Image shows the TF-CSIRT Steering Committee hard at work on Sunday before the TF-CSIRT meeting.

“Only cooperation can solve such complex scenarios,” said one of the speakers at the recent TF-CSIRT meeting, getting to the heart and purpose of the TF-CSIRT community with one simple observation.

Last week, the TF-CSIRT community met for the 51st time, kindly hosted by NCSC.NL and co-located with the well-known NCSC One Conference in The Hague.  For this meeting, our agenda was packed into one day, but our presenters made good use of the time we had.

During the meeting, the TF-CSIRT Steering Committee and Trusted Introducer team took the time to update the community on various initiatives to help improve our collaboration and cooperation. Baiba Kaskina explained the proposed TF-CSIRT Strategy, developed by the TF-CSIRT Steering Committee at an away day early in the year. A draft of this strategy is attached and comments on the strategy are welcome. Baiba also summarised the current position on Listed Teams within the TF-CSIRT community and the proposals that have been put forward to improve the listing process. These are described in an earlier post on this site. Finally, Don Stikvoort updated the room on the changes to the CSIRT Code of Practice, an important document used in the Trusted Introducer accreditation process to set out a baseline on professional standards for CSIRT Teams.

Members of accredited teams were also asked to vote on a proposed change within the TI processes for accreditation.  The proposal was to move to requiring the consolidated FIRST TLP v1.0 in the TI documentation.  Of the 47 teams in attendance, 45 votes were received. 43 teams voted in favour of the move, with two abstaining and no teams voting against the proposal.  The TF-CSIRT voting record has been updated to reflect this outcome.

The morning session focused on developments within the NREN community. Surfnet gave a presentation on their recent Cybercrisis exercise, OZON, and the impact this had on the organisations participating. A second presentation from Surfnet gave an overview of an open source intelligence aggregation system being developed by Surfnet in collaboration with the GDI Foundation. This session also brought two updates from GÉANT: Evangelos Spatharas gave a demonstration of the DDoS mitigation tools being developed and used by GÉANT and its partner NRENs, whilst Charlie van Genuchten asked the audience for feedback on a Crisis Management exercise being planned by GÉANT later this year.

During the afternoon, the sessions returned to the theme of DDoS mitigation, with a presentation from Michael Hamm on backscatter analysis for DDoS detection. The work being carried out by CIRCL within MISP is openly available on GitHub. Michael also took the opportunity to note that CIRCL have openings for internships. The community then had the chance to welcome a new team, CERT PKO BP, who were introduced by Paweł Jacewicz. The team is newly listed, represents the biggest bank in Poland and wants to become fully immersed in the CSIRT community, so please reach out to the team at upcoming meetings. The final session before the break was presented by Yurie Ito, who gave the room an insight into how we can all work to improve the health of the cyber ecosystem. Cybergreen works to assess “threats to others” rather than threats to itself, and makes a series of metrics available that focus on the symptoms of cybersecurity rather than the cause.

To finish the afternoon, we had two presentations focusing on CVE (Common Vulnerabilities and Exposures). The first presentation looked at a vulnerability that has been identified and catalogued by CVE: DLL hijacking vulnerability CVE-2016-4116. Ladislav Bačo from CSIRT.SK gave an update on CSIRT.SK’s work on analysis of this vulnerability, responsible disclosure, additional research and identification of other similar flaws. Finally, Daniel Adinolfi from the MITRE Corporation gave a presentation on the CVE system itself and how organisations can participate to build up high quality content in the CVE list.

We finished by welcoming participants to the 52nd TF-CSIRT, which will be held in Stockholm on 21st and 22nd September 2017. Registration for this event is already open and spaces are limited, so grab your place now.

The 51st TF-CSIRT meeting also saw us launch on Twitter, so don’t forget to follow us and keep the conversation going online. We look forward to seeing you, either virtually or in reality, sometime soon!