Improving cyber resilience worldwide

We live in an era in which cyber threats are commonplace. To safeguard our digital ecosystem, it is imperative to continue to foster trusted collaboration in cybersecurity incident management.

Text: Roland Eugster, published on 29. February 2024

Silvio Oertli, Head of Switch-CERT (Computer Emergency Response Team) for Swiss universities and the registry. He also chairs the TF-CSIRT Steering Committee. Photo: Switch

Against the backdrop of an ever-changing cyber threat landscape, Cyber Security and Incident Response Teams (CSIRTs) play a key role in managing and mitigating cybersecurity incidents. Celebrating three decades of international collaboration within a global community of trusted experts in Europe, the Open CSIRT Foundation is organising a unique event, the Open Cyber Security Conference (OCSC) at the end of February. To share the historical journey of the CSIRT Task Force, OCSC engaged in a conversation with Silvio Oertli, Chair of the TF-CSIRT Steering Committee.

This interview was originally published at https://www.ocsc.info/insights/news/30-years-a-look-at-the-tf-csirt-community/.  

OCSC: Silvio, as we mark 30 years of the TF-CSIRT Community, could you reflect on the most significant milestones in terms of collaboration and impact within the cyber security incident response landscape?

Silvio Oertli: Even though I haven't been in the community that long, I can imagine the milestones that have had a big impact on the way the community has worked together in these times.

Like everything else, the incident response community seems to have started with a big incident. Back in 1989, the "Wank Worm" incident, which primarily affected NASA, showed that incident response teams around the world needed to improve their cooperation and communication with each other. Based on that, FIRST (Forum of Incident Response and Security Teams) was formed in the US as an answer to that question.

I think the idea of TF-CSIRT was the inspiration that in 1993 a few CSIRT teams, initiated by CERT-NL (SURFcert) and DFN-CERT, got together and decided to have regular meetings. With the fact that more and more universities introduced the Internet and computers at their sites, CSIRTs were established as a national research and education network community in Europe. At that time, the Trans-European Research and Networking Association (TERENA), the forerunner of GÉANT, wanted to create a central EuroCERT to co-ordinate the interaction of teams in Europe in the event of a major incident. For a number of reasons, this approach failed after three years and, in my opinion, this was necessary to form what we have today.

In 2000, at a meeting in Paris, the teams involved in EuroCERT decided that instead of having a central body coordinating the teams and providing fully fledged services supported by the members, each team should have its own portfolio and the teams should remain in a regularly organised and volunteered collaborative environment.

So instead of this planned top-down approach, the peer-to-peer network between the teams that we have today was formed. This Task Force (TF-CSIRT) has been more than well supported by TERENA and later by GÉANT over the years. The community has been able to grow, to include new teams, to develop training for new and old members of this community. Each for itself, but all together.

The TF-CSIRT was formed from the CSIRTs of the NRENs but was never limited to them. From the beginning, the TF-CSIRT also liked to work with other organisations such as FIRST or CERT/CC, so that even in different organisations a common sense of cooperation was established worldwide.

Another milestone was the establishment of ENISA, the European Union Agency for Cyber Security, in 2004, and in 2016, with the entry into force of the NIS Directive 1, the "CSIRTs Network" consisting of the national teams of the EU Member States and CERT-EU was established. The fact that each EU Member State now has a CSIRT team connected to peers in this formal network, and that many of the teams were already members of the TF-CSIRT before joining the CSIRTs Network, has extended the network and made incident handling even easier.

In 2010, the community developed a framework called SIM3 to measure the maturity of security incident management in teams. The TF-CSIRT community started with the ability to certify your team against this framework. The framework is not only to show others how mature you are, but the fact that you have to be re-certified every three years always gives you an indication of where you need to improve. So, even in 2010, no one expected that many teams would go for certification, but more and more are doing so.

The last milestone for the TF-CSIRT community was September 2022, when we changed the organisational structure from a task force as part of GÉANT to a foundation, the Open CSIRT Foundation. This move should allow us to deliver more value to the community by integrating the great input and support from GÉANT and RIPE NCC. Yes, we have used the move to get closer to the RIPE community, as we have seen that in addition to academic, government and commercial teams, more and more teams from Internet Service Providers are joining us.

Looking ahead, what are the strategic priorities for the TF-CSIRT Community? How do these priorities align with global cyber security trends and the emerging challenges that incident response teams face?

The main focus of the community is to enable the sharing of information, techniques and best practices. I think today it is not possible for everyone to know everything about cyber security. So, it is more important that you know someone who knows someone who can help you in an incident. Also, that you know what kind of mistake others have made when building a service, during an incident or when trying to analyse something. But it's important that people share their successes and failures. With this in mind, we have introduced training sessions at our meetings to share knowledge and have kept the closed session for teams to talk about failures. In the case of the TRANSITS training, we also like to stick to a volunteer model, so that trainers from the community can talk about the "daily life of an incident responder".

Given the challenges of lack of funding and lack of computer specialists, we try to keep our meetings and training as affordable as possible.

Collaboration is vital in effective incident response. How is the TF-CSIRT Community working to deepen engagement and cooperation among its members, and potentially, with other global incident response entities?

When you have a community like this, it is always a challenge to build up the level of trust needed for good collaboration. Most of the time this collaboration is held together by personal contacts. We like to support these bridges with time for social interaction at our meetings. However, it can happen that teams disagree about certain things or even distrust each other because of a problem that has happened. For this reason, TF-CSIRT has always had a formal "Dispute Resolution Procedure" to talk to each other with the aim of resolving the situation.

Considering the themes of this year's Open Cyber Security Conference, how does TF-CSIRT's mission resonate with the discussions and initiatives being highlighted at the OCSC? Additionally, could you share any specific expectations or outcomes that TF-CSIRT anticipates from this conference in terms of forging new partnerships, knowledge exchange, or strategic developments?

We're looking forward to seeing new people at the conference, expanding our peer-to-peer network, welcoming representatives from similar initiatives around the world and building trust with colleagues. We believe that the success of good incident handling today is the result of fast and good cooperation between teams.

Links

Open CSIRT Foundation
GÉANT
TF-CSIRT
FIRST
SURFcert
DFN-CERT
EuroCERT
ENISA
RIPE NCC
TRANSITS

Roland Eugster, Senior corporate communications specialist, Switch