| CARVIEW |
Select Language
HTTP/2 301
content-type: text/html; charset=UTF-8
access-control-allow-origin: *
cache-control: private, no-cache, no-store, must-revalidate, max-age=0, s-maxage=0
content-security-policy: default-src 'none'; style-src 'self' 'unsafe-inline' https:; img-src 'self' https: data:; font-src 'self'; script-src 'self' 'unsafe-eval' https://*.first.org https://unpkg.com; form-action 'self'; media-src 'self' *.first.org; connect-src 'self' https://api.first.org; object-src 'none'; frame-src https:; frame-ancestors 'self' https://*.first.org; base-uri 'self'
location: https://www.first.org/global/sigs/le/
referrer-policy: same-origin
server: nginx
x-content-type-options: nosniff
x-frame-options: SAMEORIGIN
x-xss-protection: 1; mode=block
accept-ranges: bytes
date: Mon, 06 Oct 2025 01:53:37 GMT
via: 1.1 varnish
x-served-by: cache-bom-vanm7210054-BOM
x-cache: MISS
x-cache-hits: 0
x-timer: S1759715617.871489,VS0,VE1108
strict-transport-security: max-age=31557600
alt-svc: h3=":443";ma=86400,h3-29=":443";ma=86400,h3-27=":443";ma=86400
content-length: 119
HTTP/2 200
content-type: text/html; charset=UTF-8
access-control-allow-origin: *
cache-control: public, max-age=3600, s-maxage=3600
content-encoding: gzip
content-security-policy: default-src 'none'; style-src 'self' 'unsafe-inline' https:; img-src 'self' https: data:; font-src 'self'; script-src 'nonce-C_Axt6GVOInuol6CH0bfbQ' 'strict-dynamic' 'self' 'unsafe-eval'; form-action 'self'; media-src 'self' *.first.org; connect-src 'self' *.first.org; object-src 'none'; frame-src https:; frame-ancestors 'self'; base-uri 'self'
last-modified: Mon, 29 Sep 2025 15:17:37 GMT
referrer-policy: same-origin
server: nginx
x-content-type-options: nosniff
x-frame-options: SAMEORIGIN
x-xss-protection: 1; mode=block
accept-ranges: bytes
age: 0
date: Mon, 06 Oct 2025 01:53:39 GMT
via: 1.1 varnish
x-served-by: cache-bom-vanm7210054-BOM
x-cache: MISS
x-cache-hits: 0
x-timer: S1759715618.993365,VS0,VE1241
vary: accept-encoding, Accept-Encoding
strict-transport-security: max-age=31557600
alt-svc: h3=":443";ma=86400,h3-29=":443";ma=86400,h3-27=":443";ma=86400
content-length: 7363
Law Enforcement SIG
- About FIRST
- Mission Statement
- Strategy Framework
- History
- Sustainable Development Goals
- Organization
- FIRST Policies
- Anti-Corruption Policy
- Antitrust Policy
- Bylaws
- Board duties
- Bug Bounty Program
- Code of Conduct
- Conflict of Interest Policy
- Document Record Retention and Destruction Policy
- FIRST Press Policy
- General Event Registration Refund Policy
- Guidelines for Site Selection for all FIRST events
- Identity & Logo Usage
- Mailing List Policy
- Media Policy
- Privacy Policy
- Registration Terms & Conditions
- Services Terms of Use
- Standards Policy
- Statement on Diversity & Inclusion
- Translation Policy
- Travel Policy
- Uniform IPR Policy
- Whistleblower Protection Policy
- Partnerships
- Newsroom
- Procurement
- Jobs
- Contact
- Membership
- Initiatives
- Special Interest Groups (SIGs)
- SIGs Framework
- Academic Security SIG
- AI Security SIG
- Automation SIG
- Cybersecurity Communications SIG
- Common Vulnerability Scoring System (CVSS-SIG)
- CSIRT Framework Development SIG
- Cyber Insurance SIG
- Cyber Threat Intelligence SIG
- Curriculum
- Introduction
- Introduction to CTI as a General topic
- Methods and Methodology
- Priority Intelligence Requirement (PIR)
- Source Evaluation and Information Reliability
- Machine and Human Analysis Techniques (and Intelligence Cycle)
- Threat Modelling
- Training
- Standards
- Glossary
