Towards efficient cyber resilience

by Serge Droz, FIRST Board of Directors
Monday, November 27th, 2017

Under this title more than 350 delegates, predominantly from Middle Eastern countries, met this month at the 6th regional cybersecurity summit in Muscat, Oman. The good news: universal agreement that collaboration is a must to face the ever-increasing professionalization of criminals and state actors in the cyber realm. However, little was said about what this collaboration should look like. Many of the countries present at the summit run impressive national initiatives encouraging information sharing. Many of these initiatives are sector specific, with the financial services industry taking the lead. But there is also growing awareness in the utilities and energy sector, as well as in health care, that more is needed than just a firewall. At the same time, many multinational private sector actors struggle to find ways to share information across their own organizational boundaries. These are encouraging steps: enterprises realize that, while they are competitors, they need to collaborate against cyber threats. This was not the case only a few years ago. But is it enough?

Last year’s announcement of the Avalanche network's takedown may be a good gauge for assessing this question. The Avalanche infrastructure was a true underground CDN, with infrastructure distributed over 30 jurisdictions, misusing more than 800,000 (!) domains in 60 TLDs. In 2009, 2/3 of all phishing traffic was rerouted over the network, and it served more than 20 malware families. Its takedown took four years of dedicated work by law enforcement agencies, the AV industry, CSIRTs and volunteer organizations.

Global coordination

The global spread of the Avalanche infrastructure required global coordination for the takedown. Worse, it needed collaboration across trust boundaries. Criminals are mostly agnostic to everyday political squabbles; in fact, they quite like them: operations spread across political alliances make their business more resilient and our lives more difficult. So, just as private sector companies learned the hard way that they need to collaborate against cybercrime, the international community must learn that sometimes you have to work even with countries that are on bad terms.

In his keynote speech “The other Billion” at the 2016 FIRST annual conference in Seoul, Professor Kilnam Chon challenged FIRST not to rest before every single country on this planet is represented in FIRST. This is no easy feat, as the map of FIRST members still has many white spots, especially in the Middle East and Africa.

Board members are often asked what the benefits of a FIRST membership are, probably in the expectation of some free or discounted goodies. While those exist, they are not the core of what FIRST is about. Membership makes you part of a global community that is capable of taking action against multinational, organized abuse, attacks and crime. Many times, I have received pleas for help that started with the line: “I found your contact details on the FIRST website …”. One of FIRST’s missions is to make it possible to find a team wherever you need help, and to provide the means for secure communications, i.e. contact information and cryptographic keys.

One language

Global coordination is no easy feat. One of the lead figures in the Avalanche takedown told me that he is exhausted from all the traveling involved in talking to stakeholders. One often overlooked barrier to international collaboration is cultural and language differences. FIRST tries to address this by creating services frameworks that document the services CSIRTs may deliver. Based on these, training courses are developed and delivered by volunteers around the world. The hope is that, in case of an emergency, teams speak the same language and share the same understanding of the issues, which facilitates incident response. In fact, the GFCE in its 2017 Delhi Communiqué strongly emphasizes the need for capacity building too.

Fast and furious

The sheer number of domains misused by Avalanche shows the need for automation. Machines are good at doing the boring bulk work, allowing humans to focus on the difficult problems. FIRST enables automation by creating and maintaining standards, such as the Information Exchange Policy (IEP) or the Common Vulnerability Scoring System (CVSS). Standards development is open to all stakeholders, regardless of FIRST membership.

Opening up

The Avalanche takedown led to arrests. That’s the job of law enforcement, not CSIRTs. This kind of collaboration quickly touches on wider issues, from legal procedures to international law enforcement cooperation. CSIRTs operate informally across borders, a path not open to many entities playing a role in the operation of the internet. CSIRTs, while bound by national law, are very free in their actions, but in return don’t usually have the power to mandate anything. Their role is supportive. Other entities, such as registries or ISPs, are typically regulated. Within their regulations they have the power to act, e.g. disable a domain or block an IP. But many times regulations don’t allow certain necessary actions, thus giving attackers an advantage. It’s thus important that regulators, law makers and policymakers in general understand the implications of the rules they make. FIRST has therefore decided to support policymakers by informing them about CSIRTs and the way they work. For example, FIRST will host a free training “Incident response for policy makers” at the next IGF meeting this December in Geneva.

Events like the regional cybersecurity summit, which bring together people from various backgrounds, are important for developing a more resilient network. At the end of the day, we are humans, and we make progress by communicating and collaborating. Thus, the meeting was fully in FIRST’s spirit: “Improving security together”.