Building Resilience Through Reporting

By Hadyn Green Monday, December 1st, 2025

Cybersecurity has a lot of problems that don't have easy solutions. Most people think this means cryptography or some other technical problem. Actually, the hardest problem is getting people to listen when you say there's a threat.

That was the idea behind the Actioning Alerts and Advisories (A4) project, one of the main pieces of work for FIRST's Community and Capacity Building (CCB) team for the 2024/25 financial year. The project was designed around the idea of creating systems to gather threat intelligence and then produce reports that will actually be used by those who receive them.

How much do organizations want this? Well, a session at FIRSTCON on this topic received a packed room of response teams looking for help.

The point is, so many CSIRTs are built to respond to and solve cybersecurity incidents, that when it comes to taking threat feeds and turning them into something actionable, they run into a wall.

Partly this is because effective threat reporting requires three kinds of expertise: technical expertise to build the systems that ingest the feeds, analysis expertise to understand which threats to prioritise, and communications expertise to produce advice that is understandable and actionable.

A4 started out with funding from the UK Government, focusing on four NatCSIRT teams: The Bahamas, Cameroon, Malawi, and Trinidad and Tobago. The team was made up of Barry Greene -- a well-known expert in the cybersecurity community who has worked with dozens of security teams over the years including Shadowserver -- and Hadyn Green -- a former journalist and communications specialist who created a Communications Framework for cyber incidents while at CERT NZ and NCSC NZ.

Each CSIRT had unique issues and localized requirements. For example, Malawi and Trinidad and Tobago were both facing upcoming elections which brought associated security risks, as well as the threat of disinformation and AI 'deep fakes'. The Bahamas was implementing its new Cyber Reef project, which monitors infrastructure and businesses for vulnerabilities and potential attacks through the deployment of sensors. Cameroon was launching a new anti-scam website and looking to boost awareness of its services, although the team was also unique in the A4 group because they had a full operational digital forensics team and were the mandated DNS authority. This means CIRT CM didn't need to ask telecommunications companies for DNS information.

But one of the strengths of the A4 project is its agility and working in-country alongside the teams rather than remotely doing workshops or "parachuting" in to solve problems. We also made sure that none of the work was tied to a particular piece of software or intelligence feed and that, where possible, everything was open source. It's very hard to be agile and of long-term use if the team requires a license renewal every year and ongoing specific tech support.

Agility also means understanding where you have gaps in your knowledge. Two incidents occurred while the A4 project team was on in-country visits; both required the team, and Barry specifically as the tech lead, to learn about new ransomware strains and new techniques for deploying the malicious software. [Note: due to the sensitive nature of this attack type we won't reveal the affected organization or country]. Similarly, to help The Bahamas troubleshoot their Cyber Reef system, Barry reached out to trust groups to determine best practices for gathering and analysing the telemetry data from the new sensors.

In Malawi, the organizational structure of the Malawi Communications Regulatory Authority (MACRA) had the communications experts shared across various teams, meaning they were separated from the more technical Malawi CERT. This created a gap that was hard to bridge. Working with both teams in the same room and running through stakeholder mapping exercises meant the Malawi CERT team was able to create a plan for dealing with potential threats during the election cycle.

It is surprising how often we were locked away in a windowless room, hunched over laptops alongside our CSIRT colleagues, solving problems, optimizing solutions and pitching in like the rest of the team if an incident popped up.

The in-country work also allowed us to reach out further than the CSIRT. We ran workshops with stakeholder groups including the financial sector, telcos, law enforcement and infrastructure as well as key businesses. This grew trust in the CSIRTs and enabled them to show off the great work they had been doing.

For the technical part of the Malawi work, FIRST reached out to Sebastian Wagner from IntelMQ --- a threat intelligence tool for CSIRTs for collecting and processing security feeds, pastebins, tweets and log files --- which was already in use by the CERT team. Sebastian was a useful addition to the team, so much so that Malawi CERT requested he stay for an extra day to help them in the office (he graciously accepted on the condition that he be given a tour around Lilongwe, the capital).

These sorts of connections are the other strength of A4. Being very well connected in the cybersecurity community and adjacent areas means when the CSIRTs needed specific assistance with topics that weren't in their exact wheelhouse, the A4 team had answers, advice and contacts at the ready.

The best example is the use of the Multi-Stakeholder Ransomware Special Interest Group (MSR SIG) within FIRST. This trust group is run by international experts from across the globe who regularly share information about new attacks and strains of ransomware; it is a vital resource for most CSIRTs. In each country the teams were given an introduction to the group via Barry and Hadyn, and since then they have been constant contributors, expanding their knowledge and feeding useful intel back to the other members.

These introductions were also a way for the CSIRTs to gain reputation in the global community by sharing the great work they've been doing. Information sharing happens mostly through trusted groups and, while not an official accreditation, the A4 team was able to vouch for the teams, allowing them access.

In essence, that's what A4 is about: creating usable information from threat intelligence, but also empowering and building capability within and between CSIRTs.