The Forum of Incident Response and Security Teams (FIRST) is a global organisation that aims to enable its members – incident response teams around the globe – to respond more effectively to security incidents. FIRST builds its success around two major ingredients: trust and cooperation. Here's why and how.
FIRST consists of security incident response teams like SWITCH-CERT, from governmental, commercial and educational organizations. The FIRST mission statement – “FIRST is an international confederation of trusted computer incident response teams who cooperatively handle computer security incidents and promote incident prevention programs” – highlights two important ingredients of a successful response to international security incidents: trust and cooperation. Building trust between teams from 84 countries is one of the biggest challenges for the organisation, as this is the basis for all cooperation. Working relations within the FIRST community are built on trust, not on contracts. This is why FIRST has a special procedure for onboarding new members. New members need to find two sponsors who evaluate the new team on a site visit to make sure it fulfils all the requirements of the FIRST community and has the capacity to protect sensitive incident information shared within the community. Building and expanding a trusted network to share incident information via secure channels is one of the elements of FIRST’s incident response strategy.
Becoming a FIRST member is only the first step. It allows a team to meet and collaborate with other teams and to start building trust. To enable new teams to develop and enhance their capabilities, FIRST provides an education and training programme for members. On the FIRST training website, multiple courses developed by FIRST are available for free. While providing training material at no extra charge helps educate new teams, it doesn’t help to build trust. That’s why FIRST also offers training for new and developing teams, delivered face to face on site. Serge Droz, FIRST Director of Education, explains: "During an incident, teams from different regions need to collaborate. It is important that these teams around the globe have a common understanding of terms and issues, otherwise incident handling becomes impossible. Thus, education is one of FIRST's strategic activities. But a FIRST training course needs to be more than just a means of passing along dry knowledge." Trainers like me are volunteers from the FIRST community. I have volunteered to deliver the FIRST training classes wherever needed.
After delivering basic training in Ulaanbaatar in 2016, I was asked by Otgonpurev Mendsaikhan from the Mongolian CERT MNCERT/CC to conduct advanced training in 2017. Together with Pawel Pawlinski from CERT Polska, we ran a three-day advanced training session for the members of MNCERT/CC and the local incident response community. Having experienced trainers share their knowledge with new teams is exactly what the training program wants to achieve, says Serge Droz: "FIRST trainers, all volunteers, help to welcome participants into the community and share their extensive experience as a living example of 'Improving security together'."
To illustrate the benefits of participation in the FIRST community, I asked Otgonpurev Mendsaikhan from the Mongolian CERT MNCERT/CC some questions:
FIRST gives us the ability to get in touch with organisations with greater expertise directly in case of incidents. We learn from interaction with them and use FIRST as an opportunity to improve ourselves.
Besides quality improvements as a direct result of the training, they make it possible for the security community to meet face to face, which otherwise would not be easy to do given their full-time jobs and other commitments.
In my opinion, capacity building and financial stability are the most critical factors. I believe that our decisions and actions over the next few years will define the long term status of the field of information security in Mongolia.
I think face to face events like the FIRST Annual General Meetings (AGMs) and the Technical Colloquiums (TCs) are crucial for establishing relationships and building a trusted network. Unfortunately, meetings which require extensive travelling, like the AGM, are too expensive for new and struggling organisations like us.