forked from p15670423/monkey
Updated scenario / use case docs
This commit is contained in:
parent
53f3625172
commit
f9f70febfc
|
@ -0,0 +1,44 @@
|
||||||
|
---
|
||||||
|
title: "ATT&CK techniques"
|
||||||
|
date: 2020-10-22T16:58:22+03:00
|
||||||
|
draft: false
|
||||||
|
description: "Find issues related to Zero Trust Extended framework compliance."
|
||||||
|
weight: 1
|
||||||
|
---
|
||||||
|
|
||||||
|
## Overview
|
||||||
|
|
||||||
|
Infection Monkey can simulate a number of realistic ATT&CK techniques on the network automatically. This will help you
|
||||||
|
assess the capabilities of your defensive solutions and see which ATT&CK techniques go unnoticed and how to prevent
|
||||||
|
them.
|
||||||
|
|
||||||
|
## Configuration
|
||||||
|
|
||||||
|
- **ATT&CK matrix** You can use ATT&CK configuration section to select which techniques you want to scan. Keep in mind
|
||||||
|
that ATT&CK matrix configuration just changes the overall configuration by modifying related fields, thus you should
|
||||||
|
start by modifying and saving the matrix. After that you can change credentials and scope of the scan, but exploiters,
|
||||||
|
post breach actions and other configuration values will be already chosen based on the ATT&CK matrix and shouldn’t be
|
||||||
|
modified.
|
||||||
|
- **Exploits -> Credentials** This configuration value will be used for brute-forcing. We use most popular passwords
|
||||||
|
and usernames, but feel free to adjust it according to your native language and other factors. Keep in mind that long
|
||||||
|
lists means longer scanning times.
|
||||||
|
- **Network -> Scope** Make sure to properly configure the scope of the scan. You can select Local network scan and
|
||||||
|
allow Monkey to propagate until maximum Scan depth(hop count) is reached or you can fine tune it by providing specific
|
||||||
|
network ranges in Scan target list. Scanning the local network is more realistic, but providing specific targets will
|
||||||
|
make the scanning process substantially faster.
|
||||||
|
|
||||||
|
![ATT&CK matrix](/images/usage/scenarios/attack-matrix.png "ATT&CK matrix")
|
||||||
|
|
||||||
|
## Suggested run mode
|
||||||
|
|
||||||
|
You should run the Monkey on network machines with defensive solutions you want to test.
|
||||||
|
|
||||||
|
A lot of ATT&CK techniques have a scope of a single node, so it’s important to manually run monkeys for better coverage.
|
||||||
|
|
||||||
|
## Assessing results
|
||||||
|
|
||||||
|
See the **ATT&CK report** to assess results of ATT&CK techniques used in your network. Each technique in the result
|
||||||
|
matrix is colour coated according to it’s status. Click on any technique to see more details about it and potential
|
||||||
|
mitigations. Keep in mind that each technique display contains a question mark symbol that will take you to the
|
||||||
|
official documentation of ATT&CK technique, where you can learn more about it.
|
||||||
|
|
|
@ -2,7 +2,7 @@
|
||||||
title: "Credential Leak"
|
title: "Credential Leak"
|
||||||
date: 2020-08-12T13:04:25+03:00
|
date: 2020-08-12T13:04:25+03:00
|
||||||
draft: false
|
draft: false
|
||||||
description: "Assess the impact of successful phishing attack, insider threat, or other form of credentials leak."
|
description: "Assess the impact of a successful phishing attack, insider threat, or other form of credentials leak."
|
||||||
weight: 4
|
weight: 4
|
||||||
---
|
---
|
||||||
|
|
||||||
|
@ -16,8 +16,6 @@ where these credentials can be reused.
|
||||||
|
|
||||||
## Configuration
|
## Configuration
|
||||||
|
|
||||||
#### Important configuration values:
|
|
||||||
|
|
||||||
- **Exploits -> Credentials** After setting up the Island add the users’ **real** credentials
|
- **Exploits -> Credentials** After setting up the Island add the users’ **real** credentials
|
||||||
(usernames and passwords) to the Monkey’s configuration (Don’t worry, this sensitive data is not accessible and is not
|
(usernames and passwords) to the Monkey’s configuration (Don’t worry, this sensitive data is not accessible and is not
|
||||||
distributed or used in any way other than being sent to the monkeys, and can be easily eliminated by resetting the Monkey Island’s configuration).
