Based on recent incidents in the EGI environment, we would like to highlight some guidelines and best practices that improve the security resilience of resource providers.

Prevention

  • Central logging: Ensure that logs are collected centrally by a remote service, in near real time. Attackers usually delete the logs on a compromised server; with a remote logging service in place, a copy is preserved in an external location that the compromised host cannot alter, which helps the investigation to identify the attacker’s entry point and the changes made to the system. The latter is necessary to establish the timeline of the incident. Providing a central logging service is also part of the policy that all EGI sites need to comply with [1].
  • General security recommendations: Follow EGI CSIRT’s security guidelines [2], which include the essential security measures to mitigate risks and quickly detect anomalies.
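As an added example, not part of the original EGI guidance, the following rsyslog client configuration forwards every message from a resource-centre node to a remote collector over TLS, with a disk-assisted queue so that lines are not lost while the collector is unreachable. The collector name (logs.example.org), port and certificate paths are placeholders for illustration; replace them with your site's values.

```conf
# /etc/rsyslog.d/90-remote.conf  (added example; hostname, port and paths are placeholders)
# TLS client settings. The gtls stream driver needs the rsyslog-gnutls package.
global(
  DefaultNetstreamDriver="gtls"
  DefaultNetstreamDriverCAFile="/etc/pki/rsyslog/ca.pem"
  DefaultNetstreamDriverCertFile="/etc/pki/rsyslog/client.pem"
  DefaultNetstreamDriverKeyFile="/etc/pki/rsyslog/client.key"
)

# Forward everything (*.*), auth/authpriv included, to the central collector.
# StreamDriverAuthMode="x509/name" makes the client verify the collector's
# certificate name, so logs cannot be redirected to a rogue "collector".
# The disk-assisted queue buffers messages during an outage and
# action.resumeRetryCount="-1" retries forever instead of dropping them.
*.* action(
  type="omfwd"
  target="logs.example.org" port="6514" protocol="tcp"
  StreamDriver="gtls" StreamDriverMode="1"
  StreamDriverAuthMode="x509/name"
  StreamDriverPermittedPeers="logs.example.org"
  queue.type="LinkedList" queue.filename="fwd_logs"
  queue.maxDiskSpace="1g" queue.saveOnShutdown="on"
  action.resumeRetryCount="-1"
)
```

Check the syntax with `rsyslogd -N1`, restart rsyslog, and confirm that a test message sent with `logger` arrives on the collector. The value of the setup depends on the collector being a separate host whose stored logs the monitored nodes cannot modify or delete; forwarding to a box that shares credentials with the nodes it monitors does not protect the evidence.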

Incident Response

  • Procedure Adherence: Follow the defined incident response procedures [3,4]; they will help you to stay focused and to avoid missing important steps during the investigation.
  • Communication and gathering indicators of compromise: Accurate documentation and communication are critical:
    • Provide clear and detailed information to the security team. For example: on host <hostname> (IP/DNS) we found evidence of a successful login in /var/log/secure: an SSH session was established for user <username> from host X.X.X.X at 10:08:57 CET. State the host, the log file, the account, the source address and the time, with its timezone, so that the security team can correlate the event with other sites.
    • All communications should be in English and as clear as possible, so that everyone involved can follow how the investigation is progressing.
  • Coordination: Do not take actions (for example reinstalling or powering off the host) without coordinating them with the VO and the EGI CSIRT team. Uncoordinated actions could destroy evidence and adversely affect the investigation.
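The "communication and gathering indicators of compromise" item above asks for reports of the form "on host X, /var/log/secure shows an SSH login for user Y from IP Z at time T". The following script is an added example, not part of the original EGI guidance or of any EGI tool: it parses sshd and sudo lines from a /var/log/secure excerpt, produces report lines in exactly that form (with the failed attempts that preceded each login and the sudo commands the account ran afterwards, i.e. the two halves of the timeline), and collects the source IPs and accounts to hand over as indicators. The log lines are constructed sample data, the trusted admin host 198.51.100.7 and the timezone "CET" are assumptions, and note the caveat the code documents: classic syslog timestamps carry neither year nor timezone, so the host's timezone must be reported explicitly.

```python
import re
from dataclasses import dataclass

# Constructed sample of /var/log/secure lines (not taken from a real incident).
# Classic syslog timestamps carry no year and no timezone, so the host's zone
# has to be recorded separately when reporting (here it is passed in as `tz`).
SAMPLE_SECURE_LOG = """\
Mar 14 10:07:31 ce01 sshd[21390]: Failed password for root from 192.0.2.45 port 51290 ssh2
Mar 14 10:07:35 ce01 sshd[21390]: Failed password for root from 192.0.2.45 port 51290 ssh2
Mar 14 10:08:57 ce01 sshd[21412]: Accepted password for alice from 192.0.2.45 port 51324 ssh2
Mar 14 10:08:58 ce01 sshd[21412]: pam_unix(sshd:session): session opened for user alice by (uid=0)
Mar 14 10:09:10 ce01 sshd[21440]: Accepted publickey for bob from 198.51.100.7 port 40022 ssh2: RSA SHA256:Qm9nZXJz
Mar 14 10:12:03 ce01 sudo:    alice : TTY=pts/1 ; PWD=/home/alice ; USER=root ; COMMAND=/bin/bash
"""

# sshd authentication results; "invalid user" is inserted for unknown accounts.
SSHD_AUTH = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<result>Accepted|Failed) (?P<method>\S+) for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>[0-9a-fA-F.:]+) port (?P<port>\d+)"
)
# sudo command records as written by pam/sudo to the secure log.
SUDO_CMD = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) sudo:\s+(?P<user>\S+) : "
    r".*COMMAND=(?P<cmd>.+)$"
)


@dataclass(frozen=True)
class Login:
    line_no: int  # position in the log, used to order later events
    ts: str
    host: str
    user: str
    ip: str
    port: int
    method: str


def parse_ssh_auth(text):
    """Split sshd authentication lines into (accepted, failed) Login lists, in log order."""
    accepted, failed = [], []
    for no, line in enumerate(text.splitlines(), 1):
        m = SSHD_AUTH.match(line)
        if not m:
            continue
        rec = Login(no, m["ts"], m["host"], m["user"], m["ip"], int(m["port"]), m["method"])
        (accepted if m["result"] == "Accepted" else failed).append(rec)
    return accepted, failed


def sudo_commands_after(text, login):
    """sudo commands run by the logged-in account after the login line:
    the 'changes made to the system' half of the timeline."""
    cmds = []
    for no, line in enumerate(text.splitlines(), 1):
        m = SUDO_CMD.match(line)
        if m and no > login.line_no and m["user"] == login.user:
            cmds.append((m["ts"], m["cmd"]))
    return cmds


def report(text, tz="CET", known_sources=frozenset()):
    """Report lines in the form the CSIRT asks for: host, log file, account,
    source IP and time, plus the context an analyst wants next to them.
    Logins from `known_sources` (expected admin hosts) are left out."""
    accepted, failed = parse_ssh_auth(text)
    lines = []
    for lg in accepted:
        if lg.ip in known_sources:
            continue
        prior = sum(1 for f in failed if f.ip == lg.ip and f.line_no < lg.line_no)
        msg = (f"On host {lg.host}, /var/log/secure shows an accepted SSH {lg.method} login "
               f"for user {lg.user} from {lg.ip} (port {lg.port}) at {lg.ts} {tz}")
        if prior:
            msg += f", preceded by {prior} failed attempt(s) from the same IP"
        lines.append(msg + ".")
        for ts, cmd in sudo_commands_after(text, lg):
            lines.append(f"  {ts} {tz}: {lg.user} ran via sudo: {cmd}")
    return lines


def indicators(text, known_sources=frozenset()):
    """Indicators of compromise to pass on: suspicious source IPs and the accounts they used."""
    accepted, _ = parse_ssh_auth(text)
    suspicious = [lg for lg in accepted if lg.ip not in known_sources]
    return {"source_ips": sorted({lg.ip for lg in suspicious}),
            "accounts": sorted({lg.user for lg in suspicious})}


if __name__ == "__main__":
    trusted = {"198.51.100.7"}  # assumed admin bastion; everything else is reported
    print("\n".join(report(SAMPLE_SECURE_LOG, known_sources=trusted)))
    print(indicators(SAMPLE_SECURE_LOG, known_sources=trusted))
```

Run it against the copy of /var/log/secure on the central log server rather than the file on the compromised host, since the local copy may already have been edited; the lines it prints can be pasted into the report to the security team as they are, and the indicator dictionary is what the CSIRT needs to check for the same source addresses at other sites.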

Post Incident

  • Post-incident analysis is essential to ensure that the security gaps and any flaws in the set-up of your resource center that caused the incident or hindered your incident response are removed or mitigated. This could be achieved, for example, by setting up a central log facility, applying access rules, restricting SSH access, or patching vulnerabilities where needed.
  • Review your internal security policies and procedures, and address any issues you identify to make your handling of security matters as effective as possible.
  • Review security controls: Ensure that all recommended security measures are implemented. This iterative process strengthens the security posture and improves the protection of your system against threats.
  • These reviews should become part of a continuous improvement process to ensure that the effectiveness of your resource center security implementation does not degrade over time.

[1]
https://documents.egi.eu/public/RetrieveFile?docid=2934&filename=EGI-SPG-Traceability-Logging_V2.pdf&version=4

[2]
https://confluence.egi.eu/display/EGIBG/Server+management+guidelines

[3]
https://confluence.egi.eu/display/EGIPP/SEC01+EGI+CSIRT+Security+Incident+Handling+Procedure

[4]
https://documents.egi.eu/public/RetrieveFile?docid=2935&filename=EGI-SPG-Security-Incident-Response_V2.pdf&version=4