Global Forum of Incident Response Guiding Towards a Threat-Free Cyber-Space With Expertise and International Collaboration

[TL;DR] FIRST (Forum of Incident Response and Security Teams) is an internationally recognized organization in the field of CSIRTs (Computer Security Incident Response Teams) and has a reign of over 100 years in this field. Using modern communication and strategized collaborations, they aim to prevent and control incidents of global cyber-security threats. We interviewed Dr. Serge Droz, Vice President CERT at Open Systems and a member of the FIRST board of directors, in 2019.

With ever-increasing global connectivity, usage of the Internet and the services built on it has increased exponentially in recent years. With such large-scale participation, as with any other technology, significant threats are lurking in this deep ocean.

The initial tremors came when the threat known as the “Internet Worm” was exposed in November 1988 and crippled the Internet. The responses during this incident were inexperienced, resulting in conflicting and duplicated efforts. This incident laid the foundation of CERT and CIAC, the first organizations created to coordinate response teams.

Due to ongoing difficulties in these organizations, another similar attack, the “WANK Worm”, made evident the lack of proper coordination among them.

It was after this, within the CSIRT community, that FIRST was born in 1990. With the growing number of incidents over the years, FIRST has evolved into a top service provider and collaborator among CSIRTs. Over these years, it has successfully enrolled over 450 members from every continent of the world.

The main task of such an organization is to isolate the cause, analyze the cyber threats, and collaborate accordingly to either stop these threats or minimize their effects. This is conducted before, during, or after the attacks. Through increased communication and the collaboration of many minds, they try to make the Internet a safe and secure platform.

Conclusion from Century-Old Practices in CSIRT

With the daily rise in news of cyber threats, there are still people who are unsure why such organizations are needed. To clear their doubts, our spokesperson Dr. Serge Droz tells us in brief about these threats.

He said, “Businesses face different challenges today: Cyber criminals are out there to make money: Stealing financial information, e.g., access to online banking is one way, holding your data ransom by encrypting it is another way to make a quick buck. Especially in the latter case, a business may go bankrupt because it can’t function anymore.”

These threats are now very common among online businesses. Many new startups are affected every day by these threats owing to their inability to oversee such situations. The damage ranges from minor data loss to full-scale DDoS attacks and identity theft from an existing database, and these attackers can do much worse.

Not only that, but a breach can also have regulatory consequences. “But a breach bears regulatory risks too: Not handled properly, large fines may be due. For example, under the EU General Data Protection Regulation (GDPR), fines up to four percent of the annual turnover may be due,” said Dr. Serge. “Breaches happen. But failing to react properly may undermine customer and investor trust.”

Hiring many top IT experts is not the only step needed to maintain the integrity of services. Smaller organizations with little experience also run the risk of receiving manipulated advice from such experts, who may fill their own pockets while delivering mediocre work.

This makes it necessary for such companies and organizations to be part of an incident response community such as FIRST.

Dr. Serge explained, “The chances of being the victim to a breach are real. In such a moment, proper reaction can be the decisive factor for a business’ future. Experience shows that organizations which are prepared to handle an incident properly suffer much less damage. Building up your crisis response after a breach has occurred usually does not work.”

Using First-Hand Standardized Experience to Minimize Risks With FIRST

In CSIRT communities like FIRST, it is critical to work out protocols that not only lay down the procedure for incident response but also cover pre- and post-incident tasks.

These services are delivered in a set manner across all centers, which coordinate their steps based on the data collected while analyzing breaches. The primary steps are: taking incident reports from the affected constituency; analyzing the incident and validating the scenario; compiling a full report on the breach from all the information collected from the various centers; and providing a summary of that report. Coordination among the various teams is needed so that appropriate measures are taken to neutralize the breach.

As Dr. Serge says, “Incident responders hardly ever work in isolation: They typically collaborate across organizations and countries to handle incidents. This is especially true for a mass breach, such as WannaCry or NotPetya a few years ago. In such situations, incident responders will support each other through their trust networks and share information that helps everybody on the case.”

Implementation can be delegated to local professionals while the CSIRT community carries the weight of developing and organizing the response techniques and services, instead of doing everything itself.

The primary goals associated with FIRST include:

  • Creating and distributing data, technologies, procedures, and playbooks.
  • Boosting the production and quality of security tools, improving their services, and promoting best computing practices.
  • Growing incident response teams and their memberships across the globe.
  • Using cooperative knowledge, experience, and assistance to combat cyber threats.

He puts it this way: “FIRST members are happy to share their experience. Attending FIRST events is a great opportunity to learn first-hand from the experience of others.”

Collaborating Incident Response With Controlled Hierarchy

The goal of these CSIRT institutes is accomplished by controlled cooperation between various groups and among individual members. CSIRTs operate on standard organizational models.

These models define the hierarchy within a CSIRT. The main structures are the centralized, distributed, coordinating, hybrid, and outsourced CSIRT.

