Difference between revisions of "Security Workshop: Simulated Security Incident in Grid- and Cluster environment with Forensic Analysis"

Or having the start of the story here and integrate the introduction as training for 'new admins'?

-> Yes, this sounds like a good idea

Revision as of 11:38, 27 August 2012

- Tuesday 13:30 -- 18:30

  Introduction to the Security Track at GKS, 20 min (Sven)
  - Classical incident / grid incident, agenda
  - Set-up (sites, without any relation to Ursula's story, just say there will be sites :) )
  - All attacks the participants will deal with have been seen recently at different sites;
    from these we compiled a fictional scenario....
    The story is fictional; any resemblance to real events and persons is
    purely coincidental and unintended. :)
  - The players and their roles here: Leif, Toby, Heiko, Ursula, Aram


  Introduction to the forensic tools that might be of help here (Toby/Heiko)
  - TOBY/HEIKO PLEASE FILL IN HERE WHAT YOU PLAN TO DO/TIME NEEDED
  - Give them the check-list
  
  - Coffeebreak
  - Ursula: Story/Introduction
    Special suit: Star Trek
   
  - Give the participants their sites, let them get familiar with them (Ursula)
  - Give some intro to what the systems usually do, user communities -> space weather, typical usage, basically what you produced
    with the load generator.
  - They may try to harden their systems
    (Rules: don't remove Leif's access and ?? add a general firewall rule?)
  - Leif starts Attack 1 (please describe here)
  - Let the participants work on the case


  - Ursula: Give the participants a last hint which makes clear what to head for, what will be the end of that part.
  End of Day 1: having found the password of the intruder

Leif's stuff

  - Attack scenarios

- Wednesday 10:50 - 18:30

10:50 - 12:30
  - First summary of day one, what was found, get all sites on the same level:
    - If there is a site that sticks out and solved everything as in Leif's scenario, give them the bonus challenge
    - Other sites: keep working on the case
  - Ursula: [Close case: Leif hitchhiked a Borg cube and was last seen with Seven of Nine somewhere in Ten Forward spending a lot of Klingon currency]
    LEAVE OUT THE STOLEN CERT-PASSWORDS ISSUE
  - Lunch break
14:00 - 18:30
  14:00 - 14:30
  - Introduction to the grid-specific part of incident response [Someone from KIT if interested, otherwise Sven]
    (Working on certificate DNs, what takes how long to take effect (CA / VOMS / local banning))
    - tracing a job to the originating WMS or UI
    - suspending a user at the site
    - tracing the activity of a certain DN
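As an added worked example for the three points above (not material from the workshop page or from the GridKa tooling), the following Python script traces one certificate DN through constructed CE-style log lines, maps its jobs back to the submitting WMS/UI hosts, and emits a local ban entry. The log line layout, host names, job IDs and the one-quoted-DN-per-line ban_users.db format are assumptions made for this example; a real site substitutes its CREAM-CE or gatekeeper log format and its own banning mechanism (LCAS ban file or Argus policy). The point the example is meant to show is the proxy handling: jobs arrive with proxy subjects, so matching on the raw DN string misses them unless the trailing proxy CN components are stripped first.

```python
"""Trace a grid user's DN through CE-style log lines and prepare a local ban.

Added example for the GKS security track. The log format, hosts and job IDs
below are constructed for this example and are not the real CREAM-CE/WMS layout.
"""
import re
from collections import defaultdict

# Constructed sample log lines (not real site logs). Fields: timestamp,
# component, event, job id, subject DN as presented to the CE, submitting host.
SAMPLE_LOG = """\
2012-08-21T09:14:02Z cream_ce JOB_REGISTER jobid=CREAM091402 dn="/C=DE/O=GermanGrid/OU=GKS/CN=gs151/CN=proxy" submitter=wms01.example.org
2012-08-21T09:14:05Z cream_ce JOB_REGISTER jobid=CREAM091405 dn="/C=DE/O=GermanGrid/OU=GKS/CN=gs117" submitter=ui02.example.org
2012-08-21T09:20:41Z cream_ce JOB_REGISTER jobid=CREAM092041 dn="/C=DE/O=GermanGrid/OU=GKS/CN=gs151/CN=1234567890" submitter=wms01.example.org
2012-08-21T09:22:10Z cream_ce JOB_START jobid=CREAM091402 dn="/C=DE/O=GermanGrid/OU=GKS/CN=gs151/CN=proxy" submitter=wms01.example.org
2012-08-21T10:02:33Z cream_ce JOB_REGISTER jobid=CREAM100233 dn="/C=DE/O=GermanGrid/OU=GKS/CN=gs151/CN=limited proxy" submitter=ui07.example.org
"""

LINE_RE = re.compile(
    r'^(?P<ts>\S+) (?P<comp>\S+) (?P<event>\S+) jobid=(?P<jobid>\S+) '
    r'dn="(?P<dn>[^"]+)" submitter=(?P<submitter>\S+)$'
)

# Proxy certificates append CN components to the end-entity DN: legacy proxies
# "/CN=proxy" or "/CN=limited proxy", RFC 3820 proxies "/CN=<decimal serial>".
# Strip them to recover the identity DN. Caveat: an end-entity DN whose last CN
# is purely numeric would be trimmed as well.
PROXY_CN_RE = re.compile(r'(/CN=(proxy|limited proxy|\d+))+$')


def identity_dn(subject):
    """Return the end-entity DN for a (possibly proxy) certificate subject."""
    return PROXY_CN_RE.sub('', subject)


def parse_log(text):
    """Parse the constructed log format into dicts, adding the identity DN."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # lines that do not match the constructed format are skipped
        rec = m.groupdict()
        rec['identity'] = identity_dn(rec['dn'])
        records.append(rec)
    return records


def trace_dn(records, dn):
    """All events of a DN, matched on the identity DN so every proxy flavour counts."""
    target = identity_dn(dn)
    return [(r['ts'], r['event'], r['jobid'], r['submitter'])
            for r in records if r['identity'] == target]


def submitting_hosts(records, dn):
    """Map each job of the DN to the WMS/UI it was submitted from (where to continue the trace)."""
    target = identity_dn(dn)
    hosts = defaultdict(set)
    for r in records:
        if r['identity'] == target and r['event'] == 'JOB_REGISTER':
            hosts[r['submitter']].add(r['jobid'])
    return dict(hosts)


def lcas_ban_line(dn):
    """Entry for the LCAS ban_users.db (assumed format: one quoted identity DN per line)."""
    return '"%s"' % identity_dn(dn)


if __name__ == '__main__':
    recs = parse_log(SAMPLE_LOG)
    suspect = '/C=DE/O=GermanGrid/OU=GKS/CN=gs151'
    for ev in trace_dn(recs, suspect):
        print(*ev)
    print(submitting_hosts(recs, suspect))
    print(lcas_ban_line(suspect))
```

The trace for gs151 yields four events from three proxy variants, two of which (the RFC proxy and the limited proxy) a plain string match on the user's DN would miss; the submitting hosts wms01 and ui07 are where the investigation continues. The local ban line is the one measure the site controls itself: it takes effect at the next authorization on that CE, whereas CA revocation only bites once sites have fetched the new CRL and a VOMS suspension only once new proxies are needed, which is the timing difference the presentation point above is about.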
  14:30 - 18:30
  [Ursula to "interrupt" the presentation, saying breaking news, we were just informed by trusted sources on the outpost DS9 where Leif
   got all this Klingon money from]
  - Pictures: 1) Oscar in Klingon suit
              2) screenshot of typing the certificate password of user gs151
  - Bots from our sites brought down the finance systems at Deep Space Nine, resulting in an armed conflict with the Ferengi
  - Start investigation of the web attack

Grid-Attack Scenario

End of day 2

  - users banned


- Thursday 10:50 - 18:30

10:50 - 12:30
  - First summary of day two, what was found, get all sites on the same level:
     - all bots stopped
     - network forensics found the C&C server
  - If there is a site that sticks out and solved everything as in the Grid-Attack Scenario, give them the WMS with CVE-4073
  - Other sites: keep working on the case
  - Possibly give them Eygene's tool to trace jobs on the CREAM-CE
12:30 - 14:00 Lunch break
  14:30 - 15:00
  - Demo of CVE-4073 [Group that handled this case / Sven]
15:00 - 16:30
  - Group Presentations (15 minutes per Group)
16:30 - 17:30
  - Presentation of what the sites could have found / hints on which attack was taken from which incident
  - Presentation on the SSC-Framework (15 - 30 min.), how to use it for a site training (Aram)
17:30 - 18:30
  - Ursula: wrap-up, hand out prizes, gather feedback ... Meeting in Ten Forward with a "Tannenzaepfle" or something else