Security Workshop: Simulated Security Incident in Grid- and Cluster environment with Forensic Analysis
From Gridkaschool
Jump to navigationJump to search
- Tuesday 13:30 -- 18:30
Introduction to the Security Track at GKS 20min (Sven) - Classical Incident / Grid-Incident, agenda - Set-Up (Sites, without any relation to Ursulas story, just say there will be sites :) ) - All attacks the participants will deal with have been seen recently at different sites, we compiled from these a fictionary scenario.... Die Geschichte ist frei erfunden, Ähnlichkeiten zu wahren Gegebenheiten und Personen sind rein zufällig und nicht beabsichtigt.:) - The Players and their roles here: Leif, Toby, Heiko, Ursula, Aram
Or having the start of the story here and integrate the introduction as training for 'new admins'? -> Yes this sounds like a good idea
Introduction to the Forensic Tools which might be of help here (Toby/Heiko) - TOBY/HEIKO PLEASE FILL IN HERE WHAT YOU PLAN TO DO/TIME NEEDED - Give them the check-list - Coffeebreak
- Ursula: Story/Introduction Special suite: Star Trek - Give the Participants their sites, let them get familiar with it (Ursula) - Give some intro to what the systems usually do, user communities -> Space wheather, typical usage, basically what you produced with the load generator.
- They may try to harden their systems (Rules: don't remove Leifs access and ?? add general firewall rule?)
- Leif start Attack 1 (please describe here)
- Let the participant work on the case
- Ursula: Give the Participants a last Hint which makes clear what to head for, what will be the end of that part. End of Day 1: having found the password of the intruder
Leifs Stuff
- Attack scenarios
- Wednesday 10:50 - 18:30
10:50 - 12:30 - First summary of day one, what was found, get all sites on the same level: - If there is a site that sticks out and solved everything as in Leifs scenario, give them the Bonus-Challenge - Other sites: Keep working on the case - Ursula: [Close case, Leif hitchhiked a borg cube and was last seen with 7of9 somehwere in TenForward spending a lot of Klingon Currency LEAVE OUT THE STOLEN CERT-Passwords issue
- Lunch break
14:00 - 18:30 14:00 - 14:30 - Introduction to the grid specific part of incident response [Somenone from KIT if interested otherwise Sven] (Working on certificate-DNs, what takes how long to take effect (CA/VOMS/local banning) - tracing a job to the originating WMS or UI - suspending a user at the site - trace activity of a certain DN
14:30 - 18:30 [Ursula to "interrupt" the presentation, saying breaking news, we just got informed from trusted sources on the outpost DS9 where Leif got all this Klingon-Money from] - Pictures: 1) Oscar in Klingon suite 2) screenshot typing certificate password of user gs151 - Bots from our sites brought down the finance systems at Deep-Space-Nine resulting in an armed conflict with the Ferengis) - Start investigation of web-attack
End of day 2
- users banned
-Thursday 10:50 - 18:30
10:50 - 12:30 - First summary of day two, what was found, get all sites on the same level: - all bots stopped - Network Forensics found CnC - If there is a site that sticks out and solved everything as in Grid-Attack Scenario scenario, give them the WMS with CVE-4073 - Other sites: Keep working on the case - Possibly give them Eygenes tool to trace jobs on the CREAM-CE
12:30 - 14:00 Lunch break
14:30 - 15:00 -Demo of CVE 4073 [Group that handled this case / Sven]
15:00 - 16:30 - Group Presentations (15 minutes per Group)
16:30 - 17:30 - Presentation of what the sites could have found / hints which attack was taken from which incident - Presentation on SSC-Framework (15 - 30 min.), how to use it for a site training. (Aram)
17:30 - 18:30 - Ursula: wrap up, hand out prices, gather feedback ... Meeting in TenForward with a "Tannenzaepfle" or something else