The security community strives to mitigate zero-day attacks. Timely vulnerability disclosure and incident response/handling are the way to do this. But that depends on the relationship and communication between the security researcher and the product vendor/developer. The industry established standards like the Common Vulnerability Reporting Framework (CVRF) and Coordinated Vulnerability Disclosure (CVD) for gathering information from vulnerability finders, coordinating the sharing of that information between relevant stakeholders, and disclosing the existence of software vulnerabilities and their mitigations to various stakeholders, including the public.
An organization called FIRST aspires to bring together incident response and security teams from every country across the world to ensure a safe internet for all. Founded in 1990, the Forum of Incident Response and Security Teams (FIRST) consists of internet emergency response teams from 575 corporations, government bodies, universities, and other institutions across 97 countries in the Americas, Asia, Europe, Africa, and Oceania.
In an interview with Brian Pereira, Editor-in-Chief, CISO MAG, Chris Gibson, Executive Director, FIRST.Org, Inc. outlines the objectives of this organization and how it works with global teams with a mission to make the internet a safer place.
Gibson brings a wealth of relevant and up-to-date experience in setting up and managing CERTs at the highest levels of the worldwide Information and Cyber Security community. He has spent over 12 years working in the Computer Emergency Response Team (CERT) while at Citigroup and, for 10 years, was part of the leadership of the Forum of Incident Response and Security Teams (FIRST); two as Chair. Within FIRST, he implemented the Fellowship program. This was created to fund CERTs from UN-designated “Least Developed Nations” (LDCs) allowing them both to join FIRST and attend conferences and training.
Gibson joined the U.K. Government’s CERT-UK team in November 2013 to build and launch the U.K.’s first formally chartered national CERT, joined Close Brothers as Chief Information Security Officer in November 2016, moved to Orwell Group as CISO in July 2018, and joined FIRST as its Executive Director in May 2019.
Gibson’s experience has allowed him to work with colleagues from inside some of the world’s largest global financial institutions, colleagues from proprietary software companies such as Microsoft and Oracle, open-source companies such as Red Hat, with upstream communities and also the global incident response community – the national CERTs of many countries – from Azerbaijan to Zambia.
Edited Excerpts from the email interview:
Can you tell us about the mandate of FIRST (Forum of Incident Response and Security Teams) and how it coordinates with security teams across the world? Do you have chapters in other countries?
FIRST is a forum where incident response and security teams meet, collaborate, learn, share, and network. Our vision is to bring together incident response and security teams from every country across the world to ensure a safe internet for all. We presently have 575 members from 97 countries, approximately 50% of the countries in the world. However, much of our output is freely available to all our community – whether they are members or not.
Trust is vital in our industry. FIRST fosters trust, global coordination, and a global language among our members through several activities including organizing training and developing standards, facilitating special interest groups, hosting global events, influencing policy and governance, and rewarding industry leaders.
We organize events all over the world. The FIRST annual conference promotes worldwide coordination and cooperation among computer security and incident response teams (CSIRTs). The conference provides a forum for sharing goals, ideas, and information on how to improve computer security on a global scale.
We also (normally) host or participate in some 20+ events annually around the world, bringing together both members and non-members. This has since moved online. Part of this is helping other organizations by bringing our expertise (IR) to their events – primarily capacity building with OAS, ITU, FCDO, etc.
We have many Special Interest Groups (SIGs) that are run by the members of the community. They allow smaller groups of members, with specific interests, to get together and further those interests. FIRST facilitates these groups by providing website infrastructure, a conference bridge, a Program Manager, and meeting space at our events. We also initiate quarterly meetings for SIG chairs to gather feedback on support needs, discuss best practices, and identify potential synergies across groups.
The Product Security Incident Response Team (PSIRT) SIG was formed in mid-2014 due to a need for more product-focused response coordination and practical sharing of best practices and experience. We noted that our Incident Response procedures have differences and other practical issues to address and establish working approaches not documented elsewhere. The SIG is extremely active and runs events specifically focused on product security response and coordination. It is this particular SIG that has absorbed ICASI.
