Making CSIRTs even better

2 Aug 2022

Category: Tech matters


The Forum of Incident Response and Security Teams (FIRST) holds an annual conference to promote coordination and cooperation among global Computer Security Incident Response Teams (CSIRTs). This year’s conference ran from 26 June to 1 July, in Dublin, Ireland. Andrew Cormack visited #FIRSTCON22, and these are his notes on various topics relating to CSIRTs.

Knowledge Management for security and incident response

Knowledge Management (KM) isn’t a topic I remember being presented at a FIRST conference before, but Rebecca Taylor made a good case for its relevance. Security and incident response use and produce a lot of information — a KM approach could help us use it better. Most teams quickly recognize the benefits of having knowledge recorded, so most will have contact lists, processes, and playbooks. Many are also asked to provide statistics. But KM could also help with things like internal and external knowledge bases, from tips for effective forensic investigations to threat intelligence or customers’ Frequently Asked Questions.

The first step in making this information useful is to know where it is. After that, attach metadata, such as when it should be used, when it was last checked/updated, and so on. Just establishing these single points of truth can build confidence in the information and make the team’s work more effective. But KM seems to call for a more dynamic approach — it’s ‘knowledge’ management, not just ‘document’ management — where those who use information participate in improving it. So, the knowledge system also needs to help users and authors communicate and collaborate, noting whether the document is still relevant or there were issues with interpretation. Somewhere around here, I think, we should be moving from recorded information to shared knowledge.

Systems need to support this way of working. For example, change control must balance ease of updating and maintaining accuracy, but we also need to promote the right culture. Staff should be encouraged to identify opportunities and problems — those who help to improve knowledge should be recognized and rewarded. One way to do this is to use a KM approach to examine known pain points or inefficiencies, for example, rapid sharing of ‘Indicators of Compromise’ between teams working on different engagements.

KM can even help with future planning. Looking at which information is being actively used (and, conversely, sought but not found) can help us make that easier to find and/or justify efforts to improve it. If those using a process are discussing changes, can we anticipate and pre-approve any variations of policy or mission that may be needed? There’s a connection here to Vilius Benetis’ talk on CSIRT improvement (see next heading). A proactive review, ideally every few months, should check whether this will still work and if it could work better.

While many companies offer KM software, that’s not the only option. Rebecca’s talk included effective examples of both a customized commercial system and one (for forensic practitioners, including a Knowledge Base, processes, and templates) using Microsoft Teams. Starting small/focused is definitely the way to go. Identify an area where there’s an obvious need — whether in a particular team or subject area or for management or funders — and use a KM approach to make their work easier. When that succeeds, you’ll have champions to support your work in the next area. Above all, treat KM as a tool to help make improvements, not a thing that should be ‘done’.

Making CSIRTs (even) better

Incident Response Teams are, as the name indicates, responsive. Often, they will try to provide whatever services their constituency asks for or seems to need. However, over time that can result in a mismatch between what the team offers and what its resources, capabilities and authority can actually deliver. That leads to frustration, both among disappointed customers and among team members who know they are not delivering the best they could. And, as Vilius Benetis asked at the FIRST conference, ‘Do their eyes shine with passion?’

He was presenting a report by the European Union Agency for Cybersecurity (ENISA) that, although titled How to set up CSIRT and SOC, can also help existing teams move to a more consistent and satisfying state. Critically, this adds a feedback loop to the design/implement/operate sequence that many teams, more or less formally, adopt. An ‘improve’ stage considers the results of ‘operate’ and how ‘design’ might be changed to deliver better outcomes for the team and its constituency.

This might involve changes to the CSIRT’s mandate, the services it offers, its processes and workflows, skills and training, facilities, technologies (including automation), cooperation, information security management plan, or implementation requirements. Budgets and other resources may mean it’s only possible to deliver a subset of these ideas, but those selected should be developed into improvement initiatives and detailed design changes. If resources are limited, this might include reducing the range of services offered by the team, to improve the performance of those that are most important.

These feedback reviews should take place regularly, ideally annually. Developing relevant metrics for CSIRT performance will ensure consistent reviews as well as guiding operational activities. The presentation identified several sources that can be used, including:

The objective of this process is to improve satisfaction, both within the team and among its constituents. So, communicating and celebrating improvement is an important part of that. Shiny-eyed customers may be too much to hope for, but at least we should be encouraging our team members.

Images of cybersecurity

Victoria Baines closed the FIRST conference with a challenge to improve our image. Try searching for ‘cybersecurity’ and you’ll see why — there are several ones, zeroes, padlocks, and faceless figures in hoodies. Some of the latter look a lot like the grim reaper, which makes the task seem hopeless. In fact, cyber bad guys can be resisted. And you don’t need to read binary or work in a data centre to do it.

Figure 1 — Typical image of ‘cybersecurity’. Source.

What’s especially odd is that similar images and phrases are often used for defenders, too. Mystique may make us feel good, but it doesn’t help with recruitment and retention. We need a much wider range of skills, personalities, and people to defend the online world. And referring to them as superheroes doesn’t help either. Everyone can and should contribute to their own and others’ security. Of course, superheroes save the world — that’s what they do. What we need to celebrate is the ordinary people who save the world by their choices and actions, for example, by reporting odd-looking websites or double-checking when the CEO asks them to buy gift vouchers.

Victoria’s research traces this hyperbole back two thousand years. If you are trying to draw attention to a threat, overstate it, whether it is a Cybercrime Tsunami in 2003, or flying chamberpots in the streets of 1st century Rome (though Mary Beard thinks Juvenal may not have been overstating much!). Sadly, Victoria’s recent book on the Rhetoric of Insecurity is priced for academic libraries, but her Gresham College lecture series, later in the year, will be free in person, online or on YouTube.

So, what’s the alternative? We need a message and images that encourage everyone to do their bit. Maybe it’s worth returning to the idea of (individual) cyber-hygiene — not so much ‘coughs and sneezes spread diseases’, but ‘catch it, bin it, kill it’ might have promise.

However, if you are thinking ‘cyber-pandemic’, please don’t!

Next in this series, I’ll look at the areas of interest in Incident Response from #FIRSTCON22.

Andrew Cormack is Chief Regulatory Advisor at Jisc, and is responsible for keeping an eye out for places where our ideas, services and products might raise regulatory issues. Andrew ran the JANET-CERT and EuroCERT Incident Response Teams.

This post is adapted from posts at Jisc Blog.
