Difference between revisions of "Security Workshop: Simulated Security Incident in Grid- and Cluster environment with Forensic Analysis"
From Gridkaschool
| Line 1: | Line 1: | ||
| + | == Introduction == |
||
| + | The participants will learn basic incident response and forensic skills in a virtualized environment. After a couple of introductory lectures on field forensics and incident response, most of the 3 days will be taken up by a tournament where the participants form teams that are given full root access to simulated HPC/Grid sites. Their task is to defend against and analyze realistic attacks of increasing sophistication, while keeping their systems up and running. The teams will be scored on their performance, and the winning team will be celebrated the most l33t admins. There may even be prizes. |
||
| + | |||
| + | == Practical Issues == |
||
| + | You will need to bring your own laptop. The only required software is an ssh client (although access to a unixoid operating system doesn't hurt). If you use the Putty ssh client, please be aware that we will be using OpenSSH keys during the exercise; see e.g. [http://meinit.nl/using-your-openssh-private-key-in-putty these instructions] on how to use them together with Putty. |
||
| + | |||
| + | |||
| + | == Agenda == |
||
'''- Tuesday 13:30 -- 18:30''' |
'''- Tuesday 13:30 -- 18:30''' |
||
| − | Introduction to the Security Track at GKS |
+ | Introduction to the Security Track at GKS 15min (Sven Gabriel) |
- Classical Incident / Grid-Incident, agenda |
- Classical Incident / Grid-Incident, agenda |
||
| − | - All attacks the participants will deal with have been seen recently at different sites, |
||
| − | we compiled from these a fictional scenario.... |
||
- The Players and their roles here: Leif, Toby, Heiko, Ursula, Aram |
- The Players and their roles here: Leif, Toby, Heiko, Ursula, Aram |
||
| − | Introduction to |
+ | '''Presentation''': Leif Nixon: An Introduction to Quick and Dirty Forensics (60 min) |
| − | Introduction to the |
+ | Introduction to the game (15 min) |
| + | - build teams |
||
| − | - [[File:2012-08-28-GridKa-School_Incidents_and_Forensics.pdf]] |
||
| + | - get comfortable with your new job as cluster admin |
||
| − | - [[File:Vortrag_Linux_Checklist.txt]] |
||
| + | '''15:00 - 15:30 ''' |
||
| − | |||
| + | Coffee / get the teams ready to roll, feel free to harden your system |
||
| − | - Start Scenario 1 |
||
| − | * [[Security_Workshop:Scenario1|Scenario details and scoring]] |
||
| − | * [[Security_Workshop:Rules|Rules]] |
||
| − | |||
| − | - Participants work on the case |
||
| + | '''Your Cluster is under attack, better get your fingers dirty now...''' |
||
| − | '''End of Day 1: having found the intruder's backdoor password''' (Sites that finish early can receive an optional bonus challenge.) |
||
| − | |||
| − | * [[Findings from day 1]] |
||
'''- Wednesday 10:50 - 18:30 ''' |
'''- Wednesday 10:50 - 18:30 ''' |
||
10:50 - 12:30 |
10:50 - 12:30 |
||
| + | - Next levels, enjoy the game |
||
| − | - Scenario 2 |
||
| − | * [[Security_Workshop:Scenario2|Scenario details and scoring]] |
||
- Lunch break |
- Lunch break |
||
14:00 - 18:30 |
14:00 - 18:30 |
||
| − | 14:00 - |
+ | 14:00 - 17:45 |
| + | - '''Your site is still up and running? '''Well we will work on this, |
||
| − | - Introduction to the grid specific part of incident response (Sven Gabriel) |
||
| + | |||
| − | (Working on certificate-DNs, what takes how long to take effect (CA/VOMS/local banning) |
||
| + | 17:45 - 18:30 |
||
| − | - tracing a job to the originating WMS or UI |
||
| + | - '''Wrap up, findings, defense strategies and discussions''' |
||
| − | - suspending a user at the site |
||
| − | - trace activity of a certain DN |
||
| − | |||
| − | 14:30 - 18:30 |
||
| − | - Work on the case |
||
| − | |||
| − | '''End of day 2: - users banned''' |
||
| − | |||
| − | * [[Findings from day 2]] |
||
'''-Thursday 10:50 - 18:30 ''' |
'''-Thursday 10:50 - 18:30 ''' |
||
| + | ''' Incident Response in a Grid-Environment''' |
||
10:50 - 12:30 |
10:50 - 12:30 |
||
| + | - Introduction, Incident Response for Grid Admins (30min) |
||
| − | - First summary of day two, what was found, get all sites on the same level: |
||
| + | - Teams get introduced to their Grid-Site |
||
| − | |||
| + | - |
||
12:30 - 14:00 Lunch break |
12:30 - 14:00 Lunch break |
||
Revision as of 15:34, 3 June 2013
Introduction
The participants will learn basic incident response and forensic skills in a virtualized environment. After a couple of introductory lectures on field forensics and incident response, most of the 3 days will be taken up by a tournament where the participants form teams that are given full root access to simulated HPC/Grid sites. Their task is to defend against and analyze realistic attacks of increasing sophistication, while keeping their systems up and running. The teams will be scored on their performance, and the winning team will be celebrated the most l33t admins. There may even be prizes.
Practical Issues
You will need to bring your own laptop. The only required software is an ssh client (although access to a unixoid operating system doesn't hurt). If you use the Putty ssh client, please be aware that we will be using OpenSSH keys during the exercise; see e.g. these instructions on how to use them together with Putty.
Agenda
- Tuesday 13:30 -- 18:30
Introduction to the Security Track at GKS 15min (Sven Gabriel) - Classical Incident / Grid-Incident, agenda - The Players and their roles here: Leif, Toby, Heiko, Ursula, Aram
Presentation: Leif Nixon: An Introduction to Quick and Dirty Forensics (60 min)
Introduction to the game (15 min) - build teams - get comfortable with your new job as cluster admin
15:00 - 15:30
Coffee / get the teams ready to roll, feel free to harden your system Your Cluster is under attack, better get your fingers dirty now...
- Wednesday 10:50 - 18:30
10:50 - 12:30 - Next levels, enjoy the game
- Lunch break
14:00 - 18:30 14:00 - 17:45 - Your site is still up and running? Well we will work on this, 17:45 - 18:30 - Wrap up, findings, defense strategies and discussions
-Thursday 10:50 - 18:30 Incident Response in a Grid-Environment
10:50 - 12:30 - Introduction, Incident Response for Grid Admins (30min) - Teams get introduced to their Grid-Site - 12:30 - 14:00 Lunch break
14:30 - 15:00 - Demo of CVE 4073 [Group that handled this case / Sven]
15:00 - 16:30 - Group Presentations (15 minutes per Group)
16:30 - 17:30 - Presentation of what the sites could have found / hints which attack was taken from which incident - Presentation on SSC-Framework (15 - 30 min.), how to use it for a site training. (Aram)
17:30 - 18:30 - Ursula: wrap up, hand out prices, gather feedback ... Meeting in TenForward with a "Tannenzaepfle" or something else
