October is Cybersecurity Awareness Month in some regions — and ITU News is running a series of articles related to cybersecurity.
In late 2016 and early 2017 a new botnet called Mirai emerged and was used to attack various targets across the Internet. As expected, it exploited devices which did not have proper built-in security mechanisms.
A more interesting fact was that Mirai used so-called Internet-of-Things (IoT) devices to propagate. These devices (e.g. wireless access points, modems) are frequently used in our homes and their owners were not even aware that their devices were part of an ongoing attack.
Responding to such attacks is very challenging as it is not possible to contact every single homeowner and solicit their help to stop Mirai. But a global and trusted network of Computer Security Incident Response Teams (CSIRTs) can help spread the message within their respective countries and can be used to great effect to combat such dispersed sources of attacks.
The Forum of Incident Response and Security Teams (FIRST) is the oldest forum of its kind and was founded in 1989 with exactly that goal – to establish communication channels between CSIRTs that can be used to share best practices and, during incidents, to exchange information about attacks and coordinate response.
The mission of FIRST is to “Improve security together.” What this really means is that each and every FIRST member can:
In order to fulfill this mission, FIRST organizes various initiatives.
In order to find local teams that can mitigate an incident, we have developed a member database with all necessary information: (1) contact information, such as the email address of the team; (2) information about the responsibility of the team, like the IP address ranges; (3) public key material, so that teams can communicate securely.
Further, we built an Application Programming Interface (API), so that teams can automate various tasks, such as mass-communication during an incident.
Even though we have almost 400 member teams in 83 countries, with 193 ITU Member States there’s still a lot of room for growth.
For this reason, in recent years we have focused on developing an education and training program. This is important both to educate teams in developing countries and to accomplish our second mission: that teams speak the same language. When a team needs to ask another team from a totally different region to perform a certain task, like taking down a system, they both need to understand what action is being requested and performed.
With our education initiative we convened a community of practitioners to help develop a “CSIRT Services Framework” which describes the services a CSIRT may offer to its constituency. Using this framework, we started to develop trainings for the different services. All of our training material is freely accessible under a “Creative Commons” license. We partner with different members and organizations, such as ITU, to host this training in the different regions of the world.
Having a similar understanding of the world is important, but insufficient.
Given the high complexity of systems and the size of the attacks we are seeing, it is also important to automate as much as possible, so that humans can focus on performing the more complex and challenging tasks, leaving machines to do the sharing.
For this you need common standards. FIRST is developing several today, such as CVSS, TLP, IEP, and passiveDNS. To facilitate widespread adoption of such standards, FIRST cooperates with international standards bodies, such as ITU, ISO and OASIS.
In particular, FIRST has contributed to the development of the X.1500 “Cybex” recommendation, and CVSS is also published by ITU as Recommendation X.1521, “Common vulnerability scoring system”.
Finally, we think that it is important as a technical community to help policy makers better understand our procedures and working spirit. If our community doesn’t tackle these challenges, future legislation and policy may be less informed of our work, and make it more difficult in future to cooperate on a trusted basis.
Therefore, FIRST members are actively engaging in various initiatives such as GFCE, GCCS, and in the IGF. One example here is the participation of FIRST in several IGF meetings, starting with Azerbaijan in 2012. This year, we will host a panel during the event and also conduct a training for policymakers, covering incident response basics.