|
distributed or used in any way other than being sent to the monkeys, and can be easily eliminated by resetting the Monkey Island’s configuration).
|
||||||
|
@ -26,11 +24,15 @@ For this to work, Monkey Island or initial Monkey needs to have access to SSH ke
|
||||||
To make sure SSH keys were gathered successfully, refresh the page and check this configuration value after you run the Monkey
|
To make sure SSH keys were gathered successfully, refresh the page and check this configuration value after you run the Monkey
|
||||||
(content of keys will not be displayed, it will appear as `<Object>`).
|
(content of keys will not be displayed, it will appear as `<Object>`).
|
||||||
|
|
||||||
|
## Suggested run mode
|
||||||
|
|
||||||
To simulate the damage from a successful phishing attack using the Infection Monkey, choose machines in your network
|
To simulate the damage from a successful phishing attack using the Infection Monkey, choose machines in your network
|
||||||
from potentially problematic group of machines, such as the laptop of one of your heavy email users or
|
from potentially problematic group of machines, such as the laptop of one of your heavy email users or
|
||||||
one of your strong IT users (think of people who are more likely to correspond with people outside of
|
one of your strong IT users (think of people who are more likely to correspond with people outside of
|
||||||
your organization). Execute the Monkey on chosen machines by clicking on “**1. Run Monkey**” from the left sidebar menu
|
your organization). Execute the Monkey on chosen machines by clicking on “**1. Run Monkey**” from the left sidebar menu
|
||||||
and choosing “**Run on machine of your choice**”.
|
and choosing “**Run on machine of your choice**”. Since Infection Monkey is safe, feel free to run Monkeys as a
|
||||||
|
privileged user. Doing so will make sure that Monkey gathers credentials from a local machine.
|
||||||
|
|
||||||
|
|
||||||
![Exploit password and user lists](/images/usage/scenarios/user-password-lists.png "Exploit password and user lists")
|
![Exploit password and user lists](/images/usage/scenarios/user-password-lists.png "Exploit password and user lists")
|
||||||
|
|
||||||
|
|
|
@ -13,20 +13,18 @@ The Infection Monkey can help you verify that your security solutions are workin
|
||||||
|
|
||||||
## Configuration
|
## Configuration
|
||||||
|
|
||||||
#### Important configuration values:
|
- **Monkey -> Post breach** simulate the actions an attacker would make on an infected system.
|
||||||
|
To test something not present on the tool, you can provide your own file or command to be run.
|
||||||
- **Monkey -> Post breach** Post breach actions simulate the actions an attacker would make on infected system.
|
|
||||||
To test something not present on the tool, you can provide your own file or command to be ran.
|
|
||||||
|
|
||||||
The default configuration is good enough for many cases, but configuring testing scope and adding brute-force
|
The default configuration is good enough for many cases, but configuring testing scope and adding brute-force
|
||||||
credentials is a good bet in any scenario.
|
credentials is a good bet in any scenario.
|
||||||
|
|
||||||
Running the Monkey on both the Island and on a few other machines in the network manually is also recommended,
|
|
||||||
as it increases coverage and propagation rates.
|
|
||||||
|
|
||||||
|
|
||||||
![Post breach configuration](/images/usage/use-cases/ids-test.PNG "Post breach configuration")
|
![Post breach configuration](/images/usage/use-cases/ids-test.PNG "Post breach configuration")
|
||||||
|
|
||||||
|
## Suggested run mode
|
||||||
|
Running the Monkey on both the Island and on a few other machines in the network manually is also recommended,
|
||||||
|
as it increases coverage and propagation rates.
|
||||||
|
|
||||||
## Assessing results
|
## Assessing results
|
||||||
|
|
||||||
After running the Monkey, follow the Monkeys’ actions on the Monkey Island’s infection map.
|
After running the Monkey, follow the Monkeys’ actions on the Monkey Island’s infection map.
|
||||||
|
@ -40,7 +38,7 @@ Now you can match this activity from the Monkey timeline display to your interna
|
||||||
If you see orange arrows, those incidents ought to be reported as scanning attempts (and possibly as segmentation violations).
