What's New

FIRST published its eighth Annual Report which covers the organization’s accomplishments towards its vision of bringing together incident response and security teams from every country across the world to ensure a safe internet for all. The report is available at FIRST Annual Report 2023-2024.

As usual we like to verify our previous forecast before we make the next one. Due to travel, I must do this a few days before I should (normally on the 1st of June).

Message from the Chair; Message from the Chair; FIRST Standards Committee; CTI Conference in Berlin; FIRST Newcomers & Membership Committee; On the Road to Fukuoka - See you soon!; FIRST as a Diana Initiative Community Partner; Growth Stack Media PR Updates; Special Interest Group Updates; FIRST Impressions Podcast; FIRST on Social Media

Message from the Chair; Christmas CTF in Norway; Incentivizing anti-abuse proactivity among online service providers; FIRST Newcomers & Membership Committee; Growth Stack Media Appointed as FIRST's Agency of Record; On the Road to Fukuoka - Registration is Open!; FIRST Standards Committee update (aka “the wheel reinvention prevention committee”); Special Interest Group Updates; FIRST on Social Media; Upcoming Events

Join us for the second edition of Balkan Cybersecurity Days! Organized by DCAF in collaboration with partners AKCESK and FIRST, the event will take place from March 20-22, 2024, in Durrës, Albania.

The Call for Speakers for this event is open through February 9th. Interested presenters can learn more at here.

Bringing together cybersecurity professionals from the public and private sectors, the agenda includes a high-level opening, a panel on promoting cybersecurity talent, and plenary sessions in response to FIRST’s call for papers. Days two and three feature technical training sessions.

Every year we make a prediction to the number of vulnerabilities we expect to see published by NVD. We define this as the number published between New Year’s Day in 2023 to New Year’s Eve 2023, which is not the same as CVE’s that begin with 2023 as an identifier.

WHEN: Monday, March 25 through Wednesday, March 27, 2024.

LOCATION North Carolina State University, McKimmon Center 1101 Gorman Street Raleigh, NC, 27606

We are seeking individuals to submit abstracts for talks, panels, birds-of-a-feather sessions. Any interested persons can submit no later than January 31, 2024.

Back in the early days of the Internet, when everybody knew everybody, the way that you validated yourself to a Certificate Authority (CA) for an X509 certificate for Secure Sockets Layer (SSL) was to send a fax on company letterhead.

Are you interested in getting involved in FIRST’s 2024 events? If so, take special note of the details and dates below.

This digest covers…

  • FIRSTCON24 Call for Speakers and Trainings Closing This Month

  • 2024 Events Speaking and Sponsorship Opportunities

  • 2024 Events Save the Date Information

Focused on the Global Vulnerability Management Ecosystem, attendees will have the opportunity to advance the art and science of vulnerability management with industry leaders.

Message from the Chair; CVSS v4.0 is now available; The Board in Oslo; Migrating to the new FIRST SSO; SIGs; On the Road to Fukuoka / Call for presentations; New Teams Members: August, September, October; Upcoming Events

FIRST Impressions Podcast has been selected as one of the Top 10 Incident Response Podcasts on the web.

The FIRST Impressions podcast brings you regularly scheduled content focused on discussions from across the incident response and security spectrum. Hosted by Chris John Riley and Martin McKeay, new episodes released first Friday of the month!

Message from the Chair; Conference Roundup; Special Interest Groups; Weekend Training; Training on DNS Prevention, Detection, Disruption and Defense; Diversity and Inclusion; New Board Member Introduction; M3AAWG 58 Meeting; 36th Annual FIRST Conference to take place June 9-14, 2024 in Fukuoka, Japan; New Members; Standards; Communications; Upcoming Events.

FIRST’s AGM took place during the 35th Annual Conference in Montréal, Canada at the start of June 2023. Senior cybersecurity expert Tracy Bills, CERT/CC was elected to lead FIRST’s Board of Directors with the organization’s leadership team further strengthened with the appointment of Carlos Alvarez from ICANN to the Board.

(v1. Approved by FIRST Board 05-17-2023)

At FIRST, we believe that diversity is essential to achieving our missions of global cooperation and shared language. We embrace diversity in all its forms, reflecting the global and diverse membership of FIRST.

SIG updates: Human Factors in Security (HFS-SIG), EPSS SIG, SecLounge SIG; Remembering Andrew Cormack - by Serge Droz; Profile Deactivation on FIRST Portal; Board in Tokyo; Team Profiling - RWANDA NATIONAL CSIRT; Suguru Yamaguchi Fellowship Program; and New Teams.

The DNS Abuse SIG is very pleased to announce the publication of the DNS Abuse Techniques Matrix, the work of many months and a great number of people from various parts of the security and DNS worlds.

The Forum of Incident Response and Security Teams (FIRST) plans to hold its 35th Annual Conference with the theme ‘Empowering Communities,’ in Montreal, Quebec, Canada, from June 4 to 9, 2023. This six-day event brings the incident prevention community together with cyber security experts to foster information sharing, cooperation, and coordination. Typically, over 1,000 people from around the world attend.

"Long time no see!” was the most popular phrase at the TF-CSIRT – FIRST Regional Symposium in Bilbao, Spain. And it has been a long time indeed – last time we met all together was in Malaga in 2020. We had some virtual events in the meantime, but it was certainly nice to see old faces and meet new colleagues in real life. The first joint post-pandemic event took place from 30th of January to 2nd of February, kindly hosted by the Basque Cybersecurity Centre.

Upcoming Events - Bilbao, Kigali, Amsterdam; TF-CSIRT Meeting & 2023 FIRST Regional Symposium Europe; 2023 FIRST & AfricaCERT Symposium: Africa and Arab Regions; Date for your Diaries - Amsterdam 2023 FIRST Technical Colloquium, April 17-19; Chair Sherif Hashem and Board Member Michael Hausding participate in the FIRST & ITU-ARCC Regional Symposium for Africa and Arab Regions; First 100 days on the FIRST board; Are you interested in becoming a future board member?; Be a FIRST trainer! David Rüfenacht, Senior Threat Intelligence Analyst, provides a first-hand account; Special Interest Groups Update; Messaging Malware and Mobile Anti-Abuse Working Group (M3AAWG) and Forum of Incident Response and Security Teams (FIRST) Join Forces to Address Global Internet and Security Issues; Twenty More Members Join FIRST;

In September, ICANN invited me to talk about DNS Abuse at the ICANN75 AGM in Kuala Lumpur, Malaysia. It was a great success! My presentation ‘The Challenge of Defining DNS Abuse’ was well received, and many attending industry specialists asked good questions, especially about FIRST's work. I made many valuable connections, including people from ICANN, the DNS Abuse Institute, registries, registrars, CERTs, commercial companies, government organizations, and many more.

Traffic Light Protocol Version 2.0 is Now Available; FIRST delivers training in Uganda, and the Western Balkans; Peter Lowe speaks about DNS Abuse at ICANN75 AGM in Kuala Lumpur; FIRST Chair Sherif Hashem participates in the Cyber Diplomacy and Norms panel at The Second Community of African Cyber Experts; The World Opens - FIRST Events Round Up; Special Interest Groups Update and New NETSEC SIG Formed; The Board meets in Davos; Board of Directors Organization and Roles for 2022/23; Twenty new members join FIRST

The European Union Agency for Cybersecurity is dedicated to achieving a high common level of cybersecurity across Europe.
For more than 15 years, ENISA has played a key role in enabling digital trust and security across Europe, together with its stakeholders including the Member States and EU bodies and agencies.

The Forum of Incident Response and Security Team (FIRST) has updated the globally renowned Traffic Light Protocol (TLP) for the cybersecurity industry - a vital system used by organizations all around the world to share sensitive information. The new version of the TLP results from a thorough consultation with over 50 security industry experts over three years with the goals to standardize, unify and modernize the content and language and provide improved supporting materials.

Annual FIRST Conference in Dublin, the Republic of Ireland, is a triumph; Dr. Sherif Hashem is the new Chair of FIRST, and four new members join the FIRST Board of Directors; Four new additions to the FIRST Board of Directors; The FIRST 2021-22 Annual Report is now available; FIRST adds a New Director of Community and Capacity Building to the team; 34 new members join FIRST;

Just a few years ago, security orchestration, automation and response (SOAR) was the new buzzword associated with security modernization. Today, however, SOAR platforms are increasingly assuming a legacy look and feel. Although SOARs still have their place in a modern SecOps strategy, the key to driving SecOps forward today is no-code security automation. Read on to learn what lightweight security automation means, how it compares to SOAR and why SOARs alone won’t help you stay ahead of today’s security threats.

Last week FIRST learned that it is among a large group of organizations that were rejected from participating in the Open ended Working Group (OEWG) process, despite the groups expressed commitment to work with non-governmental organizations.

I want the needle, and the haystack to go along with it. Attackers take advantage of siloed data and security tools to exploit systems using misconfigurations and move laterally. This lateral movement across different attack surfaces has attackers flowing between the control plane and data plane of your environment to escalate privileges and seek out targeted access.

Over the past five days, 1,000 specialists representing six continents united in the cyber-crime fight at the Forum of Incident Response and Security Teams (FIRST) conference in Dublin, Ireland

From how Ukraine is dealing with cyber attacks against its critical infrastructure, to the rapidly growing access to online child sexual abuse material and the sophisticated approaches to ransomware, phishing, and online fraud as well discussing cooperation with the United Nations and with INTERPOL and law enforcement– no stone was left unturned for delegates working together to protect societies world-wide

DNS Abuse is a pretty widely used term. On the surface, it might seem like a simple term that's easily understood. But when you look more closely, the definition depends on your perception of the issue—and can be defined both broadly, or more narrowly.

I had the absolute pleasure of participating in and attending the recent FIRST Technical Colloquium at the W Hotel in Amsterdam, Netherlands, April 12–14. It was great to see nearly 100 people attend and over 50 people participating in training at this long-awaited in-person event. The program featured 17 speakers and two on-site trainers who held several popular workshops.

New Director of IT & Security role to bolster FIRST’s Business Plan; Upcoming Technical Colloquia, Symposiums, and Annual Conference; Last chance to nominate individuals or teams for the Incident Response Hall of Fame; FIRST contributes to important global policy and governance discussions; Mentors sought for new FIRST Mentorship Program; Eleven more member teams join FIRST; FIRST Infrastructure Updates - New Application Process

The Board of Directors strongly believes that FIRST should be an inclusive organization with broad global participation and collaboration to make the internet safe for everyone.

Three new Special Interest Groups created by FIRST members; FIRST partcipates in several important UN actvites; 19 events organized in 2021 - registraton opens for FIRST Annual Conference in 2022; Twelve more member teams join FIRST

Every incident response team globally is facing a serious increase of workload. As attackers scan and penetrate networks via automation, so must defenders look at automation.

Last month, I was honored to be one of the planners and participants of the FIRST Technical Colloquium (TC) in Norway. Organized by FIRST members, the event was held just outside of Oslo at the Telenor Expo, Telenor headquarters in Fornebu.

Norwegian members of FIRST to host a technical colloquium in Oslo in November; More FIRST events to add to your calendar; The FIRST Board of Directors meets across two continents to build our two-year business plan; Empowering Women in Cybersecurity: ITU, FIRST, and EQUALS Global Mentorship Pilot Program concludes; 16 more member teams join FIRST;

Did you miss our Virtual 33rd FIRST Annual Conference?; ICASI integrates into FIRST PSIRT SIG, bolstering the incident response and security team industry; FIRST Welcomes a new Chair and Five New Board of Directors; FIRST publishes its fifth Annual Reportt; A new fellowship team joins FIRST - Malawi CERT; Jeffrey Carpenter and Dan Kaminsky newly inducted into FIRST’s Incident Response Hall of Fame; FIRST membership continues to grow - we’re now at 575 members from 98 countries.

FIRST published its fifth Annual Report which covers the organization’s accomplishments towards its vision of bringing together incident response and security teams from every country across the world to ensure a safe internet for all. The report is available at FIRST Annual Report 2020-2021.

