In recent years it has become clear that in order to better protect both enterprises, governments and academia, there is a need for the fast, machine-to-machine exchange of threat related information. Using such mechanisms, there only needs to be a first victim, and all others can immediately protect themselves against the new known malicious activity.
While FIRST has for some time not had a operational incident response component, the organization maintains mailing lists and IRC channels which are still frequently used for the exchange of threat related information. We believe the organization would benefit from allowing such exchange to take place using an automated channel. This way, threat information could be exchanged in the most effective way possible, while security responders can use the mailing lists and other non-structured information for the exchange of higher level analysis. "The computers can do the hard work, while the engineers can do the smart work."
We are proposing the development of a SIG within FIRST which focuses on the development and management of standards for information sharing and threat intelligence amongst the membership. This will include the development of a small information exchange platform for the FIRST membership to validate these concepts and enable our members to use them. However, the group will focus less on tooling and more on how to make the information usable to the membership. It will produce sample code, guidelines on how to encode information, and where necessary identify methods to connect various information exchanges together.
While the platform will be open to all FIRST members, and not just members of the SIG, the SIG will coordinate the direction and development of the platform as a formal FIRST service.
Read the full SIG charter at https://www.first.org/global/sigs/information-sharing/