Incident reporting

GridKa Summer School 2010

Stefan Freitag, Florian Feldhaus
Robotics Research Institute
TU Dortmund

September 10, 2010
Contents

1 Before you report
2 Incident Scenarios
3 Incident handling
Do you know....?

Security Incident Response Policy [1]

Objective: ensure that all incidents are investigated as fully as possible and that sites promptly report intrusions.

As a grid participant, you agree to
- report suspected security incidents that have impact or relationship to grid resources, services, or identities
- respond to and investigate incident reports regarding resources, services, or identities for which you are responsible
- perform appropriate investigations and forensics and share the results with the incident coordinator
- follow the incident response procedure

Next question: what is the incident response procedure?

[1] https://edms.cern.ch/document/428035/7
EGEE incident response procedure [2]

Audience
grid site security officers and site administrators

Definition of security incident
The act of violating an explicit or implied security policy

Definition of actions for the case of a security incident
More on this in a few minutes . . .

[2] https://edms.cern.ch/document/867454
Security incident - scenario A (2009)

- Some grid sites allow gsissh-based access to VoBoxes (e.g. for VO software managers)
- On a VoBox, Grid users are mapped to local accounts

Initial step for an attacker
- gain access to user credentials (certificate or proxy)

What happens next?
- Connect to the VoBox using the stolen credentials
- Run e.g. a kernel exploit to gain root privileges
Security incident - scenario A (2009)

    # sh -x wunderbar_emporium.sh
    [...]
    [+] got ring0!
    [+] detected 2.6 style 4k stacks
    [+] Disabled security of : nothing, what an insecure machine!
    [+] Got root!

    sh-3.00# id
    uid=0(root) gid=0(root) groups=64004(hepcg) context=user_u:system_r:initrc_t
Security incident - scenario B (2010)

[Diagram, four panels: (1) Department A and The Grid; (2) an X.509 certificate in Department A and one in The Grid; (3) an alien attacker appears next to Department A; (4) the alien attacker presents a stolen X.509 certificate to The Grid.]
Incident handling

For the next slides please keep in mind:

The red block (headed "Response procedure") describes actions required by the EGEE Incident Response Procedure document.

The blue block (headed "Action(s)") contains information about actions carried out during a security incident at the Grid resource in Dortmund.

Down here you will find additional information, e.g. max. response times.
Incident handling

Response procedure (first action)
Inform immediately your local security team and your ROC Security Contact.

Action
- Sent e-mail to Ursula Epting
- Read incident response procedure
- Informed 2nd site security officer and local security team

max. 4 hours or
Incident handling

Response procedure
In case no support is shortly available [...] try to contain the incident. For instance by unplugging the network cable connected to the host. Do NOT reboot or power off the host.

Action
- Disconnected affected worker nodes from network
Incident handling

Response procedure
Assist your local security team and your ROC Security Contact to confirm and investigate the incident. Announce the incident to all the sites.

Actions
- Send a heads-up e-mail (template: next slide)
- Arranged meeting with local security team
- Network guys were asked to check logs

max. 4 hours (Announcement)
Heads-up E-mail

    ** PLEASE DO NOT REDISTRIBUTE ** EGEE-<DATE> (ex: EGEE-20090531)
    ** This message is sent to the EGEE CSIRTs and must NOT be publicly archived **
    Dear CSIRTs,
    It seems a security incident has been detected at <your site>.
    Summary of the information available so far:

    Ex: A malicious SSH connection was detected from XXXXX. The extent of the
    incident is unclear for now, and more information will be published in the coming
    hours as forensics are progressing at our site. However, all sites should check for
    successful SSH connection from XXXXX as a precautionary measure.
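The heads-up asks every site to check for successful SSH connections from the reported address. The following is an added example (not from the slides or the Dortmund site) of that check run over sshd/gsissh auth log lines; the log sample, host names and IP ranges are constructed, and the "Accepted <method> for <user> from <src> port <port>" line is the one OpenSSH and gsissh write on successful authentication.

```python
"""Find successful SSH logins from the IPs named in a heads-up e-mail.

Added example, not part of the original slides. Log lines below are constructed
(documentation ranges 203.0.113.0/24 and 198.51.100.0/24, invented host names).
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import Iterable, List, Set

# Constructed sample of /var/log/secure lines; not from a real incident.
SAMPLE_AUTH_LOG = """\
May 31 02:14:07 udo-vobox sshd[4121]: Accepted gssapi-with-mic for vosgm from 203.0.113.7 port 51234 ssh2
May 31 02:14:09 udo-vobox sshd[4121]: pam_unix(sshd:session): session opened for user vosgm by (uid=0)
May 31 02:20:41 udo-vobox sshd[4188]: Failed password for root from 203.0.113.7 port 51300 ssh2
May 31 03:02:15 udo-ce01 sshd[977]: Accepted publickey for admin from 198.51.100.23 port 40022 ssh2
May 31 03:40:58 udo-vobox sshd[4301]: Accepted password for vosgm from 203.0.113.9 port 51412 ssh2
May 31 04:01:00 udo-ce01 sshd[1002]: Accepted publickey for admin from mgmt-jump port 40100 ssh2
"""

# Only successful authentications match; "Failed ..." lines are ignored on purpose.
ACCEPTED_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) sshd\[\d+\]: "
    r"Accepted (?P<method>\S+) for (?P<user>\S+) from (?P<src>\S+) port (?P<port>\d+)"
)


@dataclass(frozen=True)
class SshLogin:
    timestamp: str   # syslog timestamp (no year in the line); keep it for the report
    host: str        # site host that accepted the login, an "affected host" candidate
    user: str
    method: str      # publickey, password, gssapi-with-mic, ...
    source: str      # IP address, or a host name if sshd runs with UseDNS enabled
    port: int


def parse_accepted_logins(log_text: str) -> List[SshLogin]:
    """Return every successful authentication found in the log text."""
    logins = []
    for line in log_text.splitlines():
        m = ACCEPTED_RE.match(line)
        if m:
            logins.append(SshLogin(m["ts"], m["host"], m["user"], m["method"],
                                   m["src"], int(m["port"])))
    return logins


def find_logins_from(log_text: str, suspect_ranges: Iterable[str]) -> List[SshLogin]:
    """Successful logins whose source lies in any of the given IPs or CIDR ranges.

    Sources that are host names rather than IPs are skipped here and reported by
    unresolved_sources(), so they are not silently lost.
    """
    nets = [ipaddress.ip_network(r, strict=False) for r in suspect_ranges]
    hits = []
    for login in parse_accepted_logins(log_text):
        try:
            addr = ipaddress.ip_address(login.source)
        except ValueError:
            continue
        if any(addr in net for net in nets):
            hits.append(login)
    return hits


def unresolved_sources(log_text: str) -> Set[str]:
    """Login sources logged as host names; these need a manual check against the heads-up."""
    names = set()
    for login in parse_accepted_logins(log_text):
        try:
            ipaddress.ip_address(login.source)
        except ValueError:
            names.add(login.source)
    return names


def affected_hosts(logins: Iterable[SshLogin]) -> List[str]:
    """Sorted, de-duplicated host list for the 'affected hosts' line of the incident report."""
    return sorted({login.host for login in logins})


if __name__ == "__main__":
    hits = find_logins_from(SAMPLE_AUTH_LOG, ["203.0.113.0/24"])
    for h in hits:
        print(f"{h.timestamp} {h.host}: {h.user} via {h.method} from {h.source}:{h.port}")
    print("affected hosts:", affected_hosts(hits))
    print("sources needing manual check:", unresolved_sources(SAMPLE_AUTH_LOG))
```

The matched lines carry the timestamps and entry hosts the closure report later asks for, so keep the raw lines as evidence rather than only the summary.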
Incident handling

Response procedure
- Report a downtime for the affected hosts on the GOCDB
- → Send an EGEE broadcast announcing the downtime for the affected hosts. Use "Security operations in progress" as the reason with no additional detail, both for the broadcast and the GOCDB.

Actions
- Created downtime for possibly affected hosts udo-ce01/udo-dcache01

max. 1 day after discovery
Incident handling

Response procedure
Perform appropriate forensics and take necessary actions to prevent further damage:
- Identify and kill suspicious process(es) as appropriate, but aim at preserving the information they could have generated
- If it is suspected that some grid credentials have been abused or compromised, you MUST ensure the relevant accounts become suspended
- If it is suspected that some grid credentials have been abused, you MUST ensure that the relevant VO manager(s) have been informed.
Incident handling

Response procedure
Perform appropriate forensics and take necessary actions to prevent further damage:
- If it is suspected that some grid credentials have been compromised, you MUST ensure that the relevant certification authority gets informed.
- If needed, seek help from your local security team or from your ROC Security Contact
Incident handling

Action
- Banned affected users on our compute elements by adding their DN to the blacklist in /opt/glite/etc/lcas/ban_users.db
- E-mail to VO manager regarding compromised user
- Contacted the certification authority
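Banning by DN only works if the entry matches exactly what LCAS will compare against. The following is an added example (not the site's own tooling) that adds a compromised DN to an LCAS ban_users.db idempotently and verifies the ban; the file format is an assumption (one DN per line, optionally in double quotes, "#" comments), the sample file and DNs are constructed, so check the format against your LCAS version.

```python
"""Add a compromised DN to an LCAS ban_users.db and verify the ban took effect.

Added example, not the site's own code. Assumed format: one DN per line, optionally
enclosed in double quotes, '#' comments and blank lines ignored. All DNs constructed.
"""
from typing import List, Set

# Constructed ban list as it might exist on a compute element; not a real file.
SAMPLE_BAN_FILE = """\
# /opt/glite/etc/lcas/ban_users.db -- users banned from this CE
"/C=DE/O=GermanGrid/OU=ExampleDept/CN=Old Test User"
/C=DE/O=GermanGrid/OU=ExampleDept/CN=Unquoted Entry
"""


def normalize_dn(entry: str) -> str:
    """Strip whitespace and optional surrounding double quotes so comparisons are exact.

    A DN that differs only in quoting or a trailing space would otherwise look banned
    in the file while the matching engine never sees it as equal.
    """
    dn = entry.strip()
    if len(dn) >= 2 and dn[0] == '"' and dn[-1] == '"':
        dn = dn[1:-1]
    return dn.strip()


def parse_ban_list(text: str) -> Set[str]:
    """DNs currently banned; comments and blank lines are skipped."""
    banned = set()
    for line in text.splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        banned.add(normalize_dn(stripped))
    return banned


def is_banned(text: str, dn: str) -> bool:
    """True if dn (quoted or not) is listed in the ban file contents."""
    return normalize_dn(dn) in parse_ban_list(text)


def add_ban(text: str, dn: str) -> str:
    """Return the file contents with dn appended in quotes; unchanged if already listed."""
    dn = normalize_dn(dn)
    if not dn.startswith("/"):
        raise ValueError(f"not an OpenSSL-style DN: {dn!r}")
    if dn in parse_ban_list(text):
        return text
    if text and not text.endswith("\n"):
        text += "\n"
    return text + f'"{dn}"\n'


def ban_all(text: str, dns: List[str]) -> str:
    """Ban several DNs at once, e.g. every identity the stolen certificate could map to."""
    for dn in dns:
        text = add_ban(text, dn)
    return text


if __name__ == "__main__":
    compromised = "/C=DE/O=GermanGrid/OU=ExampleDept/CN=Compromised User"
    updated = add_ban(SAMPLE_BAN_FILE, compromised)
    print(updated)
    print("banned now:", is_banned(updated, compromised))
```

Write the returned text back to the file atomically (temporary file plus rename) so a half-written ban list is never read by a job arriving mid-update.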
Incident handling

Response procedure
As part of the security incident resolution process, sites are expected to report the following information:
- affected hosts and hosts used as entry point to the site
- remote IP address(es) of the attacker
- evidence of the compromise, including timestamps
- what was lost, details of the attack
- list of other sites possibly affected (if available)
- possible vulnerabilities exploited by the attacker (if available)
- actions taken to resolve the incident
Incident handling

Actions
- Tracked down the UI that was used by the attacker for job submission (checking logs of batch system, Compute Element, . . . )
- Analyzed netflow to/from the affected worker node
- Analyzed executables deployed by the attacker
- Updated incident report regularly
Incident handling

Response procedure
Coordinate with your local security team and your ROC Security Contact to send an incident closure report including lessons learnt and measures taken to prevent future incidents.

Actions
- Preparation and submission of final report

max. 1 month
Incident handling

Response procedure
Restore the service, and if needed, send an EGEE broadcast, update the GOCDB, service documentation and procedures to prevent recurrence as necessary.

Actions
- Re-installation of affected worker node
- Safety tuning
Thanks for your attention!

Talk at the Security Workshop, GridKA Summerschool 2010

  • 1. Incident reporting. GridKa Summer School 2010. Stefan Freitag, Florian Feldhaus, Robotics Research Institute, TU Dortmund. September 10, 2010
  • 2. Contents: 1 Before you report; 2 Incident Scenarios; 3 Incident handling
  • 3. Do you know....? Security Incident Response Policy [1]
      Objective: ensure that all incidents are investigated as fully as possible and that sites promptly report intrusions.
      As a grid participant, you agree to
        - report suspected security incidents that have impact or relationship to grid resources, services, or identities
        - respond to and investigate incident reports regarding resources, services, or identities for which you are responsible
        - perform appropriate investigations and forensics and share the results with the incident coordinator
        - follow the incident response procedure
      Next question: what is the incident response procedure?
      [1] https://edms.cern.ch/document/428035/7
  • 4. EGEE incident response procedure [2]
      Audience: grid site security officers and site administrators
      Definition of security incident: the act of violating an explicit or implied security policy
      Definition of actions for the case of a security incident. More on this in a few minutes ...
      [2] https://edms.cern.ch/document/867454
  • 5. Security incident - scenario A (2009)
      Some grid sites allow gsissh-based access to VoBoxes (e.g. for VO software managers). On a VoBox grid users are mapped to local accounts.
      Initial step for an attacker: gain access to user credentials (certificate or proxy).
      What happens next? Connect to VoBox using stolen credentials. Running e.g. a kernel exploit to gain root privileges.
  • 6. Security incident - scenario A (2009). Terminal output shown on the slide:
      # sh -x wunderbar_emporium.sh
      [...]
      [+] got ring0!
      [+] detected 2.6 style 4k stacks
      [+] Disabled security of : nothing, what an insecure machine!
      [+] Got root!
      sh-3.00# id
      uid=0(root) gid=0(root) groups=64004(hepcg) context=user_u:system_r:initrc_t
  • 7. Security incident - scenario B (2010). Diagram: Department A, The Grid.
  • 8. Security incident - scenario B (2010). Diagram: Department A, The Grid, two X.509 certificates.
  • 9. Security incident - scenario B (2010). Diagram: Department A, The Grid, two X.509 certificates, alien attacker.
  • 10. Security incident - scenario B (2010). Diagram: The Grid, stolen X.509 certificate, alien attacker.
  • 11. Incident handling. For the next slides please keep in mind:
      The red block describes actions required by the EGEE Incident Response Procedure document.
      The blue block contains information about actions carried out during a security incident at the Grid resource in Dortmund.
      Down here you will find additional information, e.g. max. response times.
  • 12. Incident handling
      First action (response procedure): Inform immediately your local security team and your ROC Security Contact.
      Action: sent e-mail to Ursula Epting; read incident response procedure; informed 2nd site security officer and local security team.
      max. 4 hours or
  • 13. Incident handling
      Response procedure: In case no support is shortly available [...] try to contain the incident, for instance by unplugging the network cable connected to the host. Do NOT reboot or power off the host.
      Action: disconnected affected workernodes from network.
  • 14. Incident handling
      Response procedure: Assist your local security team and your ROC Security Contact to confirm and investigate the incident. Announce the incident to all the sites.
      Actions: send a heads-up e-mail (template: next slide); arranged meeting with local security team; network guys were asked to check logs.
      max. 4 hours (announcement)
  • 15. Heads-up E-mail
      ** PLEASE DO NOT REDISTRIBUTE **
      EGEE-<DATE> (ex: EGEE-20090531)
      ** This message is sent to the EGEE CSIRTs and must NOT be publicly archived **
      Dear CSIRTs,
      It seems a security incident has been detected at <your site>.
      Summary of the information available so far:
      Ex: A malicious SSH connection was detected from XXXXX.
      The extent of the incident is unclear for now, and more information will be published in the coming hours as forensics are progressing at our site. However, all sites should check for successful SSH connection from XXXXX as a precautionary measure.
  • 16. Incident handling
      Response procedure: Report a downtime for the affected hosts on the GOCDB → send an EGEE broadcast announcing the downtime for the affected hosts. Use "Security operations in progress" as the reason with no additional detail both for the broadcast and the GOCDB.
      Actions: created downtime for possibly affected hosts udo-ce01/udo-dcache01.
      max. 1 day after discovery
  • 17. Incident handling
      Response procedure: Perform appropriate forensics and take necessary actions to prevent further damage.
        - Identify and kill suspicious process(es) as appropriate, but aim at preserving the information they could have generated.
        - If it is suspected that some grid credentials have been abused or compromised, you MUST ensure the relevant accounts become suspended.
        - If it is suspected that some grid credentials have been abused, you MUST ensure that the relevant VO manager(s) have been informed.
  • 18. Incident handling
      Response procedure (continued): Perform appropriate forensics and take necessary actions to prevent further damage.
        - If it is suspected that some grid credentials have been compromised, you MUST ensure that the relevant certification authority gets informed.
        - If needed, seek help from your local security team or from your ROC Security Contact.
  • 19. Incident handling
      Actions: banned affected users on our compute elements by adding their DN to the blacklist in /opt/glite/etc/lcas/ban_users.db; e-mail to VO manager regarding compromised user; contacted the certification authority.
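The account-suspension step from slides 17 to 19 is usually scripted rather than done by hand, and the script gets re-run (by an operator, or by configuration management) while the incident is still open. The following is an added example, not code from the talk or from gLite/LCAS: it adds a DN to a ban list idempotently and writes the file atomically. The slides only name the path /opt/glite/etc/lcas/ban_users.db; the format assumed here (one double-quoted X.509 subject DN per line, `#` comment lines allowed) and the sample DN are assumptions to be checked against the site's existing file.

```python
"""Idempotent addition of a compromised user's DN to an LCAS-style ban list.

Added example; not code from the talk or from gLite/LCAS. Assumed format:
one double-quoted X.509 subject DN per line, '#' comment lines allowed.
"""
from __future__ import annotations

import os
import tempfile
from pathlib import Path

BAN_FILE = Path("/opt/glite/etc/lcas/ban_users.db")  # path named on slide 19


def parse_ban_lines(lines: list[str]) -> set[str]:
    """DNs present in the list, ignoring blanks, '#' comments and surrounding quotes."""
    dns: set[str] = set()
    for line in lines:
        s = line.strip()
        if s and not s.startswith("#"):
            dns.add(s.strip('"'))
    return dns


def add_ban(lines: list[str], dn: str) -> tuple[list[str], bool]:
    """Pure core: return (new_lines, added).

    A DN that is already banned is not duplicated, so the caller can safely
    re-run this from a script or a configuration-management tool.
    """
    dn = dn.strip()
    # Minimal sanity check: OpenSSL-style subject DNs start with '/' and
    # never contain newlines or double quotes (which would break the file).
    if not dn.startswith("/") or "\n" in dn or '"' in dn:
        raise ValueError(f"not a plausible X.509 subject DN: {dn!r}")
    if dn in parse_ban_lines(lines):
        return list(lines), False
    return list(lines) + [f'"{dn}"'], True


def ban_dn(dn: str, ban_file: Path = BAN_FILE) -> bool:
    """Apply add_ban to the file on disk; True when the DN was newly added."""
    existing = ban_file.read_text().splitlines() if ban_file.exists() else []
    new_lines, added = add_ban(existing, dn)
    if added:
        # Write a temp file in the same directory and rename it over the
        # original, so the authorisation service never reads a half-written list.
        fd, tmp = tempfile.mkstemp(dir=str(ban_file.parent), prefix=".ban_users.")
        with os.fdopen(fd, "w") as fh:
            fh.write("\n".join(new_lines) + "\n")
        mode = ban_file.stat().st_mode & 0o777 if ban_file.exists() else 0o644
        os.chmod(tmp, mode)
        os.replace(tmp, ban_file)
    return added


if __name__ == "__main__":
    # Constructed DN and a local file path; a real run takes the DN from the
    # compromised credential and writes to BAN_FILE.
    print(ban_dn("/C=DE/O=ExampleGrid/OU=example/CN=Constructed User",
                 Path("./ban_users.db")))
```

Keeping the merge logic in a pure function (`add_ban`) separates the decision from the file I/O, which makes the idempotence property easy to test and lets the same code feed a review step before anything is written.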
  • 20. Incident handling
      Response procedure: As part of the security incident resolution process, sites are expected to report the following information:
        - affected hosts and hosts used as entry point to the site
        - remote IP address(es) of the attacker
        - evidence of the compromise, including timestamps
        - what was lost, details of the attack
        - list of other sites possibly affected (if available)
        - possible vulnerabilities exploited by the attacker (if available)
        - actions taken to resolve the incident
  • 21. Incident handling
      Actions: tracked down the UI that was used by the attacker for job submission (checking logs of batch system, Compute Element, ...); analyzed netflow to/from affected workernode; analyzed executables deployed by the attacker; updated incident report regularly.
  • 22. Incident handling
      Response procedure: Coordinate with your local security team and your ROC Security Contact to send an incident closure report including lessons learnt and measures taken to prevent future incidents.
      Actions: preparation and submission of final report.
      max. 1 month
  • 23. Incident handling
      Response procedure: Restore the service and, if needed, send an EGEE broadcast, update the GOCDB, service documentation and procedures to prevent recurrence as necessary.
      Actions: re-installation of affected workernode; safety tuning.
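Slides 12 to 23 describe one procedure with response-time limits (4 hours to inform and announce, 1 day for the downtime, 1 month for the closure report) and a list of information the closure report must contain. The following is an added example that is not part of the talk or of EGEE tooling: a small tracker that checks each step against its deadline, lists the closure-report fields that are still empty, and fills in the heads-up e-mail template from slide 15. The deadlines and field list are taken from the slides; "max. 1 month" is approximated as 30 days (an assumption), and the site name, hosts, timestamps and 192.0.2.x addresses are constructed sample data.

```python
"""Incident-handling deadline tracker and closure-report checklist.

Added example for the procedure on the slides; not code from the talk or
from EGEE. Deadlines and required fields come from the slides; "max. 1
month" is approximated as 30 days (assumption); sample data is constructed.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Maximum response times stated on the slides, counted from discovery.
DEADLINES = {
    "inform local security team and ROC Security Contact": timedelta(hours=4),
    "announce incident to all sites (heads-up e-mail)": timedelta(hours=4),
    "report downtime in GOCDB and send EGEE broadcast": timedelta(days=1),
    "send incident closure report": timedelta(days=30),  # "max. 1 month", 30 days assumed
}

# Information sites are expected to report (slide 20); the last two are "if available".
REQUIRED_FIELDS = ("affected_hosts", "entry_point_hosts", "attacker_ips",
                   "evidence_with_timestamps", "losses_and_attack_details", "actions_taken")
OPTIONAL_FIELDS = ("other_sites_affected", "vulnerabilities_exploited")


@dataclass
class Incident:
    site: str
    discovered: datetime
    done: dict[str, datetime] = field(default_factory=dict)  # step -> completion time
    report: dict[str, str] = field(default_factory=dict)     # closure-report fields

    def complete(self, step: str, when: datetime) -> None:
        if step not in DEADLINES:
            raise KeyError(f"unknown step: {step}")
        self.done[step] = when

    def status(self, now: datetime) -> dict[str, str]:
        """Classify every step as done / done late / open / overdue at time `now`."""
        out: dict[str, str] = {}
        for step, limit in DEADLINES.items():
            due = self.discovered + limit
            if step in self.done:
                out[step] = "done" if self.done[step] <= due else "done late"
            else:
                out[step] = "overdue" if now > due else "open"
        return out

    def missing_report_fields(self) -> list[str]:
        """Required closure-report fields that are still empty."""
        return [f for f in REQUIRED_FIELDS if not self.report.get(f, "").strip()]


def heads_up_email(site: str, date: datetime, summary: str, precaution: str) -> str:
    """Fill the heads-up template from slide 15; wording follows the slide."""
    return "\n".join([
        "** PLEASE DO NOT REDISTRIBUTE **",
        "EGEE-" + date.strftime("%Y%m%d"),
        "** This message is sent to the EGEE CSIRTs and must NOT be publicly archived **",
        "",
        "Dear CSIRTs,",
        f"It seems a security incident has been detected at {site}.",
        "Summary of the information available so far:",
        summary,
        "The extent of the incident is unclear for now, and more information will be",
        "published in the coming hours as forensics are progressing at our site.",
        f"However, all sites should {precaution} as a precautionary measure.",
    ])


def demo() -> dict:
    """Walk a constructed incident through its first day of handling."""
    found = datetime(2010, 9, 10, 8, 0)  # constructed discovery time
    inc = Incident(site="example-site (constructed)", discovered=found)
    inc.complete("inform local security team and ROC Security Contact",
                 found + timedelta(hours=2))
    inc.report["affected_hosts"] = "wn-example-01 (constructed)"
    inc.report["attacker_ips"] = "192.0.2.10 (constructed, TEST-NET-1)"
    mail = heads_up_email(inc.site, found,
                          "Ex: A malicious SSH connection was detected from 192.0.2.10.",
                          "check for successful SSH connections from 192.0.2.10")
    return {
        "status": inc.status(now=found + timedelta(hours=12)),  # 20:00 on day one
        "missing": inc.missing_report_fields(),
        "email": mail,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, "->", value)
```

At 20:00 on the day of discovery the constructed incident shows the informing step done, the announcement overdue (its 4-hour limit passed at 12:00), the downtime and closure steps still open, and four of the six required report fields empty; that is the kind of checklist a site security officer wants in front of them while the forensics on slides 17 to 21 are still running.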
  • 24. Thanks for your attention!