forked from p15670423/monkey
55 lines
2.6 KiB
Markdown
55 lines
2.6 KiB
Markdown
---
|
||
title: "IDS/IPS Test"
|
||
date: 2020-08-12T13:07:47+03:00
|
||
draft: true
|
||
weight: 5
|
||
---
|
||
|
||
## Overview
|
||
|
||
The Infection Monkey can help you verify that your security solutions are working the way you expected them to.
|
||
These may include your IR and SOC teams, your SIEM, your firewall, your endpoint security solution, and more.
|
||
|
||
## Configuration
|
||
|
||
#### Important configuration values:
|
||
|
||
- **Monkey -> Post breach** Post breach actions simulate the actions an attacker would make on infected system.
|
||
To test something not present on the tool, you can provide your own file or command to be ran.
|
||
|
||
The default configuration is good enough for many cases, but configuring testing scope and adding brute-force
|
||
credentials is a good bet in any scenario.
|
||
|
||
Running the Monkey on both the Island and on a few other machines in the network manually is also recommended,
|
||
as it increases coverage and propagation rates.
|
||
|
||
|
||
![Post breach configuration](/images/usage/scenarios/ids-test.png "Post breach configuration")
|
||
|
||
## Assessing results
|
||
|
||
After running the Monkey, follow the Monkeys’ actions on the Monkey Island’s infection map.
|
||
|
||
Now you can match this activity from the Monkey timeline display to your internal SIEM and make sure your security
|
||
solutions are identifying and correctly alerting on different attacks.
|
||
|
||
- The red arrows indicate successful exploitations. If you see red arrows, those incidents ought to be reported as
|
||
exploitation attempts, so check whether you are receiving alerts from your security systems as expected.
|
||
- The orange arrows indicate scanning activity, usually used by attackers to locate potential vulnerabilities.
|
||
If you see orange arrows, those incidents ought to be reported as scanning attempts (and possibly as segmentation violations).
|
||
- The blue arrows indicate tunneling activity, usually used by attackers to infiltrate “protected” networks from
|
||
the Internet. Perhaps someone is trying to bypass your firewall to gain access to a protected service in your network?
|
||
Check if your micro-segmentation / firewall solution identify or report anything.
|
||
|
||
While running this scenario, be on the lookout for the action that should arise:
|
||
Did you get a phone call telling you about suspicious activity inside your network? Are events flowing
|
||
into your security events aggregators? Are you getting emails from your IR teams?
|
||
Is the endpoint protection software you installed on machines in the network reporting on anything? Are your
|
||
compliance scanners detecting anything wrong?
|
||
|
||
Lastly, check Zero Trust and Mitre ATT&CK reports, to see which attacks can be executed on the network and how to
|
||
fix it.
|
||
|
||
![Map](/images/usage/scenarios/map-full-cropped.png "Map")
|
||
|