Presentation is loading. Please wait.

Presentation is loading. Please wait.

Www.egi.eu EGI-InSPIRE RI-261323 EGI-InSPIRE www.egi.eu EGI-InSPIRE RI-261323 1 SSC5 a Multi Site Security Drill code name: “World Domination” Oscar Koeroo.

Published byHope Hall Modified over 9 years ago

Similar presentations

Presentation on theme: "Www.egi.eu EGI-InSPIRE RI-261323 EGI-InSPIRE www.egi.eu EGI-InSPIRE RI-261323 1 SSC5 a Multi Site Security Drill code name: “World Domination” Oscar Koeroo."— Presentation transcript:

1 www.egi.eu EGI-InSPIRE RI-261323 EGI-InSPIRE www.egi.eu EGI-InSPIRE RI-261323 1 SSC5 a Multi Site Security Drill code name: “World Domination” Oscar Koeroo 09/23/11 1 Together with:

2 2 www.egi.eu EGI-InSPIRE RI-261323 acknowledgements NON INTRUSIVE DO NOT affect actual production FULL control of the distributed infection Detailed LOGGING of all infection activity Have an emergency FULL STOP of the drill 2

3 3 www.egi.eu EGI-InSPIRE RI-261323 Goal Simulate a grid wide security incident Means: ~40 sites, globally, all at once Challenge the procedures on IR handling Focus on the communication channel capabilities 3

4 4 www.egi.eu EGI-InSPIRE RI-261323 Architecting the attack 4

5 5 www.egi.eu EGI-InSPIRE RI-261323 t0: Initial tickets 5

6 6 www.egi.eu EGI-InSPIRE RI-261323 t1: Informing NGI and EGI teams 6

7 7 www.egi.eu EGI-InSPIRE RI-261323 t2: Checking the logs 7

8 8 www.egi.eu EGI-InSPIRE RI-261323 t3: Contacting the VO 8

9 9 www.egi.eu EGI-InSPIRE RI-261323 t4: EGI informs T1 & T2 9

10 10 www.egi.eu EGI-InSPIRE RI-261323 t5: NGI containment 10

11 11 www.egi.eu EGI-InSPIRE RI-261323 t6: Forensics & Reporting 11

12 12 www.egi.eu EGI-InSPIRE RI-261323 Bot network deployment through PanDa pilot job submission 12 Worker Node Bot PanDa* SSC5: Portal C&C Submit host IP NAT

13 13 www.egi.eu EGI-InSPIRE RI-261323 The challenge viewed from our side 13

14 14 www.egi.eu EGI-InSPIRE RI-261323 Build-in features in the bot Use plain HTTP as the C&C protocol Packing libevent for HTTP Encrypt the HTTP JSON payload with AES Packing libjson, AES and SHA1/SHA256 Fake (deadcode) for cron/atd tests & others Search for writeable file locations and leave files Command set through JSON incl arbitrary command execution “Look busy” Calculate SHA256 hashes and create 70% load on a Core i7 14

15 15 www.egi.eu EGI-InSPIRE RI-261323 Bot kill switches Through a command; HTTP/JSON-AES Time based; two weeks DNS A specific return value was expected from a DNS service; otherwise stop 15

16 16 www.egi.eu EGI-InSPIRE RI-261323 Anti-debugging features Used: GDB detection ptrace detection Not used: encrypted binary; Not open sourced 16

17 17 www.egi.eu EGI-InSPIRE RI-261323 Future ideas to hide our tracks... 17

18 18 www.egi.eu EGI-InSPIRE RI-261323 SSC-Monitor: the coordination hub 18

19 19 www.egi.eu EGI-InSPIRE RI-261323 Questions? 19

Download ppt "Www.egi.eu EGI-InSPIRE RI-261323 EGI-InSPIRE www.egi.eu EGI-InSPIRE RI-261323 1 SSC5 a Multi Site Security Drill code name: “World Domination” Oscar Koeroo."

Similar presentations

PPP (Point to Point protocol).  On WAN connection, the protocol depends on the WAN technology and communicating equipment:  Examples:  HDLC –  The.

PPP (Point to Point protocol).  On WAN connection, the protocol depends on the WAN technology and communicating equipment:  Examples:  HDLC –  The.
Www.egi.eu EGI-InSPIRE RI-261323 EGI-InSPIRE www.egi.eu EGI-InSPIRE RI-261323 EGI Security Policy Group Summary EGI TF David Kelsey 6/28/2015 1.

EGI-InSPIRE RI EGI-InSPIRE EGI-InSPIRE RI EGI Security Policy Group Summary EGI TF David Kelsey 6/28/
DIRAC API DIRAC Project. Overview  DIRAC API  Why APIs are important?  Why advanced users prefer APIs?  How it is done?  What is local mode what.

DIRAC API DIRAC Project. Overview  DIRAC API  Why APIs are important?  Why advanced users prefer APIs?  How it is done?  What is local mode what.
Www.egi.eu EGI-InSPIRE RI-261323 EGI-InSPIRE www.egi.eu EGI-InSPIRE RI-261323 The EGI Software Vulnerability Group and EMI Dr Linda Cornwall, STFC, Rutherford.

