Developing the building blocks for a global Incident Response Capability

News item | 21-11-2017

Authors: Maarten Van Horenbeeck, Board Member and Damir Rajnovic, CFO, Forum of Incident Response and Security Teams (FIRST)

Every year, the internet community faces an ever-growing number of data breaches and security incidents. Modern society, increasingly reliant on ICT and internet technologies, seems to be at ever greater risk. Just last year, an outage at a DNS provider showed how major sites can be taken down by disruption at much smaller providers and network operators they depend on. This article describes how the Forum of Incident Response and Security Teams (FIRST) is investing to create a more capable incident response community.

The need for global incident response capability

Security incidents are rarely limited in geography. Last year’s major DDoS attack on the Dyn DNS service saw tens of millions of IP addresses hitting a small set of services, resulting in outages for a large number of major internet properties. The WannaCry malware was reported in at least 150 countries.

In order for corporations and economies to defend themselves successfully against these attacks, some form of coordination with their peers abroad is required. It does not make sense for countries with varying capabilities to autonomously identify, investigate and respond to every single attack from scratch. There is a need for more global awareness of emerging incidents and the ability to share best practices while responding to an incident. Moreover, where expertise is difficult to build and maintain locally, it can be pooled across regions.

This type of cooperation does not happen by accident, but needs to be architected and planned, leveraging experts across the globe. The Forum of Incident Response and Security Teams (FIRST), a leading association of computer security and incident response teams, was founded in 1989 shortly after the first Internet worm. Over the last few years, FIRST has identified and invested in some of the key building blocks we need to make a well-coordinated global Incident Response Capability a reality.

FIRST Trainer Michael Hausding teaches Incident Response skills in Puerto Rico.

Key building blocks for incident response

A global community

As a community, we can only be effective when all major networks, all countries and all industries are represented. That may seem like an ambitious goal, but it is a necessity to deal with attacks that may originate from anywhere. FIRST has actively grown its community in recent years through the Suguru Yamaguchi Fellowship program, which provides subsidized access to our community for incident response teams from the developing world. In recent years, teams from Vietnam, Moldova, Myanmar, Ghana, Mongolia and several other countries have participated in our conference and trainings through this program.

A common understanding

It is also critical that incident response teams have a mutual understanding of what it means to provide incident response services. FIRST helps teams exchange experiences through no fewer than 28 annual events and trainings globally.

However, in order for these efforts to be successful, it is important to generate a mutual understanding of the work we do. Since 2015, FIRST has convened a global group of incident responders, academics, national government representatives and interested parties to collaborate on a CSIRT Services Framework. This framework specifies the typical services CSIRTs provide, and details the work incident responders typically deliver under each of these services.

A similar effort has been started for Product Security Incident Response Teams (PSIRT), which focuses on addressing security incidents affecting software and hardware products.

Based on these frameworks, FIRST initiated the development of training programs for the key services they describe. Each of these programs is released under a Creative Commons license, and can be used by members, non-members and partners to train new CSIRT teams.

High volume information sharing and coordination

Finally, incident response efforts will only become more effective when they can operate at machine speed. While humans are necessary to gain situational awareness, and make accurate decisions, those decisions need to be executed at speeds only machines can accomplish.

As a result, FIRST has invested in the development of standards that help incident response teams analyze and share information. FIRST standards include the Common Vulnerability Scoring System (CVSS), a mechanism that incident responders can use to rapidly assess the severity of software vulnerabilities, and the Traffic Light Protocol (TLP), a set of labels that tell the recipient of a piece of information how widely it may be redistributed. In addition, FIRST community members also work on machine-to-machine sharing specifications, such as a protocol for exchanging Passive DNS information.

FIRST also enables incident response teams to connect to a threat intelligence sharing mechanism through a Malware Information Sharing Platform (MISP) instance, which lets members gain first-hand experience of connecting to a threat intelligence exchange.

Ongoing development of the CSIRT community

Leveraging investment in these building blocks, FIRST is helping to build a more mature and more integrated incident response community. We make these tools and materials available both to our members, to help train their own team members and peer teams, and to partners who can help bring them to a wider audience. In 2016, FIRST partnered with organizations such as LACNIC, the ITU and AfricaCERT to train incident responders and help develop teams across the world.

Moreover, FIRST aims to help other communities, such as civil society and policy makers, to better understand Incident Response teams and be comfortable interacting with them. In order to do so, FIRST has become a contributor to internet governance fora such as the IGF and the Global Conference on Cyberspace, both through their intersessional working groups and through in-person participation.

By creating a well understood and capable incident response community, the internet community as a whole will be in a better place to respond to the next major incident. This capability will be an important element of ensuring the Internet can fulfill its full potential.

This article first appeared in the fourth issue of the Global Cyber Expertise Magazine – November 2017