Shreya Malviya wrote this post as a project summary of her GSoC2020 experience.

Team:
Mentors: Shay Nehmad, Daniel Goldberg
Student: Shreya Malviya

Introduction

What is Infection Monkey?

Infection Monkey is an open-source security tool for testing a data center’s resiliency to perimeter breaches and internal server infection. The Monkey uses various methods to self-propagate across on-premises/cloud-based data centers and finds their weaknesses, whose results it then reports to a centralized Monkey Island Command and Control server.

In simpler words, Infection Monkey allows you to simulate breach and attack scenarios in your environment to help you assess the damage that you may endure in a real attack and verify that your security solutions work as expected.

Let’s talk about phishing attacks, for example. Almost everyone is prone to phishing attacks, and if successful, they can prove to be extremely costly. Using Infection Monkey, you can easily simulate a successful attack on your network, starting from the point where malware is executing, by running the Monkey with your desired configuration. You can then evaluate the results of your simulated attack using a detailed report found on the Monkey Island, comprising the Monkey’s findings, essential things the simulation discovered, and more.

What did you do for the project, briefly? (TL;DR)

I enhanced the detection capabilities of the Monkey by improving the MITRE ATT&CK coverage. This includes the addition of several new post-breach actions. These PBAs are mapped to the MITRE ATT&CK knowledge base in Monkey, in order to provide the user with a detailed visualisation of the utilized actions/techniques and their recommended mitigations, all of which can be found in the ATT&CK report on the Monkey Island. This ATT&CK report is also more explanatory now, owing to the modifications that I made. In addition, I ended up working on other general improvements of the tool, such as boosting the Monkey’s performance by making post-breach actions run in parallel with network scanning.

Delving Into What Happened

New MITRE ATT&CK techniques

The MITRE ATT&CK knowledge base is a comprehensive matrix of tactics and techniques based on real-world observations, which is widely used as a basis for network security assessments, used to classify attacks, assess an organization’s risk, and prioritize holes in defenses based on their risks.

Infection Monkey provides a way to configure the ATT&CK techniques that you want to test easily, and offers more insight about how those techniques were used and how you can further protect yourself. 

As part of my GSoC project, I added twelve new techniques (with many more on the way!):

• T1136 — “Create Account” attack technique (#579)
• T1158 — “Hidden Files and Directories” attack technique (#672)
• T1156 — “.bash_profile and .bashrc” attack technique (#682)
• T1168 — “Local Job Scheduling” attack technique (#683)
• T1053 — “Scheduled Task” attack technique (#685)
• T1504 — “PowerShell Profile” attack technique (#686)
• T1154 — “Trap” attack technique (#697)
• T1166 — “setuid and setgid” attack technique (#702)
• T1216 — “Signed Script Proxy Execution” technique (#703)
• T1087 — “Account Discovery” technique (#705)
• T1146 — “Clear Command History” attack technique (#794)
• T1099 — “Timestomping” attack technique (#795)

Take, for example, the “Hidden Files and Directories” attack technique. Hidden files exist on operating systems to prevent normal users from accidentally changing special system files. However, adversaries can use this concept to hide malicious files anywhere on the system. The MITRE ATT&CK framework lists over 20 examples of real-life cases where this property has been exploited for defense evasion.

“Hidden Files and Directories” technique in the MITRE ATT&CK database

The Monkey attempts to create and destroy a hidden file or directory on your system. Ideally, your antivirus software or security solution should incorporate the investigation of hidden files, notify you of unrecognized hidden files on the system, or simply block the creation of an unauthorized hidden file or directory. However, if the Monkey tells you that it was able to carry out the technique successfully, it is probably time for you to take a second look or upgrade to a better security service.

ATT&CK report on the Monkey Island server — the ATT&CK matrix followed by details of the selected technique (Hidden Files and Directories)

The MITRE ATT&CK matrix covers many more similar techniques. With the addition of the aforementioned 12, Infection Monkey now includes a total of 36 ATT&CK techniques out 272!

Improved reporting

Once the Monkey finishes its execution, the report is generated on the Monkey Island server, consisting of 3 sections — the Security report, the Zero Trust report, and the ATT&CK report. The ATT&CK report is a detailed account of the results of the ATT&CK techniques that Monkey configures.

While working on the addition of new techniques, we decided on making the ATT&CK report more actionable by revamping it to better cover known-unknowns. 

• ATT&CK report modifications (#717)

For instance, if the Monkey does not run the “setuid and setgid” attack technique in a given simulation, the ATT&CK report will mention the reason — whether no Linux machines were found or whether it was disabled in the configuration for the simulation. This can help you better understand and answer questions such as why an attacker would scan your network but leave out some part of the network.

ATT&CK report on the Monkey Island server — the ATT&CK matrix followed by details of the selected technique (Setuid and Setgid)

General improvements

Besides these, I worked on some general improvements —
→ Bug fixes

• Fix rendering bug in security report generation due to PBA section (#762)
• Link ATT&CK techniques of the same PBA in the config (#761)
• Windows’ “modify shell startup files” PBA fix (#757)
• Preserves ATT&CK config order on clicking ‘Reset to defaults’ (#753)
• Make setuid/setgid and trap PBAs not crash on windows (#732)
• Remove `None` values from the list of networks to scan (#550)

→ Performance improvements

• Run post-breach phase in a separate thread (#758)
• Telemetry modifications for “modify shell startup files” PBA (#731)

→ Miscellaneous (feature improvements, documentation updates, refactoring)

• Update MITRE images in documentation (#783)
• ATT&CK report message modifications (#717)
• Use mongo search for T1136’s report data (#693)
• Autoscroll to the last line in the telemetry console (#565)

The Community Aspect

Since my very first interaction, the development team of Infection Monkey has been SUPER encouraging! The last few months have been an amazing experience for me, and I am extremely appreciative of all that I have learnt.

Besides guiding me about the technical aspects of the project, my mentors have helped me acquire and practice soft skills as well, such as prioritising tasks and managing time accordingly, and taking charge and kicking off discussions revolving around future plans for the Monkey.

Slack discussion about the addition of a feature to Monkey

All of these have tremendously helped me grow as a developer in its entirety, and I can say with confidence that this has definitely been the most fruitful summer of my life! :)

If you would like to get involved, feel free to join our Slack workspace: https://infectionmonkey.slack.com/join/shared_invite/enQtNDU5MjAxMjg1MjU1LWM0NjVmNWE2ZTMzYzAxOWJiYmMxMzU0NWU3NmUxYjcyNjk0YWY2MDkwODk4NGMyNDU4NzA4MDljOWNmZWViNDU#/!

Learning Outcomes

• Acquired a firmer grasp over developing and debugging in Python
• Practised unit testing in Python
• Implemented multithreading in Python
• Learned JavaScript and basic frontend development using ReactJS
• Dived deeper into the features of Linux and Windows operating systems and shell scripting
• Was introduced to NoSQL databases — worked with MongoDB
• Brushed up on clean coding constructs
• Exercised time management and task prioritisation