EGI-InSPIRE RI EGI-InSPIRE EGI-InSPIRE RI The EGI Software Vulnerability Group and EMI Dr Linda Cornwall, STFC, Rutherford.
MSIT 458 – The Chinchillas. Offense Overview Botnet taxonomies need to be updated constantly in order to remain “complete” and are only as good as their.

MSIT 458 – The Chinchillas. Offense Overview Botnet taxonomies need to be updated constantly in order to remain “complete” and are only as good as their.
Antivirus Technology in State Government Kym Patterson State Chief Cyber Security Officer Department of Information Systems.

Antivirus Technology in State Government Kym Patterson State Chief Cyber Security Officer Department of Information Systems.
SSC2 and Update on Multi-user Pilot Jobs Framework Mingchao Ma, STFC – RAL HEPSysMan Meeting 20/06/2008.

SSC2 and Update on Multi-user Pilot Jobs Framework Mingchao Ma, STFC – RAL HEPSysMan Meeting 20/06/2008.
SICSA student induction day, 2009Slide 1 Social Simulation Tutorial Session 6: Introduction to grids and cloud computing International Symposium on Grid.

SICSA student induction day, 2009Slide 1 Social Simulation Tutorial Session 6: Introduction to grids and cloud computing International Symposium on Grid.
What if you suspect a security incident or software vulnerability? What if you suspect a security incident at your site? DON’T PANIC Immediately inform:

What if you suspect a security incident or software vulnerability? What if you suspect a security incident at your site? DON’T PANIC Immediately inform:
Www.egi.eu EGI-InSPIRE RI-261323 www.egi.eu EGI-InSPIRE RI-261323 EGI-InSPIRE EGI services for the long tail of science Peter Solagna Senior Operations.

EGI-InSPIRE RI EGI-InSPIRE RI EGI-InSPIRE EGI services for the long tail of science Peter Solagna Senior Operations.
Www.egi.eu EGI-InSPIRE RI-261323 EGI-InSPIRE www.egi.eu EGI-InSPIRE RI-261323 Future support of EGI services Tiziana Ferrari/EGI.eu Future support of EGI.

EGI-InSPIRE RI EGI-InSPIRE EGI-InSPIRE RI Future support of EGI services Tiziana Ferrari/EGI.eu Future support of EGI.
David Groep Nikhef Amsterdam PDP & Grid Traceability in the face of Clouds EGI-GEANT Symposium – cloud security track With grateful thanks for the input.

David Groep Nikhef Amsterdam PDP & Grid Traceability in the face of Clouds EGI-GEANT Symposium – cloud security track With grateful thanks for the input.
CIS 450 – Network Security Chapter 16 – Covering the Tracks.

CIS 450 – Network Security Chapter 16 – Covering the Tracks.
EGEE ARM-2 – 5 Oct 2004 - 1 LCG Security Coordination Ian Neilson LCG Security Officer Grid Deployment Group CERN.

EGEE ARM-2 – 5 Oct LCG Security Coordination Ian Neilson LCG Security Officer Grid Deployment Group CERN.
2012 4th International Conference on Cyber Conflict C. Czosseck, R. Ottis, K. Ziolkowski (Eds.) 2012 © NATO CCD COE Publications, Tallinn 朱祐呈.

2012 4th International Conference on Cyber Conflict C. Czosseck, R. Ottis, K. Ziolkowski (Eds.) 2012 © NATO CCD COE Publications, Tallinn 朱祐呈.
Project 2 Presentation & Demo Course: Distributed Systems By Pooja Singhal 11/22/2011 1.

Project 2 Presentation & Demo Course: Distributed Systems By Pooja Singhal 11/22/
Scalable Systems Software Center Resource Management and Accounting Working Group Face-to-Face Meeting October 10-11, 2002.

Scalable Systems Software Center Resource Management and Accounting Working Group Face-to-Face Meeting October 10-11, 2002.
1 An Advanced Hybrid Peer-to-Peer Botnet Ping Wang, Sherri Sparks, Cliff C. Zou School of Electrical Engineering & Computer Science University of Central.

1 An Advanced Hybrid Peer-to-Peer Botnet Ping Wang, Sherri Sparks, Cliff C. Zou School of Electrical Engineering & Computer Science University of Central.
Www.egi.eu EGI-InSPIRE RI-261323 EGI-InSPIRE www.egi.eu EGI-InSPIRE RI-261323 EGI Federated Cloud F2F Security Issues in the cloud Introduction Linda Cornwall,

EGI-InSPIRE RI EGI-InSPIRE EGI-InSPIRE RI EGI Federated Cloud F2F Security Issues in the cloud Introduction Linda Cornwall,
Week 10-11c Attacks and Malware III. Remote Control Facility distinguishes a bot from a worm distinguishes a bot from a worm worm propagates itself and.

Week 10-11c Attacks and Malware III. Remote Control Facility distinguishes a bot from a worm distinguishes a bot from a worm worm propagates itself and.

Similar presentations

Ads by Google