|
If you see orange arrows, those incidents ought to be reported as scanning attempts (and possibly as segmentation violations).
|
||||||
- The blue arrows indicate tunneling activity, usually used by attackers to infiltrate “protected” networks from
|
- The blue arrows indicate tunneling activity, usually used by attackers to infiltrate “protected” networks from
|
||||||
the Internet. Perhaps someone is trying to bypass your firewall to gain access to a protected service in your network?
|
the Internet. Perhaps someone is trying to bypass your firewall to gain access to a protected service in your network?
|
||||||
Check if your micro-segmentation / firewall solution identify or report anything.
|
Check if your micro-segmentation / firewall solution identifies or reports anything.
|
||||||
|
|
||||||
While running this scenario, be on the lookout for the action that should arise:
|
While running this scenario, be on the lookout for the action that should arise:
|
||||||
Did you get a phone call telling you about suspicious activity inside your network? Are events flowing
|
Did you get a phone call telling you about suspicious activity inside your network? Are events flowing
|
||||||
|
|
|
@ -17,7 +17,6 @@ Infection Monkey will help you assess the impact of internal network breach, by
|
||||||
|
|
||||||
## Configuration
|
## Configuration
|
||||||
|
|
||||||
#### Important configuration values:
|
|
||||||
- **Exploits -> Exploits** You can review the exploits Infection Monkey will be using. By default all
|
- **Exploits -> Exploits** You can review the exploits Infection Monkey will be using. By default all
|
||||||
safe exploiters are selected.
|
safe exploiters are selected.
|
||||||
- **Exploits -> Credentials** This configuration value will be used for brute-forcing. We use most popular passwords
|
- **Exploits -> Credentials** This configuration value will be used for brute-forcing. We use most popular passwords
|
||||||
|
@ -34,6 +33,13 @@ all post breach actions. These actions simulate attacker's behaviour after getti
|
||||||
|
|
||||||
![Exploiter selector](/images/usage/use-cases/network-breach.PNG "Exploiter selector")
|
![Exploiter selector](/images/usage/use-cases/network-breach.PNG "Exploiter selector")
|
||||||
|
|
||||||
|
## Suggested run mode
|
||||||
|
|
||||||
|
To simulate a foreign device you could introduce the Island server to the network and run monkey from it.
|
||||||
|
Alternatively, for a malicious agent simulation, you should run monkey manually on a machine that’s already running in
|
||||||
|
the network. Combining both, as always, will give you the best coverage.
|
||||||
|
|
||||||
|
|
||||||
## Assessing results
|
## Assessing results
|
||||||
|
|
||||||
Check infection map and security report to see how far monkey managed to propagate in the network and which
|
Check infection map and security report to see how far monkey managed to propagate in the network and which
|
||||||
|
|
|
@ -2,18 +2,18 @@
|
||||||
title: "Network Segmentation"
|
title: "Network Segmentation"
|
||||||
date: 2020-08-12T13:05:05+03:00
|
date: 2020-08-12T13:05:05+03:00
|
||||||
draft: false
|
draft: false
|
||||||
description: "Test network segmentation policies for apps that need ringfencing or tiers that require microsegmentation."
|
description: "Test network segmentation policies for apps that need ring fencing or tiers that require microsegmentation."
|
||||||
weight: 3
|
weight: 3
|
||||||
---
|
---
|
||||||
|
|
||||||
## Overview
|
## Overview
|
||||||
|
|
||||||
Segmentation is a method of creating secure zones in data centers and cloud deployments that allows companies to
|
Segmentation is a method of creating secure zones in data centers and cloud deployments that allows companies to
|
||||||
isolate workloads from one another and secure them individually, typically using policies.
|
isolate workloads from one another and secure them individually, typically using policies. A useful way to test the
|
||||||
A useful way to test the effectiveness of your segmentation is to ensure that your network segments are
|
effectiveness of your segmentation is to ensure that your network segments are properly separated, e,g, your
|
||||||
properly separated, e,g, your Development is separated from your Production, your applications are separated from one
|
Development is separated from your Production, your applications are separated from one another etc. To test the
|
||||||
another etc. To security test is to verify that your network segmentation is configured properly. This way you make
|
security is to verify that your network segmentation is configured properly. This way you make sure that even if a
|
||||||
sure that even if a certain attacker has breached your defenses, it can’t move laterally from point A to point B.
