This is a compilation of their answers.
Brief summary: Computer security incidents are often international in nature. Each incident response team can assist their constituency and coordinate with other teams to provide efficient global response.
The mailing lists provide an opportunity for us to share information about exploits, threats, tools and techniques in a secure and restricted forum.
Some teams have this goal of networking as part of their mission, or perhaps we should say, they believe in the mission of FIRST (in part, to promote the formation of incident response teams all over the world), and so attendance at the conference and involvement in FIRST is a natural part of their activities.
Other teams are interested mostly in self-improvement - their mission isn't so much to help create teams around the globe, but they want to be the best they can be, and an important part of that is meeting with their peers and sharing ideas. This sharing goes both ways - teams that are weak in one area are strong in others, and we can benefit from one anothers strengths when we have the opportunity to meet, compare notes, and share problems (and solutions). The best way to do this is through meeting face to face - the FIRST conference provide an excellent forum for this sort of discourse.
Finally, new teams and groups that are interested in forming teams can obviously benefit greatly from the experience of existing teams. Involvement as a member of FIRST, and attendance at the conferences gives new teams an opportunity to learn from the best and become an active member of the international incident response community.
Several teams use these external contacts to identify experts that they have invited to get involved with their constituencies in various ways (e.g. providing consulting, giving talks). Often times bringing in an outside authority lends extra credibility that can convince people where we couldn't. FIRST provides an excellent forum for finding these sorts of experts.
FIRST helps build that trust between teams in several respects.
The conferences provide an opportunity to meet with people from other incident response teams. through our conversations and efforts to help one another, we build personal trust between us.
FIRST members go through an interview process of sorts, and that lends at least a limited sort of trust to any FIRST member. When I contact another FIRST team, even if we haven't met anyone from that team, we know that someone from FIRST has, that they probably know how to handle my incident at their end in a discrete and secure fashion, and that they will probably cooperate with me to solve our mutual incident. as we work together on incidents, we also build more trust and credibility with one another.
Also, we often need to contact organizations that have not been involved with FIRST. we haven't met them, their incident response team (if they even have one) isn't a FIRST member, we don't know whether we should communicate with them or not. we can often contact regional incident response teams who are FIRST members (e.g. a national team) to solicit their advice, or even just ask around FIRST to see whether anyone also has had dealings with that group before. FIRST can help us find and build trusted contacts with non-FIRST teams, and to avoid disclosing sensitive information to suspicious groups.
FIRST also helps incident response teams to understand one another. Although we share common goals and problems, there are significant differences between the teams for software vendors, Internet service providers, colleges and universities, military groups, national teams and commercial teams. Through networking and presentations we can learn more about both the problems and solutions we hold in common, as well as gain mutual understanding. This facilitates cooperation and helps alleviates frustration when we try to work together.
The FIRST Technical Colloquia (available to FIRST members only) provide additional opportunities for us to share sensitive information with one another.
Incident response teams share information about threats, exploits, incident response tools and techniques through contact at the conference, and through the technical colloquia and mailing list.
Attendance at FIRST events can be a productive part of training new team members - bring them along, let them associate with other incident response personnel and develop their own network of contacts, in addition to learning a lot. It also gives other teams a chance to meet the newer members of your team.
The USENIX Security Symposium is focused more on "security research". The value of FIRST is that the focus is on real world incident response experiences - what are other teams doing that I can learn and apply now?
Incident response teams are (mostly) isolated - we are spread all over the globe, and most don't have teams nearby to consult with on a regular basis. FIRST provides a unique forum for us to break through the barriers that separate us and meet together.
International travel isn't necessarily more expensive than other travel. Compare the costs.
A concern for many teams in the U.S.A. is that international travel is perceived as a "vacation". Travel for a conference in Mexico or Bristol (or Australia) isn't any more of a vacation than is travel to San Diego or Baltimore.
Management likes to be on top of things. Involvement with FIRST is one step they can take to help ensure that their team will be among the best. When someone asks what they are doing to ensure that their company is on top of things with regard to incident response, they can say that they are actively involved with FIRST, the premier incident response forum in the world.
One respondent worked attendance at the FIRST conference into their job as part of their benefits package when they signed on.
Some groups list involvement with FIRST as a mission-critical part of their job.
Last modified: 25 February 1999
Copyright © 1999 by FIRST.ORG , Inc. / Contact: firstname.lastname@example.org