Participants enjoying the view at TF-CSIRT in Riga. Photo by Baiba Kaskina.


TF-CSIRT met for the 48th time in Riga, Latvia – hosted by CERT.LV as part of its 5th birthday celebrations. One of the main focuses of the 48th meeting was to give members the chance to contribute detailed input into the Trusted Introducer review and help us define the future service model for the Trusted Introducer service. Participants were split into groups to discuss both the current and future service model requirements needed to meet the needs of the TF-CSIRT community. A detailed report from the groups will be made available, but the overwhelming consensus from the members present was to move forward with a new procurement process and continue to offer the Trusted Introducer service via GÉANT.

Other outputs from the meeting included proposals to improve the structure of meetings, ideas to improve the “listing” process for teams, and appreciation for new services such as the TI reaction tests. All of this input will be taken on board and incorporated into both the procurement process and the overall operations of TF-CSIRT. More information about the review is available on the TF-CSIRT website.

After lunch, members attended a closed meeting, shortened to make room for the future service discussions. Slides and minutes from the closed meeting are available on the Trusted Introducer website for Accredited and Certified teams only.

A strong theme for the 48th meeting was CSIRT incident response in the light of regulation, policy and process. This was drawn out in a presentation from CERT.LV about responsible disclosure, a presentation from Don Stikvoort on behalf of the TI team on necessary updates to the CSIRT Code of Practice, and an introduction to the new SIRTFI process for incident response in identity federations.

Responsible disclosure is a coordinated approach to disclosure that focuses on doing the least harm while still supporting information sharing. It differs from full disclosure in allowing a period of time for corrective action before information is shared. Responsible disclosure can be driven by policy approaches or simply by joint action – such as the reaction seen to the Heartbleed bug. CERT.LV wanted to take a role in responsible disclosure as the national CSIRT in Latvia, but also wanted to ensure that the process was driven by law. Updates to both the criminal law and the IT security law in Latvia have caused CERT.LV to re-examine their approaches and processes; it will be a legal requirement in Latvia for CERT.LV to be informed of vulnerabilities in public sector organisations and to take on the role of coordinator. Further details about the approach taken by CERT.LV are available in the presentation, and CERT.LV would be interested to share and learn about approaches adopted in other countries.

Another important standard within the community concerns more general ethical considerations around how teams behave and interact. To support agreement and common practice on this issue, TF-CSIRT has supported a CSIRT Code of Practice for some time, with the current version (2.1) approved in 2005. As the world has changed considerably in the 11 years since this was published, a new version will now be proposed. Don Stikvoort presented a brief overview of the proposed changes to the meeting, which can be reviewed in his slides; a new version of the document will be circulated to teams for approval in 2016.

SIRTFI as an approach also addresses disclosure coordination, but specifically within the world of identity federations. There are now nearly 50 identity federations worldwide, and a process for managing incident response more effectively across the federations is both a priority and an area of current risk. SIRTFI has so far:

  • established a baseline framework for managing security and incident response within and between Identity Providers and Service Providers in federations;
  • defined a way of including security contact information in federation metadata;
  • begun work on a way of tagging entities that meet the SIRTFI framework with a “trustmark”.

More information on SIRTFI is available on the REFEDS website and wiki.

Klaus-Peter Kossakowski gave an update on the Trusted Introducer service, reminding participants of the changing make-up of CSIRT team types within TI and the shift between listed and accredited teams. Klaus-Peter also reminded teams of the importance of having a second team representative listed in the TI database, and gave an update on the roll-out of X.509 user certificates to listed teams. If you would like to add a second team representative or find out more about the new certificates, please contact the TI team as soon as possible.

TF-CSIRT welcomed a new team as a first-time attendee and presenter at the Riga meeting. Dmitry Korzhevin, invited as a guest to TF-CSIRT, gave a team update for Crytek CSIRT – a new team that was established on 20th May 2015. Crytek is a leading, internationally operating developer and publisher of video games with over 700 employees at 7 locations worldwide. They aim to provide an all-in-one solution for games across platforms via CRYENGINE. The decision to support a CSIRT team is a core part of this vision and aims to protect the primary business process, Crytek’s reputation and all supporting processes. The CSIRT team is developing its international relationships with organisations such as TF-CSIRT, FIRST and ENISA, and through its presentation revealed an already well-matured approach to team management, engagement and process definition.

Participants were also able to focus on the practical aspects of incident response, with a presentation on a Spanish national cyber exercise with the financial sector from Javier Berciano, and an update on a recent investigation into an attack from Dave Monnier.

Javier gave an overview of work carried out in response to a new national security strategy in Spain, which identified risks from cyberspace as the main risks to security in Spain. One of the main roles of CERTSI is to coordinate work to provide a benchmark for the technical resolution of cybersecurity incidents. Work with the Cyber Coordination Office has led to the development of cyberex_ – a series of cyber security exercises taking the form of both simulations and role-play scenarios. A recent exercise was developed specifically for the financial sector and involved everything from continued attack to role play through to incident simulation. Full details of the structure of the exercise are available in Javier’s presentation.

For more information on the Team Cymru approach and investigation, please contact Team Cymru directly.

The meeting was pleased to welcome guests and sponsors from Radware and Cisco, who gave updates on the approaches being taken by their respective companies to combat external threats.

With thanks to CERT.LV for hosting in a beautiful location, and for the close-up magic during the evening reception. The magician received several job offers, we can only assume in the hope that he could make incident logs disappear.

The next TF-CSIRT meeting will be in Zurich, Switzerland from 20th – 21st September 2016, in conjunction with a SWITCH-CERT event and other training. All announcements about TF-CSIRT meetings are made to the TF-CSIRT mailing list, so if you are not already on the list, please do sign up.

Elections for the TF-CSIRT Steering Committee will take place at the Zurich meeting. Anyone interested in serving on the committee, or who would like to nominate someone for the committee, should read the Terms of Reference and send a signed e-mail to the TF-CSIRT Chair or Secretary.