|
certain attacker has breached your defenses, it can’t move laterally from point A to point B.
|
||||||
|
|
||||||
[Segmentation is key](https://www.guardicore.com/use-cases/micro-segmentation/) to protecting your network, reducing
|
[Segmentation is key](https://www.guardicore.com/use-cases/micro-segmentation/) to protecting your network, reducing
|
||||||
the attack surface and minimizing the damage of a breach. The Monkey can help you test your segmentation settings with
|
the attack surface and minimizing the damage of a breach. The Monkey can help you test your segmentation settings with
|
||||||
|
@ -21,8 +21,6 @@ its cross-segment traffic testing feature.
|
||||||
|
|
||||||
## Configuration
|
## Configuration
|
||||||
|
|
||||||
#### Important configuration values:
|
|
||||||
|
|
||||||
- **Network -> Network analysis -> Network segmentation testing** This configuration setting allows you to define
|
- **Network -> Network analysis -> Network segmentation testing** This configuration setting allows you to define
|
||||||
subnets that should be segregated from each other. If any of provided networks can reach each other, you'll see it
|
subnets that should be segregated from each other. If any of provided networks can reach each other, you'll see it
|
||||||
in security report.
|
in security report.
|
||||||
|
@ -32,12 +30,14 @@ its cross-segment traffic testing feature.
|
||||||
all post breach actions. These actions simulate attacker's behaviour after getting access to a new system, so they
|
all post breach actions. These actions simulate attacker's behaviour after getting access to a new system, so they
|
||||||
might trigger your defence solutions which will interrupt segmentation test.
|
might trigger your defence solutions which will interrupt segmentation test.
|
||||||
|
|
||||||
Execute Monkeys on machines in different subnetworks manually, by choosing “**1. Run Monkey**” from the left sidebar menu
|
## Suggested run mode
|
||||||
and clicking on “**Run on machine of your choice**”.
|
|
||||||
|
Execute Monkeys on machines in different subnetworks manually, by choosing “**1. Run Monkey**” from the left sidebar
|
||||||
|
menu and clicking on “**Run on machine of your choice**”.
|
||||||
Alternatively, you could provide valid credentials and allow Monkey to propagate to relevant subnetworks by itself.
|
Alternatively, you could provide valid credentials and allow Monkey to propagate to relevant subnetworks by itself.
|
||||||
|
|
||||||
Note that if Monkey can't communicate to the Island, it will
|
Note that if Monkey can't communicate to the Island, it will
|
||||||
not be able to send scan results, so make sure all machines can reach the island.
|
not be able to send scan results, so make sure all machines can reach the island.
|
||||||
|
|
||||||
![How to configure network segmentation testing](/images/usage/scenarios/segmentation-config.png "How to configure network segmentation testing")
|
![How to configure network segmentation testing](/images/usage/scenarios/segmentation-config.png "How to configure network segmentation testing")
|
||||||
|
|
||||||
|
|
|
@ -2,7 +2,7 @@
|
||||||
title: "Other"
|
title: "Other"
|
||||||
date: 2020-08-12T13:07:55+03:00
|
date: 2020-08-12T13:07:55+03:00
|
||||||
draft: false
|
draft: false
|
||||||
description: "Tips and tricks about configuring monkey for your needs."
|
description: "Tips and tricks about configuring Monkeys for your needs."
|
||||||
weight: 100
|
weight: 100
|
||||||
---
|
---
|
||||||
|
|
||||||
|
@ -10,6 +10,57 @@ weight: 100
|
||||||
|
|
||||||
This page provides additional information about configuring monkeys, tips and tricks and creative usage scenarios.
|
This page provides additional information about configuring monkeys, tips and tricks and creative usage scenarios.
|
||||||
|
|
||||||
|
## Custom behaviour
|
||||||
|
|
||||||
|
If you want Monkey to run some kind of script or a tool after it breaches a machine, you can configure it in
|
||||||
|
**Configuration -> Monkey -> Post breach**. Just input commands you want executed in the corresponding fields.
|
||||||
|
You can also upload files and call them through commands you entered in command fields.
