
New Version of Infection Monkey Maps to MITRE ATT&CK Framework

Guardicore's open source breach and attack simulation platform Infection Monkey now maps its attack results to the MITRE ATT&CK framework, allowing users to quickly discover internal vulnerabilities and rapidly fix them.

Guardicore is a provider of software-based microsegmentation, so lateral movement is central to its business. Guardicore Labs is its research team, drawn primarily from the IDF's Units 81 and 8200 (Unit 81 is similar to the NSA's TAO, Tailored Access Operations, continuing the long relationship between U.S. cybersecurity firms and the Israeli intelligence services).

It was Guardicore Labs that first developed Infection Monkey as an easy-to-use attack simulation tool. Infection Monkey operates within an organization's existing environment, whether cloud, on-prem, hypervisors or containers, and finds and maps lateral movement paths through that environment using real-world exploits.

Infection Monkey is free and open source. The original inspiration came from Netflix's Chaos Monkey, a tool designed to ensure that Netflix could keep streaming if one or more servers crashed. To prove the theory worked, Netflix decided that the genuine production environment had to be tested for real: Chaos Monkey was deployed in production, where it randomly crashed servers and closed random ports to check that the entire network wasn't stopped by a few failures.

The take-away from Chaos Monkey is that serious testing can only be done in the real production environment, so Guardicore Labs developed its own attack simulator to run, harmlessly, within existing production environments. The existing alternatives are penetration testing, which is costly, used sparingly and infrequently (usually just before an audit), and cannot cover the entire environment; and vulnerability scanning, which produces a long list of vulnerabilities but little context for prioritizing fixes.

When Infection Monkey is installed, it effectively provides a C&C server (the Monkey's own server) and a harmless worm. When it is run, the worm is set free. It starts with surveillance, looking for other machines, and tries to exploit those it finds. If it succeeds, it continues from machine to machine. "You can think of it as an automatic penetration tester," said Shay Nehmad, technical lead at Guardicore.

As it progresses through the environment, it draws a visual map of the computers it finds and how it accesses them, detailing what exploit was used. Infection Monkey delivers genuine live attacks within the environment. It is called a simulator rather than an attack engine to stress that it does no damage -- the exploits are genuine, but are harmless and carry no malicious payload.

Because the maps generated are so complex, larger organizations can configure the simulator to test individual subnets or specific applications. It can be used to simulate attacks solely against web servers, or to deliver periodic simulated phishing attacks. It can be run any number of times or in any frequency to provide what amounts to continuous but free penetration testing.

Once complete, the Monkey generates a report of findings and recommends remedial actions, and can even provide a zero-trust assessment report. Companies may believe they have implemented zero-trust, but Infection Monkey will show every point of failure in the implementation. It effectively finds all the lateral movement routes that a real attacker might use within a compromised network.

A by-product advantage of the simulator is that it can find connected servers that the IT department might have forgotten. If Equifax had run the simulator prior to its breach, it would have found the unpatched server since the relevant Struts exploit is included within the Monkey's armory.


The latest version now released maps the Monkey's findings to the MITRE ATT&CK framework, providing an ATT&CK status report that delivers all the information on each successful exploit attack to allow users to prepare for the next stage in a potential real attack. "Test the attack before the attack," commented Nehmad.

MITRE ATT&CK is a globally recognized matrix of malicious tactics and techniques observed in millions of actual attacks. "By leveraging the universally accepted framework," says Pavel Gurvich, co-founder and CEO at Guardicore, "Infection Monkey is now equipped to help security teams quickly and safely test network defenses and how they map to specific advanced persistent threats."

The existing version of Infection Monkey allows security teams to see how their network can be traversed and by what methods. The new version now adds MITRE ATT&CK recommendations on solutions. It allows rapid and continuous security enhancements: Monkey finds the holes and ATT&CK recommends mitigations. Holes can be repaired, and Monkey rerun to confirm the solution has worked. The types of attack used by Monkey can even be configured via the MITRE ATT&CK report -- so if 'pass the hash' testing is not required, it can be turned off (or back on) via the ATT&CK framework.
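The two preceding paragraphs describe the new workflow: simulation findings are rolled up per ATT&CK technique into a status report with mitigations, individual techniques such as pass the hash can be switched off in the configuration, and a rerun confirms whether a repair actually closed the hole. The following script is an added example written for this article, not Infection Monkey's own code: the finding format, the status vocabulary, the enable/disable config and the mitigation text are assumptions, and the sample run data is constructed. The technique IDs and names are real MITRE ATT&CK entries.

```python
from collections import defaultdict
from dataclasses import dataclass

# Catalogue of techniques the simulated run can exercise.
# IDs and names are real MITRE ATT&CK entries; the mitigation text is an
# assumption written for this example, not ATT&CK's or Monkey's wording.
TECHNIQUES = {
    "T1046": ("Network Service Discovery",
              "Segment east-west traffic; alert on internal port sweeps."),
    "T1210": ("Exploitation of Remote Services",
              "Patch exposed services; stop one host reaching every peer."),
    "T1190": ("Exploit Public-Facing Application",
              "Patch web frameworks promptly; inventory internet-facing hosts."),
    "T1550.002": ("Pass the Hash",
                  "Disable NTLM where possible; protect cached credentials."),
}


@dataclass(frozen=True)
class Finding:
    """One attempted technique from a simulated run against one target (assumed format)."""
    source: str
    target: str
    technique_id: str
    success: bool


# Constructed sample data for two runs of the simulator (not real results).
RUN_1 = [
    Finding("sim-server", "10.0.1.5", "T1046", True),
    Finding("10.0.1.5", "10.0.1.7", "T1210", True),
    Finding("10.0.1.5", "10.0.1.9", "T1210", False),
    Finding("10.0.1.7", "10.0.1.9", "T1550.002", True),
]
CONFIG_1 = {"T1550.002": True}   # every technique enabled
# Second run after patching 10.0.1.7 and switching pass-the-hash tests off.
RUN_2 = [
    Finding("sim-server", "10.0.1.5", "T1046", True),
    Finding("10.0.1.5", "10.0.1.7", "T1210", False),
    Finding("10.0.1.5", "10.0.1.9", "T1210", False),
]
CONFIG_2 = {"T1550.002": False}


def attack_status_report(findings, enabled):
    """Roll findings up per technique into an ATT&CK-style status report.

    enabled maps technique ID -> bool; a missing key means enabled.
    Status values (constructed for this example):
      disabled      - switched off in config, so there is no evidence either way
      not_attempted - enabled but the run never tried it
      attempted     - tried on at least one target, every attempt failed
      used          - succeeded on at least one target: a hole to fix
    """
    hits, tries = defaultdict(list), defaultdict(int)
    for f in findings:
        if f.technique_id not in TECHNIQUES:
            raise ValueError(f"unknown technique {f.technique_id}")
        if not enabled.get(f.technique_id, True):
            continue  # stray data for a disabled technique is ignored
        tries[f.technique_id] += 1
        if f.success:
            hits[f.technique_id].append((f.source, f.target))
    report = {}
    for tid, (name, mitigation) in TECHNIQUES.items():
        if not enabled.get(tid, True):
            status = "disabled"
        elif hits[tid]:
            status = "used"
        elif tries[tid]:
            status = "attempted"
        else:
            status = "not_attempted"
        report[tid] = {"name": name, "status": status, "paths": sorted(hits[tid]),
                       "mitigation": mitigation if status == "used" else None}
    return report


def confirm_fixes(before, after):
    """Compare two reports: a hole counts as fixed only if the technique was
    retried and blocked; a hole that was not retried stays unverified."""
    result = {"fixed": [], "unverified": [], "regressed": []}
    for tid in TECHNIQUES:
        was, now = before[tid]["status"], after[tid]["status"]
        if was == "used" and now == "attempted":
            result["fixed"].append(tid)
        elif was == "used" and now != "used":
            result["unverified"].append(tid)   # disabled or not attempted
        elif was != "used" and now == "used":
            result["regressed"].append(tid)
    return result


if __name__ == "__main__":
    first, second = attack_status_report(RUN_1, CONFIG_1), attack_status_report(RUN_2, CONFIG_2)
    for tid, row in second.items():
        print(f"{tid:10} {row['name']:34} {row['status']:14} {row['mitigation'] or ''}")
    print(confirm_fixes(first, second))
```

The distinction between "fixed" and "unverified" is the point of the rerun step: switching a technique off in the configuration removes it from the report, but only a run in which the technique was attempted and failed is evidence that the repair worked.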

The strength of Infection Monkey is that it is easy to use yet very powerful. Small companies can implement it and start getting results in less than an hour. Larger organizations can configure it to test specific aspects or portions of their network, and similarly get results in minutes of operation.

Boston, Mass.- and Tel Aviv, Israel-based Guardicore was founded by Ariel Zeitlin (CTO), Dror Sal'ee (VP, business development), and Pavel Gurvich (CEO) in 2013. It most recently raised $60 million in a Series C funding round in May 2019, bringing the total funds raised to date to $106 million.

Kevin Townsend is a Senior Contributor at SecurityWeek. He has been writing about high tech issues since before the birth of Microsoft. For the last 15 years he has specialized in information security; and has had many thousands of articles published in dozens of different magazines – from The Times and the Financial Times to current and long-gone computer magazines.