Difference between revisions of "Security Workshop: Simulated Security Incident in Grid- and Cluster environment with Forensic Analysis"

Latest revision as of 11:11, 27 August 2013

Introduction

The participants will learn basic incident response and forensic skills in a virtualized environment. After a couple of introductory lectures on field forensics and incident response, most of the 3 days will be taken up by a tournament where the participants form teams that are given full root access to simulated HPC/Grid sites. Their task is to defend against and analyze realistic attacks of increasing sophistication, while keeping their systems up and running. The teams will be scored on their performance, and the winning team will be celebrated the most l33t admins. There may even be prizes.

Practical Issues

You will need to bring your own laptop. The only required software is an ssh client (although access to a unixoid operating system doesn't hurt). If you use the Putty ssh client, please be aware that we will be using OpenSSH keys during the exercise; see e.g. these instructions on how to use them together with Putty.

To get connected to the game VMs follow the instructions on Game.pdf

List of sites

Agenda

- Tuesday 13:30 -- 18:30

  Introduction to the Security Track at GKS 15min (Sven Gabriel)
  - Classical Incident / Grid-Incident, agenda
  - The Players and their roles here: Leif, Toby, Heiko, Ursula, Aram

  Presentation: Leif Nixon: An Introduction to Quick and Dirty Forensics (60 min)

  Introduction to the game (15 min)
  - build teams
  - get comfortable with your new job as cluster admin

15:00 - 15:30

  Coffee / get the teams ready to roll, feel free to harden your system

15:30 - 18:30

  Your Cluster is under attack, better get your fingers dirty now...

- Wednesday 10:50 - 18:30

10:50 - 12:30
  - Oh dear, under attack again, next levels, enjoy the game

  - Lunch break

14:00 - 18:30
  14:00 - 17:45
  - Your site is still up and running? Well, we will work on this, 
  
  17:45 - 18:30
  - Wrap up, findings, defense strategies and discussions

-Thursday 10:50 - 18:30 Incident Response in a Grid-Environment

10:50 - 12:30
  - Introduction, Incident Response for Grid Admins (30min)
  - Teams get introduced to their Grid-Site
12:30 - 14:00 Lunch break

  14:30 - 17:00
  - Alarm, seems we have another problem ...
  - Incident Responce in Security-Service-Challenge

17:00 - 18:00
  - Presentation of what the sites could have found / hints which attack was taken from which incident
  - Presentation on SSC-Framework (15 - 30 min.), how to use it for a site training. (Aram)

18:00 - 18:30
  - Ursula: wrap up, hand out prices, gather feedback ... Meeting in TenForward with a "Tannenzaepfle" or something else

Feedback and suggestions for improving the workshop

@@ Line 1: / Line 1: @@
+== Introduction ==
+The participants will learn basic incident response and forensic skills in a virtualized environment. After a couple of introductory lectures on field forensics and incident response, most of the 3 days will be taken up by a tournament where the participants form teams that are given full root access to simulated HPC/Grid sites. Their task is to defend against and analyze realistic attacks of increasing sophistication, while keeping their systems up and running. The teams will be scored on their performance, and the winning team will be celebrated the most l33t admins. There may even be prizes.
+==  Practical Issues ==
+You will need to bring your own laptop. The only required software is an ssh client (although access to a unixoid operating system doesn't hurt). If you use the Putty ssh client, please be aware that we will be using OpenSSH keys during the exercise; see e.g. [http://meinit.nl/using-your-openssh-private-key-in-putty these instructions] on how to use them together with Putty.
+To get connected to the game VMs follow the instructions on [http://wiki.scc.kit.edu/gridkaschool/upload/3/36/Game.pdf Game.pdf]<br>
+[[List of sites]]
+== Agenda ==
 '''- Tuesday 13:30 -- 18:30'''
-   Introduction to the Security Track at GKS 20min (Sven Gabriel)
+   Introduction to the Security Track at GKS 15min (Sven Gabriel)
    - Classical Incident / Grid-Incident, agenda
-   - All attacks the participants will deal with have been seen recently at different sites,
-     we compiled from these a fictionary scenario....
-     Die Geschichte ist frei erfunden, Ähnlichkeiten zu wahren Gegebenheiten und Personen sind
-     rein zufällig und nicht beabsichtigt.:)
    - The Players and their roles here: Leif, Toby, Heiko, Ursula, Aram
-   - Coffeebreak
-   - Ursula: Story/Introduction
+   '''Presentation''': Leif Nixon: An Introduction to Quick and Dirty Forensics (60 min)
-   - Give the Participants their sites, let them get familiar with it (Ursula)
-   - Try to harden the systems
-     (Rules: don't remove Leifs access and ?? add general firewall rule?)
-  Introduction to the Forensic Tools which might be of help here (Toby/Heiko)
+   Introduction to the game (15 min)
-   - Tools, check-list
+   - build teams
+   - get comfortable with your new job as cluster admin
+'''15:00 - 15:30 '''
+   Coffee / get the teams ready to roll, feel free to harden your system
+'''15:30 - 18:30 '''
-   - Start Attack 1
+   '''Your Cluster is under attack, better get your fingers dirty now...'''
-   - Participants work on the case
-   '''End of Day 1: having found the password of the intruder'''
 '''- Wednesday 10:50 - 18:30 '''
 :50 - 12:30
-   - First summary of day one, what was found, get all sites on the same level:
+   - '''Oh dear, under attack again''', next levels, enjoy the game
-     - If there is a site that sticks out and solved everything as in Leifs scenario, give them the Bonus-Challenge
-     - Other sites: Keep working on the case
-   - Reports from teams
-   - Close case
    - Lunch break
 :00 - 18:30
-:00 - 14:30
+:00 - 17:45
+   - '''Your site is still up and running? '''Well, we will work on this,
-   - Introduction to the grid specific part of incident response (Sven Gabriel)
-   (Working on certificate-DNs, what takes how long to take effect (CA/VOMS/local banning)
+:45 - 18:30
-     - tracing a job to the originating WMS or UI
+   - '''Wrap up, findings, defense strategies and discussions'''
-     - suspending a user at the site
-     - trace activity of a certain DN
-:30 - 18:30
-   - Work on the case
-  '''End of day 2:  - users banned'''
+'''-Thursday 10:50 - 18:30 Incident Response in a Grid-Environment'''
-'''-Thursday 10:50 - 18:30 '''
 :50 - 12:30
+   - Introduction, Incident Response for Grid Admins (30min)
-   - First summary of day two, what was found, get all sites on the same level:
+   - Teams get introduced to their Grid-Site
 :30 - 14:00 Lunch break
-:30 - 15:00
+:30 - 17:00
+   - '''Alarm''', seems we have another problem ...
-   - Demo of CVE 4073 [Group that handled this case / Sven]
+   - Incident Responce in Security-Service-Challenge
-:00 - 16:30
+:00 - 18:00
-   - Group Presentations (15 minutes per Group)
-:30 - 17:30
    - Presentation of what the sites could have found / hints which attack was taken from which incident
    - Presentation on SSC-Framework (15 - 30 min.), how to use it for a site training. (Aram)
-:30 - 18:30
+:00 - 18:30
    - Ursula: wrap up, hand out prices, gather feedback ... Meeting in TenForward with a "Tannenzaepfle" or something else
+* [[Feedback and suggestions for improving the workshop]]

Difference between revisions of "Security Workshop: Simulated Security Incident in Grid- and Cluster environment with Forensic Analysis"

Latest revision as of 11:11, 27 August 2013

Introduction

Practical Issues

Agenda

Navigation menu

Views

Personal tools

Navigation

Search

Tools