guardicore / monkey

Infection Monkey - An open-source adversary emulation platform
https://www.guardicore.com/infectionmonkey/
GNU General Public License v3.0

Add a "Configure Scenarios" wizard to the configuration 🧙‍♂️ #673

Open ShayNehmad opened 4 years ago

ShayNehmad commented 4 years ago

Is your feature request related to a problem? Please describe.

Users would like to configure the Monkey according to the BAS scenario that they'd like to simulate. We should provide a built-in option to do that, instead of only providing external documentation.

Describe the solution you'd like

This depends on #637 being done. When entering the config page the user should choose between "manual" config or "Scenario picker". If Scenario is chosen, the user should get a subset of config fields with content next to each field which explains what to configure in this field for this scenario to work.

Describe alternatives you've considered

Consolidating and Improving the existing documentation.

Some examples of scenarios

Network segmentation

Segmentation is a method of creating secure zones in data centers and cloud deployments that allows companies to isolate workloads from one another and secure them individually, typically using policies. A useful way to test the effectiveness of your segmentation is to ensure that your network segments are properly separated, e.g., your Development is separated from your Production, your applications are separated from one another, etc. One thing to security test is to verify that your network segmentation is configured properly. This way you make sure that even if a certain attacker has breached your defenses, it can’t move laterally from point A to point B.

Segmentation is key to protecting your network, reducing the attack surface and minimizing the damage of a breach. The Monkey can help you test your segmentation settings with its cross-segment traffic testing feature.

| Config Field | Extra text |
| --- | --- |
| Network Segments | In here, you should list all of your network segments. |
| Scan IP list | Put all the servers you'd like to test here. This should be a super-set of the Network Segments. |
| Scan Local Network | If you want to only check the IP list, uncheck this. However, for a full network segmentation test with maximum visibility, you should leave this on. |

Phishing

Almost everyone is prone to phishing attacks. Results of a successful phishing attempt can be extremely costly as demonstrated in our report IResponse to IEncrypt.

This scenario begins in a section of the network which is a potential phishing spot. Phishing attacks target human users – as such, these types of attacks try to penetrate the network via a service an employee is using, such as an email with an attached malware or social media message with a link redirecting to a malicious website. These are just two examples of where and how an attacker may choose to launch their campaign.

To simulate the damage from a successful phishing attack using the Infection Monkey, choose machines in your network from a potentially problematic group of machines, such as the laptop of one of your heavy email users or one of your strong IT users (think of people who are more likely to correspond with people outside of your organization).

After supplying the Monkey with the passwords and usernames, execute the Monkey from the simulated “victim” machines. To do this, click “2. Run Monkey” from the left sidebar menu and choose “Run on machine of your choice”.

| Config Field | Extra text |
| --- | --- |
| Usernames | Put the credentials of "phished" users here. |
| Passwords | Put the passwords of "phished" users here. |

Single App attack surface

| Config Field | Extra text | Default Value |
| --- | --- | --- |
| Scan IP list | Put all the IPs of the app here. | |
| Scan Local Network | Make sure to uncheck this. | off |

VPN

Jumpboxes

Worm breach from external services

Whether it was the Hex-men campaign that hit your Internet-facing DB server, a cryptomining operation that attacked your WordPress site or any other malicious campaign – the attackers are now trying to go deeper into your network.

To simulate this breach scenario, execute the Infection Monkey on different machines that host internet-facing services such as your web servers (Apache, Tomcat, NGINX…).

After executing the Monkey, evaluate the results of this simulation using the information in the Report page. There you will find a summary of the most important things the simulation has discovered, a detailed report of all the Monkey’s findings and more. You can also use the Infection Map to analyze the Monkey’s progress through the network, and to see each Monkey’s detailed telemetry and logs.

| Config Field | Extra text | Default Value |
| --- | --- | --- |
| Depth | Try to estimate how deep your network is. If your network is completely flat, this should be 1. Add 1 for each sub-segment that you think is separated from the external network. | 3 |

VakarisZ commented 3 years ago

The "phishing" scenario has nothing to do with actual phishing. Monkey doesn't send emails or links and does not communicate with employees in any way, and phishing doesn't necessarily result in a leaked username/password. What would be a phishing scenario is if a user manually crafted emails, added renamed monkey binaries to them and sent them around the company, then waited to see how many machines communicate back to the island. The "phishing" scenario should be called "leaked credentials", and the description should be something like "Adversaries might compromise a user's credentials by phishing, dumpster diving, physical access or simply buying them from the original owner. Enter the user's credentials to see the impact of leaked credentials on your network".

VakarisZ commented 3 years ago

Scenario workflows:

Quick run

  1. User clicks on the "Quick run" option and monkey starts running on the island with the default config.
  2. Same workflow from this point: user goes to map then to reports.

Full configuration

  1. User clicks on the "Full configuration" option.
  2. Redirect user to Configuration page.
  3. After submit, redirect to run page.
  4. Same workflow from this point: user goes to map then to reports.

Network breach

  1. User configures the following configuration values: Exploits -> Exploits, Exploits -> Credentials, Network -> Scope
  2. Present user with optional configuration values: (Optional) Internal -> Network -> TCP scanner, (Optional) Monkey -> Post Breach Actions
  3. User gets redirected to run monkey page.
  4. User chooses which way he wants to run monkey and runs it.
  5. Same workflow from this point: user goes to map then to reports.

Network segmentation

  1. User configures Network -> Network analysis -> Network segmentation testing
  2. Present user with optional configuration values: (Optional) Network -> Scope, (Optional) Monkey -> Post Breach Actions
  3. Redirect user to manual monkey run option. User runs monkeys around the network.
  4. Same workflow from this point: user goes to map then to reports.

Credential leak

  1. User configures Exploits -> Credentials
  2. Explain to user how to gather ssh keys or add an option to add them
  3. Present user with optional configuration values: (Optional) Network -> Scope, (Optional) Monkey -> Post Breach Actions
  4. Redirect user to manual monkey run option. User runs monkeys around the network.
  5. Same workflow from this point: user goes to map then to reports.

IDS/IPS TEST

  1. User configures Monkey -> Post breach.
  2. Present user with optional configuration values: (Optional) Network -> Scope, (Optional) Monkey -> Post Breach Actions.
  3. Redirect to run monkey page.
  4. Same workflow from this point: user goes to map then to reports.

ATT&CK test

  1. User configures ATT&CK matrix
  2. Present user with optional configuration values: (Optional) Network -> Scope, (Optional) Exploits -> Credentials
  3. Redirect to run monkey page.
  4. Same workflow from this point: user goes to map then to reports.

ZeroTrust

Do what?

VakarisZ commented 3 years ago

PDR

Problem statement

With the scenario feature we hope to solve these problems:

  1. Introduce the user to all possible use cases of Infection Monkey.
  2. Guide the user through the process of configuring and using the tool. The business value of this feature is that it will get easier for newcomers to extract more value from the tool.

Scope

Essential parts are:

Optional parts:

Out of scope:

Specific components PDR

UI components used


Backend components

The main backend structure will be a Scenario object, containing different dependencies: config values, optional config values, run options, contextual messages and so on.

DDR

Lingo

Scenario - monkey use case, as defined here.

High level design

With this feature we aim to introduce the user to various use cases of Infection Monkey and guide him through configuring and running the tool. Implementation: on the back end we will have a "Scenario" object that links all related options/structures/data together. The user will choose which scenario he wants to execute and the back end will fetch all data related to that scenario. This data will be used in the scenario configuration wizard in the UI.

Affected components

UI - Side nav, home page, monkey run page, server run page. New components added: scenarios wizard that will encompass scenario choice, configuration screen and run option.
DB - will contain the chosen scenario.
Backend - scenario object and related infrastructure: creating configs for this scenario from the default config, mapping relevant config values etc.

Testing

UI - shouldn't be too much parsing, so manual tests.
Backend - unit tests for scenario creation and configuration parsing.

Risks + Opportunities

As always, if not implemented properly this could introduce huge shadow/maintenance costs. We need to make sure that whenever a new feature is introduced, the new configuration is automatically compatible with scenarios and that we won't need to integrate everything we develop into a multitude of scenarios manually.
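A sketch of the Scenario object described under "Backend components" and "High level design", together with the compatibility check this risk calls for, as an added example in Python (not guardicore/monkey code). The nested config keys, the "A -> B" path syntax and the function names are assumptions made for illustration.

```python
"""Added example, not guardicore/monkey code: a minimal Scenario object that maps
"A -> B" config paths onto a nested default config, applies the scenario's presets
and reports paths the default config no longer has. Config keys are constructed;
SINGLE_APP encodes the issue's "Single App attack surface" table."""
from copy import deepcopy
from dataclasses import dataclass, field

# Constructed stand-in for the island's default config (hypothetical keys).
DEFAULT_CONFIG = {
    "Exploits": {"Credentials": {"exploit_user_list": [], "exploit_password_list": []}},
    "Network": {"Scope": {"subnet_scan_list": [], "local_network_scan": True, "depth": 3}},
    "Monkey": {"Post Breach Actions": []},
}

@dataclass
class Scenario:
    name: str
    required: list = field(default_factory=list)  # paths the user must fill in
    optional: list = field(default_factory=list)  # paths offered as optional
    presets: dict = field(default_factory=dict)   # path -> value fixed by the scenario
    messages: dict = field(default_factory=dict)  # path -> contextual wizard text

def _locate(config, path):
    """Walk 'A -> B -> c' to (dict holding c, 'c'), or None if any part is absent."""
    *parents, key = [p.strip() for p in path.split("->")]
    node = config
    for part in parents:
        node = node.get(part) if isinstance(node, dict) else None
    return (node, key) if isinstance(node, dict) and key in node else None

def missing_paths(scenario, default=DEFAULT_CONFIG):
    """Scenario paths the default config lacks: catches drift when the schema changes."""
    return [p for p in scenario.required + scenario.optional + list(scenario.presets)
            if _locate(default, p) is None]

def build_config(scenario, user_values, default=DEFAULT_CONFIG):
    """Overlay scenario presets and the user's answers on a copy of the default config."""
    problems = ([f"unanswered: {p}" for p in scenario.required if p not in user_values]
                + [f"not in scenario: {p}" for p in user_values
                   if p not in scenario.required + scenario.optional]
                + [f"not in config: {p}" for p in missing_paths(scenario, default)])
    if problems:
        raise ValueError(f"{scenario.name}: {problems}")
    cfg = deepcopy(default)
    for path, value in {**scenario.presets, **user_values}.items():
        parent, key = _locate(cfg, path)
        parent[key] = value
    return cfg

SINGLE_APP = Scenario("Single App attack surface",
                      required=["Network -> Scope -> subnet_scan_list"],
                      presets={"Network -> Scope -> local_network_scan": False},
                      messages={"Network -> Scope -> subnet_scan_list": "Put all the IPs of the app here."})
```

Running `missing_paths` over every registered scenario in the backend's test suite is what turns "new configuration is automatically compatible with scenarios" from a hope into a failing unit test.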

Scenarios introduce opportunities to do small overhauls to our UI, maybe start migrating to redux. Another opportunity is to improve our configuration, for example create a decent way to upload ssh keys. It also introduces opportunities to add more non-orthodox features in the future.

UI tasks e/7.5:

Backend tasks e/9:

Optional tasks e/2:

UI e/1:

Backend e/1: