TF-CSIRT Meeting Reports

From the 5th – 7th February 2018, over 250 CSIRT professionals attended the TF-CSIRT meeting & FIRST Regional Symposium Europe – kindly hosted by DFN CERT.   The meeting broadly covered four themes: human capital, EU initiatives, products and platforms and vulnerability scanning.

We started the first day with the closed TF-CSIRT meetings (information available to accredited and certified teams only from the Trusted Introducer website, followed by an update from the TF-CSIRT Steering Committee.  This led to a successful vote on changing the shape of the TF-CSIRT Steering Committee, and also gave us a chance to congratulate CERT.at on their Trusted Introducer Certification.

Maarten Van Horenbeeck kicked off the open meeting with a presentation on Internet Governance and its relevance to FIRST / TF-CSIRT activities.  Maarten discussed the “internet of government” and how important it is that political leaders have a good understanding of security issues and requirements when making policy that impacts on internet governance.  There are a range of organisations and activities designed to influence this space, such as the Internet Governance Forum. There is a role for all of us in influencing and supporting these activities.

The day then moved on to look at two human capital issues: Roderick Mooi and Schalk Peach from SANReN CSIRT presented the SANReN Security Challenge. The goals of the challenge were to stimulate interest in information security within the South African student body and give these students a platform to showcase their skills. This was a highly successful activity and SANReN are interested in how we can do more globally to support such approaches.  Tracy A. Bills from CERT/CC picked up on theme of Capacity Building with her presentation on the National CSIRT Development Mentoring Framework, which has a remit for building capacity in the CSIRT community in East Asia, Africa and Eastern Europe and is designed to be used by third parties.  There is a clear global benefit to growing CSIRT capacity in all countries to better support our joint efforts in managing incident response.

Moving closer to home, the next session looked at three areas impacting work within Europe.  Rossella Mattioli and Yonas Leguesse from ENISA gave an update on Reference Incident Taxonomy for CSIRTs and the joint ENISA / TF-CSIRT Working Group progress.  The working group continues to meet at every TF-CSIRT meeting, don’t forget to sign-up for the meeting in Warsaw!  We moved on to two case studies on managing GDPR from Freddy Dezeure, and from Mirjam Kuehne from RIPE.  GDPR comes into effect on the 25th May 2018 so we will be able to celebrate the date at the Warsaw meeting.  A more in-depth write up on GDPR processes from RIPE is available on the GÉANT blog.  To end this session, Alvaro Azofra and Sara Marcolla from the European Cybercrime Centre (EC3) at Europol shared a series of operational cases, including a botnet takedown and a ransomware issue, as well as some interesting cases for potential future collaboration.

Following a fantastic social evening hosted by DFN-CERT, we kicked off day two with a series of presentations looking and product and platform issues including:pr

  • A look at the changing face of products and incident response from Gaus Rajnovic, Panasonic PSIRT.
  • Use cases from Hak5 Field Kit from Michael Hamm, CIRCL.
  • Optimising Open Source IDS from CSIRT-CV.
  • An update on CERT@VDE.

The afternoon brought us to a brief update from the FIRST Board, and  then a series of presentations looking at vulnerability scanning.  First we were given a behind the scenes look at Shadowserver, which has been collecting network threat information on a large scale for many years with a mission to make the Internet a more secure environment for all. The talk focused on the challenges of collecting data on such a large scale and success stories from the data collection.  SANReN picked up on this theme, the proliferation of tools to manage vulnerability scanning and how the SANReN CSIRT is managing this via ScanMan.   Patrick Green from the University of St. Andrews talked about managing the risk and costs of scanning and the session finished with Peter Kleinert from Binconf CDC talking about how to make open source vulnerability scanners work effectively in a multinode environment.

We finished the meeting with a fast-paced round of lightning talks – fitting 14 talks into one hour and 4 minutes.  The variety and range of topics covered in that session was so far reaching we will bring you another blog focused on those!

With thanks to DFN-CERT, FIRST and our attendees for a great meeting – we look forward to seeing many of you next time in Warsaw!