Interview with Mr. Maarten Van Horenbeeck, Chairman of FIRST.org
1. Can you please introduce yourself to Security Kaizen magazine readers (bio, experience, history)?
I’m originally from Belgium, where my career in information security started over ten years ago, when I took up a job as a technical writer for the security website Securitywatch.com. The website closed a year later, but I stayed on for eight years as a security engineer with its parent security company, Ubizen.
After a number of different roles there, working on managed security services, security assessments and forensic investigations, I moved to Seattle, Washington, where I joined Microsoft as part of the team that addresses software vulnerabilities in its products. After some time on Google’s security team, today, outside of my work for FIRST, I manage a security team at Amazon.
My passion has always been understanding and investigating complex security attacks. I am very fortunate to have had numerous opportunities to investigate targeted attacks in my career so far. Not only are these investigations interesting and often unusual, but they are also a great learning experience. As adversaries are intelligent, and actively aim to identify weaknesses in the security controls we build, they continuously change tactics, and staying on top of these changes is an exciting endeavor.
2. Can you give us a brief overview of FIRST? What are its role, activities and initiatives?
FIRST is an international association of computer security incident response teams. We are truly global, with over 300 member teams in 70 countries. Our goal is to enable our members to improve their response to security incidents by providing them with access to tools, best practices and a trusted community. We were founded in 1990, shortly after the Morris worm, one of the first internet worms to gain widespread attention.
We organize events which allow for knowledge transfer between members, and support working groups between both members and non-members that want to collaborate on a technical incident response or security topic. In addition, we drive standards development, organize training and education efforts, and reach out to other communities on behalf of our members. Much of FIRST is driven by our membership, and we maintain our quality standards by making sure that any new member is vetted by at least two other member teams – ensuring they are able to productively contribute and work on incidents with other members.
FIRST also actively works to expand the community of incident response teams. When you deal with an incident, it’s important to be able to find a peer who has some amount of influence over the network which is attacking you. Just a year ago, we launched the FIRST Fellowship Programme, which offers CSIRT teams from across the world that may not have the means or experience to participate in our community a gentler way in. Provided they have a basic level of maturity, and can show us the role they play in their local community, FIRST will help them, both financially and through training, to play a bigger part in the community and become a member.
Another area where we want to grow is by expanding into different industries. While we have members across all major sectors, a year ago we realized that FIRST had few participants from the energy sector. We organized a symposium specifically focused on this sector in Washington DC, and invited a few members to come and present their incident response challenges, as well as teach a course on incident response. We see connecting our members with other industries as an important goal of FIRST.
3. What types of membership exist in FIRST? Is it per individual or per organization?
FIRST membership is, in principle, organizational. Organizations can apply to become a member and will need to find two sponsors from the existing FIRST community to assess their level of capability against a checklist. If both teams agree that the organization would be a great fit for FIRST, its membership will be considered.
FIRST does have another membership type, FIRST liaison membership, which is for representatives of organizations other than incident response teams that have a legitimate interest in FIRST. We have a small number of liaison members at any given time and their applications also need to be supported by an existing member of the community.
4. What are the benefits of joining FIRST?
Teams that join FIRST gain a number of benefits, but I’ll focus on three specific ones. First of all, they gain access to a community of professionals who are dealing with very similar problems. We provide tools for communication, such as a wiki, e-mail lists and ways to quickly find contacts at other member organizations.
Second, we support and nurture working groups between members. These can take various forms: from discussion groups at conferences, to more structured working groups with a particular technical goal. This might range from creating better standardized methods for describing and coordinating security incidents, to real standards-building efforts that may end up as external standards bodies. A great example of the latter that we’ve supported for quite some time now is the Common Vulnerability Scoring System (CVSS), which is a standard for describing the impact of security vulnerabilities. The FIRST working group is currently preparing the third iteration of the standard. Previous versions have been widely adopted by security vendors and vulnerability coordinators.
Finally, we give members the opportunity to exchange experiences directly, through training sessions, conferences, and smaller events. Every year we have at the very least our annual conference on incident handling, a number of training sessions with regional partners, and a symposium – a smaller conference which is aimed at bringing incident response knowledge to the wider community – not just our members. In addition, FIRST members regularly organize smaller events which focus on getting members together and sharing best practice and experience.
5. Can you tell us more about the FIRST annual conference?
The Annual FIRST Conference on Computer Security and Incident Handling takes place in June, and has travelled the world to bring together our members and their peer incident responders from government, industry and academia. The conference has previously taken place in Boston, Bangkok, Malta and Vienna. This year it will be held 14th-19th June in Berlin, Germany. More information can be found here – https://www.first.org/conference/2015. Our conference focus this year is on unified security: how do we improve the future of incident response and make it a more integral part of business processes, and help us understand the security landscape.
The FIRST Conference is a multi-track conference which focuses on the technical, process and even policy requirements of proper security incident handling. For example, in 2014, we had a keynote on how the FBI dealt with investigating the Boston marathon bombings, and sessions ranged from a panel on cybersecurity risk indicators, which governments can use to assess and improve the effectiveness of their cybersecurity programs, to very technical talks on recent security issues, such as open DNS resolvers, status of the CVSS project, and how to process intelligence feeds. The conference is very informative and we aim to make it accessible to everyone involved in the incident response community, whether they approach the issue from a technical, or a people perspective. The conference is also a good opportunity for our members to find out more about FIRST’s activities and to generally catch up on things; we provide an update on the current year and a preview of the next year’s business plan, and there are plenty of opportunities for members to have side-meetings and group discussions.
One of the most amazing things I have seen at a FIRST Conference is different CSIRT teams going out for drinks together, and actually getting out their laptops in the pub to improve the tools and technologies they use during investigations. It shows that we’re really not simply a conference or an association, but a community.
6. What are the objectives and plans for FIRST in 2015?
Each year, we have a number of different focus areas, but for 2015 the most important one is training and education. For a number of years, FIRST has partnered with organizations to deliver incident response training. Most recently, we organized a number of courses with the GÉANT Association, which represents the European research and education networks; we also worked with AfricaCERT to organize TRANSITS courses. TRANSITS is affordable, high quality training, mostly focused on the technical elements of the incident response process.
In 2015, FIRST will be continuing to collaborate with a number of organizations involved in training and incident response to develop a comprehensive training curriculum for incident response teams. Our goal is to develop materials and events which are aimed at helping a “team” work well, rather than focusing on individual technical skills. This effort is ongoing, and we plan to make significant progress in a number of meetings throughout the course of the year, in particular at our annual conference.
If our efforts are successful, then I think we can make a massive impact in professionalizing the way we respond to industry wide incidents – a core area of concern for our members.
7. Through your professional experience, what are the most famous causes of incidents?
Personally, I believe Stuxnet and Conficker were game changers. Since then, there has been a rapid growth in the types of scenarios that we as incident responders have to prepare for and it isn’t showing any signs of slowing down.
In the case of Stuxnet, we saw the complexity of multiple zero day vulnerabilities embedded in a single piece of malware, and the complexity of having to deal with impacts on software which was not widely understood. Even though the malware was well distributed within the community, pools of local talent learned specific things about Stuxnet which were not known to others. It was a prime example of why we need more collaboration in our industry in order to be effective. There are few security teams with all the necessary skills to investigate and truly understand the impact of such an event.
Conficker drove home that same point—a large group of people needed to be involved to contain the incident, and stop the worm from infecting new systems. In addition, we saw a number of new propagation vectors, and an adversary that adjusted tactics as the defenders responded. Some of the entities involved in the response were not necessarily security experts – organizations such as national domain registries. The key in responding to an event like Conficker was communication, and not necessarily the technical challenge which the malware posed.
However, not all cyber security problems are the result of technical complexity and scope. Very simple issues still cause tremendous amounts of grief. Recently, we’ve seen ever larger Distributed Denial of Service attacks. Most of those attacks could be significantly mitigated if more internet service providers and network operators deployed a standard known as BCP38, which was finalized as far back as May of 2008. Yet, this hasn’t happened, and so we are still dealing with basic problems that are affecting even some of the largest providers.
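The BCP38 point above lends itself to a small worked illustration. The following Python is an added example written for this page, not code from FIRST or the interviewee; it models source-address validation (BCP38 / RFC 2827) at a provider's customer edge. The interface names, assigned prefixes, bogon list and packets are all constructed for the demonstration and use documentation address ranges.

```python
# Added example (not code from FIRST or the interviewee): a toy model of
# BCP38 / RFC 2827 source-address validation at an ISP customer edge.
# All interface names, prefixes and packets are constructed for this page.
import ipaddress
from dataclasses import dataclass

# Constructed policy: the prefixes each customer-facing interface was assigned,
# which is exactly what a provider can check a packet's source against.
ASSIGNED_PREFIXES = {
    "cust-A": [ipaddress.ip_network("198.51.100.0/24")],
    "cust-B": [ipaddress.ip_network("203.0.113.0/25"),
               ipaddress.ip_network("2001:db8:b::/48")],
}

# Sources that must never appear on the public internet (a short bogon list).
BOGONS = [ipaddress.ip_network(p) for p in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
)]


@dataclass(frozen=True)
class Packet:
    ingress: str   # interface the packet arrived on
    src: str       # claimed source address
    dst: str       # destination address


def bcp38_verdict(pkt: Packet) -> str:
    """Return 'forward' or a 'drop: ...' reason for a packet entering from a customer."""
    src = ipaddress.ip_address(pkt.src)
    allowed = ASSIGNED_PREFIXES.get(pkt.ingress)
    if allowed is None:
        return "drop: unknown ingress interface"
    if any(src in bogon for bogon in BOGONS):
        return "drop: bogon source"
    # address-in-network is False across address families, so an IPv6 source
    # is only accepted if an IPv6 prefix was assigned to this interface.
    if any(src in net for net in allowed):
        return "forward"
    return "drop: source not assigned to this interface (spoofed)"


def filter_packets(packets):
    """Apply the edge policy to a batch; return (forwarded, [(packet, reason), ...])."""
    forwarded, dropped = [], []
    for pkt in packets:
        verdict = bcp38_verdict(pkt)
        if verdict == "forward":
            forwarded.append(pkt)
        else:
            dropped.append((pkt, verdict))
    return forwarded, dropped


# Constructed traffic: 192.0.2.53 plays an open resolver, 192.0.2.10 the DDoS victim.
SAMPLE_PACKETS = [
    Packet("cust-A", "198.51.100.7", "192.0.2.53"),       # legitimate query
    Packet("cust-A", "192.0.2.10", "192.0.2.53"),         # spoofed: victim as source (reflection attempt)
    Packet("cust-B", "2001:db8:b::1", "2001:db8:53::1"),  # legitimate IPv6
    Packet("cust-B", "10.1.2.3", "192.0.2.53"),           # RFC 1918 source leaking out
    Packet("cust-C", "198.51.100.8", "192.0.2.53"),       # interface with no assigned prefixes
]

if __name__ == "__main__":
    ok, bad = filter_packets(SAMPLE_PACKETS)
    for p in ok:
        print("forward", p.ingress, p.src, "->", p.dst)
    for p, why in bad:
        print(why, "|", p.ingress, p.src, "->", p.dst)
```

The second packet is the one that matters for the reflection and amplification attacks mentioned above: the customer port has no business emitting a source address belonging to someone else, and dropping it at the edge is cheap because the provider already knows what it assigned. Real routers implement the same check with interface ACLs or strict-mode unicast reverse-path forwarding rather than a lookup table like this one.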
8. If you were asked for a few tips, what are the main recommendations to mitigate an incident?
Successful response to an incident involves careful preparation. Has your organization developed runbooks for the work your team needs to do during an incident? Have you done table-top exercises for a few major incidents, including those for which your team is not actively preparing, but which would have a major impact on your organization?
Second, it’s great to know your partners. For most organizations it’s not reasonable to assume that your team can deal with every problem. Performing a basic forensic investigation of a hard drive is a very different skill to performing memory forensics, assessing the integrity of a router, or analyzing an exploit for a brand new vulnerability. Organizations need to take a close look at their capabilities, understand where they may be lacking, and make sure they have enough friendly teams in the industry they can partner with to get the job done.
This may include agreeing with another team that you can support them with one very technical method of investigation, and in return using their help with another type. Or, it may mean contracting a security vendor to provide particular services. These types of agreements are not something you’d want to decide on during a major incident. Having a contact list available is invaluable; it’s too late to pull out the Yellow Pages when an incident hits.
Finally, make sure your network is designed and improved in such a way that it already rules out some types of incidents happening—this allows your security team to focus on the issues where their expertise is really required. When your team is busy dealing with spam, banking Trojans or small DDoS attacks, they don’t have time to prepare and study the major attacks which may affect your organization next. It helps to have someone focus on assessing trends in security incidents, so you can assess how your organization would fare if it was affected by a similar issue.