From running things in a small organization to handling worldwide incidents, hierarchy plays a vital role in distributing roles across personnel and helps get things done in an orderly way.

However, things are relatively different in FIRST as said by Dr. Serge. “What is special in the incident response community, is that there really is no hierarchy: Teams operate on eye level, and typically no team has authority over another one. This may sound surprising at first, but does make sense, considering that incidents almost always cross borders. There is just no way to exert authority to another team.”

Contrary to the textbook procedure of CSIRT systems, real-life scenarios can be challenging and often do not fit the pyramid. Because of the unpredictable nature of threats and their use, team members have to rely on each other’s knowledge and trust.

Dr. Serge explains further: “This requires a lot of trust: You work on eye level with others: FIRST is providing a platform to bring teams together to build trust, and to get a common terminology.”

This close collaboration is what keeps cyber-threat incidents under control across the globe, with a user base that grows every second. Yet teamwork alone is not enough; there is no point in charging into a fight unarmed.

CSIRT systems need to collect incident data, organize it, analyze it, generate reports, and then submit those reports so that proper response steps can be derived. He added, “There are a couple of things a team needs to successfully handle a breach: Obviously, there needs to be a solid understanding of how the technology involves, and the appropriate tools. But that alone is not enough.”

This must also include coordinating the various centers across nations and managing things in case of a global breach. As he elaborates, “Incident responders need trusted partners across the globe to handle all aspects of the incident. And lastly: Incidents are also always a time where good communication is of the essence. Thus, incident response teams need to be able to talk to technical staff and C-level management alike.”

Utilizing FIRST Services to Save Resources and Get Pro-Level Assistance

Drawing on extensive personal experience and hands-on work with FIRST, Dr. Serge gave us a detailed insight into FIRST’s services and their benefits.

One of the benefits of being part of FIRST is professional communication and information exchange in the form of wikis, e-mail lists, and contacts across the organization.

Another method is using structured groups and standardized concepts to isolate issues and work on them, such as CVSS (Common Vulnerability Scoring System). These ratings make it possible to isolate threats, categorize them, and assign team members accordingly.

After that comes knowledge sharing via seminars, conferences, sessions, and similar events. FIRST member organizations that attend them gain prior insight into issues faced earlier and the methods that could have been adopted to prevent or minimize them. This exchange of knowledge across the globe is the most critical part of FIRST membership.

As he further adds on FIRST membership, “Every incident response or security team can become a FIRST member. This gives the team access to the global community of incident responders. But it also gives access to training, real-time information. At FIRST meetings, members exchange and collaborate: Frequently teams from competitors are spotted sitting together discussing cases of tactics: When it comes to security we cannot afford to compete, and FIRST provides the environment that makes this exchange possible.”

This holds for most top organizations, but what about smaller firms or startups? The best way to get the most out of FIRST membership is collaboration. The more teams that join, the more information can be exchanged, and the more threat scenarios can be reproduced and analyzed.

For startups and SMEs, Dr. Serge advises: “Collaboration is key during incident response: Teams joining FIRST will not only be able to profit from a technical exchange but will find teams that help them during a crisis. This is particularly important for new teams, which are not yet established in the international community.”

How Can One Become a Member or a Partner of FIRST

Partnerships with FIRST help make incident response more effective. Many organizations across the globe have become partners with FIRST, which has allowed more streamlined response methods to be developed.

The top partners of FIRST include organizations from the main continents across the globe. These are GEANT, LACNIC, the International Telecommunication Union (ITU), the Global Forum on Cyber Expertise, the Organization of the Islamic Cooperation CERT (OIC-CERT), the Asia Pacific Network Information Center (APNIC), and the Organization of American States (OAS).

On becoming a member of FIRST, Dr. Serge advises as follows: “Becoming a FIRST member is not difficult: Every new team needs two sponsors, ideally teams they already know. The FIRST Secretariat is happy to help finding sponsors. One of the sponsors will then conduct a site visit, more to establish a closer contact with the team and less to assess. This ensures that expectations are met on both sides, and new teams have a good experience joining FIRST.”

Beyond partnerships, FIRST also offers programs for smaller organizations that are still in the learning phase. Around the year 2015, it launched the FIRST Fellowship Programme, which gives smaller companies access to the CSIRT community in a more natural way and on a smaller budget. The organization must be mature enough to understand its goals and to participate meaningfully in FIRST, while keeping costs low.

On the qualifications for joining FIRST, he states: “New teams typically already are operational and handle incidents. After finding two sponsors, FIRST will guide teams through the process. There really are very few hard requirements: FIRST wants to be sure members are enthusiastic about their work and are trustworthy. FIRST realizes that everybody has to start, and we pride ourselves on supporting new teams to mature.”

Joining FIRST to become part of the global CSIRT community is one way for organizations to stay alert and counter security breaches. It is always better to be part of such a time-tested organization when a disastrous cyber-attack strikes; as they say, a sorrow shared is a sorrow halved.