EGI-InSPIRE. Security Drill Group: Security Service Challenges. Oscar Koeroo. Together with: 09/23/11 1 EGI-InSPIRE RI

Similar documents
Grids and Security. Ian Neilson Grid Deployment Group CERN. TF-CSIRT London 27 Jan

Outline. Infrastructure and operations architecture. Operations. Services Monitoring and management tools

Security Service Challenge & Security Monitoring

AAI in EGI Current status

LCG User Registration & VO management

EGI Check-in service. Secure and user-friendly federated authentication and authorisation

Scientific data processing at global scale The LHC Computing Grid. fabio hernandez

Prototype DIRAC portal for EISCAT data Short instruction

Security Architecture

The LGI Pilot job portal. EGI Technical Forum 20 September 2011 Jan Just Keijser Willem van Engen Mark Somers

Grid Security Policy

RFC2350 TLP1: WHITE. Έκδοση National CSIRT-CY RFC2350

Travelling securely on the Grid to the origin of the Universe

Security+ SY0-501 Study Guide Table of Contents

Evolution of the ATLAS PanDA Workload Management System for Exascale Computational Science

SECURITY & PRIVACY DOCUMENTATION

Grid-CERT Services. Modification of traditional and additional new CERT Services for Grids

Grid Computing: dealing with GB/s dataflows

IT Services IT LOGGING POLICY

The PanDA System in the ATLAS Experiment

Introduction to Programming and Computing for Scientists

WP3: Policy and Best Practice Harmonisation

Federated Security Incident Response. Tom Barton, University of Chicago Jim Basney, NCSA Vincente Brillault, CERN Scott Koranda, LIGO

Introduction to Programming and Computing for Scientists

OpenIAM Identity and Access Manager Technical Architecture Overview

VMs at a Tier-1 site. EGEE 09, Sander Klous, Nikhef

Pan-European Grid einfrastructure for LHC Experiments at CERN - SCL's Activities in EGEE

Crises Control Cloud Security Principles. Transputec provides ICT Services and Solutions to leading organisations around the globe.

Client Portal FAQ's. Client Portal FAQ's. Why is the Portal more secure?

Grid Experiment and Job Management

Verasys Enterprise Security and IT Guide

SLATE. Services Layer at the Edge. First Meeting of the National Research Platform Montana State University August 7-8, 2017

Global Response Centre (GRC) & CIRT Lite. Regional Cyber security Forum 2009, Hyderabad, India 23 rd to 25 th September 2009

Mark Littlejohn June 23, 2016 DON T GO IT ALONE. Achieving Cyber Security using Managed Services

GÉANT Community Programme

EGI-InSPIRE. GridCertLib Shibboleth authentication for X.509 certificates and Grid proxies. Sergio Maffioletti

RUSSIAN DATA INTENSIVE GRID (RDIG): CURRENT STATUS AND PERSPECTIVES TOWARD NATIONAL GRID INITIATIVE

En partenariat avec CA Technologies. Genève, Hôtel Warwick,

The ATLAS PanDA Pilot in Operation

Stakeholders Analysis

The LHC Computing Grid

Grid Authentication and Authorisation Issues. Ákos Frohner at CERN

ELIMINATE SECURITY BLIND SPOTS WITH THE VENAFI AGENT

European Grid Infrastructure

Grid Computing. MCSN - N. Tonellotto - Distributed Enabling Platforms

Argus Vulnerability Assessment *1

Credential Management in the Grid Security Infrastructure. GlobusWorld Security Workshop January 16, 2003

Kenna Platform Security. A technical overview of the comprehensive security measures Kenna uses to protect your data

DHIS2 Hosting Proposal

HammerCloud: A Stress Testing System for Distributed Analysis

Technical Brief SUPPORTPOINT TECHNICAL BRIEF MARCH

Cyber Defense Operations Center

Gatekeeper Public Key Infrastructure Framework. Information Security Registered Assessors Program Guide

Grid Architectural Models

Security analytics: From data to action Visual and analytical approaches to detecting modern adversaries

glite Grid Services Overview

CCISO Blueprint v1. EC-Council

April Appendix 3. IA System Security. Sida 1 (8)

MQ Jumping... Or, move to the front of the queue, pass go and collect 200

Digital Forensics Readiness PREPARE BEFORE AN INCIDENT HAPPENS

Security Overview. Technical Whitepaper. Secure by design. End to end security. N-tier Application Architecture. Data encryption. User authentication

Maintaining Traceability in an Evolving Distributed Computing Environment

FIREWALL PROTECTION AND WHY DOES MY BUSINESS NEED IT?

Virtualization in a Grid Environment. Nils Dijk - Hogeschool van Amsterdam Instituut voor Informatica

The Case for National CSIRTs

30 Nov Dec Advanced School in High Performance and GRID Computing Concepts and Applications, ICTP, Trieste, Italy

Vocera Secure Texting 2.1 FAQ

Feasibility study of scenario based self training material for incident response

EGI-InSPIRE. EGI Applications Database (TNA3.4) William Vassilis Karageorgos, et al.

