Information Sharing SIG
Mission
In recent years it has become clear that in order to better protect enterprises, governments and academia, there is a need for the fast, machine-to-machine exchange of threat-related information. Using such mechanisms, there only needs to be a first victim; all others can immediately protect themselves against the newly known malicious activity.
While FIRST has for some time not had an operational incident response component, the organization maintains mailing lists and IRC channels which are still frequently used for the exchange of threat-related information. We believe the organization would benefit from allowing such exchange to take place over an automated channel. This way, threat information can be exchanged in the most effective way possible, while security responders use the mailing lists and other non-structured channels for the exchange of higher-level analysis. "The computers can do the hard work, while the engineers can do the smart work."
We are proposing the development of a SIG within FIRST which focuses on the development and management of standards for information sharing and threat intelligence amongst the membership. This will include the development of a small information exchange platform for the FIRST membership to validate these concepts and enable our members to use them. However, the group will focus less on tooling and more on how to make the information usable to the membership. It will produce sample code, guidelines on how to encode information, and where necessary identify methods to connect various information exchanges together.
While the platform will be open to all FIRST members, and not just members of the SIG, the SIG will coordinate the direction and development of the platform as a formal FIRST service.
The core mission is to support existing and new FIRST members to practice information sharing and acquire feedback from the members to improve the information sharing practices.
Goals & Deliverables
During the first year, we aim to:
- Deploy an information sharing platform for FIRST mainly used for educational purposes;
- Develop initial ties to other platforms to ensure access to valuable initial data sets for FIRST members;
- Develop guidelines for FIRST members on how to encode their own threat information for use with the Information Sharing platform;
- Identify other core platforms to target for interoperability in year 2, including on-premise MISP, other systems such as CRITs, and new developments within the community.
Over time, we plan to work towards the following goals:
- Contribute to the development of standards for threat intelligence;
- Contribute sample import and export scripts from our platform to common tools within the CSIRT community, or to a core information exchange protocol (e.g. STIX);
- Participate in, or contribute from the FIRST community to, external working groups and standards organizations on information sharing;
- Either extend existing taxonomies, or propose new ones where needed.
Chairs
- Jeff Boerio, Intel, co-chair
- Alexandre Dulaunoy, CIRCL, co-chair
Initial Members
- Thomas Schreck, Siemens
- Aaron Kaplan, CERT.at
- Maarten Van Horenbeeck, Amazon
FIRST MISP Instance
FIRST operates a Malware Information Sharing Platform (MISP) instance supported by CIRCL. MISP is a community-driven software project that enables the sharing, storing and correlation of Indicators of Compromise from targeted attacks. The instance is open and automatically enabled for all FIRST members.