Following the COVID-19 situation, organizations are forced to swiftly adapt to new security risks and challenges. The large and unplanned migration to a remote workforce, in particular, has businesses looking at new security requirements and cyber threats.
What can I find here?
On this page, we share how to use Infection Monkey to assess remote workforce security, including:
- Breach and Attack Simulation scenarios which tackle the risks companies are facing in this new situation
- How to play those scenarios out using Guardicore’s Infection Monkey
- How to resolve issues you may discover so you can build a secure WFH environment for your business
Secure your VPN environment
The first step in using Infection Monkey to assess remote workforce security is to use the Monkey to verify that your VPN environment meets your security requirements. This way you will be able to see your network through the eyes of an attacker who controls one of your remote machines.
The Monkey can help you:
- Verify there’s no access to other endpoints connected through the VPN
- Find machines in your network that are accessible over VPN, but shouldn’t be.
How to use the Monkey to simulate this scenario
If you have trouble running any of these steps or want to ask questions, reach out to us in our new WFH SecurIT Slack workspace.
- Deploy Monkey Island on a machine that is accessible over the VPN. If you are working from home right now, deploying it on your local machine is an easy way to achieve this. The Monkey has Windows, Linux, Docker, and OVA deployment options, so we've got you covered - just download and install it.
- Connect to your VPN.
- Find the VPN’s IP subnet and your organization’s internal IP subnets.
- Configure the Monkey to scan the VPN’s subnet and the internal IP subnets of your organization. To do that, go to the Monkey Island, click on Configuration ➡ Basic Network. In this page do the following:
- Deselect the “Local Network Scan” option.
- In “Scan Subnet List” enter the subnets that you found in stage 3. In our example we’ve redacted part of the VPN IP subnet, but as you can see it starts with 10 and is a /16 size subnet.
- Run the Monkey on your machine. Click on Run Monkey ➡ Run on Monkey Island Server if you executed the Monkey Island on your machine. Otherwise, click on Run Monkey ➡ Run on a machine of your choice.
- Look at the Scanned Servers section of the Security Report and the Infection Map. Verify that none of the machines in the VPN subnet are accessible to you. In this example (where some information has been redacted), we see quite a lot of nodes in the VPN but none of them expose any services to us. To further analyze the results, look for servers with open services first, like SSH, HTTP, or databases. These are the soft spots that you need to harden. If there are no open services (like in this example), make sure all of the nodes are accessible from this machine.
Improve your VPN environment security
We recommend the following:
- Configure your VPN to block incoming traffic to users’ endpoints.
- Segment your critical assets from users’ machines to reduce their attack surface.
- Continuously test your security setup with Infection Monkey from various PCs in your network.
- Reach out and consult with us! Join us at the WFH SecurIT Slack workspace or contact us at email@example.com.
Secure your Jumpboxes
The next step in using Infection Monkey to assess remote workforce security is to use the Monkey to verify that your jumpbox doesn’t put your critical assets at risk.
Here’s how you do it:
- Deploy Monkey Island on a machine that has access to the jumpbox. The Monkey has Windows, Linux, Docker, and OVA deployment options, so we've got you covered - just download and install it.
- Configure the Monkey with the network’s subnets you want to test. Go to Configuration ➡ Basic Network. On this page, deselect the “Local Network Scan” option and in “Scan Subnet List,” enter the IP of the Jumpbox and the IP subnet of the secure network.
- Log in to your jumpbox or VDI with the user access you want to test.
- Run the Monkey on the jumpbox by clicking on Run Monkey ➡ Run on a machine of your choice and follow the instructions.
- Once the Monkey is done running, review the Infection Map and the Reports. Verify that the Monkey could only access the services your user needs.
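The triage that both procedures end with (VPN: which hosts in the VPN subnet are reachable and which expose soft-spot services; jumpbox: which reached services the tested user does not actually need) can be scripted once you have exported the scan results. The following is an added example and not part of the Infection Monkey project: the host records, the field names and the policy are constructed assumptions that mirror what the Scanned Servers table and Infection Map show, not the Monkey's own report format.

```python
"""Triage of Infection Monkey scan results for the VPN and jumpbox scenarios.

Added example, not Infection Monkey code. The host records are constructed
to mirror what the Scanned Servers table and Infection Map show (an IP plus
the open services found); the field names and sample data are assumptions.
"""
import ipaddress

# Services the text calls "soft spots": open to the scanning machine and
# worth hardening first.
SOFT_SPOT_PORTS = {22: "ssh", 80: "http", 443: "https", 1433: "mssql",
                   3306: "mysql", 5432: "postgres", 27017: "mongodb"}


def vpn_findings(scanned, vpn_subnet):
    """VPN scenario: every reachable host inside the VPN subnet is a finding,
    ranked by the soft-spot services it exposes (empty list = reachable only)."""
    net = ipaddress.ip_network(vpn_subnet)
    out = []
    for host in scanned:
        if ipaddress.ip_address(host["ip"]) in net:
            soft = sorted(SOFT_SPOT_PORTS[p] for p in host["open_ports"]
                          if p in SOFT_SPOT_PORTS)
            out.append((host["ip"], soft))
    # Hosts exposing services first, then hosts that merely answered.
    return sorted(out, key=lambda t: (-len(t[1]), t[0]))


def jumpbox_findings(scanned, allowed):
    """Jumpbox scenario: report each (ip, port) the Monkey reached that is not
    in the set of services the tested user needs; an empty result means the
    jumpbox only reaches what that user is entitled to."""
    return sorted((h["ip"], p) for h in scanned for p in h["open_ports"]
                  if (h["ip"], p) not in allowed)


# Constructed sample: what a run from a remote laptop might show.
SAMPLE_SCAN = [
    {"ip": "10.8.0.5", "open_ports": []},            # VPN peer, ping only
    {"ip": "10.8.0.9", "open_ports": [22, 445]},     # VPN peer exposing SSH
    {"ip": "192.168.50.10", "open_ports": [5432]},   # internal database
    {"ip": "192.168.50.20", "open_ports": [443]},    # internal web app
]
ALLOWED_FOR_USER = {("192.168.50.20", 443)}          # policy: only the web app

if __name__ == "__main__":
    print(vpn_findings(SAMPLE_SCAN, "10.8.0.0/16"))
    print(jumpbox_findings(SAMPLE_SCAN, ALLOWED_FOR_USER))
```

Any host returned by vpn_findings contradicts the VPN goal above (peers should not see each other at all), and every tuple from jumpbox_findings is a service to restrict by user identity.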
Improve your Jumpbox environment security
Our recommendations are as follows:
- Make sure that access from the jumpbox to services in the secure network is limited by user identity.
- Block outbound traffic from the jump server to the internet.
- Make sure that only approved programs can send and receive traffic from and to the Jumpbox.
- Use MFA solutions when logging in to jumpboxes.
Running the Monkey in a production environment
How much of a footprint does the Monkey leave?
The Monkey leaves hardly any trace on the target system. It will leave:
- Log files in the following locations:
- Path on Linux:
- Path on Windows:
What’s the Monkey’s impact on system resources usage?
The Infection Monkey uses less than a single-digit percent of CPU time and very low RAM usage. For example, on a single core Windows Server machine, the Monkey consistently uses 0.06% CPU, less than 80MB of RAM and a small amount of I/O periodically. If you do experience any performance issues please let us know on our Slack channel or via opening an issue on GitHub.
Is it safe to use real passwords and usernames in the Monkey’s configuration?
Absolutely! User credentials are stored encrypted in the Monkey Island server. This information is then accessible only to users that have access to the Island. We advise limiting access to the Monkey Island server by following our password protection guide. If you are using our provided OVA, you should change the machine’s root password as well.
How do you store sensitive information on the Monkey Island?
Sensitive data such as passwords, SSH keys and hashes are stored on the Monkey Island’s database in an encrypted fashion. This data is transmitted to the Infection Monkeys in an encrypted fashion (HTTPS) and is not stored locally on the victim machines. When you reset the Monkey Island configuration, the Monkey Island wipes the information.
How stable are the exploitations used by the Monkey? Will the Monkey crash my systems with its exploits?
The Monkey does not use any exploits or attacks that may impact the victim system. This means we avoid using some very strong (and famous) exploits such as EternalBlue. This exploit was used in WannaCry and NotPetya with huge impact. But because it may crash a production system, we aren’t using it.
After I’ve set up the Monkey Island, how can I execute the Monkey?
See our detailed walkthrough guide.
How can I make the monkey propagate “deeper” into the network?
If you wish to simulate a very “deep” attack into your network, you can try to increase the propagation depth parameter in the configuration. This parameter tells the Monkey how far to propagate into your network from the “patient zero” machine in which it was launched manually. To do this, change the “Distance from Island” parameter in the “Basic – Network” tab of the configuration:
What if the report returns a blank screen?
This is sometimes caused when Monkey Island is installed with an old version of MongoDB. Make sure your MongoDB version is up to date using the mongod --version command on Linux or the mongod -version command on Windows. If your version is older than 4.0.10, this might be the problem. To update your Mongo version:
- Linux: First, uninstall the current version with sudo apt uninstall mongodb and then install the latest version using the official MongoDB manual.
- Windows: First, remove the MongoDB binaries from the monkey\monkey_island\bin\mongodb folder. Download and install the latest version of MongoDB using the official MongoDB manual. After installation is complete, copy the files from the C:\Program Files\MongoDB\Server\4.2\bin folder to the monkey\monkey_island\bin\mongodb folder. Try to run the Island again and everything should work.
How can I get involved with the project?
The Monkey is an open-source project. To become a developer you can just pick an issue, clone the repo and start working. We recommend joining the conversation on our Slack channel (#Monkey_dev channel) and first setting up a development environment where you can run and test the project before starting to code.
Please consult with our contribution guidelines before you start working on an issue.