|
||||||
|
|
||||||
|
## Speed and coverage
|
||||||
|
|
||||||
|
There are some trivial ways to increase the coverage, for example you can **run the Monkey as a privileged user since
|
||||||
|
it’s safe**. To improve scanning speed you could **specify a subnet instead of scanning all of the local network**.
|
||||||
|
The following configuration values have a significant impact on speed/coverage:
|
||||||
|
- **Credentials** - the more usernames and passwords you input, the longer it will take the Monkey to scan machines having
|
||||||
|
remote access services. Monkeys try to stay elusive and leave a low impact, thus brute forcing takes longer than with
|
||||||
|
loud conventional tools.
|
||||||
|
- **Network scope** - scanning large networks with a lot of propagations can become unwieldy. Instead, try to scan your
|
||||||
|
networks bit by bit with multiple runs.
|
||||||
|
- **Post breach actions** - you can disable most of these if you only care about propagation.
|
||||||
|
- **Internal -> TCP scanner** - you can trim the list of ports monkey tries to scan increasing performance even further.
|
||||||
|
|
||||||
|
## Combining different scenarios
|
||||||
|
|
||||||
|
Infection Monkey is not limited to the scenarios mentioned in this section, once you get the hang of configuring it,
|
||||||
|
you might come up with your own use case or test all of suggested scenarios at the same time! Whatever you do,
|
||||||
|
Security, ATT&CK and Zero Trust reports will be waiting for you!
|
||||||
|
|
||||||
|
## Persistent scanning
|
||||||
|
|
||||||
|
Use Monkey -> Persistent scanning configuration section to either have periodic scans or to increase reliability of
|
||||||
|
exploitations by running consecutive Infection Monkey scans.
|
||||||
|
|
||||||
|
## Credentials
|
||||||
|
|
||||||
|
Every network has its old “skeleton keys” that should have long been discarded. Configure the Monkey with old and stale
|
||||||
|
passwords, but make sure that they were really discarded using the Monkey. To add the old passwords, in the island’s
|
||||||
|
configuration, go to the “Exploit password list” under “Basic - Credentials” and use the “+” button to add the old
|
||||||
|
passwords to the configuration. For example, here we added a few extra passwords (and a username as well) to the
|
||||||
|
configuration:
|
||||||
|
|
||||||
|
![Exploit password and user lists](/images/usage/scenarios/user-password-lists.png "Exploit password and user lists")
|
||||||
|
|
||||||
|
|
||||||
|
## Check logged and monitored terminals
|
||||||
|
|
||||||
|
To see the Monkey executing in real-time on your servers, add the **post-breach action** command:
|
||||||
|
`wall “Infection Monkey was here”`. This post breach command will broadcast a message across all open terminals on
|
||||||
|
the servers the Monkey breached, to achieve the following: Let you know the Monkey ran successfully on the server.
|
||||||
|
Let you follow the breach “live” alongside the infection map, and check which terminals are logged and monitored
|
||||||
|
inside your network. See below:
|
||||||
|
|
||||||
|
![How to configure post breach commands](/images/usage/scenarios/pba-example.png "How to configure post breach commands.")
|
||||||
|
|
||||||
## ATT&CK & Zero Trust scanning
|
## ATT&CK & Zero Trust scanning
|
||||||
|
|
||||||
You can use **ATT&CK** configuration section to select which techniques you want to scan. Keep in mind that ATT&CK
|
You can use **ATT&CK** configuration section to select which techniques you want to scan. Keep in mind that ATT&CK
|
||||||
|
@ -29,13 +80,6 @@ There's currently no way to configure monkey using Zero Trust framework, but reg
|
||||||
- To increase propagation run monkey as root/administrator. This will ensure that monkey will gather credentials
|
- To increase propagation run monkey as root/administrator. This will ensure that monkey will gather credentials
|
||||||
on current system and use them to move laterally.
|
on current system and use them to move laterally.
