Here at Arctic Security, we’re all about giving Computer Security Incident Response Teams (CSIRTs) and companies a heads-up before trouble strikes. Early warnings are at the heart of what we do, as we help CSIRTs stay ahead of cyber threats and protect their constituents.
Working with all the current program members has been a pleasure, and we have learned a lot in the first two years. I will include some of those experiences in this blog. This year, we’re also expanding the program and bringing new opportunities for sectoral CSIRTs. We are excited to take Arctic Security’s CSIRT Development Program into its third year!
We are also looking forward to seeing many of you at the upcoming FIRST 2024 Conference, where we are organizing an Arctic Meetup event for all the participants and some guests! Let’s dive into what’s been happening and what’s on the horizon for our community.
Program Overview
Our development program launched in the summer of 2022 at FIRST Dublin. The goal was to strengthen the global cybersecurity infrastructure. In its first year, we enrolled and supported six CSIRT teams. During the second year, we expanded to 14 program participants. The participants come from all over the world, including Central and South America, the Caribbean, Africa, Europe, and Asia. You can see the list of current participants on the program web page.
This rapid growth is a testament to the program’s value and the members’ commitment to enhancing the cybersecurity capabilities that they offer to their national stakeholders. Notably, we recently welcomed two new CSIRT teams directly into the discounted license program, underscoring the program’s broad appeal and effectiveness.
Success Stories from the First Two Years
One standout story comes from Uzbekistan, where the national CSIRT team swiftly leveraged Arctic Hub to meet service demands arising from their new cybersecurity law. The platform’s easy deployment and quick start-up enabled the team to deliver enhanced services to the UZCERT stakeholders soon after adopting it. The ease of use and deployment has been one of the focus areas from the beginning of the Arctic Hub platform, and it was great to see it work out in real life.
One European CSIRT joined the program in 2023 and began using the Hub for monitoring and reporting to their constituency. Their main advantage has been the automation and ease of data collection and matching it to organizations. The CSIRT team has been hard-pressed on the incident response side, as their country has been the target of severe nation-state cyber attacks in the last few years. Adding Arctic Hub didn’t draw resources from that important defensive work but brought better visibility to help their cyber preparedness.
Another example is an African team that shifted from a typical Kibana-based setup to Arctic Hub. They reported that the upgrade significantly improved their feed analysis, reporting, and ticket automation capabilities. Building early warning capability is a complex undertaking, and basing the work on software developed for other purposes in IT or security makes it even more challenging than it already is. Their initial stakeholder group consisted of all the telecom operators in their country, identified from ASN registry data, before they went on to define the other important national stakeholders within their constituency.
We often observe that national CERTs/CSIRTs are under-funded at the outset. One of our program participants is MNCERT, a CERT established through resource contributions from community support, volunteering, and a dozen different organizations. For MNCERT, what began as a pro-bono initiative with mostly volunteers and a few part-time staff evolved into a full-time team of five within a year of the program’s inception. Moreover, they emerged as a leading organization that assisted in the establishment of national and sectoral CERTs. They are now recognized as leading consultants in incident handling and response processes.
These stories highlight the program’s transformative impact on our clients’ operational effectiveness. While the program’s core structure remains intact, continuous feedback has refined our approach, allowing us to offer more targeted support and advice. Each year’s experiences enrich our understanding and ability to assist new and existing participants more effectively.
Onboarding New Members
How does one become a member of the CSIRT Development Program? The process is designed to be as seamless as possible, but before we sign your team up, we ensure that our Arctic Hub platform is a good fit for your team’s needs and development plans.
Our initial meeting focuses on understanding your current infrastructure and services and your plans and goals for the services you want to offer. This helps us see how the program would benefit your CSIRT in the long term and whether your CSIRT is a good fit for joining the program. Understanding your mission and strategic goals is an important step, as starting to develop your own national early warning services for your constituency is a long-term project.
Providing early warning services requires awareness of the national stakeholders and being able to describe them in sufficient detail (network prefixes, AS numbers, domains, sector, and a notification contact) so that cybersecurity issues can be matched to them. After the initial configuration period, most of the work with the Arctic Hub platform is about adding to and maintaining the database of the CSIRT’s customers, that is, its constituents. In the onboarding and training, we discuss and propose strategies for starting to document those customers.
On the practical side, we will also discuss what you need to operate and maintain such an early warning platform in terms of required people and hardware resources, even though, as a single solution, it is much more straightforward than maintaining a collection of individual tools for the same purpose. This discussion helps tailor the program to your specific needs and ensures that Arctic Hub integrates smoothly into your operations.
Operational Changes and Benefits from Arctic Hub
Arctic Hub is a fully-fledged platform developed explicitly to deliver early warning notifications to national constituencies. Here is a summary of the practical operational benefits that the participating teams have reported:
The shift from manual processes to automated notifications has been revolutionary for many participants. Arctic Hub’s automation capabilities have freed up valuable resources, allowing teams to focus on more strategic tasks. The teams that have joined so far have given us feedback that because the platform is not technically complicated to operate and has a user-friendly interface, more of the existing team has been able to participate in building the early warning capability.
Parsing and using the available data from sources such as Shadowserver is often a full-time job for at least one CSIRT team member and many more people if that data is distributed to the national stakeholders. Expanding from Shadowserver, many additional data sources are available to the CSIRT teams, and having a platform in place has made it straightforward to start experimenting with using them.
A customer database of organizations that are your stakeholders provides unique benefits. For example, all the data that has been collected can be classified by the sector or industry that it affects. The resulting data set of issues correlated with industry sectors has been a giant leap for many teams, as such insights are difficult to produce without an automated system. From that point, producing higher-order insights, such as the impact of vulnerable systems on particular sectors, becomes straightforward.
The customer database also allows for better use of internally generated data, such as results of vulnerability scanning activities on a national level. When there is an existing database of customers who can be notified when the scan results match their assets, it is more feasible to provide such services. Much of the laborious work is eliminated.
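The passages above describe the core mechanic of an early warning service: a constituent database keyed by network prefixes and AS numbers, report rows (from a feed such as Shadowserver or from a national scan) attributed to the constituent that owns the affected address, and the results rolled up by sector and turned into per-contact notifications. The following is an added illustration of that mechanic, not code from Arctic Hub or the original post. The constituents, contacts and report rows are constructed, and the CSV column layout only loosely resembles a Shadowserver report; it is an assumption made for the example. Rows that match no prefix fall back to an ASN match, and rows that match nothing are kept aside as unattributed, since those gaps are exactly what the team needs to see to grow the database.

```python
"""Attribute early-warning report rows to constituents and roll them up by sector.

Added example with constructed data; not Arctic Hub code.
"""
import csv
import io
import ipaddress
from collections import defaultdict

# Constructed constituency database (hypothetical organizations and contacts).
CONSTITUENTS = [
    {"org": "Telecom A", "sector": "telecom", "asns": {64500},
     "prefixes": ["198.51.100.0/24"], "contact": "csirt@telecom-a.example"},
    {"org": "Hospital B", "sector": "health", "asns": set(),
     "prefixes": ["203.0.113.0/26"], "contact": "it@hospital-b.example"},
    {"org": "Ministry C", "sector": "government", "asns": {64501},
     "prefixes": ["192.0.2.0/25"], "contact": "soc@ministry-c.example"},
]

# Constructed report rows. The column set (timestamp, ip, port, asn, tag) is a
# simplified, assumed layout, not the real schema of any feed.
REPORT_CSV = """timestamp,ip,port,asn,tag
2024-05-01T00:00:00Z,198.51.100.17,3389,64500,accessible-rdp
2024-05-01T00:00:00Z,203.0.113.5,445,64502,open-smb
2024-05-01T00:00:00Z,192.0.2.9,443,64501,vulnerable-exchange
2024-05-01T00:00:00Z,192.0.2.200,22,64501,open-ssh
2024-05-01T00:00:00Z,198.18.0.4,23,64999,open-telnet
"""


def build_index(constituents):
    """Pre-compute network objects and an ASN lookup so matching is cheap."""
    nets, by_asn = [], {}
    for c in constituents:
        for p in c["prefixes"]:
            nets.append((ipaddress.ip_network(p), c))
        for a in c["asns"]:
            by_asn[a] = c
    # Longest prefix first, so the most specific allocation wins on overlap.
    nets.sort(key=lambda t: t[0].prefixlen, reverse=True)
    return nets, by_asn


def match_record(rec, nets, by_asn):
    """Attribute one row: prefix match first, then ASN, else (None, None)."""
    ip = ipaddress.ip_address(rec["ip"])
    for net, c in nets:
        if ip in net:
            return c, "prefix"
    try:
        asn = int(rec["asn"])
    except (TypeError, ValueError):
        return None, None
    c = by_asn.get(asn)
    return (c, "asn") if c else (None, None)


def attribute_report(csv_text, constituents):
    """Return ({org: [rows]}, [unattributed rows]) for a CSV report."""
    nets, by_asn = build_index(constituents)
    matched, unattributed = defaultdict(list), []
    for rec in csv.DictReader(io.StringIO(csv_text)):
        c, how = match_record(rec, nets, by_asn)
        if c is None:
            unattributed.append(rec)          # nobody to notify: a database gap
        else:
            matched[c["org"]].append({**rec, "matched_by": how})
    return dict(matched), unattributed


def sector_summary(matched, constituents):
    """Count issue tags per sector, the 'issues correlated with sectors' view."""
    sector_of = {c["org"]: c["sector"] for c in constituents}
    counts = defaultdict(lambda: defaultdict(int))
    for org, rows in matched.items():
        for r in rows:
            counts[sector_of[org]][r["tag"]] += 1
    return {s: dict(tags) for s, tags in counts.items()}


def notifications(matched, constituents):
    """One notification per contact, listing the distinct issue tags seen."""
    contact_of = {c["org"]: c["contact"] for c in constituents}
    return {contact_of[org]: sorted({r["tag"] for r in rows})
            for org, rows in matched.items()}


if __name__ == "__main__":
    matched, unattributed = attribute_report(REPORT_CSV, CONSTITUENTS)
    for org, rows in matched.items():
        print(org, [(r["ip"], r["tag"], r["matched_by"]) for r in rows])
    print("sectors:", sector_summary(matched, CONSTITUENTS))
    print("notify:", notifications(matched, CONSTITUENTS))
    print("unattributed:", [(r["ip"], r["asn"]) for r in unattributed])
```

In the constructed data, 192.0.2.200 falls outside Ministry C’s announced prefix but carries its AS number, so it is attributed by ASN; 198.18.0.4 matches nothing and ends up in the unattributed list. In practice that list is the backlog for the next round of constituent documentation, and the `matched_by` field tells you how much of your coverage rests on ASN data alone rather than on curated prefixes.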
CSIRT teams have often struggled to establish how well their services are received and whether their notifications are delivered to the right people who review them. Part of the advantage of using Arctic Hub for early warning services has been the ability to track whether your notifications reach the audience and how well you are doing. Having this kind of benchmark data on your work allows you to focus your efforts on stakeholders struggling with taking action.
Additionally, for many, this change has enabled the automated delivery of cybersecurity notifications, where no human input is needed to ensure that organizations receive their messages even under challenging circumstances. Service resilience matters when the team is suddenly consumed by a significant national incident, or several people are out sick or otherwise absent, yet the notifications still need to go out.
Future Goals for the Development Program
Looking ahead, we aim to double our program participation to thirty teams in 2024-2025 and introduce a new initiative for countries working on establishing sectoral CSIRTs.
We are also expanding the development program to cover sectoral CSIRT teams, because teams that specialize often have stronger relationships with the community they support, and those relationships enable them to deliver services more effectively. This expansion of the program aims to enhance each nation’s cybersecurity by developing sector-specific early warning systems that work together with the national CSIRT.
The development program now lets participating national CSIRT teams with a commercial license for Arctic Hub nominate a few sectoral CSIRTs in their country to receive a free one-year license to Arctic Hub. With this, we can rapidly strengthen early warning coverage within their countries.
This expansion is available to all existing development program members, and we welcome their nominations! It will officially become part of the program at the FIRST 2024 conference in Fukuoka, Japan.
The CSIRT Development Program is more than just providing access to a tool; it is a partnership that grows stronger with each new member. As we continue expanding and enhancing our program, we are committed to making the digital world safer for everyone. Join us, and let’s strengthen our cybersecurity capabilities together.
We invite all interested CSIRT teams to meet the Arctic Security team at the FIRST 2024 Conference in Fukuoka in June. It’s an excellent opportunity for face-to-face discussions about how the CSIRT Development Program can benefit your team.
You can also contact us directly or contact me personally on LinkedIn.