EGI-InSPIRE
EGI-CSIRT presentation
Adam Smutnicki
Wroclaw Centre for Networking and Supercomputing, Poland
10 May 2012, 36th TF-CSIRT Meeting. EGI-InSPIRE RI-261323, www.egi.eu

European Grid Infrastructure
• a federation of 350+ resource centres in 50+ countries
• approx. 400k compute cores
• continuation of the EGEE I–III projects
• computing and storage resources for researchers
• cooperation of European and national projects
• in practice not only European countries but also the Americas, Asia and the Pacific

EGI in the world

EGI-CSIRT
• top-level CSIRT team for the whole European Grid Infrastructure
• formally operational since 01.05.2010
• created on the basis of the OSCT from EGEE
• TI listed team
• distributed team consisting of the NGIs' representatives
• not a purely virtual team: we meet each other a few times a year

EGI Security Structure

EGI-CSIRT Teams
• IRTF: Incident Response Task Force
• SMG: Security Monitoring Group
• SDG: Security Drill Group
• TDG: Training and Dissemination Group

Incident Response Task Force
• 14 actively participating, among 34 NGIs
• Vulnerability Assessment Team
• incident handling and coordination
• forensics
• strong and good cooperation within the group → forensics done by members for other NGIs
• good cooperation with the EGI Software Vulnerability Group
• direct communication with IM

Security Monitoring
• Security Dashboard:
  • Pakiti
  • Nagios
  • metrics
  • stats
• monitoring of a distributed infrastructure on the system level rather than the network level
• active monitoring with notifications
• in a short time we can easily deploy dedicated security checks to be run on all sites, e.g. when there is a new vulnerability
• Security Intelligence Group
• we are very close to (part of) our constituencies (the NGIs), so we know them very well; we are focused on proactive actions

Security Dashboard

Security Drills
Separate presentation “Security Drills in a Grid Environment” on Friday 11.05 at 11:00 by Oscar Koeroo from Nikhef.

Training and Dissemination
• wiki with a lot of operational information
• Security Training sessions for staff during the project meeting; there was a big interest
• involved in the GridKa School trainings in Karlsruhe
• real-case incident scenarios in preparation with the SDG

IRTF Operational actions
• 1-week duties with backups
• continuous monitoring
• critical vulnerabilities handling
• preparing and distributing advisories
• incident response coordination
• well known, systematized security staff structure
• all security and administrative contacts in a single dedicated database
• NGI SOs (from the IRTF) are the first point of contact, with the shortest reaction time
• even though some sites have their own security staff and have access to all security tools, in practice CSIRT members “take care” of them

Procedures
• Critical Vulnerability Handling
• Incident Response and information distribution to all sites
• the information sharing model is implemented in the procedures... and is working

Critical Vulnerability Handling
• used for vulnerabilities assessed as critical by the Risk Assessment Team, e.g. a local root exploit
• all sites are checked against such a vulnerability (monitoring tools)
• while a patch is not yet released, mitigations are suggested and checked (if possible)
• once a patch is available, a site has 7 days to apply it
• for old, reoccurring vulnerabilities: 2 days to apply
• vulnerabilities tend to reappear even 1.5 years after the patch was released (e.g. CVE-2010-3081)
• death penalty: site suspension, and it works pretty well

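The procedure above, fed with the per-site check results that the Security Monitoring slide describes, as an added Python illustration that is not EGI-CSIRT's own code: it applies the 7-day and 2-day deadlines and the suspension rule to Pakiti/Nagios-style observations. The CVE id, site names, dates and the day each deadline counts from are assumptions, labelled in the code.

```python
"""Deadline tracking for a Critical Vulnerability Handling (CVH) procedure.
Added illustration, not EGI-CSIRT code: 7 days once a patch is available,
2 days for an old, reoccurring vulnerability, suspension once overdue."""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional

PATCH_DEADLINE_DAYS = 7        # patch available: site has 7 days to apply it
REOCCURRING_DEADLINE_DAYS = 2  # old, reoccurring vulnerability: 2 days


@dataclass(frozen=True)
class Vulnerability:
    cve: str
    critical: bool                   # verdict of the Risk Assessment Team
    patch_available: Optional[date]  # None while no patch has been released
    mitigation_known: bool = False   # a workaround exists that sites can apply


@dataclass(frozen=True)
class Observation:
    """One monitoring result for a site, as a Pakiti/Nagios-style check reports it."""
    day: date
    site: str
    cve: str
    status: str  # "vulnerable", "mitigated" or "patched"


def site_history(history: List[Observation], site: str, cve: str) -> List[Observation]:
    """Observations of one site for one CVE, oldest first."""
    return sorted((o for o in history if o.site == site and o.cve == cve),
                  key=lambda o: o.day)


def has_reoccurred(history: List[Observation], site: str, cve: str) -> bool:
    """True if the site was once seen patched for this CVE and is vulnerable again."""
    obs = site_history(history, site, cve)
    return (bool(obs) and obs[-1].status == "vulnerable"
            and any(o.status == "patched" for o in obs[:-1]))


def deadline(vuln: Vulnerability, history: List[Observation], site: str) -> Optional[date]:
    """Date by which the site must have applied the patch, or None while none exists.
    Assumption (the slide gives only day counts): the 7 days run from the patch date,
    the 2 days for a reoccurrence from the observation that detected the reappearance."""
    if vuln.patch_available is None:
        return None
    if has_reoccurred(history, site, vuln.cve):
        detected = site_history(history, site, vuln.cve)[-1].day
        return detected + timedelta(days=REOCCURRING_DEADLINE_DAYS)
    return vuln.patch_available + timedelta(days=PATCH_DEADLINE_DAYS)


def assess(vuln: Vulnerability, history: List[Observation], site: str, today: date) -> str:
    """Action for the security officer on duty regarding one site on `today`."""
    if not vuln.critical:
        return "not critical: outside the CVH procedure"
    obs = site_history(history, site, vuln.cve)
    if not obs:
        return "not yet checked: deploy the security check"
    status = obs[-1].status
    if status == "patched":
        return "ok"
    if vuln.patch_available is None:
        if status == "mitigated":
            return "mitigated: keep checking until a patch is released"
        return ("suggest mitigation and verify it" if vuln.mitigation_known
                else "no patch and no mitigation: keep monitoring")
    # A patch exists: a mitigation does not extend the deadline (assumption).
    due = deadline(vuln, history, site)
    if today > due:
        return f"overdue since {due}: suspend site"
    tag = "reoccurring, " if has_reoccurred(history, site, vuln.cve) else ""
    return f"{tag}{(due - today).days} day(s) left to apply the patch (due {due})"


# Constructed sample: a placeholder CVE id (not a real identifier), a patch
# released on 20 April 2012 and four sites covered by monitoring.
CVE = "CVE-0000-0001"
VULN = Vulnerability(CVE, critical=True, patch_available=date(2012, 4, 20),
                     mitigation_known=True)
HISTORY = [
    Observation(date(2012, 4, 21), "site-a", CVE, "vulnerable"),
    Observation(date(2012, 4, 24), "site-a", CVE, "patched"),     # fixed in time
    Observation(date(2012, 4, 21), "site-b", CVE, "vulnerable"),  # never patched
    Observation(date(2012, 4, 21), "site-c", CVE, "patched"),
    Observation(date(2012, 5, 8), "site-c", CVE, "vulnerable"),   # reappeared
]
SITES = ["site-a", "site-b", "site-c", "site-d"]  # site-d never reported a result


def demo() -> Dict[str, str]:
    """Per-site actions for the day of the talk, 10 May 2012."""
    return {site: assess(VULN, HISTORY, site, date(2012, 5, 10)) for site in SITES}


if __name__ == "__main__":
    for site, action in demo().items():
        print(f"{site}: {action}")
```

Site C shows the reoccurrence case from the slide: it was patched once, the vulnerability came back, and the 2-day clock now runs from the check that detected it.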
Incident Response
• the CSIRT SO on duty is the incident coordinator (sometimes the NGI SO)
• NGI SO involved as an NGI-level coordinator if needed (e.g. a multisite incident)
• site response time requirements
• first guidelines on what kind of information needs to be checked/provided
• all sites are informed constantly; updates sent by the CSIRT SO on duty
• final report required and circulated among all sites (not only the involved ones)
• templates for reporting, updates and the final report

Incidents info/stats (1)
• our incidents can spread very quickly through “leaf” sites in different countries, belonging to different NRENs and different jurisdictions
• they spread easily with compromised users' credentials
• since 05.2010 we have had 18 incidents, most of them single-site
• incidents due to: stolen/weak passwords, unprotected ssh keys, vulnerable services open to the world and unpatched software...

Incidents info/stats (2)
• ... so far none related to grid technologies/credentials
• in most cases the attacker is not aware what kind of infrastructure he was able to penetrate
• it is important to have good relationships with the NREN CSIRTs
• in one case the attackers were caught by LE: dwaan and xS (KPN incident)

![Page 48: EGI-CSIRT presentation - TERENA · EGI-CSIRT presentation Adam Smutnicki Wroclaw Centre for Networking and Supercomputing Poland 10 May 2012 36th TF-CSIRT Meeting 1 ... Nagios metrics](https://reader031.vdocument.in/reader031/viewer/2022031014/5b98970a09d3f2085f8bdfa8/html5/thumbnails/48.jpg)
Incident Response workflow
One may see our response scheme as:
Site → NGI CSIRT → NREN CSIRT → other NRENs, NGIs and Sites
In practice:
Site → NGI CSIRT → EGI-CSIRT → other NGIs and Sites
or even:
Site → NGI CSIRT → Other NGI CSIRT
Links
EGI: http://www.egi.eu
EGI-CSIRT: https://wiki.egi.eu/csirt
EGI CSIRT
Questions ?