After the serious compromise of 2022, the Zebra Scientific Alliance has been compromised again – hit hard by an attacker. Zebra’s IT experts and computer emergency response teams are on the prowl, trying to get to the bottom of the malicious deeds. The scenario is opaque. Details are unclear. Log files are missing. Time is running out. Pressure rises. The police are pushing. Journalists are inquiring. And nothing is as it seems.
Fortunately, Zebra is not real. Fortunately, nobody has been attacked here. Fortunately, this is just a table-top exercise for system administrators, computing personnel and security experts to better understand the complexity of today’s IT sphere, the interconnectivity of data centres and the problems that can arise when resolving large-scale cyber-security incidents. A mysterious, but serious, crime, for which teams have to join forces. In order to save the Zebra Scientific Alliance from disaster. To protect its reputation. To enable research to resume quickly. And to find the culprit who has put Zebra’s mission at risk.
The exercise has been designed to depict the complexity of real computer security incidents as handled in the past by the CERN, EGI and WLCG computer security incident response teams (CSIRTs). Usually, such incidents are vast, involving lots of different partners, several physically distant sites and administrators responsible for different layers of the local software stack, like the operating system, web applications and databases. Some administrators might not understand or know what is running within their data centre, others are busy with daily operations and reluctant to help, and others might not even speak or understand your language. Local computer emergency response teams might lack the necessary skills or tools, or might simply not exist. Access and system logs are usually incomplete and almost certainly distributed across systems, so they need to be gathered together before anyone can form a more holistic picture of what is going on. Attackers use their skills to further obfuscate this picture, trying to hide their traces, manipulate or purge logs and sabotage any incident investigation in order to avoid getting caught. And management is pressing to get the incident resolved so that personnel can get back to focusing on their core work and computing services can resume operations.
In summary, large-scale computer security incident response is stressfully fun. This exercise will bring that fun to you. Teaching you the inherent problems of incident response. Making you aware of the struggles involved. And pointing you towards ways that we all can do better.
So, stay tuned. A Zebra scenario played out just last month at CERN, and another edition will be organised soon, looking to recruit people with a bit of an IT or security background to participate in this table-top exercise designed to promote better understanding of large-scale incident response. Sign up to get the call at firstname.lastname@example.org (https://e-groups.cern.ch/e-groups/EgroupsSubscription.do?egroupName=cert-security-info).
Do you want to learn more about computer security incidents and issues at CERN? Follow our Monthly Report. For further information, questions or help, check our website or contact us at Computer.Security@cern.ch.