Added tunneling zero trust test

2019-09-01 15:40:29 +03:00 · 2019-09-01 15:40:29 +03:00 · 1550742d4d
parent 146c87c338
commit 1550742d4d
4 changed files with 55 additions and 3 deletions
--- a/monkey/common/data/zero_trust_consts.py
+++ b/monkey/common/data/zero_trust_consts.py
@ -29,6 +29,7 @@ TEST_ENDPOINT_SECURITY_EXISTS = u"endpoint_security_exists"
 TEST_SCHEDULED_EXECUTION = u"scheduled_execution"
 TEST_MALICIOUS_ACTIVITY_TIMELINE = u"malicious_activity_timeline"
 TEST_SEGMENTATION = u"segmentation"
+TEST_TUNNELING = u"tunneling"
 TESTS = (
    TEST_SEGMENTATION,
    TEST_MALICIOUS_ACTIVITY_TIMELINE,
@ -36,7 +37,8 @@ TESTS = (
    TEST_ENDPOINT_SECURITY_EXISTS,
    TEST_MACHINE_EXPLOITED,
    TEST_DATA_ENDPOINT_HTTP,
-    TEST_DATA_ENDPOINT_ELASTIC
+    TEST_DATA_ENDPOINT_ELASTIC,
+    TEST_TUNNELING
 )

 RECOMMENDATION_DATA_TRANSIT = u"data_transit"
@ -44,12 +46,14 @@ RECOMMENDATION_ENDPOINT_SECURITY = u"endpoint_security"
 RECOMMENDATION_USER_BEHAVIOUR = u"user_behaviour"
 RECOMMENDATION_ANALYZE_NETWORK_TRAFFIC = u"analyze_network_traffic"
 RECOMMENDATION_SEGMENTATION = u"segmentation"
+RECOMMENDATION_RESTRICTIVE_NETWORK_POLICIES = u"network_policies"
 RECOMMENDATIONS = {
    RECOMMENDATION_SEGMENTATION: u"Apply segmentation and micro-segmentation inside your network.",
    RECOMMENDATION_ANALYZE_NETWORK_TRAFFIC: u"Analyze network traffic for malicious activity.",
    RECOMMENDATION_USER_BEHAVIOUR: u"Adopt security user behavior analytics.",
    RECOMMENDATION_ENDPOINT_SECURITY: u"Use anti-virus and other traditional endpoint security solutions.",
-    RECOMMENDATION_DATA_TRANSIT: u"Secure data at transit by encrypting it."
+    RECOMMENDATION_DATA_TRANSIT: u"Secure data at transit by encrypting it.",
+    RECOMMENDATION_RESTRICTIVE_NETWORK_POLICIES: u"Configure network policies to be as restrictive as possible."
 }

 POSSIBLE_STATUSES_KEY = u"possible_statuses"
@ -127,6 +131,15 @@ TESTS_MAP = {
        PILLARS_KEY: [DATA],
        POSSIBLE_STATUSES_KEY: [STATUS_UNEXECUTED, STATUS_FAILED, STATUS_PASSED]
    },
+    TEST_TUNNELING: {
+        TEST_EXPLANATION_KEY: u"The Monkey tried to tunnel traffic using other monkeys.",
+        FINDING_EXPLANATION_BY_STATUS_KEY: {
+            STATUS_FAILED: "Monkey was tunneled its traffic using other monkeys. Your network policies are too permissive - restrict them."
+        },
+        RECOMMENDATION_KEY: RECOMMENDATION_RESTRICTIVE_NETWORK_POLICIES,
+        PILLARS_KEY: [NETWORKS, VISIBILITY_ANALYTICS],
+        POSSIBLE_STATUSES_KEY: [STATUS_UNEXECUTED, STATUS_FAILED]
+    },
 }

 EVENT_TYPE_ISLAND = "island"
--- a/monkey/monkey_island/cc/services/telemetry/processing/tunnel.py
+++ b/monkey/monkey_island/cc/services/telemetry/processing/tunnel.py
@ -1,10 +1,13 @@
 from monkey_island.cc.services.node import NodeService
+from monkey_island.cc.services.telemetry.processing.utils import get_tunnel_host_ip_from_proxy_field
+from monkey_island.cc.services.telemetry.zero_trust_tests.tunneling import test_tunneling_violation


 def process_tunnel_telemetry(telemetry_json):
+    test_tunneling_violation(telemetry_json)
    monkey_id = NodeService.get_monkey_by_guid(telemetry_json['monkey_guid'])["_id"]
    if telemetry_json['data']['proxy'] is not None:
-        tunnel_host_ip = telemetry_json['data']['proxy'].split(":")[-2].replace("//", "")
+        tunnel_host_ip = get_tunnel_host_ip_from_proxy_field(telemetry_json)
        NodeService.set_monkey_tunnel(monkey_id, tunnel_host_ip)
    else:
        NodeService.unset_all_monkey_tunnels(monkey_id)
--- a/monkey/monkey_island/cc/services/telemetry/processing/utils.py
+++ b/monkey/monkey_island/cc/services/telemetry/processing/utils.py
@ -11,3 +11,8 @@ def get_edge_by_scan_or_exploit_telemetry(telemetry_json):
        dst_node = NodeService.get_or_create_node(dst_ip, dst_domain_name)

    return EdgeService.get_or_create_edge(src_monkey["_id"], dst_node["_id"])
+
+
+def get_tunnel_host_ip_from_proxy_field(telemetry_json):
+    tunnel_host_ip = telemetry_json['data']['proxy'].split(":")[-2].replace("//", "")
+    return tunnel_host_ip
--- a/monkey/monkey_island/cc/services/telemetry/zero_trust_tests/tunneling.py
+++ b/monkey/monkey_island/cc/services/telemetry/zero_trust_tests/tunneling.py
@ -0,0 +1,31 @@
+from common.data.zero_trust_consts import TEST_TUNNELING, STATUS_FAILED, EVENT_TYPE_MONKEY_NETWORK, STATUS_INCONCLUSIVE, \
+    TEST_MALICIOUS_ACTIVITY_TIMELINE
+from monkey_island.cc.models import Monkey
+from monkey_island.cc.models.zero_trust.aggregate_finding import AggregateFinding
+from monkey_island.cc.models.zero_trust.event import Event
+from monkey_island.cc.services.telemetry.processing.utils import get_tunnel_host_ip_from_proxy_field
+
+
+def test_tunneling_violation(tunnel_telemetry_json):
+    if tunnel_telemetry_json['data']['proxy'] is not None:
+        # Monkey is tunneling, create findings
+        tunnel_host_ip = get_tunnel_host_ip_from_proxy_field(tunnel_telemetry_json)
+        current_monkey = Monkey.get_single_monkey_by_guid(tunnel_telemetry_json['monkey_guid'])
+        tunneling_events = [Event.create_event(
+            title="Tunneling event",
+            message="Monkey on {hostname} tunneled traffic through {proxy}.".format(
+                hostname=current_monkey.hostname, proxy=tunnel_host_ip),
+            event_type=EVENT_TYPE_MONKEY_NETWORK,
+            timestamp=tunnel_telemetry_json['timestamp']
+        )]
+        AggregateFinding.create_or_add_to_existing(
+            test=TEST_TUNNELING,
+            status=STATUS_FAILED,
+            events=tunneling_events
+        )
+
+        AggregateFinding.create_or_add_to_existing(
+            test=TEST_MALICIOUS_ACTIVITY_TIMELINE,
+            status=STATUS_INCONCLUSIVE,
+            events=tunneling_events
+        )