Open Group Security Forum Overview

ForeScout Extended Module for Carbon Black

The EU DataGrid Testbed

Inland Revenue. Build Pack. Identity and Access Services. Date: 04/09/2017 Version: 1.5 IN CONFIDENCE

Awareness Technologies Systems Security. PHONE: (888)

AARC Overview. Licia Florio, David Groep. 21 Jan presented by David Groep, Nikhef.

Layer Security White Paper

Software Development & Education Center Security+ Certification

Scalable Computing: Practice and Experience Volume 10, Number 4, pp

Argus Authorization Service

No Country for Old Security Compliance in the Cloud. Joel Sloss, CDSA Board of Directors May 2017

SAFECOM SECUREWEB - CUSTOM PRODUCT SPECIFICATION 1. INTRODUCTION 2. SERVICE DEFINITION. 2.1 Service Overview. 2.2 Standard Service Features APPENDIX 2

Canada Life Cyber Security Statement 2018

Cisco Tetration Analytics

Ansible for Incident Response

Site Builder Privacy and Data Protection Policy

The University of Oxford campus grid, expansion and integrating new partners. Dr. David Wallom Technical Manager

The Role and Functions of European Grid Infrastructure

MarkLogic Server. Common Criteria Evaluated Configuration Guide. MarkLogic 9 May, Copyright 2019 MarkLogic Corporation. All rights reserved.

Data Security & Operating Environment

Course overview. CompTIA Security+ Certification (Exam SY0-501) Study Guide (G635eng v107)

Presentation to the ITU on the Q-CERT Incident Management Team. Ian M Dowdeswell Incident Manager, Q-CERT

Question 1: What steps can organizations take to prevent incidents of cybercrime? Answer 1:

CounterACT Check Point Threat Prevention Module

The following chart provides the breakdown of exam as to the weight of each section of the exam.

WHITE PAPER. The General Data Protection Regulation: What Title It Means and How SAS Data Management Can Help

Advanced Diploma on Information Security

Controlled Document Page 1 of 6. Effective Date: 6/19/13. Approved by: CAB/F. Approved on: 6/19/13. Version Supersedes:

IOT Security More than just the network..

Ivane Javakhishvili Tbilisi State University High Energy Physics Institute HEPI TSU

Design your network to aid forensics investigation

Transcription:

EGI-InSPIRE Security Drill Group: Security Service Challenges Oscar Koeroo Together with: 09/23/11 1

index Intro Why an SSC? SSC{1,2,3,4} SSC5 Future 2

acknowledgements NON INTRUSIVE DO NOT affect actual production FULL control of the distributed infection Detailed LOGGING of all infection activity Have an emergency FULL STOP of the drill 3

Who am I Work at Security (grid middleware) expert, 2003- Multiple EU FP7 projecten Account mapping framework (LCMAPS) Standardization (Open Grid Forum) Security training for grid infra (SSC) Risk Analysis Team (EGI-SVG) 4

European Grid Infrastructure 372 sites globally 10 40 Gbps network 296 000 CPU cores 140 000 TByte storage Oscar Koeroo Nikhef Amsterdam PDP & Grid

Why perform security drills? Our own research infrastructure with small and large data centers Non-standard/custom/special software stack Distributed skill levels Training and learn from doing 6

Objectives Goal Investigate whether sufficient information is available to be able conduct an audit trace as part of an incident response and to ensure that appropriate communications channels are available 7

Objectives SSC Addresses Compliance with audit requirements Understanding of the incident handling and response guide The overall execution of the incident handling procedures 8

Security Service Challenge 1 Compute workflow analyses Functional email address Registered in a central database Responsive email address Send a reply within 4 hours (SLA-test) 9

Identities on the Grid Authentication using PKI International Grid Trust Federation - www.igtf.net Globally unique name - users and hosts Traceable to a real person Virtual Organisation membership Registration based on the unique name Membership can grant access to resources Group and role based 10

Security Service Challenge 2 Storage challenge Regional operation center were targeted File stored on the mass storage system Who stored/transferred a file? Revealed limitations in log file quality Missing features in the storage solutions 11

Workflow: Storage access Storage headnode Authentication Role: Scientist / end-user Internet Authorisation: Subject + VO Enforce: Storage pool selection Storage pool 12

Security Service Challenge 3 Operational diligence challenge Submitting a grid job to various sites First friendly malware Malware tested site setup and revealed problems Admins & security contacts are forced to track down the malware on their cluster Revealed problematic cluster setups 13

Workflow: Compute with regular job Internet Gatekeeper Authentication Role: Scientist / end-user Authorisation: Subject + VO Enforce: Account mapping Batch system scheduler 14

Security Service Challenge 4 Challenging a sites and a VO (LHC: ATLAS) Job submission now using pilot jobs Mimicking physics analyses jobs Malware tested site setup and revealed problems Admins are forced to track down the malware on their cluster Forced distributed teams to communicate Result: ATLAS now has a formal CSIRT 15

