Difference between revisions of "Security Workshop: Simulated Security Incident in Grid- and Cluster environment with Forensic Analysis"

From Gridkaschool
(Created page with "'''- Tuesday 13:30 -- 18:30''' Introduction to the Security Track at GKS 20min (Sven) - Classical Incident / Grid-Incident, agenda - Set-Up (Sites, without any relation …")
 
(Practical Issues)
 
(34 intermediate revisions by 4 users not shown)
== Introduction ==
'''- Tuesday 13:30 -- 18:30'''
 
The participants will learn basic incident response and forensic skills in a virtualized environment. After a couple of introductory lectures on field forensics and incident response, most of the 3 days will be taken up by a tournament where the participants form teams that are given full root access to simulated HPC/Grid sites. Their task is to defend against and analyze realistic attacks of increasing sophistication, while keeping their systems up and running. The teams will be scored on their performance, and the winning team will be celebrated the most l33t admins. There may even be prizes.
Introduction to the Security Track at GKS 20min (Sven)
 
- Classical Incident / Grid-Incident, agenda
 
- Set-Up (Sites, without any relation to Ursulas story, just say there will be sites :) )
 
- All attacks the participants will deal with have been seen recently at different sites; from these we compiled a fictional scenario....
 
The story is entirely fictional; any resemblance to real events and persons is purely coincidental and unintended. :)
 
- The Players and their roles here: Leif, Toby, Heiko, Ursula, Aram
 
   
== Practical Issues ==
<span style="color:#FF7F24">Or having the start of the story here and integrate the introduction as training for 'new admins'?</span>
 
You will need to bring your own laptop. The only required software is an ssh client (although access to a unixoid operating system doesn't hurt). If you use the Putty ssh client, please be aware that we will be using OpenSSH keys during the exercise; see e.g. [http://meinit.nl/using-your-openssh-private-key-in-putty these instructions] on how to use them together with Putty.
'''-> Yes this sounds like a good idea '''
 
   
To get connected to the game VMs follow the instructions on [http://wiki.scc.kit.edu/gridkaschool/upload/3/36/Game.pdf Game.pdf]<br>
Introduction to the Forensic Tools which might be of help here (Toby/Heiko)
 
- TOBY/HEIKO PLEASE FILL IN HERE WHAT YOU PLAN TO DO/TIME NEEDED
 
- Give them the check-list
 
 
- Coffeebreak
 
   
[[List of sites]]
- Ursula: [[Story/Introduction]]
 
Special suite: Star Trek
 
 
- Give the Participants their sites, let them get familiar with it (Ursula)
 
- Give some intro to what the systems usually do, user communities -> space weather, typical usage; basically what you produced with the load generator.
 
   
== Agenda ==
- They may try to harden their systems
 
'''- Tuesday 13:30 -- 18:30'''
(Rules: don't remove Leif's access and ?? add general firewall rule?)
 
Introduction to the Security Track at GKS 15min (Sven Gabriel)
- Classical Incident / Grid-Incident, agenda
- The Players and their roles here: Leif, Toby, Heiko, Ursula, Aram
   
'''Presentation''': Leif Nixon: An Introduction to Quick and Dirty Forensics (60 min)
- Leif starts [[Attack 1]] (please describe here)
 
   
- Let the participant work on the case
Introduction to the game (15 min)
- build teams
- get comfortable with your new job as cluster admin
'''15:00 - 15:30 '''
Coffee / get the teams ready to roll, feel free to harden your system
   
'''15:30 - 18:30 '''
 
'''Your Cluster is under attack, better get your fingers dirty now...'''
- Ursula: Give the Participants a last Hint which makes clear what to head for, what will be the end of that part.
 
'''End of Day 1: having found the password of the intruder'''
 
   
'''Leif's Stuff'''
 
- [[Attack scenarios]]
 
 
'''- Wednesday 10:50 - 18:30 '''
 
   
 
10:50 - 12:30
 
- First summary of day one, what was found, get all sites on the same level:
- '''Oh dear, under attack again''', next levels, enjoy the game
- If there is a site that sticks out and solved everything as in Leif's scenario, give them the Bonus-Challenge
 
- Other sites: Keep working on the case
 
- Ursula: [Close case, Leif hitchhiked a borg cube and was last seen with [http://blastr.com/assets_c/2011/03/seven-chakotay_1-thumb-480x360-59736.jpg 7of9] somewhere in [http://upload.wikimedia.org/wikipedia/en/thumb/e/eb/ST-TNG_Lower_Decks.jpg/270px-ST-TNG_Lower_Decks.jpg TenForward] spending a lot of [http://images3.wikia.nocookie.net/__cb57889/memoryalpha/en/images/8/8a/Lavelle_and_Riker_at_Ten_Forward.jpg Klingon Currency]]
 
LEAVE OUT THE STOLEN CERT-Passwords issue
 
   
 
- Lunch break
 
   
 
14:00 - 18:30
 
14:00 - 14:30
14:00 - 17:45
- '''Your site is still up and running? '''Well, we will work on this,
- Introduction to the grid-specific part of incident response [Someone from KIT if interested, otherwise Sven]
 
(Working on certificate DNs: what takes how long to take effect (CA/VOMS/local banning))
 
17:45 - 18:30
- tracing a job to the originating WMS or UI
 
- '''Wrap up, findings, defense strategies and discussions'''
- suspending a user at the site
 
