TF-CSIRT met for the 52nd time in Stockholm, Sweden – kindly hosted by TeliaCompany at their beautiful new offices.  When we had finished admiring the indoor waterfall, smurf-hut meeting rooms and fully open-plan offices, the meeting started with our closed session, addressing TLP:AMBER and TLP:RED matters.  Details of these sessions, for Accredited and Certified teams only, can be found on the Trusted Introducer website.

Improving the Listed Offering

One of the main discussion points for this meeting was a vote on how we can change and improve the TI offer for Listed Teams, as previously discussed on this blog. Listed Teams are teams that are registered in the Trusted Introducer directory for contact purposes, but have not yet provided further information on their maturity, either by self-assessment (Accreditation) or third-party audit (Certification).  The voting teams present elected to introduce three new processes for Listed Teams:

  • Listed teams not yet accredited and/or certified MUST be fully relisted after three years, including renewing sponsorship requirements;
  • Listed teams SHOULD participate in TI response testing at least once per year;
  • The TI Team will make sponsoring teams visible on the restricted TI website for each listing.

All of these changes are aimed at improving the quality and freshness of data we provide to the community.  Accredited Teams can also expect changes as teams also voted to adopt a new version of the CSIRT Code of Practice – an integral part of the Accreditation framework.  A grace period for adopting the new approach will be announced to teams shortly.  All voting information can be found on our vote record.

The Quest for the Holy Grail

We were welcomed to the meeting by Daniel Aldstam, with a sobering reminder of the impact that security incidents can have on a company.

After introductions, the full meeting kicked off with a hunt for network threats with Erik Hjelmvik from NETRESEC.  Erik invited us to look at a variety of samples and decide whether they looked healthy or hacked. Erik stressed the importance of examining as much data as possible, and the need to spend time on false positives, discounting benign information before real issues can be singled out.  Defining what is good as well as what is bad is an essential part of anomaly detection, as the “bad” elements are often unknown in advance and therefore cannot be detected by signature alone.

Welcoming New Members, Congratulating Old Friends

At every TF-CSIRT meeting we like to invite newly listed and accredited teams to introduce themselves to the community, and this meeting was no exception. We were joined by members from European Air Traffic Management CERT and CERT-Conix, who gave us an overview of their work and their constituencies. Patrick Mana and his team gave an entertaining update on the European Air Traffic Management CERT, highlighting the pivotal role that security plays in an environment where people’s lives are literally in the hands of the air traffic systems.

Robin Marsollier from CERT-Conix focused on tooling at CERT-Conix and the work the team does to contribute to existing open source offerings and to develop their own tools, all of which are available on GitHub.  This highlighted the collaborative nature of the CSIRT environment.

This meeting also gave us the opportunity to congratulate Funet-CERT and CERT-EE on becoming Certified Teams, and to welcome new members to the TF-CSIRT Steering Committee.  We thanked Jan Vykopal and Lionel Ferette for all their support for the committee over the last couple of years and welcomed Sven Gabriel of EGI and Shehzad Ahmad, TI Associate, to the team.

Community Focus

After an inspirational social evening at the Nobel Museum, where we had the chance to taste dishes that have been served at various Nobel banquets over the years, we started day two with a series of case studies from the community.  Zuzana started us off with a walk through the work CZ.NIC has carried out to monitor and fix the problem of outdated content management systems (CMS) such as WordPress and Joomla.  Outdated systems provide an easy gateway for attackers, so preventive action is essential.

This meeting welcomed two updates from our NREN CSIRT teams.  Henrik Larsen from DKCERT gave an update from his team and its work to support Danish universities and the Danish NREN, DeiC. Henrik discussed the implementation of vulnerability scanning at DKCERT, but also briefly touched on work to address the upcoming General Data Protection Regulation (GDPR), where DKCERT will be offering Data Protection Officer (DPO) services to their constituency to help meet GDPR requirements.  Matthias Seitz presented work on the SWITCH-CERT DNS Firewall, with examples of where the firewall has been beneficial for SWITCH customers facing security issues.  Matthias also asked for opportunities within the community to collaborate on DNS Firewall approaches.

Andrea Dufkova of ENISA gave an update on the Common Taxonomies Working Group, which is leading work to review issues and concerns that were raised with current taxonomies and their use within the CSIRT community.  The group met after the TF-CSIRT meeting in Stockholm and will meet again at the next event in Hamburg.

Are You Ready for GDPR?

For the afternoon of the second day we turned our attention to requirements for CSIRT teams relating to GDPR.  Andrew Cormack gave a comprehensive overview of the new regulation and what it might mean for our teams, and this was followed by a panel discussion where Andrew was joined by Roeland Reijers and Sara Marcolla.  Despite the fear that GDPR might not be the most interesting topic for incident response practitioners, we had a lively session covering everything from GDPR implications for WHOIS to how we should think about GDPR in relation to the services TF-CSIRT offers.  With plenty of questions from the audience, it is clear that there is a lot of work still to be done in this space.

Lightning Talks Come to TF-CSIRT

In order to lighten the mood after a serious walk through policy concerns, we hosted our first ever set of lightning talks at TF-CSIRT.  The rules were simple – 5 minutes to talk about one topic or idea that you think is relevant and important to the TF-CSIRT community – and anyone using more than their 5 minutes was played off the stage to a selection of bad music.  Within the hour slot we covered topics from how to become a TRANSITS trainer, to event announcements, to experiences from the community of security incidents dealt with locally.  The sessions were such a success that attendees have asked us to bring them back to Hamburg in February 2018 – you can see more details in the Call for Proposals for that meeting.

With thanks again to TeliaCompany for hosting, to the Swedish CERT Forum for organising and to Cygate for sponsoring the evening meal, we look forward to seeing you all at the joint TF-CSIRT and FIRST Regional Symposium in Hamburg from 5th – 7th February 2018.