|
||||||
|
|
||||||
- Every network has its old “skeleton keys” that should have long been discarded. Configure the Monkey with old and stale passwords, but make sure that they were really discarded using the Monkey. To add the old passwords, in the island’s configuration, go to the “Exploit password list” under “Basic - Credentials” and use the “+” button to add the old passwords to the configuration. For example, here we added a few extra passwords (and a username as well) to the configuration:
|
|
||||||
|
|
||||||
![Exploit password and user lists](/images/usage/scenarios/user-password-lists.png "Exploit password and user lists")
|
|
||||||
|
|
||||||
- To see the Monkey executing in real-time on your servers, add the **post-breach action** command: `wall “Infection Monkey was here”`. This post breach command will broadcast a message across all open terminals on the servers the Monkey breached, to achieve the following: Let you know the Monkey ran successfully on the server. let you follow the breach “live” alongside the infection map, and check which terminals are logged and monitored inside your network. See below:
|
|
||||||
|
|
||||||
![How to configure post breach commands](/images/usage/scenarios/pba-example.png "How to configure post breach commands.")
|
|
||||||
|
|
||||||
- If you're scanning a large network, consider narrowing the scope and scanning it bit by bit if scan times become too
|
- If you're scanning a large network, consider narrowing the scope and scanning it bit by bit if scan times become too
|
||||||
long. Lowering the amount of credentials, exploiters or post breach actions can also help to lower scanning times.
|
long. Lowering the amount of credentials, exploiters or post breach actions can also help to lower scanning times.
|
||||||
|
|
|
@ -0,0 +1,43 @@
|
||||||
|
---
|
||||||
|
title: "Zero Trust assessment"
|
||||||
|
date: 2020-10-22T16:58:09+03:00
|
||||||
|
draft: false
|
||||||
|
description: "See where you are in your Zero Trust journey."
|
||||||
|
weight: 0
|
||||||
|
---
|
||||||
|
|
||||||
|
## Overview
|
||||||
|
|
||||||
|
Infection Monkey can help assess your network compliance with Zero Trust Extended framework by checking for various
|
||||||
|
violations of Zero Trust principles.
|
||||||
|
|
||||||
|
## Configuration
|
||||||
|
|
||||||
|
- **Exploits -> Credentials** This configuration value will be used for brute-forcing. We use most popular passwords
|
||||||
|
and usernames, but feel free to adjust it according to your native language and other factors. Keep in mind that long
|
||||||
|
lists means longer scanning times.
|
||||||
|
- **Network -> Scope** Make sure to properly configure the scope of the scan. You can select Local network scan and
|
||||||
|
allow Monkey to propagate until maximum Scan depth(hop count) is reached or you can fine tune it by providing specific
|
||||||
|
network ranges in Scan target list. Scanning local network is more realistic, but providing specific targets will make
|
||||||
|
the scanning process substantially faster.
|
||||||
|
- **Network -> Network analysis -> Network segmentation testing** This configuration setting allows you to define
|
||||||
|
subnets that should be segregated from each other.
|
||||||
|
|
||||||
|
In general, other configuration value defaults should be good enough, but feel free to see the “Other” section
|
||||||
|
for tips and tricks about other features and in-depth configuration parameters you can use.
|
||||||
|
|
||||||
|
![Exploit password and user lists](/images/usage/scenarios/user-password-lists.png "Exploit password and user lists")
|
||||||
|
|
||||||
|
## Suggested run mode
|
||||||
|
|
||||||
|
Running Monkey from the Island alone will give you reasonable results, but to increase the coverage for segmentation
|
||||||
|
and single node tests make sure to run monkey manually on various machines in the network. The more machines monkey
|
||||||
|
runs on, the better the coverage.
|
||||||
|
|
||||||
|
## Assessing results
|
||||||
|
|
||||||
|
See the results in the Zero Trust report section. “The Summary” section will give you an idea about which Zero Trust
|
||||||
|
pillars were tested, how many tests were done and test statuses. You can see more details below in the “Test Results”
|
||||||
|
section, where each test is sorted by pillars and principles it tests. To get even more details about what Monkey did,
|
||||||
|
go down to the “Findings” section and observe “Events” of different findings. “Events” will tell you what exactly
|
||||||
|
Infection Monkey did and when it was done, to make it easy to cross reference it with your defensive solutions.
|
Loading…
Reference in New Issue