FIRST Multi-Stakeholder Ransomware SIG
Mission
The FIRST Multi-Stakeholder Ransomware SIG will foster collective action among FIRST constituents, peer security organizations, and other groups focused on ransomware response, mitigation, remediation, investigation, and prevention. The SIG will focus first on empowerment tools that help the constituent communities, and on resource collection so that SIG participants have one place to “check first” for ransomware investigation resources. Curating and instigating data collection and analysis will be a key focus, giving the community tools to track impact, consequences, and loss. This would allow the SIG to select the next phase of joint action whose impact can be measured.
The Multi-Stakeholder element would include M3AAWG, APWG, and other allied efforts that share trust interests with FIRST and in which FIRST members participate.
Goals & Deliverables
The FIRST Multi-Stakeholder Ransomware SIG’s initial goals would focus on quick wins: pulling all the resources together into one location, building a rhythm of consultation, and finding elements of action. As mentioned in the lead of the SIG:
- Ransomware cannot be solved by a single stakeholder, country, or organization. It is a global problem, with multiple stakeholders, that damages society.
- Ransomware will not be solved with short-term solutions. Its growth is rooted in the ability of criminals to succeed without consequence. Coordinated, persistent multi-stakeholder action is required to inflict consequences on the threat actors. This requires long-term institutionalized thinking.
The initial goals and deliverables of the group are:
1. Establish three regular working groups/consultation times.
   1.1. The first would focus on collecting materials to enable a “one stop” for any organization looking for the best ransomware help.
   1.2. The second would focus on collective action and data analytics action that influence 1.1 and 1.3.
   1.3. The third focuses on international policy recommendations that can be adopted. The focus would be to empower FIRST members to constructively interact with their government policy-making constituents.
2. FIRST Ransomware Resources Center: a public web page that helps any organization find ransomware prevention, incident response, mitigation, remediation, investigation, and long-term policy efforts. The first wave would collect all the resources from the FIRST constituents and their allies.
3. Listening and learning from the Multi-Stakeholder Community. The Multi-Stakeholder Ransomware SIG will be mindful of changing assumptions, priorities, pain points, and shifts in the ransomware battle. We will start with a series of panel-session workshops pulling in stakeholders to give voice to their most urgent priorities. For example, we will facilitate a series of sessions with law enforcement ransomware investigators who give voice to their aggravations and aspirations. We would hold several to cover multiple geographies and time zones. Over time, we would integrate these “giving voices” into our Multi-Stakeholder Community to ensure our collective work is on an effective path.
Additional goals and deliverables would be dictated through successful action and activities within the participants.
Core Factors in the SIG’s Theory of Change
Ransomware cannot be solved by a single stakeholder, country, or organization. It is a global problem, with multiple stakeholders, that damages society.
Ransomware will not be solved with short-term solutions. Its growth is rooted in the ability of criminals to succeed and profit without consequence. Coordinated, persistent multi-stakeholder action is required to inflict consequences on the threat actors. This requires long-term institutionalized thinking.
Scoping the Work Ahead
Inflicting consequences on the criminals behind ransomware requires long-term thinking. Given this, we can craft our scoping consultations to build materials and tools that would be of service to peers taking part in a multi-stakeholder effort.
Ransomware “Who, What, Where, and Why” Resource Guide
We would start our work by building a resource guide to find all the trust groups, organizations, efforts, studies, university research, and other work that is trying to push back against ransomware. Many times, new groups that start to “solve the ransomware problem” fail to seek out what is already happening. They also tend to focus on a single discipline, such as anti-virus and computer science, or money laundering and financial forensics. It is important to break those silos to enumerate the potential solution space, which should incorporate many of these elements in concert. This guide would capture this “survey of potential allies” and be of service to the Multi-Stakeholder participants.
- Who is focused on ransomware? This would be a comprehensive compilation of groups focused on ransomware mitigation, remediation, and investigation. Who is in each of the groups, how to join those groups (vetting policies), and their outcomes would be included.
- What are people trying to do about ransomware? Collect all the mitigation, remediation, and investigation ransomware tools in one location.
- Where are these efforts focused? In what geographies and languages are these “forces of good” residing? What types of victims are they trying to protect or restore? Are they focused only on specific company groups in specific industries, or are they broader in focus? Are the efforts clouded by biases that help one group over another?
- Why do they care about ransomware? Capture the motivation behind the efforts. Are they doing this work to boost their companies’ products? Are they gaining money for their policy efforts? Many times “good intentions” are driven by hidden or not-so-hidden motivations. Alliances work best when the motivations are transparently known and woven into the alliance.
This becomes a living document for the FIRST community (and others), but also becomes a survey that helps identify “what is missing,” “who are the players on the field,” “what can be done now,” and “where does the effort instigate the biggest change.”
Dashboard for Ransomware Situational Awareness
Within our peer communities, we have a multitude of available data that can be integrated to provide the task forces with full situational awareness. Before we can even attempt to talk to policymakers, we need to have facts, not just InfoSec propaganda. That means we need to demonstrate what the losses are and how they impact the economy.
Build our Ransomware Response Ecosystem
We have teams doing different things at different times with minimal to no coordination between them. We would research the roles and responsibilities of different stakeholders and look at how these roles, working together, can be more effective. We would capture and understand who needs to do what, and what should be avoided (e.g. paying ransoms). This affects security professionals as well as insurance companies.
Gaps to Capabilities, Capacity, and Barriers to Success
Identify gaps and stumbling stones, i.e. why does this not happen? Let's see why things go foul. Often it is because of wrong legal or economic incentives.
Changes to Policy, National, and International Law
Approach policymakers. This is what FIRST and others have been doing in the past, often in the background. The hope is to convince decision-makers of the right thing to do.
Meetings
- At the Annual Conference (in person)
- Weekly, Bi-Weekly (virtually)
Chairs
- Barry Greene
- Declan Ingram
- Lorenzo Nicolodi
- Nadia Meichtry
- Yuhei Nakamura