Security Workshop: Simulated Security Incident in Grid- and Cluster environment with Forensic Analysis

From Gridkaschool


The participants will learn basic incident response and forensic skills in a virtualized environment. After a couple of introductory lectures on field forensics and incident response, most of the 3 days will be taken up by a tournament where the participants form teams that are given full root access to simulated HPC/Grid sites. Their task is to defend against and analyze realistic attacks of increasing sophistication, while keeping their systems up and running. The teams will be scored on their performance, and the winning team will be celebrated the most l33t admins. There may even be prizes.

Practical Issues

You will need to bring your own laptop. The only required software is an ssh client (although access to a unixoid operating system doesn't hurt). If you use the Putty ssh client, please be aware that we will be using OpenSSH keys during the exercise; see e.g. these instructions on how to use them together with Putty.

To get connected to the game VMs follow the instructions on Game.pdf

List of sites


- Tuesday 13:30 -- 18:30

  Introduction to the Security Track at GKS 15min (Sven Gabriel)
  - Classical Incident / Grid-Incident, agenda
  - The Players and their roles here: Leif, Toby, Heiko, Ursula, Aram
  Presentation: Leif Nixon: An Introduction to Quick and Dirty Forensics (60 min)
  Introduction to the game (15 min)
  - build teams
  - get comfortable with your new job as cluster admin

15:00 - 15:30

  Coffee / get the teams ready to roll, feel free to harden your system

15:30 - 18:30

  Your Cluster is under attack, better get your fingers dirty now...

- Wednesday 10:50 - 18:30

10:50 - 12:30
  - Oh dear, under attack again, next levels, enjoy the game
  - Lunch break
14:00 - 18:30
  14:00 - 17:45
  - Your site is still up and running? Well, we will work on this, 
  17:45 - 18:30
  - Wrap up, findings, defense strategies and discussions

-Thursday 10:50 - 18:30 Incident Response in a Grid-Environment

10:50 - 12:30
  - Introduction, Incident Response for Grid Admins (30min)
  - Teams get introduced to their Grid-Site
12:30 - 14:00 Lunch break
  14:30 - 17:00
  - Alarm, seems we have another problem ...
  - Incident Responce in Security-Service-Challenge
17:00 - 18:00
  - Presentation of what the sites could have found / hints which attack was taken from which incident
  - Presentation on SSC-Framework (15 - 30 min.), how to use it for a site training. (Aram)
18:00 - 18:30
  - Ursula: wrap up, hand out prices, gather feedback ... Meeting in TenForward with a "Tannenzaepfle" or something else