Incident reporting

Stefan Freitag, Florian Feldhaus
Robotics Research Institute, TU Dortmund

GridKa Summer School 2010
September 10, 2010
Contents

1 Before you report
2 Incident Scenarios
3 Incident handling
Do you know....?

Security Incident Response Policy [1]

Objective: ensure that all incidents are investigated as fully as possible and that sites promptly report intrusions.

As a grid participant, you agree to
  - report suspected security incidents that have an impact on or relationship to grid resources, services, or identities
  - respond to and investigate incident reports regarding resources, services, or identities for which you are responsible
  - perform appropriate investigations and forensics and share the results with the incident coordinator
  - follow the incident response procedure

Next question: what is the incident response procedure?

[1] https://edms.cern.ch/document/428035/7
EGEE incident response procedure [2]

Audience
  grid site security officers and site administrators

Definition of security incident
  The act of violating an explicit or implied security policy

Definition of actions for the case of a security incident
  More on this in a few minutes . . .

[2] https://edms.cern.ch/document/867454
Security incident - scenario A (2009)

  - Some grid sites allow gsissh-based access to VoBoxes (e.g. for VO software managers)
  - On a VoBox, grid users are mapped to local accounts

Initial step for an attacker
  - gain access to user credentials (certificate or proxy)

What happens next?
  - Connect to the VoBox using the stolen credentials
  - Run e.g. a kernel exploit to gain root privileges
Security incident - scenario A (2009)

    # sh -x wunderbar_emporium.sh
    [...]
    [+] got ring0!
    [+] detected 2.6 style 4k stacks
    [+] Disabled security of : nothing, what an insecure machine!
    [+] Got root!

    sh-3.00# id
    uid=0(root) gid=0(root) groups=64004(hepcg) context=user_u:system_r:initrc_t
Security incident - scenario B (2010)

[Figure, built up over four slides: "Department A" and "The Grid"; X.509 certificates (two shown); an "Alien attacker"; finally a stolen X.509 certificate used by the alien attacker on The Grid.]
Incident handling

For the next slides please keep in mind:

  - The red block ("Response procedure") describes actions required by the EGEE Incident Response Procedure document.
  - The blue block ("Action" / "Actions") contains information about actions carried out during a security incident at the Grid resource in Dortmund.
  - At the bottom of each slide you will find additional information, e.g. max. response times.
Incident handling

First action
  Inform immediately your local security team and your ROC Security Contact

Action
  - Sent e-mail to Ursula Epting
  - Read the incident response procedure
  - Informed the 2nd site security officer and the local security team

max. 4 hours or
Incident handling

Response procedure
  In case no support is shortly available [...] try to contain the incident, for instance by unplugging the network cable connected to the host. Do NOT reboot or power off the host.

Action
  - Disconnected the affected worker nodes from the network
Incident handling

Response procedure
  Assist your local security team and your ROC Security Contact to confirm and investigate the incident. Announce the incident to all the sites.

Actions
  - Sent a heads-up e-mail (template: next slide)
  - Arranged a meeting with the local security team
  - Network guys were asked to check logs

max. 4 hours (Announcement)
Heads-up E-mail

    ** PLEASE DO NOT REDISTRIBUTE ** EGEE-<DATE> (ex: EGEE-20090531)
    ** This message is sent to the EGEE CSIRTs and must NOT be publicly archived **

    Dear CSIRTs,

    It seems a security incident has been detected at <your site>.
    Summary of the information available so far:

    Ex: A malicious SSH connection was detected from XXXXX. The extent of the
    incident is unclear for now, and more information will be published in the coming
    hours as forensics are progressing at our site. However, all sites should check for
    successful SSH connection from XXXXX as a precautionary measure.
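The template asks every site to check for successful SSH connections from the reported address. As an added example (not from the slides), the following Python parser runs that check over syslog-style sshd lines, counting accepted logins and failed attempts from the suspect address and collecting the hosts and accounts it reached, i.e. the timestamped evidence a site later puts into its report; the log lines, host names, accounts and the address 192.0.2.45 are constructed.

```python
import re
from typing import Dict, Iterable, List, Optional

# Classic syslog-format sshd authentication lines (OpenSSH; gsissh on a VoBox
# logs the same way, with auth method "gssapi-with-mic"). Groups: timestamp,
# host, result, auth method, user, source address, source port.
AUTH_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<result>Accepted|Failed) (?P<method>[\w-]+) for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>[0-9A-Fa-f.:]+) port (?P<port>\d+)"
)

# Constructed sample log: host names, accounts and addresses are made up for
# this example (192.0.2.0/24 and 198.51.100.0/24 are documentation ranges).
SAMPLE_LOG = """\
Sep 10 03:14:07 udo-vobox01 sshd[12345]: Accepted gssapi-with-mic for hepcg001 from 192.0.2.45 port 51234 ssh2
Sep 10 03:14:09 udo-vobox01 sshd[12345]: pam_unix(sshd:session): session opened for user hepcg001 by (uid=0)
Sep 10 03:20:41 udo-wn12 sshd[22001]: Failed password for root from 192.0.2.45 port 51300 ssh2
Sep 10 03:20:45 udo-wn12 sshd[22001]: Failed password for invalid user admin from 192.0.2.45 port 51301 ssh2
Sep 10 03:22:02 udo-wn12 sshd[22010]: Accepted publickey for hepcg001 from 192.0.2.45 port 51310 ssh2
Sep 10 08:02:13 udo-ce01 sshd[30112]: Accepted publickey for admin01 from 198.51.100.7 port 40022 ssh2
"""


def parse_auth_line(line: str) -> Optional[Dict[str, str]]:
    """Return the fields of an Accepted/Failed sshd line, or None for any other line."""
    m = AUTH_RE.match(line.strip())
    return m.groupdict() if m else None


def check_suspect_address(lines: Iterable[str], suspect_ip: str) -> Dict[str, object]:
    """Collect evidence about one source address, as needed for the incident report.

    Returns the accepted logins (with timestamps), the number of failed attempts,
    and the sorted sets of hosts and accounts the address successfully reached.
    """
    accepted: List[Dict[str, str]] = []
    failed = 0
    for line in lines:
        rec = parse_auth_line(line)
        if rec is None or rec["ip"] != suspect_ip:
            continue
        if rec["result"] == "Accepted":
            accepted.append({k: rec[k] for k in ("ts", "host", "user", "method", "port")})
        else:
            failed += 1
    return {
        "suspect_ip": suspect_ip,
        "accepted": accepted,
        "failed": failed,
        # Hosts with a successful login are candidates for the downtime / re-install list.
        "affected_hosts": sorted({a["host"] for a in accepted}),
        # Accounts reached from the suspect address: their grid credentials may be
        # compromised, so the VO manager and the CA need to hear about them.
        "affected_accounts": sorted({a["user"] for a in accepted}),
    }


def format_evidence(result: Dict[str, object]) -> List[str]:
    """Render the findings as lines that can be pasted into the site's report."""
    out = [f"Source address: {result['suspect_ip']}",
           f"Failed attempts: {result['failed']}"]
    for a in result["accepted"]:
        out.append(f"Accepted {a['method']} login: {a['ts']} {a['host']} "
                   f"user={a['user']} port={a['port']}")
    out.append("Affected hosts: " + (", ".join(result["affected_hosts"]) or "none"))
    out.append("Affected accounts: " + (", ".join(result["affected_accounts"]) or "none"))
    return out


if __name__ == "__main__":
    findings = check_suspect_address(SAMPLE_LOG.splitlines(), "192.0.2.45")
    print("\n".join(format_evidence(findings)))
```

On a real site the lines would come from /var/log/secure (or the central syslog server) of every host, not only the one first noticed, since the template's point is that other hosts may have been reached from the same address.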
Incident handling

Response procedure
  - Report a downtime for the affected hosts on the GOCDB
  - → Send an EGEE broadcast announcing the downtime for the affected hosts. Use "Security operations in progress" as the reason, with no additional detail, both for the broadcast and the GOCDB.

Actions
  - Created downtime for possibly affected hosts udo-ce01 / udo-dcache01

max. 1 day after discovery
Incident handling

Response procedure
  Perform appropriate forensics and take necessary actions to prevent further damage
  - Identify and kill suspicious process(es) as appropriate, but aim at preserving the information they could have generated
  - If it is suspected that some grid credentials have been abused or compromised, you MUST ensure the relevant accounts become suspended
  - If it is suspected that some grid credentials have been abused, you MUST ensure that the relevant VO manager(s) have been informed.
Incident handling

Response procedure
  Perform appropriate forensics and take necessary actions to prevent further damage
  - If it is suspected that some grid credentials have been compromised, you MUST ensure that the relevant certification authority gets informed.
  - If needed, seek help from your local security team or from your ROC Security Contact
Incident handling

Action
  - Banned affected users on our compute elements by adding their DN to the blacklist in /opt/glite/etc/lcas/ban_users.db
  - E-mail to the VO manager regarding the compromised user
  - Contacted the certification authority
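Adding a DN to the LCAS ban list is a one-line edit, but in the middle of an incident it is worth doing it without duplicates and without ever leaving a half-written file. The following Python helper is an added example, not part of the slides or of gLite; it assumes the ban_users.db format of one double-quoted DN per line with '#' comments (check against your installation), and the DNs and the temporary directory it uses are constructed.

```python
import os
import tempfile
from typing import Dict, List

# Path named on the slide; the demo below writes to a temporary copy instead.
LCAS_BAN_FILE = "/opt/glite/etc/lcas/ban_users.db"


def normalize_dn(dn: str) -> str:
    """Strip whitespace and surrounding double quotes so quoted and unquoted DNs compare equal."""
    return dn.strip().strip('"').strip()


def read_banned_dns(text: str) -> List[str]:
    """Parse ban_users.db content (assumed format: one quoted DN per line, '#' comments)."""
    dns = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if line:
            dns.append(normalize_dn(line))
    return dns


def is_banned(text: str, dn: str) -> bool:
    return normalize_dn(dn) in read_banned_dns(text)


def ban_dn(path: str, dn: str) -> bool:
    """Add a DN to the ban file if it is not already there. Returns True when added.

    The file is rewritten atomically (temp file + rename) so LCAS never reads a
    truncated list; existing comments and entries are preserved verbatim.
    """
    dn = normalize_dn(dn)
    if not dn.startswith("/"):
        raise ValueError("expected an OpenSSL-style DN such as /C=DE/O=.../CN=...")
    try:
        with open(path, "r", encoding="utf-8") as f:
            current = f.read()
    except FileNotFoundError:
        current = ""
    if dn in read_banned_dns(current):
        return False  # already banned, nothing to do
    if current and not current.endswith("\n"):
        current += "\n"
    updated = current + f'"{dn}"\n'
    directory = os.path.dirname(path) or "."
    fd, tmp = tempfile.mkstemp(dir=directory, prefix=".ban_users.")
    with os.fdopen(fd, "w", encoding="utf-8") as f:
        f.write(updated)
    os.chmod(tmp, 0o644)  # mkstemp creates 0600; keep the list readable by the LCAS user
    os.replace(tmp, path)
    return True


def run_demo() -> Dict[str, object]:
    """Exercise ban_dn on a constructed ban file in a temporary directory."""
    compromised = "/C=DE/O=GermanGrid/OU=Example/CN=Compromised User"  # constructed DN
    with tempfile.TemporaryDirectory() as tmpdir:
        path = os.path.join(tmpdir, "ban_users.db")
        with open(path, "w", encoding="utf-8") as f:
            f.write('# constructed ban list\n"/C=DE/O=GermanGrid/OU=Example/CN=Old Ban"\n')
        first = ban_dn(path, compromised)           # added
        second = ban_dn(path, f'"{compromised}"')   # already present, quoted form
        with open(path, encoding="utf-8") as f:
            text = f.read()
    return {
        "first_added": first,
        "second_added": second,
        "banned": read_banned_dns(text),
        "comment_kept": text.startswith("# constructed ban list"),
    }


if __name__ == "__main__":
    print(run_demo())
```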
Incident handling

Response procedure
  As part of the security incident resolution process, sites are expected to report the following information:
  - affected hosts and hosts used as entry point to the site
  - remote IP address(es) of the attacker
  - evidence of the compromise, including timestamps
  - what was lost, details of the attack
  - list of other sites possibly affected (if available)
  - possible vulnerabilities exploited by the attacker (if available)
  - actions taken to resolve the incident
Incident handling

Response procedure
  - Tracked down the UI that was used by the attacker for job submission (checking logs of the batch system, Compute Element, . . . )
  - Analyzed netflow to/from the affected worker node
  - Analyzed executables deployed by the attacker
  - Updated the incident report regularly
Incident handling

Response procedure
  Coordinate with your local security team and your ROC Security Contact to send an incident closure report including lessons learnt and measures taken to prevent future incidents.

Actions
  - Preparation and submission of the final report

max. 1 month
Incident handling

Response procedure
  Restore the service and, if needed, send an EGEE broadcast, update the GOCDB, service documentation and procedures to prevent recurrence as necessary

Actions
  - Re-installation of the affected worker node
  - Safety tuning
Thanks for your attention!
Talk at the Security Workshop, GridKA Summerschool 2010

  • 1. Incident reporting S. Freitag, F. Feldhaus Incident reporting Before you report GridKa Summer School 2010 Incident Scenarios Incident handling Stefan Freitag, Florian Feldhaus Robotics Research Institute TU Dortmund September 10, 2010
  • 2. Contents Incident reporting S. Freitag, F. Feldhaus Before you report 1 Before you report Incident Scenarios Incident handling 2 Incident Scenarios 3 Incident handling
  • 3. Do you know....? Incident reporting Security Incident Response Policy1 S. Freitag, F. Feldhaus objective: ensure that all incidents are investigated as fully Before you report as possible and that sites promptly report intrusions. Incident Scenarios As a grid participant, you agree to Incident report suspected security incidents that have impact or handling relationship to grid resources, services, or identities respond to and investigate incident reports regarding resources, services, or identities for which you are responsible perform appropriate investigations and forensics and share the results with the incident coordinator follow the incident response procedure Next question: what is the incident response procedure? 1 https://edms.cern.ch/document/428035/7
  • 4. EGEE incident response procedure2 Incident reporting S. Freitag, F. Feldhaus Audience Before you report grid site security officers and site administrators Incident Scenarios Incident Definition of security incident handling The act of violating an explicit or implied security policy Definition of actions for the case of a security incident More on this in a few minutes . . . 2 https://edms.cern.ch/document/867454
  • 5. Security incident - scenario A (2009) Incident reporting S. Freitag, F. Some grid sites allow gsissh-based access to VoBoxes (e.g. Feldhaus for VO software managers) Before you report On a VoBox Grid users are mapped to local accounts Incident Scenarios Initial step for an attacker Incident handling gain access to user credentials (certificate or proxy) What happens next ? Connect to VoBox using stolen credentials Running e.g. a kernel exploit to gain root privileges
  • 6. Security incident - scenario A (2009) Incident reporting S. Freitag, F. Feldhaus # s h −x w u n d e r b a r e m p o r i u m . s h Before you report [...] Incident [+] got r i n g 0 ! Scenarios [+] d e t e c t e d 2.6 s t y l e 4k s t a c k s Incident [ + ] D i s a b l e d s e c u r i t y o f : n o t h i n g , what an handling i n s e c u r e machine ! [ + ] Got r o o t ! sh −3.00# i d u i d =0( r o o t ) g i d =0( r o o t ) g r o u p s =64004( hepcg ) c o n t e x t=u s e r u : s y s t e m r : i n i t r c t
• 7. Security incident - scenario B (2010) [diagram: Department A and The Grid]
• 8. Security incident - scenario B (2010) [diagram: X.509 certificates held in Department A and in The Grid]
• 9. Security incident - scenario B (2010) [diagram: an alien attacker appears beside Department A and The Grid, each holding an X.509 certificate]
• 10. Security incident - scenario B (2010) [diagram: the alien attacker uses the stolen X.509 certificate against The Grid]
• 11. Incident handling
    For the next slides please keep in mind:
    The red block ("Response procedure") describes actions required by the EGEE Incident Response Procedure document.
    The blue block ("Action(s)") contains information about actions carried out during a security incident at the Grid resource in Dortmund.
    Down here you will find additional information, e.g. max. response times.
• 12. Incident handling
    First action: Inform immediately your local security team and your ROC Security Contact
    Action: Sent e-mail to Ursula Epting; read incident response procedure; informed 2nd site security officer and local security team
    max. 4 hours or
• 13. Incident handling
    Response procedure: In case no support is shortly available [...] try to contain the incident, for instance by unplugging the network cable connected to the host. Do NOT reboot or power off the host.
    Action: Disconnected affected workernodes from network
• 14. Incident handling
    Response procedure: Assist your local security team and your ROC Security Contact to confirm and investigate the incident. Announce the incident to all the sites.
    Actions: Send a heads-up e-mail (template: next slide); arranged meeting with local security team; network guys were asked to check logs
    max. 4 hours (Announcement)
• 15. Heads-up E-mail
        ** PLEASE DO NOT REDISTRIBUTE **
        EGEE-<DATE> (ex: EGEE-20090531)
        ** This message is sent to the EGEE CSIRTs and must NOT be publicly archived **

        Dear CSIRTs,
        It seems a security incident has been detected at <your site>.
        Summary of the information available so far:
        Ex: A malicious SSH connection was detected from XXXXX. The extent of the incident is unclear for now, and more information will be published in the coming hours as forensics are progressing at our site. However, all sites should check for successful SSH connection from XXXXX as a precautionary measure.
• 16. Incident handling
    Response procedure: Report a downtime for the affected hosts on the GOCDB → Send an EGEE broadcast announcing the downtime for the affected hosts. Use "Security operations in progress" as the reason with no additional detail both for the broadcast and the GOCDB.
    Actions: Created downtime for possibly affected hosts udo-ce01 / udo-dcache01
    max. 1 day after discovery
• 17. Incident handling
    Response procedure: Perform appropriate forensics and take necessary actions to prevent further damage
    - Identify and kill suspicious process(es) as appropriate, but aim at preserving the information they could have generated
    - If it is suspected that some grid credentials have been abused or compromised, you MUST ensure the relevant accounts become suspended
    - If it is suspected that some grid credentials have been abused, you MUST ensure that the relevant VO manager(s) have been informed
• 18. Incident handling
    Response procedure: Perform appropriate forensics and take necessary actions to prevent further damage
    - If it is suspected that some grid credentials have been compromised, you MUST ensure that the relevant certification authority gets informed
    - If needed, seek help from your local security team or from your ROC Security Contact
• 19. Incident handling
    Action: Banned affected users on our compute elements by adding their DN to the blacklist in /opt/glite/etc/lcas/ban_users.db; e-mail to VO manager regarding compromised user; contacted the certification authority
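The ban-list step above is easy to get wrong under time pressure (duplicate entries, a half-written file read by the authorization plugin, a DN pasted with stray quotes). The following helper is an added example, not code from the talk or from gLite/LCAS: it appends a DN to a ban_users.db-style file only if it is not already present, normalises quoting, and writes atomically. The file layout assumed here (one DN per line, '#' comments, double-quoted entries) is an assumption about the LCAS format; check it against the version deployed at your site.

```python
"""Idempotent, atomic addition of a DN to an LCAS-style ban list (added example).
Assumed file layout: one DN per line, optional double quotes, '#' comments."""
import os
import shutil
import tempfile


def normalize_dn(dn):
    """Strip whitespace and one pair of surrounding quotes so comparisons are exact."""
    dn = dn.strip()
    if len(dn) >= 2 and dn[0] == dn[-1] and dn[0] in "\"'":
        dn = dn[1:-1]
    return dn


def parse_ban_list(text):
    """Return the set of banned DNs from the file content (comments/blank lines ignored)."""
    banned = set()
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        banned.add(normalize_dn(line))
    return banned


def is_banned(text, dn):
    return normalize_dn(dn) in parse_ban_list(text)


def ban_dn(path, dn, reason=""):
    """Append dn (with an optional '# reason' line) unless already listed.
    Returns True if the file changed. The new content goes to a temp file in the
    same directory and is renamed over the original, so the plugin never reads a
    partially written list."""
    dn = normalize_dn(dn)
    if "\n" in dn or not dn.startswith("/"):
        raise ValueError("not a DN in OpenSSL slash notation: %r" % dn)
    existing = ""
    if os.path.exists(path):
        with open(path) as f:
            existing = f.read()
    if dn in parse_ban_list(existing):
        return False  # already banned: nothing to do, no duplicate line
    content = existing
    if content and not content.endswith("\n"):
        content += "\n"
    if reason:
        content += "# %s\n" % reason
    content += '"%s"\n' % dn
    fd, tmp = tempfile.mkstemp(dir=os.path.dirname(path) or ".", prefix=".ban_users.")
    with os.fdopen(fd, "w") as f:
        f.write(content)
    if os.path.exists(path):  # keep the original file mode
        os.chmod(tmp, os.stat(path).st_mode & 0o777)
    os.replace(tmp, path)
    return True


def demo():
    """Exercise the helper on a constructed ban list in a temporary directory.
    Returns (changed on first ban, changed on repeat ban, new DN banned,
    pre-existing DN still banned, unrelated DN banned)."""
    tmpdir = tempfile.mkdtemp()
    path = os.path.join(tmpdir, "ban_users.db")
    with open(path, "w") as f:  # constructed sample content
        f.write('# constructed sample\n"/C=DE/O=Example/CN=Already Banned"\n')
    dn = "/C=DE/O=Example/OU=Dept A/CN=Stolen Cert"  # constructed DN
    first = ban_dn(path, dn, reason="EGEE-<DATE>: credential reported stolen")
    second = ban_dn(path, dn)
    with open(path) as f:
        content = f.read()
    shutil.rmtree(tmpdir)
    return (first, second, is_banned(content, dn),
            is_banned(content, "/C=DE/O=Example/CN=Already Banned"),
            is_banned(content, "/C=DE/O=Example/CN=Innocent"))


if __name__ == "__main__":
    print(demo())
```

Run it with a real path only after confirming the quoting convention your LCAS build expects; the reason comment is there so the closure report can later show when and why each DN was added.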
• 20. Incident handling
    Response procedure: As part of the security incident resolution process, sites are expected to report the following information:
    - affected hosts and hosts used as entry point to the site
    - remote IP address(es) of the attacker
    - evidence of the compromise, including timestamps
    - what was lost, details of the attack
    - list of other sites possibly affected (if available)
    - possible vulnerabilities exploited by the attacker (if available)
    - actions taken to resolve the incident
• 21. Incident handling
    Response procedure:
    - Tracked down the UI that was used by the attacker for job submission (checking logs of batch system, Compute Element, . . . )
    - Analyzed netflow to/from affected workernode
    - Analyzed executables deployed by the attacker
    - Updated incident report regularly
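The two investigation steps above (find the submitting UI from batch logs, then look at flows from the affected worker node) and the report items on slide 20 (entry hosts, remote IPs, timestamps) fit together as one correlation. The script below is an added example, not from the talk or from any batch system; both log formats are constructed for it, as are the host names, the DN and the TEST-NET addresses, so the regex and field names must be adapted to the real accounting and flow exports at a site. It finds every job submitted with the compromised DN, the UIs they came from, the worker nodes they ran on, and then lists flows from those nodes to destinations outside an allow-list, starting from the first suspicious submission, merged into a single timeline for the report.

```python
"""Correlate batch submissions of a compromised DN with flows from the nodes
that ran them (added example; log formats and sample data are constructed)."""
import re
from datetime import datetime

# Constructed batch accounting sample: timestamp then key=value fields, DN quoted.
BATCH_LOG = """\
2010-09-03T09:58:10 jobid=4710 user=hepcg003 dn="/C=DE/O=Example/CN=Regular User" submit_host=ui01.example.org exec_host=udo-wn017
2010-09-03T10:12:44 jobid=4711 user=hepcg004 dn="/C=DE/O=Example/OU=Dept A/CN=Stolen Cert" submit_host=ui-dept-a.example.org exec_host=udo-wn042
2010-09-03T10:40:03 jobid=4712 user=hepcg004 dn="/C=DE/O=Example/OU=Dept A/CN=Stolen Cert" submit_host=ui-dept-a.example.org exec_host=udo-wn042
2010-09-03T11:05:51 jobid=4713 user=hepcg001 dn="/C=DE/O=Example/CN=Another User" submit_host=ui01.example.org exec_host=udo-wn042
"""

# Constructed flow export from the site router (same key=value style).
FLOW_LOG = """\
2010-09-03T10:13:02 src=udo-wn042 dst=192.0.2.10 dport=2811 bytes=18231
2010-09-03T10:14:37 src=udo-wn042 dst=203.0.113.7 dport=6667 bytes=912
2010-09-03T10:41:20 src=udo-wn042 dst=203.0.113.7 dport=6667 bytes=4410
2010-09-03T11:06:10 src=udo-wn017 dst=192.0.2.10 dport=2811 bytes=77312
"""

# Destinations worker nodes are expected to reach (constructed: the site's storage element).
KNOWN_DESTS = {"192.0.2.10"}

KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')  # quoted values may contain spaces and '='


def parse_kv(line):
    """Parse 'TIMESTAMP k=v k="v with spaces" ...' into a dict with a datetime ts."""
    ts, _, rest = line.partition(" ")
    rec = {"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S")}
    for key, val in KV_RE.findall(rest):
        rec[key] = val.strip('"')
    return rec


def parse_log(text):
    return [parse_kv(line) for line in text.splitlines() if line.strip()]


def submissions_for_dn(batch_text, dn):
    """Jobs submitted with the given DN and the distinct UIs they came from."""
    jobs = [r for r in parse_log(batch_text) if r.get("dn") == dn]
    uis = sorted({r["submit_host"] for r in jobs})
    return jobs, uis


def unexpected_flows(flow_text, host, known_dests, since=None):
    """Flows from host to destinations outside the allow-list, optionally only
    from 'since' onwards (the first suspicious submission)."""
    out = []
    for r in parse_log(flow_text):
        if r.get("src") != host or r.get("dst") in known_dests:
            continue
        if since is not None and r["ts"] < since:
            continue
        out.append(r)
    return out


def timeline(batch_text, flow_text, dn, known_dests):
    """Build the evidence set for the incident report: entry UIs, affected
    nodes, unexpected flows and a merged, time-ordered list of events."""
    jobs, uis = submissions_for_dn(batch_text, dn)
    if not jobs:
        return {"uis": [], "hosts": [], "flows": [], "events": []}
    hosts = sorted({j["exec_host"] for j in jobs})
    first = min(j["ts"] for j in jobs)
    flows = []
    for h in hosts:
        flows += unexpected_flows(flow_text, h, known_dests, since=first)
    events = sorted(
        [(j["ts"], "job %s from %s on %s" % (j["jobid"], j["submit_host"], j["exec_host"]))
         for j in jobs]
        + [(f["ts"], "flow %s -> %s:%s (%s bytes)" % (f["src"], f["dst"], f["dport"], f["bytes"]))
           for f in flows])
    return {"uis": uis, "hosts": hosts, "flows": flows, "events": events}


if __name__ == "__main__":
    result = timeline(BATCH_LOG, FLOW_LOG, "/C=DE/O=Example/OU=Dept A/CN=Stolen Cert", KNOWN_DESTS)
    print("submitting UIs:", result["uis"], "affected nodes:", result["hosts"])
    for ts, what in result["events"]:
        print(ts.isoformat(), what)
```

The allow-list is what keeps the flow part useful: on a busy worker node almost every flow goes to the storage element and the CE, so filtering those out leaves the few connections worth carrying into the report, each with a timestamp that can be lined up against the job records. Job 4713 in the sample runs on the same node under a different DN and is deliberately left out of the DN query, but its presence is why the node, not just the DN, has to be treated as affected.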
• 22. Incident handling
    Response procedure: Coordinate with your local security team and your ROC Security Contact to send an incident closure report including lessons learnt and measures taken to prevent future incidents.
    Actions: Preparation and submission of final report
    max. 1 month
• 23. Incident handling
    Response procedure: Restore the service, and if needed, send an EGEE broadcast, update the GOCDB, service documentation and procedures to prevent recurrence as necessary
    Actions: Re-installation of affected workernode; safety tuning
• 24. Thanks for your attention!