ICASI – the Industry Consortium for Advancement of Security on the Internet was officially integrated into the Forum of Incident Response and Security Teams (FIRST) on May 28, 2021. Established in 2008, ICASI’s purpose was to strengthen the global security landscape by driving excellence and innovation in security response practices; facilitating collaboration among members to analyze, mitigate, and resolve multi-stakeholder, global security challenges. This role will continue but as part of the existing FIRST PSIRT SIG, expand and improve the community’s ability to respond to vulnerabilities across multiple vendors. Founded in 1990, FIRST is the global leader in incident response.

33rd FIRST Annual Conference: Crossing Uncertain Times; Mark your calendars: FIRST reveals 2021 events calendar; FIRST welcomes its 97th country and member 562: Benin bjCSIRT; FIRST, ITU and Equals launches Women in Cyber Mentorship Program for Arab and Africa Regions; Get your nominations in for the third edition of The Incident Response Hall of Fame; New Podcast - FIRST Impressions - is launched!

This evolving and brutally effective threat can have a significant impact on an organization’s resources, finances, and reputation, but it can be stopped

Cyber Threat Intelligence (CTI) practitioners can gain insight into adversary operations by tracking conflicts or geopolitical tensions. Similar to a “follow the money” approach in criminal investigations, looking at conflict zones can reveal cyber capabilities deployed as part of events —either by the parties to the conflict itself, or third parties interested in monitoring events for their own purposes.

Over 2500 Cybersecurity Professionals Participate In 32nd FIRST Annual Conference - Where Defenders Share. 2021 33rd Annual Conference Theme And Call For Papers. 2020 FIRST Virtual Symposium For Africa And The Arab Region - Supporting The Effectiveness Of Incident Response Within Africa. Ian Cook And Don Stikvoort Receive Joint Honors In The Incident Response Hall Of Fame Awards. New Code Of Ethics Launched On Global Ethics Day. FIRST Partners With Itu And Equals Global Partnership To Empower Women In Cybersecurity. FIRST To Contribute To Itu National Cybersecurity Strategy Guide. Mou Signed Between First And Ocf To Advance Membership Of Incident Responders And Security Teams Across The Globe. Reminder - 2021 First Membership Renewal.

Cyber Threat Intelligence (CTI) practitioners can gain insight into adversary operations by tracking conflicts or geopolitical tensions. Similar to a “follow the money” approach in criminal investigations, looking at conflict zones can reveal cyber capabilities deployed as part of events —either by the parties to the conflict itself, or third parties interested in monitoring events for their own purposes.

Last weekend we issued a ransomware alert about a wave of attacks using a never-seen-before strain dubbed ‘Pay2Key.’ Our investigation suggested the ransomware operators were mostly targeting Israeli companies. The ransomware used in the attacks spread rapidly across victims’ networks, leaving significant parts of the network encrypted along with a ransom note, threatening to leak stolen corporate data unless the ransom is paid.

Los equipos de respuesta a incidentes de seguridad necieron tras el considerado primer gran ciberataque mundial, provocado por el 'virus Moris', en 1988.

October 21, 2020 – following a global consultation, the Forum of Incident Response and Security Teams (FIRST) is launching new ethics guidelines for incident response and security teams today on Global Ethics Day. ethicsfIRST provides guidance for cybersecurity professionals on how to conduct themselves professionally and ethically during incidents. Inspired by Earth Day, Global Ethics Day provides an opportunity for organizations to explore the meaning of ethics in international affairs

2020-2022 Board Announced. Welcoming a new board member – Shawn Richardson. FIRST reveals its new Vision and Mission. FIRST 32nd Annual Conference – Virtual Edition. Tips on how to publish your ideas in peer-reviewed journals. Code of Conduct – A Reminder. Infrastructure update. Have you read our new Annual Report yet?

The results of the 2020 FIRST Board of Directors election follow:

  • Alexander Jaeger (Google IRT)
  • Serge Droz (Liaison,Proton-CERT)
  • Dave Schwartzburg (Cisco Systems)
  • Javier Berciano (Liaison,One eSecurity)
  • Shawn Richardson (NVIDIA)

The full board list can be found here. Thank you to all of the candidates who ran in the election.

