Mandiant Security Validation: Step 5 - Testing

GCSCommunity · ‎09-06-2024

Mandiant Security Validation utilizes an isolated virtual environment called Protected Theater to allow you to safely test the efficacy of endpoint security controls against destructive behaviors. In this section, we will walk you through the process of deploying and utilizing the Protected Theater.

Prerequisites

Administrative access to MSV Director.

Actions

Deploy Protected Theater

In this action, we will walk you through all of the decisions and steps necessary to deploy a Protected Theater.

Prerequisites

See the Relevant Links section for more documentation regarding the prerequisites.

Administrative access to MSV Director.
Administrative access to VMware vSphere.
Static IP Address for the Protected Theater.
An MSV license with Protected Theater as an included entitlement.

Steps

Confirm that the hardware meets specifications in linked documenation. | Docs
Confirm that nested virtualization is enabled for the Protected Theater VM. See linked VMware documentation for more information. | Docs
Review additional information in the linked documentation to ensure that all SSL certificates and protected artifacts and services have been configured properly. | Docs
Deploy the Protected Theater using OVA, see linked documentation. | Docs
Register the Protected Theater with the Director, see linked documentation. | Docs
Configure the customer Gold Image, see linked documentation. | Docs
Import the customer gold image into the Protected Theater, see linked documentation. | Docs
Review additional information for configuring user profiles and protected rule assignments. | Docs
Install the MSV software agent onto the Golden Image, and register the Protected Actor to the Director. Utilize the steps in the next section to upload the MSV installation files to the director, and access the director from the imported Golden Image to download the installation files.

Relevant Links

Prerequisites See the Relevant Links section for more documentation regarding the prerequisites. Administrative access to MSV Director. Administrative access to VMware vSphere. Static IP Address for the Protected Theater. An MSV license with Protected Theater as an included entitlement. Steps Confirm that the hardware meets specifications in linked documenation. | Docs Confirm that nested virtualization is enabled for the Protected Theater VM. See linked VMware documentation for more information. | Docs Review additional information in the linked documentation to ensure that all SSL certificates and protected artifacts and services have been configured properly. | Docs Deploy the Protected Theater using OVA, see linked documentation. | Docs Register the Protected Theater with the Director, see linked documentation. | Docs Configure the customer Gold Image, see linked documentation. | Docs Import the customer gold image into the Protected Theater, see linked documentation. | Docs Review additional information for configuring user profiles and protected rule assignments. | Docs Install the MSV software agent onto the Golden Image, and register the Protected Actor to the Director. Utilize the steps in the next section to upload the MSV installation files to the director, and access the director from the imported Golden Image to download the installation files. Relevant Links All Steps: https://docs.mandiant.com/home/msv-pt-before-you-begin 1: https://docs.mandiant.com/home/msv-protected-theater--system-requirements 2: https://communities.vmware.com/t5/Nested-Virtualization-Documents/Running-Nested-VMs/ta-p/2781466 3: https://docs.mandiant.com/home/msv-pt-before-you-begin 4: https://docs.mandiant.com/home/msv-pt-adding-and-configuring-the-pt-virtual-environment 5: https://docs.mandiant.com/home/msv-pt-install-register 6: https://docs.mandiant.com/home/pt-configure-gold-image 7: https://docs.mandiant.com/home/pt-import-and-install-the-gold-image 8. https://docs.mandiant.com/home/msv-protected-theater-configurations

Utilize Protected Theater

Protected Theater is an extremely powerful tool to test the efficacy of your security controls. In this section, we will walk you through uploading files to the endpoint file library, connecting to the Protected Theater using VNC or Console, and finally, creating a Protected Theater Action.

Prerequisites

See the Relevant Links section for more documentation regarding the prerequisites.

Administrative access to MSV Director.
Deployed Protected Theater.
Deployed Protected Actor with MSV Agent installed and connected to MSV Director.

Steps

In order to upload files to the Endpoint Files Library, you'll need to navigate to the Director and sign-in.
Select Library > Endpoint Files.
Click Add File and select the file you want to upload.
Add a description of the file.
Select the lowest User Group that should have access to the file.
Click Submit.
To connect to the Protected Theater over Console, you will need to navigate to the Director and sign-in. Then click Environment > Protected Theaters.
Click Edit next to the Protected Actor.
Click Launch Console.
Protected Theater Actions are a special type of Host CLI Action that includes destructive behaviors. Ensure that you've already added the file to the File Library, if your action will utilize a file.
Approve the file or have your Security Validation admin approve the file.
Create and save the Host CLI Action.

Relevant Links

Prerequisites See the Relevant Links section for more documentation regarding the prerequisites. Administrative access to MSV Director. Deployed Protected Theater. Deployed Protected Actor with MSV Agent installed and connected to MSV Director. Steps In order to upload files to the Endpoint Files Library, you'll need to navigate to the Director and sign-in. Select Library > Endpoint Files. Click Add File and select the file you want to upload. Add a description of the file. Select the lowest User Group that should have access to the file. Click Submit. To connect to the Protected Theater over Console, you will need to navigate to the Director and sign-in. Then click Environment > Protected Theaters. Click Edit next to the Protected Actor. Click Launch Console. Protected Theater Actions are a special type of Host CLI Action that includes destructive behaviors. Ensure that you've already added the file to the File Library, if your action will utilize a file. Approve the file or have your Security Validation admin approve the file. Create and save the Host CLI Action. Relevant Links 1-6: https://docs.mandiant.com/home/msv-add-a-file-to-the-endpoint-files-library 7-9: https://docs.mandiant.com/home/msv-using-the-console-vs-vnc 10-12: https://docs.mandiant.com/home/msv-adding-protected-theater-actions

Initial Baseline Testing

The action of baselining in reference to a security validation program and using a tool like Mandiant Security Validation (MSV), is the process of running a core set of tests to evaluate the effectiveness of the controls in your environment to provide a basis of data.

Prerequisites

Administrative access to MSV Director.
Deployment of MSV Director, Internal Network and Endpoint Actors, and a externally hosted network actor.
Recommended: Configured integrations with your security technologies, (SIEM, EDR/AV, etc.)

Steps

1. Review the following Blog on how to develop baseline testing for new security validation deployments. | Docs

Relevant Links

All Steps: https://www.googlecloudcommunity.com/gc/Community-Blog/Developing-Baseline-Testing-for-New-Security-...

Prerequisites Administrative access to MSV Director. Deployment of MSV Director, Internal Network and Endpoint Actors, and a externally hosted network actor. Recommended: Configured integrations with your security technologies, (SIEM, EDR/AV, etc.) Steps Review the following Blog on how to develop baseline testing for new security validation deployments. | Docs Relevant Links All Steps: https://www.googlecloudcommunity.com/gc/Community-Blog/Developing-Baseline-Testing-for-New-Security-Validation/ba-p/795186

Congratulations!

Your Mandiant Security Validation Journey is complete!

Previous Step: Mandiant Security Validation: Step 4 - Security Content

Webinar May 14th: Gemini's generative AI within Google SecOps
Webinar May 29th: Log Ingestion: Bindplane + Google SecOps