Mandiant Security Validation: Step 5 - Testing

nathanael_s · a month ago

Mandiant Security Validation utilizes an isolated virtual environment called Protected Theater to allow you to safely test the efficacy of endpoint security controls against destructive behaviors. In this section, we will walk you through the process of deploying and utilizing the Protected Theater.

Prerequisites

Administrative access to MSV Director.

Actions

Deploy Protected Theater

In this action, we will walk you through all of the decisions and steps necessary to deploy a Protected Theater.

Prerequisites

See the Relevant Links section for more documentation regarding the prerequisites.

Administrative access to MSV Director.
Administrative access to VMware vSphere.
Static IP Address for the Protected Theater.

Steps

Confirm that the hardware meets specifications in linked documenation. | Docs
Confirm that nested virtualization is enabled for the Protected Theater VM. See linked VMware documentation for more information. | Docs
Review additional information in the linked documenation to ensure that all SSL certificates and protected artifacts and services have been configured properly. | Docs
Deploy the Protected Theater using OVA, see linked documentation. | Docs
Register the Protected Theater with the Director, see linked documentation. | Docs
Configure the customer Gold Image, see linked documentation. | Docs
Import the customer gold image into the Protected Theater, see linked documentation. | Docs

Relevant Links

Prerequisites See the Relevant Links section for more documentation regarding the prerequisites. Administrative access to MSV Director. Administrative access to VMware vSphere. Static IP Address for the Protected Theater. Steps Confirm that the hardware meets specifications in linked documenation. | Docs Confirm that nested virtualization is enabled for the Protected Theater VM. See linked VMware documentation for more information. | Docs Review additional information in the linked documenation to ensure that all SSL certificates and protected artifacts and services have been configured properly. | Docs Deploy the Protected Theater using OVA, see linked documentation. | Docs Register the Protected Theater with the Director, see linked documentation. | Docs Configure the customer Gold Image, see linked documentation. | Docs Import the customer gold image into the Protected Theater, see linked documentation. | Docs Relevant Links All Steps: https://docs.mandiant.com/home/msv-pt-before-you-begin 1: https://docs.mandiant.com/home/msv-protected-theater--system-requirements 2: https://communities.vmware.com/t5/Nested-Virtualization-Documents/Running-Nested-VMs/ta-p/2781466 3: https://docs.mandiant.com/home/msv-pt-before-you-begin 4: https://docs.mandiant.com/home/msv-pt-adding-and-configuring-the-pt-virtual-environment 5: https://docs.mandiant.com/home/msv-pt-install-register 6: https://docs.mandiant.com/home/pt-configure-gold-image 7: https://docs.mandiant.com/home/pt-import-and-install-the-gold-image

Utilize Protected Theater

Protected Theater is an extremely powerful tool to test the efficacy of your security controls. In this section, we will walk you through uploading files to the endpoint file library, connecting to the Protected Theater using VNC or Console, and finally, creating a Protected Theater Action.

Prerequisites

See the Relevant Links section for more documentation regarding the prerequisites.

Administrative access to MSV Director.
Deployed Protected Theater.

Steps

In order to upload files to the Endpoint Files Library, you'll need to navigate to the Director and sign-in.
Select Library > Endpoint Files.
Click Add File and select the file you want to upload.
Add a description of the file.
Select the lowest User Group that should have access to the file.
Click Submit.
To connect to the Protected Theater over Console, you will need to navigate to the Director and sign-in. Then click Environment > Protected Theaters.
Click Edit next to the Protected Actor.
Click Launch Console.
Protected Theater Actions are a special type of Host CLI Action that includes destructive behaviors. Ensure that you've already added the file to the File Library, if your action will utilize a file.
Approve the file or have your Security Validation admin approve the file.
Create and save the Host CLI Action.

Relevant Links

Prerequisites See the Relevant Links section for more documentation regarding the prerequisites. Administrative access to MSV Director. Deployed Protected Theater. Steps In order to upload files to the Endpoint Files Library, you'll need to navigate to the Director and sign-in. Select Library > Endpoint Files. Click Add File and select the file you want to upload. Add a description of the file. Select the lowest User Group that should have access to the file. Click Submit. To connect to the Protected Theater over Console, you will need to navigate to the Director and sign-in. Then click Environment > Protected Theaters. Click Edit next to the Protected Actor. Click Launch Console. Protected Theater Actions are a special type of Host CLI Action that includes destructive behaviors. Ensure that you've already added the file to the File Library, if your action will utilize a file. Approve the file or have your Security Validation admin approve the file. Create and save the Host CLI Action. Relevant Links 1-6: https://docs.mandiant.com/home/msv-add-a-file-to-the-endpoint-files-library 7-9: https://docs.mandiant.com/home/msv-using-the-console-vs-vnc 10-12: https://docs.mandiant.com/home/msv-adding-protected-theater-actions

Testing Ransomware Defense

Ransomware Defense Validation (RDV) is available for Mandiant Security Validation customers. It delivers a "low touch", safe, and continuous test of whether your security controls can prevent the latest ransomware.

Prerequisites

See the Relevant Links section for more documentation regarding the prerequisites.

Administrative access to MSV Director.
Ensure you've met the prerequisites.

Steps

In order to run RDV actions, you will need to log in to the MSV Director. Navigate to Library > Actions.
On the Actions Library page, add Ransomware Defense Validation as a tag to filter on the RDV content.
Get a list of ransomware Actions available in the library.
Select the Action that you want to run and then click Run.
Select Actors to choose the Actor to run the Action against.
Click Run Now or Schedule.

Relevant Links

Prerequisites: https://docs.mandiant.com/home/msv-test-ransomware-controls
All Steps: https://docs.mandiant.com/home/msv-test-ransomware-controls

Prerequisites See the Relevant Links section for more documentation regarding the prerequisites. Administrative access to MSV Director. Ensure you've met the prerequisites. Steps In order to run RDV actions, you will need to log in to the MSV Director. Navigate to Library > Actions. On the Actions Library page, add Ransomware Defense Validation as a tag to filter on the RDV content. Get a list of ransomware Actions available in the library. Select the Action that you want to run and then click Run. Select Actors to choose the Actor to run the Action against. Click Run Now or Schedule. Relevant Links Prerequisites: https://docs.mandiant.com/home/msv-test-ransomware-controls All Steps: https://docs.mandiant.com/home/msv-test-ransomware-controls

Congratulations!

Your Mandiant Security Validation Journey is complete!