Workflow: Compute with Pilot Job Internet Gatekeeper Authentication Role: Production Manager Authorisation: Subject + VO VO task queue Enforce: Account mapping Batch system scheduler Role: Scientist / end-user Internet 16

Workflow: Compute with Pilot Job Internet Gatekeeper Authentication Role: Production Manager Authorisation: Subject + VO VO task queue Enforce: Account mapping Batch system scheduler Role: Scientist / end-user Internet 17

Security Service Challenge 4 SysAdmins see the regular grid job Log: This job is from the production manager Need to dig into the analyses framework Expose the real scientist ==> Requires help Forced to contact CERN-IT and Atlas Learn what to look for Mapping of PanDa-ID <=> Rogue Scientist Follow regular procedures & contain the IRC bot 18

SSC5: a Multi Site Security Drill code name: World Domination 19

Goal Simulate a grid wide security incident Means: ~40 sites, globally, all at once Challenge the procedures on IR handling Focus on the communication channel capabilities 20

Workflow: Pilot jobs and storage Internet Role: Production Manager Gatekeeper Authentication Authentication Storage headnode Authorisation: Subject + VO Authorisation: Subject + VO VO task queue Enforce: Account mapping Enforce: Storage pool selection Batch system scheduler Storage pool Role: Scientist / end-user Internet 21

Workflow: Pilot jobs and storage Internet Role: Production Manager Gatekeeper Authentication Authentication Storage headnode Authorisation: Subject + VO Authorisation: Subject + VO VO task queue Enforce: Account mapping Enforce: Storage pool selection Batch system scheduler Storage pool Role: Scientist / end-user Internet 22

Architecting the attack T2 1 T2 2 T2 3 T1 NGI CSIRT Pilot CSIRT EGI CSIRT T1 NGI CSIRT T2 4 T2 5 T2 6 23

t0: Initial tickets T2 1 T2 2 T2 3 Initial ticket to T2 T1 NGI CSIRT Pilot CSIRT EGI CSIRT T1 NGI CSIRT Initial ticket to T2 T2 4 T2 5 T2 6 24

t1: Informing NGI and EGI teams Informing NGI and EGI CSIRT teams T2 1 T2 2 T2 3 T1 NGI CSIRT Pilot CSIRT EGI CSIRT T1 NGI CSIRT T2 4 T2 5 T2 6 25

t2: Checking the logs Looking for certificate and VO involvement T2 1 T2 2 T2 3 T1 NGI CSIRT Pilot CSIRT EGI CSIRT T1 NGI CSIRT T2 4 T2 5 T2 6 26

t3: Contacting the VO Notify Pilot CSIRTs Request Job/Site list T2 1 T2 2 T2 3 T1 NGI CSIRT Pilot CSIRT EGI CSIRT T1 NGI CSIRT T2 4 T2 5 T2 6 27

t4: EGI informs T1 & T2 T2 1 T2 2 T2 3 Inform T1s and T2s about job/site information T1 NGI CSIRT Pilot CSIRT EGI CSIRT T1 NGI CSIRT T2 4 T2 5 T2 6 28

t5: NGI containment T2 1 T2 2 T2 3 Containment by T1 and T2s T1 NGI CSIRT Pilot CSIRT EGI CSIRT T1 NGI CSIRT T2 4 T2 5 T2 6 29

t6: Forensics & Reporting T2 1 T2 2 T2 3 Forensics and Reporting T1 NGI CSIRT Pilot CSIRT EGI CSIRT T1 NGI CSIRT T2 4 T2 5 T2 6 30

Problems to solve SysAdmins need to keep production up Security contacts need to communicate Don t DDoS the pan-eu coordinators with email Seek help & share data Find the rogue identity Hunt on all other services for similar activity Storage Other grid infrastructure systems 31

Coordinating our quest for World Domination Malware Friendly malware Pakiti tool C n C service Embedded RT-IR service Templated ticket generation Grid MW installed User-Interface Django-based webportal Google Maps themed after Wargames External: a Jabber room 32

SSC-Monitor: the coordination hub 33

Build-in features in the bot Use plain HTTP as the C&C protocol Packing libevent for HTTP Encrypt the HTTP JSON payload with AES Packing libjson, AES and SHA1/SHA256 Fake (deadcode) for cron/atd tests & others Search for writeable file locations and leave files Command set through JSON incl arbitrary command execution Look busy Calculate SHA256 hashes and create 70% load on a Core i7 34

Bot kill switches Through a command; HTTP/JSON-AES Time based; two weeks DNS A specific return value was expected from a DNS service; otherwise stop 35

Anti-debugging features Used: GDB detection ptrace detection Not used: encrypted binary; Not open sourced 36

The challenge viewed from our side 37

Future of the SSC Regional Latest news is that the Spanish NGI is being challenged right now Challenge-as-a-Service portal SSC6 Disclaimer: Exclusively for grid resources Same concept, different bot, new VO Outreach Sharing our ideas into other communities 38

Questions? Oscar Koeroo okoeroo@nikhef.nl @okoeroo 39

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback