From 68b6efa8b654c70fa8ed69653009f6671e062a89 Mon Sep 17 00:00:00 2001 From: VakarisZ Date: Fri, 23 Oct 2020 17:46:23 +0300 Subject: [PATCH] Updated scenario docs once more, removed IDS/IPS test scenario. --- docs/content/usage/use-cases/attack.md | 44 +++++++-------- .../usage/use-cases/credential-leak.md | 15 ++---- docs/content/usage/use-cases/ids-test.md | 53 ------------------- .../content/usage/use-cases/network-breach.md | 10 ++-- .../usage/use-cases/network-segmentation.md | 18 +++---- docs/content/usage/use-cases/other.md | 35 ++---------- docs/content/usage/use-cases/zero-trust.md | 33 ++++++------ 7 files changed, 59 insertions(+), 149 deletions(-) delete mode 100644 docs/content/usage/use-cases/ids-test.md diff --git a/docs/content/usage/use-cases/attack.md b/docs/content/usage/use-cases/attack.md index 88041aae4..ee2e002c7 100644 --- a/docs/content/usage/use-cases/attack.md +++ b/docs/content/usage/use-cases/attack.md 
@@ -1,44 +1,38 @@ --- -title: "ATT&CK techniques" +title: "MITRE ATT&CK assessment" date: 2020-10-22T16:58:22+03:00 draft: false -description: "Find issues related to Zero Trust Extended framework compliance." -weight: 1 +description: "Assess your network security detection and prevention capabilities." +weight: 2 --- ## Overview -Infection Monkey can simulate a number of realistic ATT&CK techniques on the network automatically. This will help you -assess the capabilities of your defensive solutions and see which ATT&CK techniques go unnoticed and how to prevent -them. +Infection Monkey can simulate various [ATT&CK](https://attack.mitre.org/matrices/enterprise/) techniques on the network. +Use it to assess your security solutions’ detection and prevention capabilities. Infection Monkey will help you find +which ATT&CK techniques go unnoticed and will provide recommendations about preventing them. + ## Configuration -- **ATT&CK matrix** You can use ATT&CK configuration section to select which techniques you want to scan. Keep in mind -that ATT&CK matrix configuration just changes the overall configuration by modifying related fields, thus you should -start by modifying and saving the matrix. After that you can change credentials and scope of the scan, but exploiters, -post breach actions and other configuration values will be already chosen based on the ATT&CK matrix and shouldn’t be -modified. +- **ATT&CK matrix** You can use ATT&CK configuration section to select which techniques you want the Monkey to simulate. +Leave default settings for the full simulation. - **Exploits -> Credentials** This configuration value will be used for brute-forcing. We use most popular passwords -and usernames, but feel free to adjust it according to your native language and other factors. Keep in mind that long -lists means longer scanning times. -- **Network -> Scope** Make sure to properly configure the scope of the scan. 
You can select Local network scan and -allow Monkey to propagate until maximum Scan depth(hop count) is reached or you can fine tune it by providing specific -network ranges in Scan target list. Scanning the local network is more realistic, but providing specific targets will -make the scanning process substantially faster. +and usernames, but feel free to adjust it according to the default passwords used in your network. Keep in mind that +long lists means longer scanning times. +- **Network -> Scope** Disable “Local network scan” and instead provide specific network ranges in +the “Scan target list”. ![ATT&CK matrix](/images/usage/scenarios/attack-matrix.png "ATT&CK matrix") ## Suggested run mode -You should run the Monkey on network machines with defensive solutions you want to test. - -A lot of ATT&CK techniques have a scope of a single node, so it’s important to manually run monkeys for better coverage. +Run the Infection Monkey on as many machines in your environment as you can to get a better assessment. This can be easily +achieved by selecting the “Manual” run option and executing the command shown on different machines in your environment +manually or with your deployment tool. ## Assessing results -See the **ATT&CK report** to assess results of ATT&CK techniques used in your network. Each technique in the result -matrix is colour coated according to it’s status. Click on any technique to see more details about it and potential -mitigations. Keep in mind that each technique display contains a question mark symbol that will take you to the -official documentation of ATT&CK technique, where you can learn more about it. - +The **ATT&CK Report** shows the status of ATT&CK techniques simulations. Click on any technique to see more details +about it and potential mitigations. Keep in mind that each technique display contains a question mark symbol that +will take you to the official documentation of ATT&CK technique, where you can learn more about it. 
diff --git a/docs/content/usage/use-cases/credential-leak.md b/docs/content/usage/use-cases/credential-leak.md index 93c1a27c9..923335e34 100644 --- a/docs/content/usage/use-cases/credential-leak.md +++ b/docs/content/usage/use-cases/credential-leak.md @@ -1,9 +1,9 @@ --- -title: "Credential Leak" +title: "Credentials Leak" date: 2020-08-12T13:04:25+03:00 draft: false description: "Assess the impact of a successful phishing attack, insider threat, or other form of credentials leak." -weight: 4 +weight: 5 --- ## Overview @@ -26,17 +26,12 @@ To make sure SSH keys were gathered successfully, refresh the page and check thi ## Suggested run mode -To simulate the damage from a successful phishing attack using the Infection Monkey, choose machines in your network -from potentially problematic group of machines, such as the laptop of one of your heavy email users or -one of your strong IT users (think of people who are more likely to correspond with people outside of -your organization). Execute the Monkey on chosen machines by clicking on “**1. Run Monkey**” from the left sidebar menu -and choosing “**Run on machine of your choice**”. Since Infection Monkey is safe, feel free to run Monkeys as a -privileged user. Doing so will make sure that Monkey gathers credentials from a local machine. - +Execute the Monkey on a chosen machine in your network using the “Manual” run option. +Run the Monkey as a privileged user to make sure it gathers as many credentials from the system as possible. ![Exploit password and user lists](/images/usage/scenarios/user-password-lists.png "Exploit password and user lists") ## Assessing results -To assess the impact of leaked credentials see Security report. It's possible, that credential leak resulted in even +To assess the impact of leaked credentials see Security report. It's possible that credential leak resulted in even more leaked credentials, for that look into **Security report -> Stolen credentials**. 
diff --git a/docs/content/usage/use-cases/ids-test.md b/docs/content/usage/use-cases/ids-test.md deleted file mode 100644 index 2dfcda1cd..000000000 --- a/docs/content/usage/use-cases/ids-test.md +++ /dev/null 
@@ -1,53 +0,0 @@ ---- -title: "IDS/IPS Test" -date: 2020-08-12T13:07:47+03:00 -draft: false -description: "Test your network defence solutions." -weight: 5 ---- - -## Overview - -The Infection Monkey can help you verify that your security solutions are working the way you expected them to. - These may include your IR and SOC teams, your SIEM, your firewall, your endpoint security solution, and more. - -## Configuration - -- **Monkey -> Post breach** simulate the actions an attacker would make on an infected system. -To test something not present on the tool, you can provide your own file or command to be run. - -The default configuration is good enough for many cases, but configuring testing scope and adding brute-force - credentials is a good bet in any scenario. - -![Post breach configuration](/images/usage/use-cases/ids-test.PNG "Post breach configuration") - -## Suggested run mode -Running the Monkey on both the Island and on a few other machines in the network manually is also recommended, - as it increases coverage and propagation rates. - -## Assessing results - -After running the Monkey, follow the Monkeys’ actions on the Monkey Island’s infection map. - -Now you can match this activity from the Monkey timeline display to your internal SIEM and make sure your security - solutions are identifying and correctly alerting on different attacks. - -- The red arrows indicate successful exploitations. If you see red arrows, those incidents ought to be reported as - exploitation attempts, so check whether you are receiving alerts from your security systems as expected. -- The orange arrows indicate scanning activity, usually used by attackers to locate potential vulnerabilities. - If you see orange arrows, those incidents ought to be reported as scanning attempts (and possibly as segmentation violations). -- The blue arrows indicate tunneling activity, usually used by attackers to infiltrate “protected” networks from - the Internet. 
Perhaps someone is trying to bypass your firewall to gain access to a protected service in your network? - Check if your micro-segmentation / firewall solution identifies or reports anything. - -While running this scenario, be on the lookout for the action that should arise: - Did you get a phone call telling you about suspicious activity inside your network? Are events flowing - into your security events aggregators? Are you getting emails from your IR teams? - Is the endpoint protection software you installed on machines in the network reporting on anything? Are your - compliance scanners detecting anything wrong? - -Lastly, check Zero Trust and Mitre ATT&CK reports, to see which attacks can be executed on the network and how to - fix it. - - ![Map](/images/usage/use-cases/map-full-cropped.png "Map") - diff --git a/docs/content/usage/use-cases/network-breach.md b/docs/content/usage/use-cases/network-breach.md index e315e49ad..962878ea6 100644 --- a/docs/content/usage/use-cases/network-breach.md +++ b/docs/content/usage/use-cases/network-breach.md @@ -3,7 +3,7 @@ title: "Network Breach" date: 2020-08-12T13:04:55+03:00 draft: false description: "Simulate an internal network breach and assess the potential impact." -weight: 1 +weight: 3 --- ## Overview 
@@ -35,9 +35,11 @@ all post breach actions. These actions simulate attacker's behaviour after getti ## Suggested run mode -To simulate a foreign device you could introduce the Island server to the network and run monkey from it. -Alternatively, for a malicious agent simulation, you should run monkey manually on a machine that’s already running in -the network. Combining both, as always, will give you the best coverage. +Decide which machines you want to simulate a breach on and use the “Manual” run option to start Monkeys there. +Use high privileges to run the Monkey to simulate an attacker that was able to elevate its privileges. +You could also simulate an attack initiated from an unidentified machine connected to the network (a technician +laptop, 3rd party vendor machine, etc) by running the Monkey on a dedicated machine with an IP in the network you +wish to test. ## Assessing results diff --git a/docs/content/usage/use-cases/network-segmentation.md b/docs/content/usage/use-cases/network-segmentation.md index 4cea4002c..543b6e645 100644 --- a/docs/content/usage/use-cases/network-segmentation.md +++ b/docs/content/usage/use-cases/network-segmentation.md 
@@ -2,18 +2,18 @@ title: "Network Segmentation" date: 2020-08-12T13:05:05+03:00 draft: false -description: "Test network segmentation policies for apps that need ring fencing or tiers that require microsegmentation." -weight: 3 +description: "Verify your network is properly segmented." +weight: 4 --- ## Overview Segmentation is a method of creating secure zones in data centers and cloud deployments that allows companies to -isolate workloads from one another and secure them individually, typically using policies. A useful way to test the -effectiveness of your segmentation is to ensure that your network segments are properly separated, e,g, your -Development is separated from your Production, your applications are separated from one another etc. To test the -security is to verify that your network segmentation is configured properly. This way you make sure that even if a -certain attacker has breached your defenses, it can’t move laterally from point A to point B. +isolate workloads from one another and secure them individually, typically using policies. A useful way to test +the effectiveness of your segmentation is to ensure that your network segments are properly separated, e,g, your +Development is separated from your Production, your applications are separated from one another etc. Use the +Infection Monkey to verify that your network segmentation is configured properly. This way you make sure that +even if a certain attacker has breached your defenses, it can’t move laterally between segments. [Segmentation is key](https://www.guardicore.com/use-cases/micro-segmentation/) to protecting your network, reducing the attack surface and minimizing the damage of a breach. The Monkey can help you test your segmentation settings with 
@@ -32,9 +32,7 @@ all post breach actions. These actions simulate attacker's behaviour after getti ## Suggested run mode -Execute Monkeys on machines in different subnetworks manually, by choosing “**1. Run Monkey**” from the left sidebar -menu and clicking on “**Run on machine of your choice**”. - Alternatively, you could provide valid credentials and allow Monkey to propagate to relevant subnetworks by itself. +Execute Monkeys on machines in different subnetworks using the “Manual” run option. Note that if Monkey can't communicate to the Island, it will not be able to send scan results, so make sure all machines can reach the island. diff --git a/docs/content/usage/use-cases/other.md b/docs/content/usage/use-cases/other.md index 71fc0cac9..90c44a943 100644 --- a/docs/content/usage/use-cases/other.md +++ b/docs/content/usage/use-cases/other.md @@ -16,11 +16,11 @@ If you want Monkey to run some kind of script or a tool after it breaches a mach **Configuration -> Monkey -> Post breach**. Just input commands you want executed in the corresponding fields. You can also upload files and call them through commands you entered in command fields. -## Speed and coverage +## Accelerate the test -There are some trivial ways to increase the coverage, for example you can **run the Monkey as a privileged user since -it’s safe**. To improve scanning speed you could **specify a subnet instead of scanning all of the local network**. -The following configuration values have a significant impact on speed/coverage: +To improve scanning speed you could **specify a subnet instead of scanning all of the local network**. + +The following configuration values also have an impact on scanning speed: - **Credentials** - the more usernames and passwords you input, the longer it will take the Monkey to scan machines having remote access services. Monkeys try to stay elusive and leave a low impact, thus brute forcing takes longer than with loud conventional tools. 
@@ -37,7 +37,7 @@ Security, ATT&CK and Zero Trust reports will be waiting for you! ## Persistent scanning -Use Monkey -> Persistent scanning configuration section to either have periodic scans or to increase reliability of +Use **Monkey -> Persistent** scanning configuration section to either have periodic scans or to increase reliability of exploitations by running consecutive Infection Monkey scans. ## Credentials @@ -50,7 +50,6 @@ configuration: ![Exploit password and user lists](/images/usage/scenarios/user-password-lists.png "Exploit password and user lists") - ## Check logged and monitored terminals To see the Monkey executing in real-time on your servers, add the **post-breach action** command: 
@@ -60,27 +59,3 @@ Let you follow the breach “live” alongside the infection map, and check whic inside your network. See below: ![How to configure post breach commands](/images/usage/scenarios/pba-example.png "How to configure post breach commands.") - -## ATT&CK & Zero Trust scanning - -You can use **ATT&CK** configuration section to select which techniques you want to scan. Keep in mind that ATT&CK - matrix configuration just changes the overall configuration by modifying related fields, thus you should start by - modifying and saving the matrix. After that you can change credentials and scope of the scan, but exploiters, - post breach actions and other configuration values will be already chosen based on ATT&CK matrix and shouldn't be - modified. - -There's currently no way to configure monkey using Zero Trust framework, but regardless of configuration options, - you'll always be able to see ATT&CK and Zero Trust reports. - -## Tips and tricks - -- Use **Monkey -> Persistent scanning** configuration section to either have periodic scans or to increase - reliability of exploitations. - -- To increase propagation run monkey as root/administrator. This will ensure that monkey will gather credentials - on current system and use them to move laterally. - - -- If you're scanning a large network, consider narrowing the scope and scanning it bit by bit if scan times become too - long. Lowering the amount of credentials, exploiters or post breach actions can also help to lower scanning times. - diff --git a/docs/content/usage/use-cases/zero-trust.md b/docs/content/usage/use-cases/zero-trust.md index 8499f8adc..de3e37d39 100644 --- a/docs/content/usage/use-cases/zero-trust.md +++ b/docs/content/usage/use-cases/zero-trust.md 
@@ -2,24 +2,22 @@ title: "Zero Trust assessment" date: 2020-10-22T16:58:09+03:00 draft: false -description: "See where you are in your Zero Trust journey." -weight: 0 +description: "See where you stand in your Zero Trust journey." +weight: 1 --- ## Overview -Infection Monkey can help assess your network compliance with Zero Trust Extended framework by checking for various -violations of Zero Trust principles. +Infection Monkey will help you assess your progress on your journey to achieve Zero Trust network. +The Infection Monkey will automatically assess your readiness across the different +[Zero Trust Extended Framework](https://www.forrester.com/report/The+Zero+Trust+eXtended+ZTX+Ecosystem/-/E-RES137210) principles. ## Configuration - **Exploits -> Credentials** This configuration value will be used for brute-forcing. We use most popular passwords -and usernames, but feel free to adjust it according to your native language and other factors. Keep in mind that long -lists means longer scanning times. -- **Network -> Scope** Make sure to properly configure the scope of the scan. You can select Local network scan and -allow Monkey to propagate until maximum Scan depth(hop count) is reached or you can fine tune it by providing specific -network ranges in Scan target list. Scanning local network is more realistic, but providing specific targets will make -the scanning process substantially faster. +and usernames, but feel free to adjust it according to the default passwords used in your network. +Keep in mind that long lists means longer scanning times. +- **Network -> Scope** Disable “Local network scan” and instead provide specific network ranges in the “Scan target list”. - **Network -> Network analysis -> Network segmentation testing** This configuration setting allows you to define subnets that should be segregated from each other. 
@@ -30,14 +28,15 @@ for tips and tricks about other features and in-depth configuration parameters y ## Suggested run mode -Running Monkey from the Island alone will give you reasonable results, but to increase the coverage for segmentation -and single node tests make sure to run monkey manually on various machines in the network. The more machines monkey -runs on, the better the coverage. +Run the Monkey on as many machines as you can. This can be easily achieved by selecting the “Manual” run option and +executing the command shown on different machines in your environment manually or with your deployment tool. +In addition, you can use any other run options you see fit. ## Assessing results See the results in the Zero Trust report section. “The Summary” section will give you an idea about which Zero Trust -pillars were tested, how many tests were done and test statuses. You can see more details below in the “Test Results” -section, where each test is sorted by pillars and principles it tests. To get even more details about what Monkey did, - go down to the “Findings” section and observe “Events” of different findings. “Events” will tell you what exactly - Infection Monkey did and when it was done, to make it easy to cross reference it with your defensive solutions. +pillars were tested, how many tests were done and test statuses. Specific tests are described in the “Test Results” +section. The “Findings” section shows details about the Monkey actions. Click on “Events” of different findings to +observe what exactly Infection Monkey did and when it was done. This should make it easy to cross reference events +with your security solutions and alerts/logs. +
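Review bot: In the attack.md Configuration hunk, the ordering caveat about the ATT&CK matrix is dropped without a replacement. The removed lines state that the matrix "just changes the overall configuration by modifying related fields, thus you should start by modifying and saving the matrix" and that "exploiters, post breach actions and other configuration values will be already chosen based on the ATT&CK matrix and shouldn't be modified"; the new text only says `Leave default settings for the full simulation.` Unless the matrix no longer rewrites those fields, a user who tunes exploiters or post-breach actions and then saves the matrix will silently lose those changes, so keep one sentence saying to configure and save the matrix first. The same hunk also removes the justification for the run mode (`A lot of ATT&CK techniques have a scope of a single node`), which is exactly why the new "Run the Infection Monkey on as many machines in your environment as you can" advice holds; consider keeping it. Grammar in the retained bullet: `long lists means longer scanning times` should read `long lists mean`.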
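Review bot: In the credential-leak.md Suggested run mode hunk, the criterion for picking the target machine is lost. The removed text told the reader to choose "potentially problematic" hosts (the laptop of a heavy email user, a strong IT user, people who correspond outside the organization), which is the substance of a phishing/insider scenario; the new text says only `Execute the Monkey on a chosen machine in your network using the "Manual" run option.` Keep a sentence on which machines are worth choosing. In the Assessing results hunk, `It's possible that credential leak resulted in even more leaked credentials` needs an article (`a credential leak`). Also note the title becomes the plural "Credentials Leak" while the slug stays `credential-leak`; pick one form and use it in the title, description and any cross-references.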
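Review bot: Deleting ids-test.md removes content that nothing else in this patch carries forward. That page was the only place documenting the infection-map arrow legend (`The red arrows indicate successful exploitations`, `The orange arrows indicate scanning activity`, `The blue arrows indicate tunneling activity`) and the workflow of matching Monkey timeline events against the SIEM, endpoint protection and IR alerts. The new attack.md description, "Assess your network security detection and prevention capabilities", is essentially this scenario's purpose, so fold the legend and the "did your security tooling alert" checklist into attack.md's Assessing results (or a map reference page) instead of dropping them. Before merging, also check the rest of the docs for links to `use-cases/ids-test` and whether `/images/usage/use-cases/ids-test.PNG` and `map-full-cropped.png` are still referenced anywhere; if not, remove the orphaned images in the same commit.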
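Review bot: In the network-breach.md Suggested run mode hunk, a few wording fixes: `3rd party vendor machine, etc)` should be `third-party vendor machine, etc.)`, and `Use high privileges to run the Monkey` reads more naturally as `Run the Monkey with high privileges`. The content itself is an improvement over the removed text, since it names concrete foreign-device cases (technician laptop, vendor machine) rather than only "introduce the Island server to the network".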
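Review bot: In the network-segmentation.md Overview hunk, the typo `e,g, your Development is separated from your Production` is carried over from the old text into the new lines; it should be `e.g., your Development`. In the Suggested run mode hunk, the removed alternative ("provide valid credentials and allow Monkey to propagate to relevant subnetworks by itself") is a legitimate way to exercise a segment boundary, since a successful propagation across segments is itself the violation being tested; consider keeping it as a second option next to the "Manual" run. The retained reminder that a Monkey which cannot reach the Island cannot report scan results is important and should stay.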
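Review bot: In the other.md Persistent scanning hunk, the bold span covers only part of the section name: `**Monkey -> Persistent** scanning` should be `**Monkey -> Persistent scanning**`, matching the form used in the removed tips text (`Use **Monkey -> Persistent scanning** configuration section`). Separately, removing the "ATT&CK & Zero Trust scanning" section from this file deletes the second copy of the note that the ATT&CK matrix overwrites exploiter and post-breach settings; since attack.md in this same patch drops the first copy, that caveat disappears from the docs entirely unless it is reinstated in one of the two places.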
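Review bot: In the zero-trust.md Overview and Configuration hunks, `assess your progress on your journey to achieve Zero Trust network` is missing an article (`a Zero Trust network`), and `long lists means longer scanning times` should be `long lists mean`. The new scope guidance, `Disable "Local network scan" and instead provide specific network ranges in the "Scan target list"`, is stated unconditionally here and in attack.md, while the removed text explained the trade-off (a local scan is more realistic, explicit targets are substantially faster); add a short clause giving the reason so readers know when a local network scan is still the right choice.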