Now returning full text data to the website

This commit is contained in:
Shay Nehmad 2019-08-15 12:27:21 +03:00
parent 7006a2332f
commit 21c3c9bf4d
5 changed files with 64 additions and 44 deletions


@ -47,54 +47,73 @@ DIRECTIVES = {
POSSIBLE_STATUSES_KEY = u"possible_statuses" POSSIBLE_STATUSES_KEY = u"possible_statuses"
PILLARS_KEY = u"pillars" PILLARS_KEY = u"pillars"
DIRECTIVE_KEY = u"directive_key" DIRECTIVE_KEY = u"directive_key"
FINDING_FORMAT_KEY = u"finding_format" FINDING_EXPLANATION_BY_STATUS_KEY = u"finding_explanation"
EXPLANATION_KEY = u"explanation" TEST_EXPLANATION_KEY = u"explanation"
TESTS_MAP = { TESTS_MAP = {
TEST_SEGMENTATION: { TEST_SEGMENTATION: {
EXPLANATION_KEY: u"The Monkey tried to scan and find machines that it can communicate with from the machine it's running on, that belong to different network segments.", TEST_EXPLANATION_KEY: u"The Monkey tried to scan and find machines that it can communicate with from the machine it's running on, that belong to different network segments.",
FINDING_FORMAT_KEY: u"The Monkey from {ORIGIN} communicated with a machine on a different segment.", FINDING_EXPLANATION_BY_STATUS_KEY: {
STATUS_CONCLUSIVE: "Monkey performed cross-segment communication. Check firewall rules and logs.",
STATUS_POSITIVE: "Monkey couldn't perform cross-segment communication. If relevant, check firewall logs."
},
DIRECTIVE_KEY: DIRECTIVE_SEGMENTATION, DIRECTIVE_KEY: DIRECTIVE_SEGMENTATION,
PILLARS_KEY: [NETWORKS], PILLARS_KEY: [NETWORKS],
POSSIBLE_STATUSES_KEY: [STATUS_UNEXECUTED, STATUS_POSITIVE, STATUS_CONCLUSIVE] POSSIBLE_STATUSES_KEY: [STATUS_UNEXECUTED, STATUS_POSITIVE, STATUS_CONCLUSIVE]
}, },
TEST_ACTIVITY_TIMELINE: { TEST_ACTIVITY_TIMELINE: {
EXPLANATION_KEY: u"The Monkeys in the network performed malicious-looking actions, like scanning and attempting exploitation.", TEST_EXPLANATION_KEY: u"The Monkeys in the network performed malicious-looking actions, like scanning and attempting exploitation.",
FINDING_FORMAT_KEY: u"Malicious activity performed by the Monkeys. See 'events' for detailed information.", FINDING_EXPLANATION_BY_STATUS_KEY: {
STATUS_INCONCLUSIVE: "Monkey performed malicious actions in the network. Check SOC logs and alerts."
},
DIRECTIVE_KEY: DIRECTIVE_ANALYZE_NETWORK_TRAFFIC, DIRECTIVE_KEY: DIRECTIVE_ANALYZE_NETWORK_TRAFFIC,
PILLARS_KEY: [NETWORKS, VISIBILITY_ANALYTICS], PILLARS_KEY: [NETWORKS, VISIBILITY_ANALYTICS],
POSSIBLE_STATUSES_KEY: [STATUS_UNEXECUTED, STATUS_INCONCLUSIVE] POSSIBLE_STATUSES_KEY: [STATUS_UNEXECUTED, STATUS_INCONCLUSIVE]
}, },
TEST_ENDPOINT_SECURITY_EXISTS: { TEST_ENDPOINT_SECURITY_EXISTS: {
EXPLANATION_KEY: u"The Monkey checked if there is an active process of an endpoint security software.", TEST_EXPLANATION_KEY: u"The Monkey checked if there is an active process of an endpoint security software.",
FINDING_FORMAT_KEY: u"The Monkey on {ORIGIN} found no active endpoint security processes.", FINDING_EXPLANATION_BY_STATUS_KEY: {
STATUS_CONCLUSIVE: "Monkey didn't find ANY active endpoint security processes. Install and activate anti-virus software on endpoints.",
STATUS_POSITIVE: "Monkey found active endpoint security processes. Check their logs to see if Monkey was a security concern."
},
DIRECTIVE_KEY: DIRECTIVE_ENDPOINT_SECURITY, DIRECTIVE_KEY: DIRECTIVE_ENDPOINT_SECURITY,
PILLARS_KEY: [DEVICES], PILLARS_KEY: [DEVICES],
POSSIBLE_STATUSES_KEY: [STATUS_UNEXECUTED, STATUS_CONCLUSIVE, STATUS_POSITIVE] POSSIBLE_STATUSES_KEY: [STATUS_UNEXECUTED, STATUS_CONCLUSIVE, STATUS_POSITIVE]
}, },
TEST_MACHINE_EXPLOITED: { TEST_MACHINE_EXPLOITED: {
EXPLANATION_KEY: u"The Monkey tries to exploit machines in order to breach them and propagate in the network.", TEST_EXPLANATION_KEY: u"The Monkey tries to exploit machines in order to breach them and propagate in the network.",
FINDING_FORMAT_KEY: u"The Monkey on {ORIGIN} attempted to exploit a machine on {TARGET}.", FINDING_EXPLANATION_BY_STATUS_KEY: {
STATUS_CONCLUSIVE: "Monkey successfully exploited endpoints. Check IDS/IPS logs to see activity recognized and see which endpoints were compromised.",
STATUS_INCONCLUSIVE: "Monkey tried exploiting endpoints. Check IDS/IPS logs to see activity recognized."
},
DIRECTIVE_KEY: DIRECTIVE_ENDPOINT_SECURITY, DIRECTIVE_KEY: DIRECTIVE_ENDPOINT_SECURITY,
PILLARS_KEY: [DEVICES], PILLARS_KEY: [DEVICES],
POSSIBLE_STATUSES_KEY: [STATUS_UNEXECUTED, STATUS_CONCLUSIVE, STATUS_INCONCLUSIVE] POSSIBLE_STATUSES_KEY: [STATUS_UNEXECUTED, STATUS_CONCLUSIVE, STATUS_INCONCLUSIVE]
}, },
TEST_SCHEDULED_EXECUTION: { TEST_SCHEDULED_EXECUTION: {
EXPLANATION_KEY: "The Monkey was executed in a scheduled manner.", TEST_EXPLANATION_KEY: "The Monkey was executed in a scheduled manner.",
FINDING_FORMAT_KEY: "The Monkey on {ORIGIN} started running in an executed manner.", FINDING_EXPLANATION_BY_STATUS_KEY: {
STATUS_INCONCLUSIVE: "Monkey was executed in a scheduled manner. Locate this activity in User-Behavior security software."
},
DIRECTIVE_KEY: DIRECTIVE_USER_BEHAVIOUR, DIRECTIVE_KEY: DIRECTIVE_USER_BEHAVIOUR,
PILLARS_KEY: [PEOPLE, NETWORKS], PILLARS_KEY: [PEOPLE, NETWORKS],
POSSIBLE_STATUSES_KEY: [STATUS_UNEXECUTED, STATUS_INCONCLUSIVE] POSSIBLE_STATUSES_KEY: [STATUS_UNEXECUTED, STATUS_INCONCLUSIVE]
}, },
TEST_DATA_ENDPOINT_ELASTIC: { TEST_DATA_ENDPOINT_ELASTIC: {
EXPLANATION_KEY: u"The Monkey scanned for unencrypted access to ElasticSearch instances.", TEST_EXPLANATION_KEY: u"The Monkey scanned for unencrypted access to ElasticSearch instances.",
FINDING_FORMAT_KEY: u"The Monkey on {ORIGIN} found an open ElasticSearch instance.", FINDING_EXPLANATION_BY_STATUS_KEY: {
STATUS_CONCLUSIVE: "Monkey accessed ElasticSearch instances. Limit access to data by encrypting it in in-transit.",
STATUS_POSITIVE: "Monkey didn't find open ElasticSearch instances. If you have such instances, look for alerts that indicate attempts to access them."
},
DIRECTIVE_KEY: DIRECTIVE_DATA_TRANSIT, DIRECTIVE_KEY: DIRECTIVE_DATA_TRANSIT,
PILLARS_KEY: [DATA], PILLARS_KEY: [DATA],
POSSIBLE_STATUSES_KEY: [STATUS_UNEXECUTED, STATUS_CONCLUSIVE, STATUS_POSITIVE] POSSIBLE_STATUSES_KEY: [STATUS_UNEXECUTED, STATUS_CONCLUSIVE, STATUS_POSITIVE]
}, },
TEST_DATA_ENDPOINT_HTTP: { TEST_DATA_ENDPOINT_HTTP: {
EXPLANATION_KEY: u"The Monkey scanned for unencrypted access to HTTP servers.", TEST_EXPLANATION_KEY: u"The Monkey scanned for unencrypted access to HTTP servers.",
FINDING_FORMAT_KEY: u"The Monkey on {ORIGIN} found an open HTTP server.", FINDING_EXPLANATION_BY_STATUS_KEY: {
STATUS_CONCLUSIVE: "Monkey accessed HTTP servers. Limit access to data by encrypting it in in-transit.",
STATUS_POSITIVE: "Monkey didn't find open HTTP servers. If you have such servers, look for alerts that indicate attempts to access them."
},
DIRECTIVE_KEY: DIRECTIVE_DATA_TRANSIT, DIRECTIVE_KEY: DIRECTIVE_DATA_TRANSIT,
PILLARS_KEY: [DATA], PILLARS_KEY: [DATA],
POSSIBLE_STATUSES_KEY: [STATUS_UNEXECUTED, STATUS_CONCLUSIVE, STATUS_POSITIVE] POSSIBLE_STATUSES_KEY: [STATUS_UNEXECUTED, STATUS_CONCLUSIVE, STATUS_POSITIVE]
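Review bot: Each new FINDING_EXPLANATION_BY_STATUS_KEY dict covers only a subset of the statuses the same test declares under POSSIBLE_STATUSES_KEY — STATUS_UNEXECUTED is listed for every test but no test has an explanation for it — so any lookup keyed directly by a finding's status (as the ZeroTrustService hunk in this commit does) can raise KeyError for a status this table itself calls possible. Either add an entry for every possible status or state the invariant next to the key, e.g. `# Must contain an entry for every status a stored Finding can carry; STATUS_UNEXECUTED is only a rollup status` — whether findings can ever carry STATUS_UNEXECUTED is not visible from this file, so confirm before relying on it. Two smaller points: the new per-status strings drop the `u""` prefix that every other literal in TESTS_MAP uses, and the two DIRECTIVE_DATA_TRANSIT conclusive strings read "encrypting it in in-transit" (doubled "in"). TESTS_MAP's closing brace lies outside the hunk.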


@ -4,7 +4,7 @@ Define a Document Schema for Zero Trust findings.
from mongoengine import Document, StringField, EmbeddedDocumentListField from mongoengine import Document, StringField, EmbeddedDocumentListField
from common.data.zero_trust_consts import ORDERED_TEST_STATUSES, TESTS, TESTS_MAP, EXPLANATION_KEY, PILLARS_KEY from common.data.zero_trust_consts import ORDERED_TEST_STATUSES, TESTS, TESTS_MAP, TEST_EXPLANATION_KEY, PILLARS_KEY
# Dummy import for mongoengine. # Dummy import for mongoengine.
# noinspection PyUnresolvedReferences # noinspection PyUnresolvedReferences
from event import Event from event import Event
@ -24,7 +24,7 @@ class Finding(Document):
# LOGIC # LOGIC
def get_test_explanation(self): def get_test_explanation(self):
return TESTS_MAP[self.test][EXPLANATION_KEY] return TESTS_MAP[self.test][TEST_EXPLANATION_KEY]
def get_pillars(self): def get_pillars(self):
return TESTS_MAP[self.test][PILLARS_KEY] return TESTS_MAP[self.test][PILLARS_KEY]


@ -110,88 +110,88 @@ class TestZeroTrustService(IslandTestCase):
AUTOMATION_ORCHESTRATION: [], AUTOMATION_ORCHESTRATION: [],
DATA: [ DATA: [
{ {
"directive": DIRECTIVE_DATA_TRANSIT, "directive": DIRECTIVES[DIRECTIVE_DATA_TRANSIT],
"status": STATUS_CONCLUSIVE, "status": STATUS_CONCLUSIVE,
"tests": [ "tests": [
{ {
"status": STATUS_UNEXECUTED, "status": STATUS_UNEXECUTED,
"test": TEST_DATA_ENDPOINT_ELASTIC "test": TESTS_MAP[TEST_DATA_ENDPOINT_ELASTIC][TEST_EXPLANATION_KEY]
}, },
{ {
"status": STATUS_CONCLUSIVE, "status": STATUS_CONCLUSIVE,
"test": TEST_DATA_ENDPOINT_HTTP "test": TESTS_MAP[TEST_DATA_ENDPOINT_HTTP][TEST_EXPLANATION_KEY]
} }
] ]
} }
], ],
DEVICES: [ DEVICES: [
{ {
"directive": "endpoint_security", "directive": DIRECTIVES[DIRECTIVE_ENDPOINT_SECURITY],
"status": "Conclusive", "status": STATUS_CONCLUSIVE,
"tests": [ "tests": [
{ {
"status": "Conclusive", "status": STATUS_CONCLUSIVE,
"test": "endpoint_security_exists" "test": TESTS_MAP[TEST_ENDPOINT_SECURITY_EXISTS][TEST_EXPLANATION_KEY]
}, },
{ {
"status": "Unexecuted", "status": STATUS_UNEXECUTED,
"test": "machine_exploited" "test": TESTS_MAP[TEST_MACHINE_EXPLOITED][TEST_EXPLANATION_KEY]
} }
] ]
} }
], ],
NETWORKS: [ NETWORKS: [
{ {
"directive": "segmentation", "directive": DIRECTIVES[DIRECTIVE_SEGMENTATION],
"status": "Unexecuted", "status": STATUS_UNEXECUTED,
"tests": [ "tests": [
{ {
"status": "Unexecuted", "status": STATUS_UNEXECUTED,
"test": "segmentation" "test": TESTS_MAP[TEST_SEGMENTATION][TEST_EXPLANATION_KEY]
} }
] ]
}, },
{ {
"directive": "user_behaviour", "directive": DIRECTIVES[DIRECTIVE_USER_BEHAVIOUR],
"status": STATUS_INCONCLUSIVE, "status": STATUS_INCONCLUSIVE,
"tests": [ "tests": [
{ {
"status": STATUS_INCONCLUSIVE, "status": STATUS_INCONCLUSIVE,
"test": TEST_SCHEDULED_EXECUTION "test": TESTS_MAP[TEST_SCHEDULED_EXECUTION][TEST_EXPLANATION_KEY]
} }
] ]
}, },
{ {
"directive": "analyze_network_traffic", "directive": DIRECTIVES[DIRECTIVE_ANALYZE_NETWORK_TRAFFIC],
"status": "Unexecuted", "status": STATUS_UNEXECUTED,
"tests": [ "tests": [
{ {
"status": "Unexecuted", "status": STATUS_UNEXECUTED,
"test": "malicious_activity_timeline" "test": TESTS_MAP[TEST_ACTIVITY_TIMELINE][TEST_EXPLANATION_KEY]
} }
] ]
} }
], ],
PEOPLE: [ PEOPLE: [
{ {
"directive": "user_behaviour", "directive": DIRECTIVES[DIRECTIVE_USER_BEHAVIOUR],
"status": STATUS_INCONCLUSIVE, "status": STATUS_INCONCLUSIVE,
"tests": [ "tests": [
{ {
"status": STATUS_INCONCLUSIVE, "status": STATUS_INCONCLUSIVE,
"test": TEST_SCHEDULED_EXECUTION "test": TESTS_MAP[TEST_SCHEDULED_EXECUTION][TEST_EXPLANATION_KEY]
} }
] ]
} }
], ],
"Visibility & Analytics": [ "Visibility & Analytics": [
{ {
"directive": DIRECTIVE_ANALYZE_NETWORK_TRAFFIC, "directive": DIRECTIVES[DIRECTIVE_ANALYZE_NETWORK_TRAFFIC],
"status": STATUS_UNEXECUTED, "status": STATUS_UNEXECUTED,
"tests": [ "tests": [
{ {
"status": STATUS_UNEXECUTED, "status": STATUS_UNEXECUTED,
"test": TEST_ACTIVITY_TIMELINE "test": TESTS_MAP[TEST_ACTIVITY_TIMELINE][TEST_EXPLANATION_KEY]
} }
] ]
} }
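Review bot: The expected dict now keys DATA, DEVICES, NETWORKS and PEOPLE by the pillar constants, but the last pillar is still the bare literal `"Visibility & Analytics"`, even though VISIBILITY_ANALYTICS already exists as a constant (it appears in the PILLARS_KEY lists of the consts hunk); `VISIBILITY_ANALYTICS: [` keeps the fixture uniform and lets it survive a change of the display string (import it alongside the other pillar constants if the test module does not already). Separately, every "test" value is now computed via `TESTS_MAP[...][TEST_EXPLANATION_KEY]` rather than written out, so the fixture mirrors the service's own lookup instead of pinning an observable value — adequate for a structure test, but a regression that swapped two explanation strings inside TESTS_MAP would presumably pass here unnoticed. The enclosing expected-data structure begins before the hunk.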


@ -50,7 +50,7 @@ class ZeroTrustService(object):
for pillar in DIRECTIVES_TO_PILLARS[directive]: for pillar in DIRECTIVES_TO_PILLARS[directive]:
all_directive_statuses[pillar].append( all_directive_statuses[pillar].append(
{ {
"directive": directive, "directive": DIRECTIVES[directive],
"tests": ZeroTrustService.__get_tests_status(directive_tests), "tests": ZeroTrustService.__get_tests_status(directive_tests),
"status": ZeroTrustService.__get_directive_status(directive_tests) "status": ZeroTrustService.__get_directive_status(directive_tests)
} }
@ -78,7 +78,7 @@ class ZeroTrustService(object):
test_findings = Finding.objects(test=test) test_findings = Finding.objects(test=test)
results.append( results.append(
{ {
"test": test, "test": TESTS_MAP[test][TEST_EXPLANATION_KEY],
"status": ZeroTrustService.__get_lcd_worst_status_for_test(test_findings) "status": ZeroTrustService.__get_lcd_worst_status_for_test(test_findings)
} }
) )
@ -104,7 +104,7 @@ class ZeroTrustService(object):
test_info = TESTS_MAP[finding.test] test_info = TESTS_MAP[finding.test]
enriched_finding = { enriched_finding = {
# TODO add test explanation per status. # TODO add test explanation per status.
"test": test_info[EXPLANATION_KEY], "test": test_info[FINDING_EXPLANATION_BY_STATUS_KEY][finding.status],
"pillars": test_info[PILLARS_KEY], "pillars": test_info[PILLARS_KEY],
"status": finding.status, "status": finding.status,
"events": ZeroTrustService.__get_events_as_dict(finding.events) "events": ZeroTrustService.__get_events_as_dict(finding.events)
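Review bot: The enriched-finding lookup `test_info[FINDING_EXPLANATION_BY_STATUS_KEY][finding.status]` raises KeyError whenever a finding's status has no entry in that per-test dict; in the consts hunk of this commit no test defines text for STATUS_UNEXECUTED although every test lists it as a possible status, so one stored finding with an uncovered status would presumably abort building the whole report rather than just that entry. A tolerant form is `"test": test_info[FINDING_EXPLANATION_BY_STATUS_KEY].get(finding.status, test_info[TEST_EXPLANATION_KEY]),` which falls back to the generic test explanation when no per-status text exists (TEST_EXPLANATION_KEY would need importing here if it is not already). The `# TODO add test explanation per status.` comment directly above is fulfilled by this very change and should be dropped. The enriched_finding dict and its enclosing method continue outside the hunk.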


@ -19,6 +19,7 @@ const columns = [
} }
}, },
{ Header: 'Tests', id: 'tests', { Header: 'Tests', id: 'tests',
style: {'whiteSpace': 'unset'}, // This enables word wrap
accessor: x => { accessor: x => {
return <TestsStatus tests={x.tests} />; return <TestsStatus tests={x.tests} />;
} }
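Review bot: The added `style: {'whiteSpace': 'unset'}` quotes its object key where the surrounding column definition (`Header: 'Tests', id: 'tests'`) uses bare identifiers, and its comment says what the line does but not why; `style: {whiteSpace: 'unset'}, // let the full test explanation text wrap inside the cell` keeps the style uniform and ties the wrap to the reason this commit needs it (the tests column now carries full explanation text rather than a short identifier). The columns array continues outside the hunk.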