How to check IPS? Infection Monkey vs Check Point
Three years ago, we published the article “Online tools for the simplest Pentest”. There we talked about affordable and quick ways to check the security of your network perimeter using tools such as Check Point CheckMe, Fortinet Test Your Metal, etc. But sometimes a more serious test is required, when you want to make some noise already inside the network (and preferably without harming the infrastructure). A free tool like Infection Monkey can be very useful for this purpose. As an example, we decided to scan the network through a Check Point gateway and see what its IPS sees, although nothing prevents you from running a similar experiment against other solutions to check how your IPS or NGFW behaves. Results below.
This tool belongs to the class of BAS (Breach and Attack Simulation) systems, which allow you to evaluate the security of your network in automatic mode: in effect, a safe “pentest” of your infrastructure is performed. It is open source and actively developed. Perhaps its main difference is that all tests run inside your network, as if an attacker had already penetrated it. Most organizations still concentrate on protecting the perimeter while forgetting the need for other measures. IDS/IPS in particular is very important for comprehensive protection, because it allows you to identify threats that are already inside the network. Infection Monkey is a good way to evaluate the maturity of information security in your company.
Infection Monkey itself can be deployed as a virtual machine. The following platforms are supported:
- Google Cloud Platform
For AWS, there is a ready-made template that you can use as part of a free-tier account. We most often use ESXi. The image can be requested on the official website, or from us.
The installation itself is extremely simple and is described in the official documentation; I see no reason to duplicate that information. There is also an instruction for starting a check. We will focus on the test results instead.
Attack techniques used
Infection Monkey uses several attack vectors and allows you to see the following things:
1) Vulnerable hosts. Finds hosts with weak passwords, old software versions, or known vulnerabilities. Here is the list of exploiters it ships with:
- SMB Exploiter
- WMI Exploiter
- MSSQL Exploiter
- MS08-067 Exploiter
- SSH Exploiter (essentially brute force)
- ShellShock Exploiter
- SambaCry Exploiter
- ElasticGroovy Exploiter
- Struts2 Exploiter
- WebLogic Exploiter
- Hadoop/Yarn Exploiter
- VSFTPD Exploiter
2) Forbidden interaction. Finds communication between network segments that should be blocked at the firewall or router level.
3) Lateral movement. Displays the movement of the “malware” in graphical form: how the bot hops from host to host across your network.
All this is complemented by detailed reporting. For example, using the MITRE ATT&CK matrix:
Zero Trust Model Report:
It is also a good check for your existing security controls. Could they detect this activity? Did all the logs arrive at your SIEM?
Infection Monkey FAQ
Before moving on to the test results, I would like to answer some of the most common questions about Infection Monkey.
Is this test dangerous for my infrastructure?
No. Infection Monkey uses only safe pentest methods that will not degrade your services.
Is it possible to clean the 'infected' devices after the test?
Infection Monkey does this automatically when the test completes.
Are there any traces left in the 'infected' system after removing the Infection Monkey?
Almost none, only log files. On Windows this is %temp%\~df1563.tmp; on Linux, /tmp/user-1563.
Does Infection Monkey load the system?
There is virtually no load. For example, on a single-core system (Windows Server), Monkey consumes less than 0.6% of CPU and less than 80 MB of RAM.
Does the program require Internet access?
No, but it is desirable. The Internet is used to check for updates (updates.infectionmonkey.com) and to check Internet availability from the “infected” hosts (www.google.com). However, no data is collected or sent.
The test setup is very simple. The Infection Monkey virtual machine sits in a chosen segment, and from it we scan a local network segment through the Check Point gateway:
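One way to verify the FAQ's claim about egress from the test hosts is to check your proxy or firewall logs for any destination other than the two named domains. This is an added example, not code from the article or from Infection Monkey; the log format, IP addresses and sample lines are constructed.

```python
"""Flag Internet destinations reached by Infection Monkey test hosts that are
not the two the FAQ names. Added example; log format and samples are constructed."""
import re
from collections import defaultdict

# Destinations the FAQ says Infection Monkey contacts; anything else deserves a look.
EXPECTED_DESTINATIONS = {"updates.infectionmonkey.com", "www.google.com"}

# Constructed egress log format: <timestamp> <src_ip> -> <dst_host>:<port> <action>
LOG_LINE = re.compile(
    r"^(?P<ts>\S+) (?P<src>\d{1,3}(?:\.\d{1,3}){3}) -> "
    r"(?P<dst>[^:\s]+):(?P<port>\d+) (?P<action>\w+)$"
)


def parse_line(line):
    """Return the parsed fields of one log line, or None if it does not match."""
    m = LOG_LINE.match(line.strip())
    return m.groupdict() if m else None


def unexpected_egress(lines, monkey_hosts, expected=EXPECTED_DESTINATIONS):
    """Return {src_ip: sorted list of 'host:port'} for test hosts that reached a
    destination outside the expected set. Lines that do not parse are skipped."""
    findings = defaultdict(set)
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["src"] not in monkey_hosts:
            continue
        if rec["dst"] not in expected:
            findings[rec["src"]].add(f'{rec["dst"]}:{rec["port"]}')
    return {src: sorted(dsts) for src, dsts in findings.items()}


# Constructed sample log lines: two test hosts and one unrelated host.
SAMPLE_LOG = [
    "2020-05-12T10:01:02Z 10.0.1.15 -> updates.infectionmonkey.com:443 ALLOW",
    "2020-05-12T10:01:03Z 10.0.1.15 -> www.google.com:443 ALLOW",
    "2020-05-12T10:01:09Z 10.0.1.22 -> www.google.com:443 ALLOW",
    "2020-05-12T10:02:30Z 10.0.1.22 -> example.net:8080 ALLOW",
    "2020-05-12T10:02:31Z 10.0.1.22 -> 203.0.113.7:4444 DENY",
    "2020-05-12T10:03:00Z 10.0.2.5 -> example.org:80 ALLOW",
    "garbage line that does not parse",
]
MONKEY_HOSTS = {"10.0.1.15", "10.0.1.22"}  # constructed: hosts the Monkey reached

if __name__ == "__main__":
    for src, dsts in unexpected_egress(SAMPLE_LOG, MONKEY_HOSTS).items():
        print(f"{src} reached unexpected destinations: {', '.join(dsts)}")
```

Only 10.0.1.22 is reported; 10.0.2.5 is not a test host, so its traffic is ignored.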
Check Point IPS Results with Optimized Profile
Back in the course “Check Point to the maximum” I tried to show how dangerous default settings can be. This applies to all vendors: you need to know how to tighten the screws properly. In this case, I decided to check the default Check Point profile, Optimized, first. The results can be seen in the image below:
It is worth noting that with the default profile, Infection Monkey successfully “hacked” the test host, even though the attack was primitive. The relevant signature was simply not enabled.
Check Point IPS results with my profile
The settings were made in accordance with the recommendations given as part of the course “Check Point to the maximum”. The result is completely different:
At the same time, IPS prevented infection of the host and the further spread of Infection Monkey.
It is worth noting that Check Point has pretty good forensics. This is what the log looks like:
Here you can see the traffic dump, the CVE number, the type of attack, and detailed information about it, as well as recommendations for setting up Check Point. Example:
Check Point did a good job in this regard; they have a rich knowledge base on all kinds of malware.
Of course, Infection Monkey is not a panacea and cannot reveal every potential problem in network security. But for a free tool, it is more than interesting. As already said, you can “make noise” on the network and see how your security tools behave. Even an NGFW with default settings can behave extremely unsatisfactorily. If the result does not suit you, we can help with analyzing your configuration.
In the near future we plan to publish similar tests for another tool (Cymulate), which is available for free as a trial version. It already offers many more attack options. In addition to the results, we will share recommendations on how to strengthen your protection. In order not to miss the following articles, stay tuned in our channels (Telegram, Facebook, VK, TS Solution Blog)!