Trusted communities for greater cybersecurity

Trusted communities are the lifeblood of cybersecurity, even when they work in the background, and they are vital to effectively keeping attackers at bay.

Text: Frank Herberg, published on 29.04.2021

In 1988, one of the first pieces of computer malware – named the Morris worm after its developer – incapacitated a large share of the internet, which at the time was still a modest system comprising about 60,000 computers. This development gave birth to the idea of responding to future online security incidents with Computer Emergency Response Teams (CERTs). These teams of computer experts would be deployed whenever someone caused trouble on the internet and the resulting damage needed to be contained as quickly as possible. The launch of the first-ever ransomware attack – the AIDS Trojan – just one year later further confirmed the need for CERTs.

But the teams of IT security experts soon realised that there was often a limit to what they could do on their own. The CERTs had to network with one another so they could coordinate countermeasures to attacks that crossed national borders. And another factor was also key in this exchange: each team of specialists needed to learn about new security incidents from other groups as quickly as possible so it could efficiently protect its own infrastructure. The global Forum of Incident Response and Security Teams (FIRST) was established in 1990 for this very purpose. Its goal was to enable and encourage exchange between CERTs around the world through networking, communication, building trust and cooperation.

Now, over three decades later, the threat situation has fundamentally changed. The damage caused by cybercrime is growing every year, with global damage estimated at a trillion dollars for 2020 alone. What might be a lucrative business field for attackers is a growing challenge for IT security experts, which is why the issue of trusted communities has become all the more important. The reasons are the same as they were 30 years ago: CERTs need to learn from one another quickly and work together efficiently whenever an incident occurs.

Here are a few examples of trusted communities:

  • Sector-specific CERTs: SWITCH operates sector-specific CERTs with trusted communities for Swiss universities, banks, industry and logistics, as well as the energy sector. The parties involved have known one another for many years and openly exchange detailed information about the latest security incidents in the sector in regular teleconferences and meetings. If dialogue is to remain open, it is vital that the group of individuals remains manageable and that everyone knows one another, that they strictly adhere to the agreed rules, and that they contribute.
  • Security researchers: Security researchers and malware analysts are dealing with far more than just the Morris worm and the AIDS Trojan these days. Modern malware and the infrastructure behind it are far more complex. No individual working alone could ever capture all the active families of malware. The only way for today’s experts to succeed is to work closely together on a global scale in confidential, closed ‘lists’. This requires them to maintain an excellent reputation and an active presence over the years. In a group like this, spying on colleagues or failure to abide by the rules would have fatal consequences.
  • CERT forums: CERTs often organise themselves into geographical and sector-specific forums. Here, too, the focus is on exchanging information about – and cooperating during – acute security incidents. During FIRST conferences, CERTs with the same sector-specific problems arrange themselves into smaller groups, facilitating closer exchange than a larger forum generally allows. Clear rules and active involvement are vital here too.

As different as trusted communities are, the basic rules for success always remain the same: participants need to make themselves personally known and get involved in the group. And information must only be used under the agreed conditions. What’s more, many of these communities aren’t open to the public, and admission is often by invitation only following a security check. And just like anything else in life, trust is something that takes time to build up, but it can be destroyed in an instant.

A trusted community with eight to ten participants naturally operates differently than one with over 500 parties. I asked Dr Serge Droz, Chair of FIRST and Senior Security Engineer at Proton Technologies, what role cooperation plays in cybersecurity, both on a national and an international level:


The global cybersecurity community is highly unusual in that we share our information and knowledge with the competition because we have a common enemy. Often, this adversary doesn’t care who they attack, as long as the end result is right for them. So it’s clear that security teams have to work together. Simply put, we don’t stand a chance of achieving anything on our own. This rings true for private companies and countries alike. At FIRST conferences, the individuals exchanging ideas are usually from similar organisations, so they’re actually in competition with each other. The reason for this is clear: you talk because you have the same problems.

Dr Serge Droz, Chair of FIRST and Senior Security Engineer at Proton Technologies

I also asked Dr Droz what role trust plays and how to achieve it in a global context:

Trust is the air that CERTs breathe. You can’t survive without it. Trust is something human that can’t be automated or contracted. Incident responders build trust through joint collaboration and social sharing. It’s important to have a common goal. In our community, it’s to protect internet users. Experience shows that contracts and NDAs are irrelevant. What is important, though, is that teams clearly understand their roles and that they are transparent. Establishing a CERT within an intelligence agency doesn’t exactly inspire trust. FIRST has published a code of ethics to help teams act in a way that builds trust.

Dr Serge Droz, Chair of FIRST and Senior Security Engineer at Proton Technologies

Today, FIRST comprises 566 teams worldwide. At the forum’s conferences, you can really sense the outstanding commitment to the common cause, despite geographical distances. And this, in turn, is the ideal condition for building trusting relationships that can then be specifically expanded in smaller groups – or in trusted communities. SWITCH has been an active FIRST member since 1995.

FIRST code of ethics

About the author
Frank Herberg

Frank Herberg has been working for SWITCH since 2012 and, as Head of SWITCH-CERT (Commercial Sectors), he is responsible for the Banking, Industry & Logistics and Energy customer sectors.

#Security

This article was first published at inside-it.ch and inside-channels.ch (in German only) as part of SWITCH's #Security column. The column appears six times a year. Security experts from SWITCH independently express their opinions on topics relating to politics, technology and awareness of IT security.
