WG: Incident Response & Threat Intelligence Working Group (IRTI-WG)

Chair: Romain Wartel – CERN

Vice Chair: David Crooks – UKRI STFC

The sharing of security information, both proactive threat intelligence and reactive incident response communication, is a recognised challenge in distributed infrastructures, and the challenge is compounded when several infrastructures are affected by the same incident. Threat intelligence protects organisations from online attacks by giving them advance knowledge of potential threats so that mitigating measures can be taken. An organisation must invest significant effort both in fostering trusted sources of threat intelligence and in deploying the technical measures needed to process the incoming data. Incident response comes into play once an incident has been detected; for an incident to be satisfactorily resolved, the parties involved must share information and have assurance that the others will act responsibly, for example by preserving evidence and respecting confidentiality. Through this working group, WISE aims to develop shared policies, procedures and tools that enable these processes.

The IRTI-WG will address the following aspects of Incident Response and Threat Intelligence within the WISE community:

  • Security Operations Centres (SOCs) that raise alerts on suspicious activity and support threat intelligence sharing are critical to a robust operational security team. Deploying SOCs in a distributed infrastructure requires effort from participants, since the network and system logs that form a key data source for such monitoring are themselves spread across the participating sites. Within WLCG, the SOC working group has proven effective in simplifying the deployment of SOC components and in providing the training events that infrastructure participants need in order to integrate their logging information successfully. Extending this model to WISE infrastructures would bring significant benefits to the collective security baseline.
  • Incident response procedures could be agreed and deployed on a cross-infrastructure basis, so that incidents affecting more than one infrastructure are handled consistently.
  • Collating security contacts would bring immediate benefit. Currently it is not always possible to identify the correct person to contact during an incident, or to correlate a contact with a particular Virtual Organisation or infrastructure.