is reached or you can fine tune it by providing specific 
 network ranges in Scan target list. Scanning local network is more realistic, but providing specific targets will make 
 the scanning process substantially faster.
 - **Network -> Network analysis -> Network segmentation testing** This configuration setting allows you to define 
 subnets that should be segregated from each other.
@ -30,14 +28,15 @@ for tips and tricks about other features and in-depth configuration parameters y
 ## Suggested run mode
-Running Monkey from the Island alone will give you reasonable results, but to increase the coverage for segmentation 
+Run the Monkey on as many machines as you can. This can be easily achieved by selecting the “Manual” run option and 
-and single node tests make sure to run monkey manually on various machines in the network. The more machines monkey 
+executing the command shown on different machines in your environment manually or with your deployment tool. 
-runs on, the better the coverage.
+In addition, you can use any other run options you see fit. 
 ## Assessing results
 See the results in the Zero Trust report section. “The Summary” section will give you an idea about which Zero Trust 
-pillars were tested, how many tests were done and test statuses. You can see more details below in the “Test Results” 
+pillars were tested, how many tests were done and test statuses. Specific tests are described in the “Test Results” 
-section, where each test is sorted by pillars and principles it tests. To get even more details about what Monkey did,
+section. The “Findings” section shows details about the Monkey actions. Click on “Events” of different findings to 
- go down to the “Findings” section and observe “Events” of different findings. “Events” will tell you what exactly 
+observe what exactly Infection Monkey did and when it was done. This should make it easy to cross reference events 
- Infection Monkey did and when it was done, to make it easy to cross reference it with your defensive solutions.
+with your security solutions and alerts/logs.