- Communicating Uncertainties in CTI Reporting
- Webinars and Online Training
- Building a CTI program and team
- Curriculum
- Detection Engineering & Threat Hunting SIG
- Digital Safety SIG
- DNS Abuse SIG
- Stakeholder Advice
- Detection
- Cache Poisoning
- Creation of Malicious Subdomains Under Dynamic DNS Providers
- DGA Domains
- DNS As a Vector for DoS
- DNS Beacons - C2 Communication
- DNS Rebinding
- DNS Server Compromise
- DNS Tunneling
- DoS Against the DNS
- Domain Name Compromise
- Dynamic DNS (as obfuscation technique)
- Fast Flux (as obfuscation technique)
- Infiltration and exfiltration via the DNS
- Lame Delegations
- Local Resolver Hijacking
- Malicious registration of (effective) second level domains
- On-path DNS Attack
- Stub Resolver Hijacking
- Detection
- Code of Conduct & Other Policies
- Examples of DNS Abuse
- Stakeholder Advice
- Ethics SIG
- Exploit Prediction Scoring System (EPSS)
- FIRST Multi-Stakeholder Ransomware SIG
- Human Factors in Security SIG
- Industrial Control Systems SIG (ICS-SIG)
- Information Exchange Policy SIG (IEP-SIG)
- Information Sharing SIG
- Law Enforcement SIG
- Malware Analysis SIG
- Metrics SIG
- NETSEC SIG
- Public Policy SIG
- PSIRT SIG
- Red Team SIG
- Security Lounge SIG
- Security Operations Center SIG
- Threat Intel Coalition SIG
- Traffic Light Protocol (TLP-SIG)
- Transportation and Mobility SIG
- Vulnerability Coordination
- Vulnerability Reporting and Data eXchange SIG (VRDX-SIG)
- Women of FIRST
- CCB Initiatives
- FIRST CORE
- Internet Governance
- IR Database
- Fellowship Program
- Mentorship Program
- IR Hall of Fame
- Victim Notification
- Volunteers at FIRST
- Previous Activities
- Special Interest Groups (SIGs)
- Standards & Publications
- Events
- Education
- Blog
Law Enforcement SIG
Mission
CERTs / CSIRTs operate within the cybersecurity domain dealing with attacks and incidents, while law enforcement agencies are responsible for countering and combatting cybercrime. The former is generally understood to adopt a more proactive stance of protecting ICT infrastructure while the latter is focused on crime prevention, detection, investigation and disruption. Nevertheless, there are areas of convergence in approaches dealing with cybersecurity and cybercrime since these approaches serve to fulfil the common goal of ensuring a safer cyberspace for citizens, businesses and societies to thrive.
Current factors hindering closer cooperation between law enforcement and CERTs / CSIRTs include a lack of understanding of respective mandates, perceived duplication of responsibilities such as in intelligence analysis and incident response, disparities in capacity and capabilities between agencies, and a lack of trust.
Hence, the proposed Group aims to achieve the following objectives:
- To further co-operation between the CERT / CSIRT community and Law Enforcement through the development of better understanding of organizational missions and specific requirements, and producing practical trust and information-sharing protocols.
- To enable contact, exchange of experiences and best practice and foster better understanding between FIRST members within law enforcement and other private and public FIRST members on work to prevent and counter cybercrime and other cyber threats.
- To provide standards / guidance on how to establish cooperation between CERTs/CSIRTs and law enforcement agencies at national level, and to develop relevant documentation to help the stakeholders understand the importance of cooperation between law enforcement and CERTs / CSIRTs.
