Security Workshop: Simulated Security Incident in Grid- and Cluster environment with Forensic Analysis
From Gridkaschool
- Tuesday 13:30 -- 18:30
Introduction to the Security Track at GKS 20min (Sven Gabriel) - Classical Incident / Grid-Incident, agenda - All attacks the participants will deal with have been seen recently at different sites, we compiled from these a fictionary scenario.... Die Geschichte ist frei erfunden, Ähnlichkeiten zu wahren Gegebenheiten und Personen sind rein zufällig und nicht beabsichtigt.:) - The Players and their roles here: Leif, Toby, Heiko, Ursula, Aram - Coffeebreak
- Ursula: Story/Introduction - Give the Participants their sites, let them get familiar with it (Ursula) - Try to harden the systems (Rules: don't remove Leifs access and ?? add general firewall rule?)
Introduction to the Forensic Tools which might be of help here (Toby/Heiko) - Tools, check-list
- Start Attack 1
- Participants work on the case - Give the Participants a last Hint which makes clear what to head for End of Day 1: having found the password of the intruder
- Wednesday 10:50 - 18:30
10:50 - 12:30 - First summary of day one, what was found, get all sites on the same level: - If there is a site that sticks out and solved everything as in Leifs scenario, give them the Bonus-Challenge - Other sites: Keep working on the case - Reports from teams - Close case
- Lunch break
14:00 - 18:30 14:00 - 14:30 - Introduction to the grid specific part of incident response (Sven Gabriel) (Working on certificate-DNs, what takes how long to take effect (CA/VOMS/local banning) - tracing a job to the originating WMS or UI - suspending a user at the site - trace activity of a certain DN
14:30 - 18:30 - Work on the case
End of day 2: - users banned
-Thursday 10:50 - 18:30
10:50 - 12:30 - First summary of day two, what was found, get all sites on the same level: 12:30 - 14:00 Lunch break
14:30 - 15:00 - Demo of CVE 4073 [Group that handled this case / Sven]
15:00 - 16:30 - Group Presentations (15 minutes per Group)
16:30 - 17:30 - Presentation of what the sites could have found / hints which attack was taken from which incident - Presentation on SSC-Framework (15 - 30 min.), how to use it for a site training. (Aram)
17:30 - 18:30 - Ursula: wrap up, hand out prices, gather feedback ... Meeting in TenForward with a "Tannenzaepfle" or something else