Talk G-3: Simulation of a large-scale Security Incident - Keeping juggling red/blue/white balls

In this presentation we report on a recent global security exercise organised
by the security team of EGI e-Infrastructure (EGI CSIRT), together with the
target user research community and other infrastructures.
The main purpose of the exercise was to challenge current procedures and their usability.

Dozens of research compute sites were targeted by an allegedly malicious
payload and got drawn into the investigation of a large-scale incident.
Hundreds of mails were exchanged among the sites, the coordinating EGI CSIRT
and various infrastructure service providers, from which the blue team was
trying to gradually build the overall picture of the incident and keep all the
parties informed. In the meantime the red team had to fix outages of the
attacking infrastructure, making sure the exercise could smoothly proceed.

We will provide an overview of the whole activity and will summarize findings
and the received feedback. We will discuss organization aspects and experience
how we demonstrated the importance of a close and maintained collaboration of
the relevant Security Teams to bridge between European and US operational
security for participating infrastructures as well as general services, like
AAI facilitated by eduGAIN.

As an additional component, for participating site administrators we prepared a
CTF-like game to guide the attendees through essential forensics investigation
of the payload. We will open the same CTF for the session participants so they
could enjoy a simple technical exercise.