The following table is updated after every review of this procedure.
This procedure is aimed at minimising the impact of security incidents by encouraging post-mortem analysis and promoting cooperation between Resource Centres.
It is based on the Security Incident Response Policy.
- EGI-CSIRT Security Officer on Duty: irtf at mailman.egi.eu
- NGI Security Officer: NGI Security E-Mail as defined in GOC-DB Configuration Database
- Resource Center: RC CSIRT E-Mail as defined in GOC-DB Configuration Database
- abuse at egi.eu: Address to be used for reporting security incidents (in case of TLP:RED data, use GPG: A97F 3BDD F0EE 01A1 176C C13A 93BF 7F91 5696 F750)
- site-security-contacts at mailman.egi.eu: Mailing list containing all Resource Center "CSIRT E-Mail" as defined in GOC-DB Configuration Database
- ngi-security-contacts at mailman.egi.eu: Mailing list containing all NGI "Security E-Mail" as defined in GOC-DB Configuration Database
A Security incident has been identified.
The following table describes the actions to be taken when an incident potentially affecting EGI users, data, services or infrastructure is suspected. Administrators are recommended to take note of every action they take (with timestamp), for later analysis or legal cases.
|1||Inform your local security team, your NGI Security Officer and the EGI CSIRT via firstname.lastname@example.org. You are encouraged to use the recommended templates.||Within 4 hours of discovery|
|2||In consultation with your local security team and the EGI CSIRT, act to isolate the compromised systems and contain the incident whilst preserving forensic data. Take a snapshot of affected VMs. Isolate at the network level if possible. Do NOT reboot or power off hosts. Do NOT destroy VMs. Physically disconnect systems from the network ONLY where other options are not available.||Within 1 day of discovery|
|3||Together with your local security team and the EGI CSIRT decide if it is an incident that requires further investigation or action.|
|4||If applicable, announce downtime for the affected services in accordance with the EGI Operational Procedures||Within 1 day of isolation|
|5||Perform appropriate analysis and take necessary corrective actions, see Incident Analysis Guideline||Within 4 working hours of any EGI CSIRT request|
|6||Coordinate with your local security team and the EGI CSIRT to send an incident closure report to the EGI CSIRT via email@example.com, including lessons learnt and resolution. This report should be labelled AMBER or RED, according to the||Within 1 month of incident resolution|
|7||Restore the service and, if needed, update the service documentation and procedures to prevent recurrence as necessary.|
Resource Centre Checklist
- Evaluate the initial incident report and determine whether it appears to be part of an incident covering multiple RCs, in particular, whether it is related to a previously known incident (e.g. do the same attacking IP addresses appear, are the attacker's tools and methodology strongly similar):
- If this is a new, unrelated incident, assign an identifying tag (of the format [EGI-YYYYMMDD-NN]) to the incident and announce it to all RCs via firstname.lastname@example.org, all NGIs via email@example.com and the EGI CSIRT via firstname.lastname@example.org using the recommended templates.
- If the incident is part of an incident covering multiple RCs, the incident coordinator MAY choose not to announce each incident separately, but instead issue regular updates on the overall incident.
- Take any appropriate actions in order to:
- Contact affected parties to obtain accurate information at an appropriate level of detail and in a timely manner.
- Investigate to determine the cause and extent of the incident, what assets have been compromised (credentials etc.), and how to resolve the incident.
- Help involved RCs to resolve the incident by providing recommendations, promoting collaboration with other RCs and periodically checking their statuses.
- Maintain communications with any other involved parties inside and outside EGI.
- When appropriate, send updated:
- Summary reports to all RCs, NGIs and the EGI-CSIRT (email@example.com, firstname.lastname@example.org and email@example.com), containing the status of the incident and indicators of compromise that RCs can use to evaluate whether they are affected
- Detailed reports to the RCs directly involved and affected by the incident, containing interesting findings or possible leads that could be used to resolve the incident
- If malicious behaviour or a policy violation can be linked to a user account or identity:
- Add the account or identity to the emergency suspension list following the appropriate procedure.
- If applicable, report the incident to the VO providing access. Coordinate any user suspension and job termination with the VO.
- Without hindering the investigation, verify the legitimacy or otherwise of the activity with the owner of the account or identity
- If user credentials have been exposed or compromised, report it to the relevant credential provider. In particular, CA contacts are available on https://www.eugridpma.org/showca.
- When suspended accounts or identities no longer represent a threat, typically when the incident is resolved and compromised credentials have been re-issued, remove them from the emergency suspension list
- When a virtual appliance is identified as being vulnerable or malicious, ensure that:
- Its endorsement is revoked on APP-DB
- All instantiated and running VMs using this virtual appliance are properly handled
- Based on the incident closure report received from the affected RC, send a closure report with the relevant information to all partners.
- Report any action taken to the EGI CSIRT as often as necessary
- Identify and kill suspicious process(es) as appropriate, but aim at preserving the information they could have generated, both in memory and on disk, by dumping them beforehand; see the Forensics Howto.
- If it is suspected that any credentials have been abused or compromised, you MUST inform the EGI CSIRT who take appropriate action. Inform the EGI CSIRT of any direct contact with the involved VO, CA or any other credential provider.
- If it is suspected that a virtual appliance used to instantiate an affected virtual machine is vulnerable or malicious, you MUST report it to the EGI CSIRT.
- Seek help from your local security team, from your NGI Security Officer or from the EGI CSIRT
- If relevant, additional reports containing suspicious patterns, IP addresses, files or evidence that may be of use to other infrastructure parties SHOULD be sent to the EGI CSIRT.
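
One way to carry out the "dump before kill" step above on a Linux host, keeping the timestamped action log the procedure recommends. This is an added example, not part of the EGI procedure or its Forensics Howto; the function names, the output layout and the `DUMP_MEMORY` switch are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not EGI code): save a process's volatile state before killing it.
# Assumes Linux /proc and sha256sum; names and output layout are illustrative.

log_action() {  # timestamped record of every action, for the later report
    printf '%s %s\n' "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$*" >> "$EVID/actions.log"
}

preserve_process() {  # usage: preserve_process PID EVIDENCE_DIR
    pid=$1
    EVID=$2/pid-$pid
    [ -d "/proc/$pid" ] || return 1
    mkdir -p "$EVID" || return 1
    log_action "begin collection for pid $pid"
    # Freeze the process so its state cannot change while it is copied
    kill -STOP "$pid" 2>/dev/null && log_action "sent SIGSTOP"
    for f in status maps; do
        cat "/proc/$pid/$f" > "$EVID/$f" 2>/dev/null
    done
    # cmdline and environ are NUL-separated; make them readable
    tr '\0' ' ' < "/proc/$pid/cmdline" > "$EVID/cmdline" 2>/dev/null
    tr '\0' '\n' < "/proc/$pid/environ" > "$EVID/environ" 2>/dev/null
    ls -l "/proc/$pid/fd" > "$EVID/open_fds" 2>/dev/null
    readlink "/proc/$pid/cwd" > "$EVID/cwd" 2>/dev/null
    # /proc/PID/exe still yields the binary if it was deleted from disk
    cp "/proc/$pid/exe" "$EVID/exe.bin" 2>/dev/null && log_action "copied executable"
    # Full memory image is opt-in (hypothetical DUMP_MEMORY switch) and needs gcore
    if [ "${DUMP_MEMORY:-0}" = 1 ] && command -v gcore >/dev/null 2>&1; then
        gcore -o "$EVID/core" "$pid" >/dev/null 2>&1 && log_action "memory dumped"
    fi
    log_action "collection complete; process left stopped"
    # Hash the evidence so later modification is detectable
    ( cd "$EVID" && sha256sum ./* ) > "$EVID.sha256" 2>/dev/null
}

if [ "$#" -ge 2 ]; then
    preserve_process "$1" "$2"
fi
```

The process is left in the stopped state so that the decision to kill it stays with the administrator; write the evidence directory to storage outside the affected system where possible.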