Carlos Fuentes Bermejo <[email protected]>

GRID Security Incident Handling

3rd TERENA NREN-Grids Workshop, Paris, 27-28th April 2006

Page 2

Index

Incident Handling

How we deal with GRID incidents

Future

Page 3

Incident Handling - Services

Provide technical support

• Through coordination with other CSIRTs

• Forensic analysis

• Information to detect, prevent, and recover from vulnerabilities and attacks

Security audit / Security tools / Documentation

Provide a center for incident handling support to system and network administrators and system users in our community.

Coordinate with other internal/external CSIRTs to analyze the root cause of the incidents.

GOAL --> Ensure the security of the network infrastructure

Page 4

Incident Handling at IRIS-CERT

Incident Life Cycle

Page 5

Incident Handling at IRIS-CERT (2)

Using RTIR (Request Tracker for Incident Response)

Own whois database

• Each IP belongs to an institution with a verified contact point

• Fine-grained mapping mechanisms

Complaints come into RTIR

• By mail/fax/telephone from other CSIRTs/external individuals

• By our IDS sensors

Look through our network flows to verify, if possible, the complaint

Redirect the complaint to the customer

• Mainly IT staff

• Work with them to fix the problem

• Get, if possible, feedback

Page 6

Incident Handling at IRIS-CERT (3)

Page 7

Incident Handling at IRIS-CERT (4)

Page 8

Incident Handling at IRIS-CERT (5)

Page 9

Grid Incident Handling - 1st Approach

Incidents are GRID neutral

GRID doesn’t need a special treatment for IH

• IRIS-CERT will follow/use the same procedure for IH

IRIS-CERT won’t care about GRID infrastructure

• An IP belongs to an institution

• Each part of the GRID is under a regular institution

• Complaints are sent to IT centers and they are redirected

Problems:

• Slow answer to the problem

• Most IT groups treat GRID machines as normal

• Bad feelings between IT staff and GRID people

Page 10

Grid Incident Handling - 2nd Approach

IH workflow is still the same

• Including little exceptions

A new game zone

• Institution changes its meaning

• A GRID is a super-institution running over several institutions

• New kinds of security problems

Major coordination

• A compromised machine affects more users & institutions

Page 11

Grid Incident Handling - 2nd Approach

GRID institution

• Security point of contact

• Define the infrastructure

GRID incident MUST require

• A shorter response time from GRID’s CERT

• A deeper analysis of the compromise

• A deeper follow-up

• An answer
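The complaint-routing workflow on pages 5, 9, 10 and 11 (whois lookup of the institution that owns an IP, fine-grained mapping, verification against network flows, redirection to the IT contact, and the GRID as a super-institution with its own security point of contact) as an added Python example. This is not code from the slides or from IRIS-CERT; every prefix, contact address, grid membership and flow record below is constructed sample data, and the longest-prefix match is an assumed way to implement the "fine-grained mapping" the slides mention.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
import ipaddress


@dataclass(frozen=True)
class Allocation:
    """One whois-style entry: an address block owned by an institution,
    together with its verified contact point (constructed values)."""
    prefix: ipaddress.IPv4Network
    institution: str
    contact: str


@dataclass(frozen=True)
class Grid:
    """A GRID as a 'super-institution': a security point of contact plus the
    set of hosts, spread over several institutions, that belong to it."""
    name: str
    security_contact: str
    nodes: frozenset


# Constructed whois data: a coarse institutional block plus a more specific
# departmental sub-block with its own contact (the fine-grained mapping).
ALLOCATIONS = (
    Allocation(ipaddress.ip_network("192.0.2.0/24"), "Univ-A", "[email protected]"),
    Allocation(ipaddress.ip_network("192.0.2.128/26"), "Univ-A/Physics", "[email protected]"),
    Allocation(ipaddress.ip_network("198.51.100.0/24"), "Univ-B", "[email protected]"),
)

# Constructed grid membership: nodes in two different institutions.
GRIDS = (
    Grid("example-grid", "[email protected]",
         frozenset({ipaddress.ip_address("192.0.2.130"),
                    ipaddress.ip_address("198.51.100.7")})),
)

# Constructed flow records: (timestamp, src, dst, dst_port).
FLOWS = (
    (datetime(2006, 4, 27, 9, 55), "192.0.2.130", "203.0.113.40", 22),
    (datetime(2006, 4, 27, 9, 56), "192.0.2.130", "203.0.113.41", 22),
    (datetime(2006, 4, 27, 14, 0), "192.0.2.5", "203.0.113.9", 80),
)

# Time a hypothetical complaint was reported to the CERT.
REPORT_TIME = datetime(2006, 4, 27, 10, 0)


def lookup_institution(ip):
    """Longest-prefix match: the most specific allocation wins, so a
    departmental sub-block overrides the institution-wide contact."""
    addr = ipaddress.ip_address(ip)
    matches = [a for a in ALLOCATIONS if addr in a.prefix]
    return max(matches, key=lambda a: a.prefix.prefixlen, default=None)


def grid_memberships(ip):
    """Grids in which this host participates (usually zero or one)."""
    addr = ipaddress.ip_address(ip)
    return [g for g in GRIDS if addr in g.nodes]


def verify_in_flows(ip, reported_at, window=timedelta(minutes=30), dst_port=None):
    """Flows from the reported source inside +/- window of the report time,
    optionally restricted to the destination port named in the complaint."""
    start, end = reported_at - window, reported_at + window
    return [f for f in FLOWS
            if f[1] == ip and start <= f[0] <= end
            and (dst_port is None or f[3] == dst_port)]


def route_complaint(ip, reported_at, dst_port=None):
    """Decide who receives the complaint and with what priority."""
    alloc = lookup_institution(ip)
    if alloc is None:
        return {"status": "not-in-constituency", "recipients": []}
    grids = grid_memberships(ip)
    evidence = verify_in_flows(ip, reported_at, dst_port=dst_port)
    # Institution IT contact always; grid security contact added when the
    # host is a grid node, since the compromise then spans institutions.
    recipients = [alloc.contact] + [g.security_contact for g in grids]
    return {
        "status": "verified" if evidence else "unverified",
        "institution": alloc.institution,
        "grids": [g.name for g in grids],
        "priority": "high" if grids else "normal",
        "recipients": recipients,
        "evidence": evidence,
    }


if __name__ == "__main__":
    for ip in ("192.0.2.130", "192.0.2.5", "203.0.113.9"):
        print(ip, route_complaint(ip, REPORT_TIME, dst_port=22))
```

The grid node 192.0.2.130 resolves to the departmental contact (most specific prefix), picks up the grid security contact as a second recipient and is escalated to high priority; a plain institutional host gets the ordinary IT contact only, and an address outside the constituency is returned unrouted.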

Page 12

Future

Closer relation between NREN CERTs and the GRID community

• IRIS-GRID

• EGEE II

Two fields

• Policies: proposal at e-IRG (e-Infrastructure Reflection Group) about IH coordination

• Technological

Page 13

Future (2)

Two fields

• Policies

• Technological

  • Information retrieval (Whois, …)

  • Specific vulnerabilities

  • Interchange format (IODEF?, …)

  • Mutual trust (PKIs, AAIs, …)

  • Handling tool harmonization (RTIR, …)

Page 14

RTIR Working Group

Running under TERENA’s task force TF-CSIRT

The aim of this working group

• Extend the current application

• New functionalities

• Make it more adaptable for general use of new, as well as established, CSIRTs

Members of the project:

• ACOnet-CERT

• CERT Polska

• CERT.PT

• GovCERT.NL

• IRIS-CERT

• JANET-CERT

• LITNET-CERT

• SUNET-CERT

• SWITCH-CERT

Page 15

RTIR Working Group (2)

Project status

• Duration is about a year and a half

• Cost is $95.350

• Contract signed between TERENA and Bestpractical on 6th September

• Started on 6th October

• First milestone is almost over, under testing period

New functionalities

• RT interaction/integration

• Multiple constituency

• Full GPG integration

• New reporting tool

• RTFM (RT FAQ Manager) integration

• Cleaning and incident aging tool

• Documentation

Considering functionalities

• IODEF integration

Page 16

Questions?