By Kyle Lewis, Chair, Sirtfi Exercise Planning Working Group
On November 14–18, 2022, ten participating organizations from the InCommon Federation came together to practice cybersecurity incident response cooperation using the REFEDS Sirtfi framework. This event culminated ten months of work by InCommon’s Sirtfi Exercise Planning Working Group (SEPWG) to pull off a distributed, multi-organizational cybersecurity tabletop exercise as a proof of concept that our federation can practice cybersecurity cooperation together.
In 2021, InCommon had adopted the REFEDS Security Incident Response Trust Framework for Federated Identity (Sirtfi) as part of its Baseline Expectations for member organizations. Sirtfi provides a basic structure for establishing contact with another organization’s cybersecurity team in the event that a cybersecurity incident spans more than one organization. In our world of federated service providers (SPs) and identity providers (IdPs), a security breach has implications across organizational boundaries:
- For IdPs, what happens if one of their user accounts becomes compromised, and while compromised, that account accesses other SPs in the federation?
- For SPs, what happens if they discover that an external user account, one that routinely accesses their service, has suddenly escalated its privileges in an unauthorized manner?
Sirtfi provides a means to contact each other when bad things happen. More than being a passive framework, Sirtfi establishes an expectation that Sirtfi organizations will reach out to each other when they discover an impact on another organization, and that organizations will respond accordingly when contacted through their published security contact. The fact that InCommon included Sirtfi in its Baseline Expectations reflects an understanding that we need to talk to each other when bad things happen. The SEPWG was established based on a recognition that we need to practice what we do in incident response situations before one occurs, rather than trying to learn what to do after bad things have already happened.
During the exercise, participants from the volunteering organizations practiced identifying when a scenario involved an external organization, finding that organization’s security contacts to notify them, and using the security contact channel to communicate with other affected organizations. The participating organizations took the opportunity to identify internal areas for improvement and practice executing response plans. Overall feedback was positive with organizations identifying opportunities to enrich the training scenario and expressing the need for the community to continue these learning activities in future years.
Kyle Lewis is vice president of cybersecurity strategy at InCommon Catalyst RDCT.