Closer
Barriers to CSIRTs cooperation. Challenge in practice – the CLOSER Project.
In the CSIRT community, the main beneficial areas of cooperation include:
- Incident handling
- Project conducting
- Information sharing
- Networking
Benefits related to common incident handling:
- Since incidents reported to CSIRTs are international, good cooperation in incident handling is critical
- Importantly, the information exchanged during the incident handling process is very often sensitive (activity of internet underground groups, successfully attacked organizations, plans of internet criminals, detailed analysis of malicious code, electronic evidence etc.)
- Long-term and effective exchange of incident data can lead to a regular exchange of incident data related to the constituencies of cooperating CSIRTs.
- This greatly improves the quality of the incident handling process and significantly reduces the workload of CSIRTs
Benefits related to common project conducting:
- Cooperation between CSIRTs enables them to better recognize their common areas of interest:
- their competence
- their goals and also
- a chance of building trust.
- Based on this recognition some teams have embarked on closer cooperation.
- net (http://www.ecsirt.net/) project.
- European CSIRT teams • TERENA TF-CSIRT
- Accredited Teams within Trusted Introducer Initiative
- national level.
- HoneySpider Project
- NL / surfCERT / CERT Polska initiative
- There are also examples of not strictly formalized cooperation. Teams work together on similar problems related to their projects. They exchange ideas, solutions or even source code.
Benefits related to information sharing:
- Information sharing – probably one of the most effective ways of cooperation
- sometimes used as a synonymous term for cooperation
- should be applied to concrete tasks, initiatives and projects
- good to relate information sharing to the particular kind of resources and services provided by CSIRTs.
- Different kinds of resources which can be shared and benefits related to them (“information sharing” treated very widely)
- Knowledge and experience sharing – regular, formal or informal, exchange of information about issues related to IT security.
- Staff exchange – a method of exchanging information and experience by exchange of personnel.
- Also a method of mentoring new teams of organizations which have just started to establish a CSIRT
- Benefit: Team staff can learn in detail about methods of daily work, procedures and techniques
- Technology sharing – by sharing technology, CSIRTs give an opportunity for direct use of concrete technical solutions which can improve the quality of the services.
- Good examples:
- Request Tracker for Incident Response, the enhanced version of Request Tracker, made available by JANET CERT, or the CHIHT – Clearing House for Incident Handling Tools – where different teams share their knowledge and the software which they use daily (http://chiht.dfn-cert.de/)
- joint development of new tools (e.g. RTIR group within TF-CSIRT – http://www.terena.nl/activities/tf-csirt/rtir.html).
- Benefits of technology sharing include:
- access to well developed and verified incident handling and security tools,
- support in resolving technology-related problems,
- support in technical analysis of incidents (especially malicious code analysis).
Benefits related to networking:
- Networking is a crucial factor for building trusted relationships between CSIRTs
- Planned meetings, workshops, conferences, regular exchange of information (e.g. mailing lists), working groups
- great benefit resulting from the simple fact that people gather in one place and have an opportunity to talk to each other and to get to know each other better
- as a result, they learn more and more about the business and find areas of common interest in the most convenient and effective way.
- Very often – a first step to a closer and more formal cooperation between teams.