SSC5: a Multi Site Security Drill, code name: “World Domination”. Oscar Koeroo. www.egi.eu, EGI-InSPIRE RI-261323.


1 SSC5: a Multi Site Security Drill, code name: “World Domination”. Oscar Koeroo, 09/23/11. Together with:

2 Acknowledgements
- NON INTRUSIVE
- DO NOT affect actual production
- FULL control of the distributed infection
- Detailed LOGGING of all infection activity
- Have an emergency FULL STOP of the drill

3 Goal
- Simulate a grid wide security incident
- Means: ~40 sites, globally, all at once
- Challenge the procedures on IR handling
- Focus on the communication channel capabilities

4 Architecting the attack

5 t0: Initial tickets

6 t1: Informing NGI and EGI teams

7 t2: Checking the logs

8 t3: Contacting the VO

9 t4: EGI informs T1 & T2

10 t5: NGI containment

11 t6: Forensics & Reporting

12 Bot network deployment through PanDa pilot job submission
[Diagram labels: Worker Node, Bot, PanDa*, SSC5: Portal C&C, Submit host, IP NAT]

13 The challenge viewed from our side

14 Built-in features in the bot
- Use plain HTTP as the C&C protocol
- Packing libevent for HTTP
- Encrypt the HTTP JSON payload with AES
- Packing libjson, AES and SHA1/SHA256
- Fake (dead code) for cron/atd tests & others
- Search for writeable file locations and leave files
- Command set through JSON, incl. arbitrary command execution
- “Look busy”: calculate SHA256 hashes and create 70% load on a Core i7

15 Bot kill switches
- Through a command; HTTP/JSON-AES
- Time based; two weeks
- DNS: a specific return value was expected from a DNS service; otherwise stop

16 Anti-debugging features
- Used: GDB detection, ptrace detection
- Not used: encrypted binary; Not open sourced

17 Future ideas to hide our tracks...

18 SSC-Monitor: the coordination hub

19 Questions?