Goals & Deliverables
Goals:
- Foster better understanding by CERTs / CSIRTs of the law enforcement components of prevention, detection, investigation and disruption of cybercrime
- Promote better understanding by law enforcement of the CERT / CSIRT components or protection against, detection of and response to cybersecurity incidents
- Enhance knowledge of existing channels, platforms and mechanisms for collaboration in incident response, information sharing and capabilities development,, including FIRST, INTERPOL and regional police organizations
- Enable closer contact between law enforcement and CERT / CSIRT for increased collaboration and coordination of response operations against cybercrime, cyber incidents and threat actors
- Develop processes for engagement and activation of respective capacities (e.g. threshold for activation, processes and legal regulations of such engagement) for:
- Proactive activities including horizon scanning, threats / trends and TTPs
- Reactive activities such as incident response and criminal investigations / prosecution
Deliverables:
- Take stock of current practices for collaboration and exchange between law enforcement agencies and CERTs / CSIRTs
- Examine modalities for collaboration and coordination of joint disruption operations between law enforcement and CERTs / CSIRT
- Threat assessment and notification processes within private entities and non-law enforcement public entities (CERTs / CSIRTs)
- Understanding modus operandi of threat actors and how CERTs / CSIRTs and law enforcement can better align efforts to disrupt these actors
Chair
- Ibrahim Al Mahmoud, INTERPOL
- Initiatives
- Special Interest Groups (SIGs)
- SIGs Framework
- Academic Security SIG
- AI Security SIG
- Automation SIG
- Cybersecurity Communications SIG
- Common Vulnerability Scoring System (CVSS-SIG)
- CSIRT Framework Development SIG
- Cyber Insurance SIG
- Cyber Threat Intelligence SIG
- Curriculum
- Introduction
- Introduction to CTI as a General topic
- Methods and Methodology
- Priority Intelligence Requirement (PIR)
- Source Evaluation and Information Reliability
- Machine and Human Analysis Techniques (and Intelligence Cycle)
- Threat Modelling
- Training
- Standards
- Glossary
- Communicating Uncertainties in CTI Reporting
- Webinars and Online Training
- Building a CTI program and team
- Curriculum
- Detection Engineering & Threat Hunting SIG
- Digital Safety SIG
- DNS Abuse SIG
- Stakeholder Advice
- Detection
- Cache Poisoning
- Creation of Malicious Subdomains Under Dynamic DNS Providers
- DGA Domains
- DNS As a Vector for DoS
- DNS Beacons - C2 Communication
- DNS Rebinding
- DNS Server Compromise
- DNS Tunneling
- DoS Against the DNS
- Domain Name Compromise
- Dynamic DNS (as obfuscation technique)
- Fast Flux (as obfuscation technique)
- Infiltration and exfiltration via the DNS
- Lame Delegations
- Local Resolver Hijacking
- Malicious registration of (effective) second level domains
- On-path DNS Attack
- Stub Resolver Hijacking
- Detection
- Code of Conduct & Other Policies
- Examples of DNS Abuse
- Stakeholder Advice
- Ethics SIG
- Exploit Prediction Scoring System (EPSS)
- FIRST Multi-Stakeholder Ransomware SIG
- Human Factors in Security SIG
- Industrial Control Systems SIG (ICS-SIG)
- Information Exchange Policy SIG (IEP-SIG)
- Information Sharing SIG
- Law Enforcement SIG
- Malware Analysis SIG
- Metrics SIG
- NETSEC SIG
- Public Policy SIG
- PSIRT SIG
- Red Team SIG
- Security Lounge SIG
- Security Operations Center SIG
- Threat Intel Coalition SIG
- Traffic Light Protocol (TLP-SIG)
- Transportation and Mobility SIG
- Vulnerability Coordination
- Vulnerability Reporting and Data eXchange SIG (VRDX-SIG)
- Women of FIRST
- CCB Initiatives
- FIRST CORE
- Internet Governance
- IR Database
- Fellowship Program
- Mentorship Program
- IR Hall of Fame
- Victim Notification
- Volunteers at FIRST
- Previous Activities
- Special Interest Groups (SIGs)