- trace activity of a certain DN
 
   
'''- Thursday 10:50 - 18:30 Incident Response in a Grid-Environment'''
14:30 - 18:30
 
[Ursula to "interrupt" the presentation, saying breaking news, we just got informed from [http://www.ai.wu.ac.at/~franz/Startrek/gifs/Personen/odo.gif trusted sources] on the outpost DS9 where Leif got all this Klingon-Money from]
 
- Pictures: 1) [http://ia.media-imdb.com/images/M/MV5BMTkwNTUyOTc5N15BMl5BanBnXkFtZTcwNTY0NjA2MQ@@._V1._SX383_SY576_.jpg Oscar in Klingon suite]
 
2) screenshot typing certificate password of user gs151
 
- Bots from our sites brought down the finance systems at Deep-Space-Nine, resulting in an armed conflict with the [http://images2.wikia.nocookie.net/__cb58377/memoryalpha/en/images/2/28/Quark%2C_2375.jpg Ferengis]
 
- Start investigation of web-attack
 
 
[https://wiki.egi.eu/csirt/index.php/GKS2012/AttackScenario3 Grid-Attack Scenario]
 
 
'''End of day 2'''
 
- users banned
 
 
 
'''- Thursday 10:50 - 18:30 '''
 
 
10:50 - 12:30
 
- Introduction, Incident Response for Grid Admins (30min)
- First summary of day two, what was found, get all sites on the same level:
 
- Teams get introduced to their Grid-Site
- all bots stopped
 
- Network Forensics found CnC
 
- If there is a site that sticks out and solved everything as in the [https://wiki.egi.eu/csirt/index.php/GKS2012/AttackScenario3 Grid-Attack Scenario], give them the WMS with CVE-4073
 
- Other sites: Keep working on the case
 
- Possibly give them Eygene's tool to trace jobs on the CREAM-CE
 
 
 
12:30 - 14:00 Lunch break
 
   
14:30 - 15:00
14:30 - 17:00
- '''Alarm''', seems we have another problem ...
- Demo of CVE 4073 [Group that handled this case / Sven]
 
- Incident Response in Security-Service-Challenge
   
15:00 - 16:30
17:00 - 18:00
- Group Presentations (15 minutes per Group)
 
 
16:30 - 17:30
 
 
- Presentation of what the sites could have found / hints which attack was taken from which incident
 
 
- Presentation on SSC-Framework (15 - 30 min.), how to use it for a site training. (Aram)
 
   
17:30 - 18:30
18:00 - 18:30
 
- Ursula: wrap up, hand out prizes, gather feedback ... Meeting in TenForward with a "Tannenzaepfle" or something else
 
* [[Feedback and suggestions for improving the workshop]]

Latest revision as of 11:11, 27 August 2013

== Introduction ==

The participants will learn basic incident response and forensic skills in a virtualized environment. After a couple of introductory lectures on field forensics and incident response, most of the 3 days will be taken up by a tournament where the participants form teams that are given full root access to simulated HPC/Grid sites. Their task is to defend against and analyze realistic attacks of increasing sophistication, while keeping their systems up and running. The teams will be scored on their performance, and the winning team will be celebrated the most l33t admins. There may even be prizes.

== Practical Issues ==

You will need to bring your own laptop. The only required software is an ssh client (although access to a unixoid operating system doesn't hurt). If you use the Putty ssh client, please be aware that we will be using OpenSSH keys during the exercise; see e.g. [http://meinit.nl/using-your-openssh-private-key-in-putty these instructions] on how to use them together with Putty.

To get connected to the game VMs follow the instructions on [http://wiki.scc.kit.edu/gridkaschool/upload/3/36/Game.pdf Game.pdf]

[[List of sites]]

== Agenda ==

- Tuesday 13:30 -- 18:30

  Introduction to the Security Track at GKS 15min (Sven Gabriel)
  - Classical Incident / Grid-Incident, agenda
  - The Players and their roles here: Leif, Toby, Heiko, Ursula, Aram
  Presentation: Leif Nixon: An Introduction to Quick and Dirty Forensics (60 min)
  Introduction to the game (15 min)
  - build teams
  - get comfortable with your new job as cluster admin

15:00 - 15:30

  Coffee / get the teams ready to roll, feel free to harden your system

15:30 - 18:30

  Your Cluster is under attack, better get your fingers dirty now...

- Wednesday 10:50 - 18:30

10:50 - 12:30
  - Oh dear, under attack again, next levels, enjoy the game
  - Lunch break
14:00 - 18:30
  14:00 - 17:45
  - Your site is still up and running? Well, we will work on this, 
  
  17:45 - 18:30
  - Wrap up, findings, defense strategies and discussions

- Thursday 10:50 - 18:30 Incident Response in a Grid-Environment

10:50 - 12:30
  - Introduction, Incident Response for Grid Admins (30min)
  - Teams get introduced to their Grid-Site
12:30 - 14:00 Lunch break
  14:30 - 17:00
  - Alarm, seems we have another problem ...
  - Incident Response in Security-Service-Challenge
17:00 - 18:00
  - Presentation of what the sites could have found / hints which attack was taken from which incident
  - Presentation on SSC-Framework (15 - 30 min.), how to use it for a site training. (Aram)
18:00 - 18:30
  - Ursula: wrap up, hand out prizes, gather feedback ... Meeting in TenForward with a "Tannenzaepfle" or something else