You recently announced that ICASI – the Industry Consortium for Advancement of Security on the Internet – was officially integrated into FIRST. How would the community benefit from this integration? How will you synergize and leverage on each other’s strengths?
ICASI was born after a conversation at the FIRST conference in Seville in 2007 — there’s always been a great deal of synergy between the two organizations. At the time FIRST was not in a position to meet the requirements of ICASI.
ICASI offers a methodology for organizational exchanges for coordination, where there is little practical experience. The ability to make this available and repeatable globally is essential as we look forward to addressing supply chain issues and working for broader coordination between vendors.
The Unified Security Incident Response Plan (USIRP) and the work that goes on behind the scenes running a USIRP process are significant. FIRST has evolved since then and is able to support this. The PSIRT SIG has also grown significantly since this time and now brings together teams from some 75 companies globally.
For years, ICASI led the way in advancing multi-vendor coordinated vulnerability disclosure, introducing the Common Vulnerability Reporting Framework (CVRF) standard, developing the principles of a Unified Security Incident Response Plan (USIRP), helping to create the Guidelines and Practices for Multi-Party Vulnerability Coordination and Disclosure, and modeling a trust group of industry leaders that successfully coordinated multi-vendor responses to numerous security incidents. ICASI will now dissolve as an independent organization and transfer all its assets to FIRST. How does FIRST plan to evolve these standards once these assets are transferred?
[The CVRF standard was passed to OASIS and is now preparing to release CSAF 2.0, so that work continues independent of ICASI and FIRST.]
The PSIRT SIG will focus on furthering the USIRP and replicating additional groups with other industry focus. The multi-party disclosure and coordination is an effort that ICASI and FIRST jointly worked on previously and continue to this day, however, we will look at how to expand the organizational coordination and expand the disclosure models to include this broader approach for cybersecurity through vendor and application coordination. The PSIRT SIG / ICASI WG will continue working on security incidents.
Organizations continue to grapple with challenges regarding Security incident response. What is FIRST doing to improve the community’s ability to respond to vulnerabilities across multiple vendors?
ICASI is an example of coordinating across multiple vendors. We believe that expanding the groups of vendors with a like-type model will speed the coordination and bring about an ability to also coordinate between the groups to better defend and protect the ecosystems that comprise the internet.
FIRST has also sponsored the creation of CSIRT and PSIRT Services Frameworks. These documents help new security teams get started and existing teams to mature their processes. These documents are available to members and non-members alike.
Do you see more security researchers or product developers engaging in CVD or Coordinated Vulnerability Disclosure? Do you think incentivization will encourage more CVD?
Coordinated Vulnerability Disclosure (CVD) ensures that researchers and developers are aware of how to engage and who to engage. The largest issue has been that most finders were not aware of how to get the disclosure started and in turn, whether the vendor would respond, whether the vendor had a process and whether they would recognize and honor that disclosure.
Some vendors choose to incentivize that coordination through a bug bounty, mainly to incentivize the focus to where the customer interest is and to what is now generally available for the public. This is a choice of organizations to make and while it may assist some and incentivize researchers, we see that as a market issue to determine.
Do you think more regulation is required around vulnerability disclosures?
FIRST supports the work of its members and doesn’t take a position on regulation, however, one of FIRST’s three missions is focused on Policy and Governance. We participate in policy and governance discussions as best we can to make sure others understand what we do, and that they enable us rather than limit us. FIRST engages with relevant stakeholders, in technical and non-technical communities, to ensure teams can work in an environment that is conducive to their goals.
About the Interviewer
Brian Pereira is the Editor-in-Chief of CISO MAG. He has been writing on business technology concepts for the past 26 years and has achieved basic certifications in cloud computing (IBM) and cybersecurity (EC-Council).