By Kyle Lewis, Chair, Sirtfi Exercise Planning Working Group
On November 17–23, 2023, 16 university, federation, and government security teams came together to participate in InCommon’s second annual cybersecurity cooperation exercise and practice using the REFEDS Sirtfi framework in a scripted scenario. Sirtfi is part of InCommon’s baseline expectations. In addition to InCommon organizations, the exercise saw participation from the Australian Access Federation and the Research and Education Advanced Network New Zealand.
The Framework: The Sirtfi framework provides federation identity providers (IdPs) and service providers (SPs) a means to communicate and coordinate security incident responses when bad actors go after multiple federation organizations.
The Scenario: This year’s scenario expanded the narrative complexity from last year with a background story of two unrelated malicious actors going after SP data at the same time, using (simulated) compromised accounts from participating IdPs.
Once IdPs became aware of a compromised account, they investigated to find out which other services in the federation that account had accessed while compromised. The IdPs would then notify each affected SP’s security team, using the published security contact information as required by the Sirtfi framework. SPs practiced taking in multiple inputs from multiple IdPs, managing the unfolding event, and making notifications to further affected parties when applicable.
The Response: Response from the participants was positive, and they communicated a shared desire to do an exercise again next year. During the feedback session, one of the themes that emerged from the participants was that this exercise helped strengthen their organizations’ internal ties between their security and identity and access management teams. Several security teams noted that until the exercise, they hadn’t been familiar with the federation and the identity and access management world, and they were grateful for the increased scope of understanding.
Next Steps: The Sirtfi Exercise Planning Working Group (SEPWG) will seek to reconvene in early 2024 and continue to grow and expand opportunities to practice intra- and inter-federation incident response. The planned capstone event will be another distributed tabletop exercise in November 2024.
Kyle Lewis is vice president of cybersecurity strategy at InCommon Catalyst RDCT.
About the SIRTFI Exercise Working Group
The SIRTFI Exercise Working Group prepares members of the InCommon Federation community to handle a federated security incident by conducting one or more tabletop exercises to simulate aspects of responding to the real thing. Exercises are intended as learning opportunities, increasing familiarity with and shared understanding of key concepts and practices in the SIRTFI framework. The SIRTFI Exercise Working Group is chartered by the InCommon Community Trust and Assurance Board. Additional information is available on the working group wiki.