Incident Response Scenarios

Incident 1

Initial Scenario: The NREN reports suspicious mailing activity from the site's CE.

OSCT reviewers: Romain Wartel

Responder: Local site administrator (LSA)

Proposed actions:

  • LSA reports the incident to his local security contact
  • The local security contact contacts project-lcg-security-csirts@cernNOSPAMPLEASE.ch
  • LSA declares a downtime for the CE in the GOCDB
  • LSA isolates the compromised system and runs appropriate forensics
  • Help from the OSCT can be requested through the LSA's ROC Security Contact
  • LSA sends out a closing report containing lessons learned and the resolution to project-lcg-security-contacts@cernNOSPAMPLEASE.ch
  • LSA restores the service and updates the GOCDB

Responder needed:

  • To know who his local security contact is, and that contact's email address and/or phone number
  • To have sufficient credentials on the GOCDB
  • To have sufficient forensics skills

Comments

  • The local procedure followed by the NREN or ISP will be to firewall out the CE. Consequently the CE will fail SFTs, appear in ERROR in gstat, and the site administrator will notice this anyway.
  • I would put "isolates the compromised system" more to the top of the list.
  • LSAs that do not know who their security contact is should not exist. The current procedure is that if they really do not know him, or he is away, they contact project-lcg-security-officer@cernNOSPAMPLEASE.ch. It is possible that they contact the ROC security contact, who will then escalate to project-lcg-security-csirts@cernNOSPAMPLEASE.ch.

Incident 2

Initial Scenario: A user claims his certificate has been used without his knowledge, according to accounting information.

OSCT reviewers: Emanouil Atanassov

Responder: ROC Security Contact (RSC) as GGUS Security support staff

Proposed actions:

  • One of the RSCs takes responsibility for handling this case because the user seems to come from his ROC or the site mentioned is in his ROC. The RSC evaluates the importance of the case. We assume the incident is classified by the RSC as genuine and of MEDIUM importance.
  • The RSC forwards this information to project-lcg-security-csirts@cernNOSPAMPLEASE.ch, asking site security contacts to ban the user from their sites.
  • The RSC forwards this information to the respective CA, asking for revocation of this certificate. CA contacts are at http://lcg.web.cern.ch/LCG/users/registration/certificate.html
  • The RSC forwards this information to the VO manager, requesting temporary suspension of the user from the VO. VO contacts are at http://lcg.web.cern.ch/LCG/activities/security/contacts.html
  • The RSC notifies the user about the actions taken.
  • The RSC or other authorized personnel may propose the establishment of a team, headed by the RSC.
  • The team coordinates the investigation and containment of the incident, contacting the sites that ran the presumably unauthorized jobs, and the user, asking them to uncover as much information as possible.
  • The emphasis of the investigation is first to confirm the unauthorized activity, then to understand what kind of activity was going on and what kind of measures are needed to confine this activity and prevent its reappearance.
  • Affected sites follow the relevant procedures.
  • Discussion of the incident and the related actions happens on project-lcg-security-contacts@cernNOSPAMPLEASE.ch
  • A team is formed if damage from the incident seems to reclassify it as HIGH importance. In this case team members communicate with each other using phones, signed and/or encrypted emails, etc.

Responder needed:

  • To have sufficient authority to request certificate revocation, suspension from the VO, and a ban from the sites.
  • Sites must have sufficient skills to resolve the situation. Specifically, they must know how to ban a particular user, how to trace a particular job, and how to check for a root compromise of a node.
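Two of the site-side skills listed above, tracing activity back to a certificate DN and banning that DN, worked through as an added example. This is not code from the OSCT page or from the LCG middleware. The log lines are constructed in the style of a Globus gatekeeper log (the "Authenticated globus user:" and "Authorized as local user:" notices), the DNs and addresses are invented, and the LCAS ban_users.db format (one double-quoted DN per line) is assumed from the LCAS documentation rather than taken from this page.

```python
"""Trace a certificate DN through a gatekeeper log and produce its LCAS ban entry.

Added example, not part of the OSCT page. SAMPLE_LOG is CONSTRUCTED in the
style of globus-gatekeeper.log; the ban_users.db format is an assumption.
"""
import re
from collections import OrderedDict

# The DN the user says was used without his knowledge (constructed).
SUSPECT_DN = "/DC=org/DC=example/OU=People/CN=Jane Doe 1234"

# Constructed gatekeeper log: three connections, two under the suspect DN.
SAMPLE_LOG = """\
TIME: Wed Nov  5 10:23:45 2008
 PID: 12345 -- Notice: 6: Got connection 203.0.113.5 at Wed Nov  5 10:23:45 2008
 PID: 12345 -- Notice: 5: Authenticated globus user: /DC=org/DC=example/OU=People/CN=Jane Doe 1234
 PID: 12345 -- Notice: 5: Requested service: jobmanager-lcgpbs
 PID: 12345 -- Notice: 5: Authorized as local user: dteam003
 PID: 12345 -- Notice: 5: Authorized as local uid: 40003
TIME: Wed Nov  5 10:24:02 2008
 PID: 12346 -- Notice: 6: Got connection 192.0.2.17 at Wed Nov  5 10:24:02 2008
 PID: 12346 -- Notice: 5: Authenticated globus user: /DC=org/DC=example/OU=People/CN=Bob Smith 5678
 PID: 12346 -- Notice: 5: Requested service: jobmanager-fork
 PID: 12346 -- Notice: 5: Authorized as local user: dteam001
TIME: Wed Nov  5 23:41:09 2008
 PID: 12401 -- Notice: 6: Got connection 198.51.100.9 at Wed Nov  5 23:41:09 2008
 PID: 12401 -- Notice: 5: Authenticated globus user: /DC=org/DC=example/OU=People/CN=Jane Doe 1234
 PID: 12401 -- Notice: 5: Requested service: jobmanager-lcgpbs
 PID: 12401 -- Notice: 5: Authorized as local user: dteam003
"""

# One gatekeeper child process (PID) handles one connection; group notices by it.
LINE_RE = re.compile(r"^\s*PID:\s*(\d+)\s*--\s*Notice:\s*\d+:\s*(.*)$")
PATTERNS = {
    "peer": re.compile(r"^Got connection (\S+) at (.+)$"),
    "dn": re.compile(r"^Authenticated globus user: (.+)$"),
    "service": re.compile(r"^Requested service: (\S+)$"),
    "local_user": re.compile(r"^Authorized as local user: (\S+)$"),
}


def parse_gatekeeper_log(text):
    """Return one record per connection (PID) with peer, time, DN, service, pool account."""
    sessions = OrderedDict()
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # 'TIME:' separators and other lines carry no per-PID data
        pid, msg = int(m.group(1)), m.group(2)
        rec = sessions.setdefault(pid, {"pid": pid})
        for key, pat in PATTERNS.items():
            pm = pat.match(msg)
            if pm and key == "peer":
                rec["peer"], rec["time"] = pm.group(1), pm.group(2)
            elif pm:
                rec[key] = pm.group(1).strip()
    return list(sessions.values())


def trace_dn(sessions, dn):
    """Connections authenticated with exactly this DN. Exact match only: a DN is a
    full identity and a substring match could attribute another user's jobs."""
    return [s for s in sessions if s.get("dn") == dn]


def incident_summary(log_text, dn):
    """What the RSC asks a site for: which pool accounts and peers the DN used."""
    hits = trace_dn(parse_gatekeeper_log(log_text), dn)
    return {
        "connections": len(hits),
        "local_users": sorted({h["local_user"] for h in hits if "local_user" in h}),
        "peers": sorted({h["peer"] for h in hits if "peer" in h}),
        "pids": [h["pid"] for h in hits],
    }


def ban_entry(dn):
    """LCAS ban_users.db line for the DN: the DN double-quoted (assumed format)."""
    if '"' in dn or "\n" in dn:
        raise ValueError("DN contains characters that would corrupt the ban file")
    return '"%s"' % dn


def is_banned(ban_db_text, dn):
    """True if the DN already appears in ban_users.db content (comments ignored)."""
    for line in ban_db_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        if line.strip('"') == dn:
            return True
    return False


if __name__ == "__main__":
    print("activity under DN:", incident_summary(SAMPLE_LOG, SUSPECT_DN))
    print("add to ban_users.db:", ban_entry(SUSPECT_DN))
```

The summary gives the site the pool account (here dteam003) whose batch jobs must be found and killed; the ban only stops new authorizations. Because pool accounts are recycled, the site should confirm the gridmapdir lease still points at this DN before blaming it for anything else seen under that account.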

Incident 3

Initial Scenario: COD receives a report from 3 sites A, B, C complaining about site D submitting too many jobs to their CEs. Site D does not respond to standard CIC escalation procedures (email, phone).

OSCT reviewers: ?

Responder: CIC on duty staff (COD)

Proposed actions:

* * * *

Responder needed:

* *

Incident 4

Initial Scenario: A sysadmin reports a full root compromise on a WN (confirmed by chkrootkit), but does not know what to do!

OSCT reviewers: ?

Responder: ROC Security Contact (RSC) as GGUS Security support staff

Proposed actions:

* * * *

Responder needed:

* *

Incident 5

Initial Scenario: A thread on LCG-ROLLOUT reveals that several malicious users have been found to exploit an undocumented vulnerability on the RBs, allowing them to impersonate other users.

OSCT reviewers: ?

Responder: OSCT

Proposed actions:

* * * *

Responder needed:

* *

Incident 6

Initial Scenario: VOM is notified that illegal material from one of his VO users has been found on an SE at site A. The police are involved.

OSCT reviewers: ?

Responder: VO manager (VOM)

Proposed actions:

* * * *

Responder needed:

* *

Topic revision: r4 - 2008-10-30 - MichaelRoth