## Crisis Simulation for the REFEDS Community Hannah Short (CERN), Charlie van Genuchten (SURFnet) --- # Motivation * Our community (notably through eduGAIN) has over **4000** organisations who may be affected by security incidents * Incident Response is significantly **improved with planning and practice** * As a community we may not be doing enough to prepare --- ## What have we done already? * AARC Incident simulations deemed helpful * Compromised Identity accesses multiple SPs * Incident Simulation Report [#1](https://aarc-project.eu/wp-content/uploads/2018/04/20180326-Incident-Simulation-Report.pdf) and [#2](https://aarc-project.eu/wp-content/uploads/2018/11/Incident-Response-Test-Model-for-Organisations-Simulation-2.pdf) * Experience gained through crisis exercises for NRENs (see [TNC19 session 9B](https://tnc19.geant.org/programme/#Wednesday)) ![](https://codimd.web.cern.ch/uploads/upload_904e86117ed7f272538226d5823e966b.png =200x120) --- ## Could we do more? * Security Day at TNC19 * 20 minute un-conference session on crisis simulation for eduGAIN * Mostly security, not federation, participants * Great participation * Conclusion, that it would be interesting to extend to (inter)federation --- ## What could we do? Charlie proposed 3 questions to help understand this 1. What is the worst that can happen? 2. What do we want the outcome to be? 3. Who are the players? --- ## What is the worst that can happen? * Wide-scale malware outbreak * Loss of integrity of trust infrastructure * Loss of service at critical time * Publisher * TNC programme * Time-critical science analysis --- ## What do we want the outcome to be? * Train individuals * Discover weaknesses (unknown unknowns) * Improve processes (coverage of security contacts, fewer technical problems) * Test and build collaboration * Clarify incident response procedure (who should be doing what?) --- ## Who are the players? ![](https://codimd.web.cern.ch/uploads/upload_6a7c752c66a0068deb0085f1527ffc6e.jpg =300x400) --- ## Questions for you * Are any Federations doing this already? * Should this be a crisis exercise (i.e. strategic level), or incident response? * How should we approach it? * An eduGAIN wide exercise? * Train-the-trainer model for smaller groups? *There are relevant activities in Sirtfi WG, WISE and GN4* --- ## Next Steps 1. If we want to go for it... * Decide on type of exercise (virtual, scripted, per-federation vs all etc) * Define possible timeline * Understand participation model 1. Realisticly takes 1 year with a lot of hours, cannot be just one person :) (could we have a small steering group?) --- # This week 1. Take some time to consider what your organisation/federation needs 2. Join an un-conference session on Thursday