trustedci/OSCRP

Remove use case from Astronomy Dept/Trojaned SSH binaries

Closed this issue · 4 comments

The use case section is long and primarily motivational. This use case looks like it could be removed without loss of any critical concepts:

A group of very fast-moving intruders gained access to systems in Astronomy departments at numerous universities using techniques similar to the above. A core group of computers that were compromised and running Trojaned SSH binaries were associated with a research project being run from a physically remote location with poor network connectivity, and at the time the intrusion was discovered, ALL personnel directly familiar with the configuration and management of these systems were at that location, which greatly hampered investigation and recovery, and extended the period of down time for these systems. Most of the systems involved were run by scientists, not system administrators, who understandably prioritized science over system management and documentation. System names were reused several times, and in some cases servers back at the university had names that indicated a connection with the project, when in fact there was no current relationship with the project. Downtime, widespread credential changes, and general confusion all impacted the research project.
Assets: Staff computing & networking and networks
Concerns: Device inaccessible, devices exposing sensitive information and transport prevented
Consequences: Lost science time

I included it because the particulars of the incident were different from the other trojaned ssh binaries incident, but maybe it can somehow be combined with the other example in the interests of space. To me those two incidents had quite different complicating factors, but maybe that distinction doesn't come through or isn't likely to be of interest to the reader. I'd been working on finding additional examples for this section, but if it's too long already should I abandon that effort? Are these examples varied enough to serve their intended function?

On Wed, Oct 12, 2016 at 10:27:26AM -0700, kstocks wrote:

> The use case section is long and primarily motivational. This use case looks
> like it could be removed without loss of any critical concepts:
> A group of very fast-moving intruders gained access to systems in Astronomy
> departments at numerous universities using techniques similar to the above. A
> core group of computers that were compromised and running Trojaned SSH binaries
> were associated with a research project being run from a physically remote
> location with poor network connectivity, and at the time the intrusion was
> discovered, ALL personnel directly familiar with the configuration and
> management of these systems were at that location, which greatly hampered
> investigation and recovery, and extended the period of down time for these
> systems. Most of the systems involved were run by scientists, not system
> administrators, who understandably prioritized science over system management
> and documentation. System names were reused several times, and in some cases
> servers back at the university had names that indicated a connection with the
> project, when in fact there was no current relationship with the project.
> Downtime, widespread credential changes, and general confusion all impacted the
> research project.
> Assets: Staff computing & networking and networks
> Concerns: Device inaccessible, devices exposing sensitive information and
> transport prevented
> Consequences: Lost science time



RuthAnne Bevier
Chief Information Security Officer
California Institute of Technology
ruthanne@caltech.edu
626-395-2671

How about this, a combination of the two incidents listed under Possibly Targeted, since it is true that the second incident shared many features with the first:

A group of hackers gained access to a vulnerable scientific computing cluster at University A and quickly determined that these computers were used by collaborators at other universities. The intruders used credentials captured on systems at University A to get into multiple compute clusters in research labs at University B and University C, collecting new captured credentials along the way and gaining additional access to other university systems. Compromised systems were down and unusable for several days in waves at the affected sites, while sysadmins and security personnel investigated the intrusions and rebuilt the affected systems. Users were affected by the downtime and urgent credential change requirements -- in some cases, more than once while the nature of the intrusions was still being investigated. Affected systems were re-hacked during this incident as a result of some privileged users' failure to change credentials. Investigation and remediation were complicated further at University A because the research project these systems served involved a physically remote location with poor network connectivity. At the time the intrusion was discovered, all personnel directly familiar with the configuration and management of these systems were at the remote location, with little in the way of explanatory documentation left for local IT staff to rely on while attempting to investigate and resolve the incident. Downtime, widespread credential changes, and general confusion all impacted the research project.


Asset: Servers (compute clusters), staff computing & networking and networks

Concerns: Devices inaccessible and devices exposing sensitive information and transport prevented

Consequences: Lost science time

I like the new text!

Thanks - I've added it. I'll close this issue.