July 27th, 2020 - The Forum of Incident Response and Security Teams (FIRST) is proud to publish its fourth Annual Report today. The report details the organization’s achievements towards building a mature global incident response community. It covers the period between the 2019 conference in Edinburgh, Scotland and July 2020. FIRST Annual Report 2019-2020

2020 Agm & Election. 2020 Conference update and impact of Covid-19. First 2020 CTI Symposium in Switzerland moved online. First to Review the Traffic Light Protocol standard to increase global adoption. First updates coordination principles for Multi-Party Vulnerability Coordination and Disclosure. First and Mitre Engenuity partner to expand The Global Understanding of Adversary Behaviors. More new partnerships forged to make the internet safe for everyone. Virtual site visits currently available for new applicants. Critical VPN vulnerabilities show the need for proactive risk scanning. ISO and standards update. New breach workshop materials available. A new initiative to build trust. First infrastructure update Portal & SSO.

Málaga Hosts the first European Symposium and Tf-Csirt Meeting for Global Security Experts. FIRST participates in the un’s Development of Cyber Norms. FIRST Technical Colloquium - Ljubljana, Slovenia. FIRST releases updated computer security incident response team (CSIRT) Services Framework – Version 2.1. SPECIAL RECOGNITIONS – Member Awarded Order Of Three Stars In Latvia. Raising awareness of FIRST. First Infrastructure Update - Member Portal & Identity Project. Annual Conference and Annual General Meeting update

Internet Hall Of Fame inducts the late Suguru Yamaguchi. FIRST launches Women In Cybersecurity Initiative. FIRST Metrics SIG Webinar series re-launched. FIRST Infrastructure Update. “Insure” you participate in this call. A warm welcome to our 500th member - Versia. Improving Security Together.

The Emergence of Computer Security Incident Response, 1989–2005, by Rebecca Slayton and Brian Clarke (available in PDF).

October 9th, 2019 – As the year draws to a close, it is time for businesses across all industries and sectors to reflect and prepare for the upcoming new year. With this in mind, premier organization and recognized global leader in incident response - Forum of Incident Response and Security Teams (FIRST) has produced 11 vital steps that organizations should take to improve their incident response strategy.

Bringing together Security and Incident Response teams from around the globe.

Is content king? Fisher argues data alone can lead us astray, instead, it is the story we should focus on. With a presentation loaded with artwork and visuals, Fisher hopes to teach statistic savvy security responders to see the bigger picture. What patterns appear when we take a step back? What narrative does the evidence summon? Question your answers and dive into this discussion with Chris and Martin.

Not EVERYONE who tweets from the toilet at 6 in the morning is a Narcissist.” In this episode, Chris and Martin dive into a discussion with data savvy Monica Whitty about how to spot and stop an insider threat. Unfortunately, most insider attacks we never see coming, but as Whitty explains, hindsight can be a tool. Realizing that not every perpetrator is evil or malicious, companies can begin to see the data for what it really is: people. Navigate psychological factors and learn to spot warning signs in this perceptive podcast!

September 18th, 2019 – At FIRST we strongly believe that in order to build a global cybersecurity incident response community, from which every company or user participating in the Internet can benefit, we should all work to limit the impact of sanctions or export regulations on incident responders. This includes being a forum where technology corporations such as Huawei, have the ability to participate the same as others.

No computers, no worries! After favorable feedback from the 2018 Conference, Chiyuki and her team returned this year with even more tabletop fun. Chris and Martin get the inside scoop on how a little friendly competition creates an international platform for learning. Without technology, red and blue teams ultimately work together to solve a handful of security scenarios in this Choose Your Own Adventure style exercise.

July 21st 2019 - The Forum of Incident Security Response Teams, Inc. (FIRST) is pleased to release the CSIRT Services Framework Version 2.0 (PDF). This version is heavily based on the lessons learned from our work on the PSIRT Services Framework and feedback received from practitioners. The volunteers contributing to took time to restructuring the previous versions to address recognized weaknesses. Because of this, we ask for feedback from all interested parties which will then become incorporated in the planned Version 2.1.

July 12th, 2019 - The Forum of Incident Response and Security Teams (FIRST) has published an update of its internationally recognized Common Vulnerability Scoring System (CVSS). CVSS is a common scoring system designed to provide open and universally standard severity ratings of software vulnerabilities for the security community. Used by organizations worldwide, version 3.1 documentation is now available on the FIRST website for members and non-members to reference.