Following the COVID-19 situation, organizations are forced to swiftly adapt to new security risks and challenges. The large and unplanned migration to a remote workforce, in particular, has businesses looking at new security requirements and cyber threats.

What can I find here?

On this page, we share how to use Infection Monkey to assess remote workforce security, including:

  • Breach and Attack Simulation scenarios which tackle the risks companies are facing in this new situation
  • How to play those scenarios out using Guardicore’s Infection Monkey
  • How to resolve issues you may discover so you can build a secure WFH environment for your business

Secure your VPN environment

The first step in using Infection Monkey to assess remote workforce security is to use the Monkey to verify that your VPN environment meets your security requirements. This way you will be able to see your network through the eyes of an attacker who controls one of your remote machines.

The Monkey can help you:

  • Verify there’s no access to other endpoints connected through the VPN
  • Find machines in your network that are accessible over VPN, but shouldn’t be.

How to use the Monkey to simulate this scenario

If you have trouble running any of these steps or want to ask questions, reach out to us in our new WFH SecurIT Slack workspace.

  • Deploy Monkey Island on a machine that is accessible over the VPN. If you are working from home right now, deploying it on your local machine is an easy way to achieve this. The Monkey has Windows, Linux, Docker, and OVA deployment options, so we’ve got you covered; just download and install it.
  • Connect to your VPN.
  • Find the VPN’s IP subnet and your organization’s internal IP subnets.
  • Configure the Monkey to scan the VPN’s subnet and the internal IP subnets of your organization. To do that, go to the Monkey Island and click on Configuration ➡ Basic Network. On this page do the following:
    • Deselect the “Local Network Scan” option.
    • In “Scan Subnet List” enter the subnets that you found in step 3. In our example we’ve redacted part of the VPN IP subnet, but as you can see it starts with 10 and is a /16 subnet.
    (Screenshot: how to configure the Monkey to scan your VPN.)
  • Run the Monkey on your machine. Click on Run Monkey ➡ Run on Monkey Island Server if the Monkey Island is running on your machine. Otherwise, click on Run Monkey ➡ Run on a machine of your choice.
    (Screenshot: how to run the Monkey.)
  • Look at the Scanned Servers section of the Security Report and at the Infection Map. Verify that you cannot access any other machines in the VPN subnet. In this example (where some information has been redacted), we see quite a lot of nodes in the VPN, but none of them expose any services to us. To analyze the results further, look first for servers with open services such as SSH, HTTP, or databases; these are the soft spots that you need to harden. If there are no open services (as in this example), check whether each of these nodes should be reachable from this machine at all; other remote endpoints on the VPN normally should not be.
    (Screenshots: Scanned Servers section of the report; example VPN scan map.)
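To make step 3 concrete, here is an added shell example (it is not part of Infection Monkey or of the original article) that derives the VPN subnet from the local interface table and normalizes the internal subnets into the CIDR form that the “Scan Subnet List” field expects. The interface name tun0, the addresses in the sample `ip -o -4 addr show` output and the internal subnets are all constructed for illustration; your VPN client may use a different interface name, and a point-to-point VPN (a single host address with a peer) does not reveal the subnet, which you then have to get from your VPN administrator. On Windows, `ipconfig` shows the same address and mask information.

```shell
#!/bin/sh
# Added example, not Infection Monkey code: build the "Scan Subnet List" for the
# VPN scenario from the local interface table, so the Monkey scans the VPN subnet
# and the internal subnets instead of your home LAN.

# Constructed sample of `ip -o -4 addr show` output (not captured from a real host).
# Interface names, addresses and prefix lengths are assumptions; the VPN address
# sits in a 10.x.x.x/16, like the redacted subnet in the article.
SAMPLE_IP_ADDR='1: lo    inet 127.0.0.1/8 scope host lo\       valid_lft forever preferred_lft forever
2: wlan0    inet 192.168.1.23/24 brd 192.168.1.255 scope global dynamic wlan0\       valid_lft 85955sec preferred_lft 85955sec
5: tun0    inet 10.8.23.45/16 scope global tun0\       valid_lft forever preferred_lft forever'

# Network address of an a.b.c.d/len string: 10.8.23.45/16 -> 10.8.0.0/16.
# A bare address (point-to-point VPN, no prefix) is treated as a /32 host.
cidr_network() {
  case $1 in */*) cidr=$1 ;; *) cidr=$1/32 ;; esac
  addr=${cidr%/*}; len=${cidr#*/}
  old_ifs=$IFS; IFS=.; set -- $addr; IFS=$old_ifs
  n=$(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
  # 4294967295 is 0xFFFFFFFF; keep the mask to 32 bits after the shift
  if [ "$len" -eq 0 ]; then mask=0; else mask=$(( (4294967295 << (32 - $len)) & 4294967295 )); fi
  net=$(( n & mask ))
  printf '%d.%d.%d.%d/%d\n' $(( (net >> 24) & 255 )) $(( (net >> 16) & 255 )) \
                            $(( (net >> 8) & 255 ))  $(( net & 255 )) "$len"
}

# address/prefix of one interface, taken from `ip -o -4 addr show` output
iface_addr() {   # $1 = ip output, $2 = interface name
  printf '%s\n' "$1" | awk -v iface="$2" '$2 == iface && $3 == "inet" { print $4; exit }'
}

# Emit one subnet per line for Configuration -> Basic Network -> "Scan Subnet List":
# the VPN subnet first, then the internal subnets your network team gave you.
scan_subnet_list() {   # $1 = ip output, $2 = VPN interface, $3.. = internal subnets
  ip_out=$1; vpn_if=$2; shift 2
  vpn_addr=$(iface_addr "$ip_out" "$vpn_if")
  if [ -z "$vpn_addr" ]; then
    echo "no IPv4 address on $vpn_if: is the VPN connected?" >&2
    return 1
  fi
  cidr_network "$vpn_addr"
  for s in "$@"; do cidr_network "$s"; done
}

# Live use:   scan_subnet_list "$(ip -o -4 addr show)" tun0 192.168.50.0/24 172.20.0.0/16
# Offline run against the constructed sample (the internal subnets are assumptions too):
scan_subnet_list "$SAMPLE_IP_ADDR" tun0 192.168.50.0/24 172.20.130.77/20
```

Paste the printed lines into “Scan Subnet List” and keep “Local Network Scan” deselected; otherwise the Monkey also scans the home network the machine sits on, which is not what this scenario is testing.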

Improve your VPN environment security

We recommend the following:

Secure your Jumpboxes

The next step in using Infection Monkey to assess remote workforce security is to use the Monkey to verify that your jumpbox doesn’t put your critical assets at risk.

Here’s how you do it:

  • Deploy Monkey Island on a machine that has access to the jumpbox. The Monkey has Windows, Linux, Docker, and OVA deployment options, so we’ve got you covered; just download and install it.
  • Configure the Monkey with the network’s subnets you want to test. Go to Configuration ➡ Basic Network. On this page, deselect the “Local Network Scan” option and in “Scan Subnet List,” enter the IP of the Jumpbox and the IP subnet of the secure network.
  • Log in to your jumpbox or VDI with the user access you want to test.
  • Run the Monkey on the jumpbox by clicking on Run Monkey ➡ Run on a machine of your choice and follow the instructions.
    (Screenshot: how to run the Monkey.)
  • Once the Monkey is done running, review the Infection Map and the Reports. Verify that the Monkey could only access the services your user needs.

Improve your Jumpbox environment security

Our recommendations are as follows:

  • Make sure that access from the jumpbox to services in the secure network is limited by user identity.
  • Block outbound traffic from the jump server to the internet.
  • Make sure that only approved programs can send and receive traffic from and to the Jumpbox.
  • Use MFA solutions when logging in to jumpboxes.
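As an added example (not part of Infection Monkey or of the original article), the script below generates an iptables ruleset for a Linux jumpbox that enforces two of the recommendations above: only the VPN subnet may open SSH sessions to the jumpbox, and the jumpbox may only open connections into the secure network, with no egress to the internet. The subnets, ports, resolver address and log prefix are assumptions chosen for illustration; replace them with your own before loading the rules.

```shell
#!/bin/sh
# Added example, not part of Infection Monkey or the article: generate an iptables
# ruleset for a Linux jumpbox that enforces two of the recommendations above.
# Only the VPN subnet may open SSH sessions to the jumpbox, and the jumpbox may only
# open connections into the secure network (no egress to the internet). All subnets,
# ports and the log prefix are assumptions chosen for illustration.

VPN_NET=${VPN_NET:-10.8.0.0/16}             # where remote users arrive from
SECURE_NET=${SECURE_NET:-192.168.50.0/24}   # the network the jumpbox exists to reach
SECURE_PORTS=${SECURE_PORTS:-22,3389,443}   # the only services users need there
DNS_SERVER=${DNS_SERVER:-192.168.50.53}     # internal resolver; no public DNS

# Ruleset in iptables-restore format. Default policy is DROP in every chain;
# everything else is an explicit allow.
jumpbox_ruleset() {
  cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -s $VPN_NET -p tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -d $DNS_SERVER/32 -p udp --dport 53 -j ACCEPT
-A OUTPUT -d $SECURE_NET -p tcp -m multiport --dports $SECURE_PORTS -m conntrack --ctstate NEW -j ACCEPT
-A OUTPUT -j LOG --log-prefix "jumpbox-egress-drop: " --log-level 4
COMMIT
EOF
}

# Review check before loading: the OUTPUT policy must be DROP, and every OUTPUT
# ACCEPT rule other than loopback and reply traffic must name a destination (-d).
# A rule like "-A OUTPUT -p tcp --dport 443 -j ACCEPT" would reopen the internet.
ruleset_blocks_internet() {   # $1 = ruleset text
  printf '%s\n' "$1" | grep -q '^:OUTPUT DROP' || return 1
  unrestricted=$(printf '%s\n' "$1" | grep '^-A OUTPUT' | grep ' -j ACCEPT' \
                 | grep -v -e ' -o lo ' -e 'ESTABLISHED' | grep -vc ' -d ' || true)
  [ "$unrestricted" -eq 0 ]
}

# Apply with:  jumpbox_ruleset | sudo iptables-restore   (after reading the output)
rules=$(jumpbox_ruleset)
if ruleset_blocks_internet "$rules"; then
  printf '%s\n' "$rules"
else
  echo "ruleset contains an unrestricted egress rule; not printing it" >&2
  exit 1
fi
```

With this policy in place, a Monkey launched from the jumpbox should report open services only on the secure network and only on the listed ports; anything else in the Infection Map is a gap in the rules. Note what iptables cannot express: the first recommendation (limiting access by user identity) has to be enforced at the target services or by an identity-aware proxy, since the `owner` match (`-m owner --uid-owner`) only distinguishes local Unix users, and MFA on the jumpbox login is a separate control.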

Running the Monkey in a production environment

How much of a footprint does the Monkey leave?

The Monkey leaves hardly any trace on the target system. It will leave:

  • Log files in the following locations:
    • Path on Linux: /tmp/user-1563
    • Path on Windows: %temp%\~df1563.tmp

What’s the Monkey’s impact on system resources usage?

The Infection Monkey uses a fraction of a percent of CPU time and very little RAM. For example, on a single-core Windows Server machine, the Monkey consistently uses 0.06% CPU, less than 80MB of RAM and a small amount of periodic I/O. If you do experience any performance issues, please let us know on our Slack channel or by opening an issue on GitHub.

Is it safe to use real passwords and usernames in the Monkey’s configuration?

Absolutely! User credentials are stored encrypted on the Monkey Island server, so they are accessible only to users who have access to the Island. We advise limiting access to the Monkey Island server by following our password protection guide. If you are using our OVA, change the machine’s root password as well.

How do you store sensitive information on the Monkey Island?

Sensitive data such as passwords, SSH keys and hashes are stored encrypted in the Monkey Island’s database. This data is transmitted to the Infection Monkeys over HTTPS and is not stored locally on the victim machines. When you reset the Monkey Island configuration, the Monkey Island wipes this information.

How stable are the exploitations used by the Monkey? Will the Monkey crash my systems with its exploits?

The Monkey does not use any exploits or attacks that may impact the victim system. This means we avoid some very strong (and famous) exploits such as EternalBlue, which was used in WannaCry and NotPetya with huge impact. Because it may crash a production system, we don’t use it.

After I’ve set up the Monkey Island, how can I execute the Monkey?

See our detailed walkthrough guide.

How can I make the monkey propagate “deeper” into the network?

If you wish to simulate a very “deep” attack into your network, you can try to increase the propagation depth parameter in the configuration. This parameter tells the Monkey how far to propagate into your network from the “patient zero” machine in which it was launched manually. To do this, change the “Distance from Island” parameter in the “Basic – Network” tab of the configuration:

(Screenshot: increase the Monkey’s propagation depth by changing the “Distance from Island” parameter.)

What if the report returns a blank screen?

This is sometimes caused when Monkey Island is installed with an old version of MongoDB. Make sure your MongoDB version is up to date using the mongod --version command on Linux or the mongod -version command on Windows. If your version is older than 4.0.10, this might be the problem. To update your MongoDB version:

  • Linux: First, remove the current version with sudo apt remove mongodb (apt has no “uninstall” operation) and then install the latest version using the official MongoDB manual.
  • Windows: First, remove the MongoDB binaries from the monkey\monkey_island\bin\mongodb folder. Download and install the latest version of mongodb using the official mongodb manual. After installation is complete, copy the files from the C:\Program Files\MongoDB\Server\4.2\bin folder to the monkey\monkey_island\bin\mongodb folder. Try to run the Island again and everything should work.
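As an added example (not part of Infection Monkey), the shell script below checks whether the MongoDB behind the Monkey Island is older than 4.0.10. It compares the version field by field, because a plain string comparison ranks “4.0.9” above “4.0.10” and would pass an installation that needs updating. The sample `mongod --version` output is constructed; point MONGOD at the bundled binary (for example the one under monkey\monkey_island\bin\mongodb on Windows installs) when mongod is not on PATH.

```shell
#!/bin/sh
# Added example, not part of Infection Monkey: check whether the MongoDB behind the
# Monkey Island is older than the 4.0.10 mentioned above. Compares version numbers
# field by field, because a plain string comparison ranks "4.0.9" above "4.0.10".

MIN_MONGO_VERSION=4.0.10
MONGOD=${MONGOD:-mongod}   # path to the mongod binary; the bundled one may not be on PATH

# Constructed sample of `mongod --version` output (not a real capture).
SAMPLE_OLD='db version v4.0.9
allocator: tcmalloc'

# The first line of `mongod --version` looks like "db version v4.0.9"; extract the number.
mongo_version_from_output() {   # $1 = command output
  printf '%s\n' "$1" | sed -n 's/^db version v\([0-9][0-9.]*\).*/\1/p' | head -n 1
}

# Numeric comparison of dotted versions; prints -1, 0 or 1. Missing fields count as 0,
# so 4.2 and 4.2.0 compare equal.
version_cmp() {   # $1 = version a, $2 = version b
  a=$1; b=$2
  while [ -n "$a" ] || [ -n "$b" ]; do
    fa=${a%%.*}; fb=${b%%.*}
    case $a in *.*) a=${a#*.} ;; *) a= ;; esac
    case $b in *.*) b=${b#*.} ;; *) b= ;; esac
    if [ "${fa:-0}" -lt "${fb:-0}" ]; then printf '%s\n' -1; return; fi
    if [ "${fa:-0}" -gt "${fb:-0}" ]; then printf '%s\n' 1; return; fi
  done
  printf '%s\n' 0
}

# True (exit 0) when the output shows a MongoDB older than MIN_MONGO_VERSION;
# exit 2 when no version could be parsed at all.
mongo_needs_update() {   # $1 = `mongod --version` output
  v=$(mongo_version_from_output "$1")
  [ -n "$v" ] || return 2
  [ "$(version_cmp "$v" "$MIN_MONGO_VERSION")" -lt 0 ]
}

# Run against the sample, and against the real binary when one is available.
if mongo_needs_update "$SAMPLE_OLD"; then echo "sample: update needed"; fi
if command -v "$MONGOD" >/dev/null 2>&1; then
  out=$("$MONGOD" --version 2>/dev/null)
  if mongo_needs_update "$out"; then
    echo "installed mongod $(mongo_version_from_output "$out") is older than $MIN_MONGO_VERSION"
  else
    echo "installed mongod is recent enough"
  fi
fi
```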

How can I get involved with the project?

The Monkey is an open-source project. To become a developer you can just pick an issue, clone the repo and start working. We recommend joining the conversation on our Slack channel (#Monkey_dev) and first setting up a development environment where you can run and test the project before starting to code.

Please consult with our contribution guidelines before you start working on an issue.

Secure Your Remote Workforce
How to Use Infection Monkey to Assess Remote Workforce Security
