Difference between revisions of "Security Workshop: Simulated Security Incident in Grid- and Cluster environment with Forensic Analysis"
From Gridkaschool
Line 1: | Line 1:
  '''- Tuesday 13:30 -- 18:30'''
− Introduction to the Security Track at GKS 20min (Sven)
+ Introduction to the Security Track at GKS 20min (Sven Gabriel)
  - Classical Incident / Grid-Incident, agenda
− - Set-Up (Sites, without any relation to Ursulas story, just say there will be sites :) )
  - All attacks the participants will deal with have been seen recently at different sites,
  we compiled from these a fictionary scenario....

Line 10: | Line 9:
+
− Introduction to the Forensic Tools which might be of help here (Toby/Heiko)
+
− - TOBY/HEIKO PLEASE FILL IN HERE WHAT YOU PLAN TO DO/TIME NEEDED
− - Give them the check-list
  - Coffeebreak

Line 23: | Line 21:
  with the load generator.
− -
+ - Try to harden their systems
  (Rules: don't remove Leifs access and ?? add general firewall rule?)
+ Introduction to the Forensic Tools which might be of help here (Toby/Heiko)
− - Leif start [[Attack 1]] (please describe here)
+ - Tool, check-list
+ - Start Attack 1
− - Let the participant work on the case
+ - Participants work on the case
− -
+ - Give the Participants a last Hint which makes clear what to head for
  '''End of Day 1: having found the password of the intruder'''
− '''Leifs Stuff'''
− - [[Attack scenarios]]
  '''- Wednesday 10:50 - 18:30 '''

Line 42: | Line 40:
  - If there is a site that sticks out and solved everything as in Leifs scenario, give them the Bonus-Challenge
  - Other sites: Keep working on the case
+ - Reports from teams
− - Ursula: [Close case, Leif hitchhiked a borg cube and was last seen with [http://blastr.com/assets_c/2011/03/seven-chakotay_1-thumb-480x360-59736.jpg 7of9] somehwere in [http://upload.wikimedia.org/wikipedia/en/thumb/e/eb/ST-TNG_Lower_Decks.jpg/270px-ST-TNG_Lower_Decks.jpg TenForward] spending a lot of [http://images3.wikia.nocookie.net/__cb57889/memoryalpha/en/images/8/8a/Lavelle_and_Riker_at_Ten_Forward.jpg Klingon Currency]
+ - Close case
− LEAVE OUT THE STOLEN CERT-Passwords issue
  - Lunch break

Line 49: | Line 47:
  14:00 - 18:30
  14:00 - 14:30
− - Introduction to the grid specific part of incident response
+ - Introduction to the grid specific part of incident response (Sven Gabriel)
  (Working on certificate-DNs, what takes how long to take effect (CA/VOMS/local banning)
  - tracing a job to the originating WMS or UI

Line 56: | Line 54:
  14:30 - 18:30
+
− [Ursula to "interrupt" the presentation, saying breaking news, we just got informed from [http://www.ai.wu.ac.at/~franz/Startrek/gifs/Personen/odo.gif trusted sources] on the outpost DS9 where Leif
− got all this Klingon-Money from]
− - Pictures: 1) [http://ia.media-imdb.com/images/M/MV5BMTkwNTUyOTc5N15BMl5BanBnXkFtZTcwNTY0NjA2MQ@@._V1._SX383_SY576_.jpg Oscar in Klingon suite]
− 2) screenshot typing certificate password of user gs151
− - Bots from our sites brought down the finance systems at Deep-Space-Nine resulting in an armed conflict with the [http://images2.wikia.nocookie.net/__cb58377/memoryalpha/en/images/2/28/Quark%2C_2375.jpg Ferengis])
− - Start investigation of web-attack
−
− [https://wiki.egi.eu/csirt/index.php/GKS2012/AttackScenario3 Grid-Attack Scenario]
  '''End of day 2'''

Line 74: | Line 65:
  - all bots stopped
  - Network Forensics found CnC
+ - Other sites: Keep working on the case
− - If there is a site that sticks out and solved everything as in [https://wiki.egi.eu/csirt/index.php/GKS2012/AttackScenario3 Grid-Attack Scenario] scenario, give them the WMS with CVE-4073
+
− - Other sites: Keep working on the case
− - Possibly give them Eygenes tool to trace jobs on the CREAM-CE
−
  12:30 - 14:00 Lunch break
Revision as of 11:47, 27 August 2012
- Tuesday 13:30 -- 18:30
Introduction to the Security Track at GKS 20min (Sven Gabriel)
- Classical Incident / Grid-Incident, agenda
- All attacks the participants will deal with have been seen recently at different sites; we compiled from these a fictional scenario. The story is entirely fictional; any resemblance to real events and persons is purely coincidental and unintended. :)
- The Players and their roles here: Leif, Toby, Heiko, Ursula, Aram
- Coffee break
- Ursula: Story/Introduction Special suite: Star Trek
- Give the Participants their sites, let them get familiar with it (Ursula)
- Give some intro to what the systems usually do, user communities -> space weather, typical usage, basically what you produced with the load generator.
- Try to harden their systems (Rules: don't remove Leif's access and ?? add general firewall rule?)
Introduction to the Forensic Tools which might be of help here (Toby/Heiko)
- Tool, check-list
- Start Attack 1
- Participants work on the case
- Give the Participants a last Hint which makes clear what to head for
End of Day 1: having found the password of the intruder
- Wednesday 10:50 - 18:30
10:50 - 12:30
- First summary of day one, what was found, get all sites on the same level:
- If there is a site that sticks out and solved everything as in Leif's scenario, give them the Bonus-Challenge
- Other sites: Keep working on the case
- Reports from teams
- Close case
- Lunch break
14:00 - 18:30
14:00 - 14:30
- Introduction to the grid specific part of incident response (Sven Gabriel) (Working on certificate-DNs, what takes how long to take effect (CA/VOMS/local banning))
- tracing a job to the originating WMS or UI
- suspending a user at the site
- trace activity of a certain DN
14:30 - 18:30
End of day 2
- users banned
- Thursday 10:50 - 18:30
10:50 - 12:30
- First summary of day two, what was found, get all sites on the same level:
- all bots stopped
- Network Forensics found CnC
- Other sites: Keep working on the case
12:30 - 14:00 Lunch break
14:30 - 15:00
- Demo of CVE 4073 [Group that handled this case / Sven]
15:00 - 16:30
- Group Presentations (15 minutes per Group)
16:30 - 17:30
- Presentation of what the sites could have found / hints which attack was taken from which incident
- Presentation on SSC-Framework (15 - 30 min.), how to use it for a site training. (Aram)
17:30 - 18:30
- Ursula: wrap up, hand out prizes, gather feedback ... Meeting in TenForward with a "Tannenzaepfle" or something else