Special Interest Group Updates

The Special Interest Groups have again been very active in the past few months since the annual conference. Here you can find the newest updates.

1. Transportation and Mobility SIG

A new SIG has been formed, the Transportation and Mobility SIG. Currently, there isn’t a way for companies across the transportation/mobility industry to communicate regarding standards and guidelines development in the IT/OT/IOT space. Starting this group will help foster collaboration in the mobility/transportation industry and enable sharing of best practices and a more unified and standard approach to incident response. This SIG will lead initiatives to integrate more incident response plans related to mobility/transportation devices into the FIRST framework, leading to a more streamlined approach in the industry.

This SIG is open to anyone who makes equipment or software that helps to move people around the world (planes, trains, cars, scooters, agricultural and handicapped equipment, etc.) or who interfaces with these systems regularly. The SIG is still looking for active participants. Please join them via the website if you are interested.

2. CVSS SIG

The CVSS SIG continues to work on gathering feedback and updating CVSS v4.0. The CVSS documentation, including the User Guide, FAQ, and Examples, has seen updates since the initial release in November 2023. Currently, the CVSS SIG is developing a roadmap for future updates to the standard. To that end, the CVSS SIG has created a survey to understand the usage of CVSS in general and the new CVSS v4.0 in particular. That survey is available here.

Please submit your responses to help guide the future of CVSS. If you have additional information or suggestions, please follow up with cvss@first.org. The CVSS SIG cannot respond to each request but will review all submissions.

3. Metrics SIG

The Metrics SIG is busy with several working sub-groups and holds regularly scheduled SIG meetings.

The CSIRT Framework Metrics team, led by Logan Wilkins, continues to work through the FIRST CSIRT Services Framework, defining suggested metrics for each functional area. The team has completed a draft of Section 5 and will soon complete Section 6. It anticipates sharing the completed drafts with the SIG Leads by the beginning of October 2024, and more broadly later in the fall. As the drafts are shared, the team will be seeking feedback on how to strengthen the document.

The Digital Security Maturity Score team, led by Rohit Srivastwa, has begun meeting regularly. The goals for this group were proposed at FIRSTCON24 in Fukuoka. Since then, Rohit has led a series of global, time-zone-friendly meetings to define a framework for proceeding. We expect to provide additional details on the team’s progress in the coming months.

Additionally, two smaller groups are forming. The first group, Buckets of Metrics, led by Robin Ruefle, is defining high-level categories of metric types, along with discrete metrics that fall into each category. The second group, Reference Library, led by Logan Wilkins, is still forming. Its goal is to provide a curated and annotated list of various frameworks and other reference materials. The ultimate intent of this library is to provide a relevant knowledge base for teams to use as a guide as they continue to mature their security posture.

The former sub-group on Timing Metrics has concluded its work and published the new Security Incident Timing Metrics paper, available here.

If you want to know more about metrics, the team has scheduled meetings every other month to share updates on sub-group progress and invite guest speakers to cover topics in security metrics. The outlook on the scheduled guests can be found here.

5. Threat Intelligence (CTI) SIG

The Threat Intelligence (CTI) SIG has held several talks since FIRSTCON24, some of which can be found at https://www.first.org/global/sigs/cti/events. The detailed list of talks already held is below, with more in the pipeline:

  • Attacks on Infrastructure During Cyber Conflicts (already published, see link above)
  • Insights of ArrayAG VPN Router Vulnerability Exploitation (in publishing process)
  • Everyday work with OSINT and Telegram (in publishing process)
  • Explanation about CISA IRF v2 (not published)

They have also implemented a new policy to expire inactive members, which in combination with the new talks has greatly increased attendance at the regular meetings. If you are interested in joining them, you can submit your join request here.

6. Malware Analysis SIG

The Malware Analysis SIG is finalizing the second version of its framework, which will be published shortly. You will find the newest version at https://www.first.org/global/sigs/malware/ as soon as it is ready.

Conclusion

That is all the news from the SIGs for this quarter. As you can read, the SIGs are very active. Feel free to join any of the groups that might interest you, as most of them are open to anyone. Here you can find an overview of all SIGs.

Published on FIRST POST: Jul-Sep 2024