The 54th TF-CSIRT meeting was not intentionally timed to sync with “GDPR day” but we found ourselves in Warsaw for the 24th and 25th of May and managed NOT to fill the programme with only GDPR material. Instead the meeting covered an impressive array of issues being met and tackled by incident response teams – from blockchain to jump bags, and from botnets to learning our MANRS. The meeting was kindly hosted by CERT-OPL and CERT.PL in the beautiful Orange-Polska offices. We started off with some impressive news from our team response testing:
The fastest response to our last reaction test was 24 seconds! Good metrics showing how alert and responsive CSIRT teams in the community are.
— tfcsirt (@tfcsirt) 24 May 2018
Following the traditional closed meeting and the TF-CSIRT Steering Committee and Trusted Introducer updates, we began the meeting with an update from FORTH-CERT. Panos gave an overview of several EC funded projects that team is involved with including VirtuWind, CyberSure, Semiotics, CIPSEC, CERTCOOP, CEIOT and Ideal-Cities.
Next up, Antoine from SWITCH discussed how webcryptominers affect the .CH zone and how SWITCH deals with such cases. Cryptomining is the new kid on the malware block and has the potential to cause as much trouble as ransomware attacks we saw so much of in 2017. Cryptomining takes an awful lot of power to do effectively and if miners can hijack your computer for “free” to do this, the currency they are rewarded with for creating blocks is all the more of a return for them. SWITCH saw significant use of WordPress sites for such stealth-mining and carried out work to clean up. SWITCH also saw sneaky use of cookie consent dialogues to add cryptomining scripts.
Our next two talks focused on tools available to incident response teams. Bilgehan Turan from EATM-CERT gave an overview of how they were using Splunk in a variety of different ways to support their team needs, including integration with Maltego and to support wordlist analysis. Edvard Rejthar from CSIRT.cz presented the use of Convey: an open-source ticket request system to handle reported incidents. The approach improved the time it took for relevant information to be distributed and helped manage the variety of CSV formats received.
After the break, Torsten Juul-Jensen from TDC SOC CERT gave a rather different presentation by walking us through his CERT’s jump bag. This was a hardware-focused presentation, showing what the team took with them when they had to attend and deal with incidents on site. Whilst much incident response can be done virtually, it is a good reminder of the practical approach needed when on-site response is required.
The day completed with presentations from Wojciech Świeboda from CERT OPL, who walked us through the Sality botnet and its use of peer-to-peer traffic, and Kevin Meynell from ISOC, who presented the MANRS project: an attempt to address some of the trust-based issues of BGP by encouraging network operators to subscribe to four actions including filtering, anti-spoofing, coordination and address prefix validation.
After a wonderful evening spent high above Warsaw at Level 27, we returned to a busy second day. The morning started with a look at two different threats being seen by our CSIRT teams. Varis Teivans from CERT.LV gave an overview of efficient approaches to backdoor distribution systems, with a complex layering of backdoors to backdoors as cyber-criminals took advantage of each other. Javier Berciano from INCIBE reported on work to examine fraudulent use of domains within the ccTLD for Spain. This included a review of the work to detect the domains and the impact this had on customers within Spain.
After morning break we welcomed a mini takeover of TF-CSIRT from the SISSDEN Consortium. SISSDEN (Secure Information Sharing Sensor Delivery Event Network) aims to improve the cybersecurity posture of EU organisations and citizens through the development of increased situational awareness and the effective sharing of actionable information. The SISSDEN team were on hand to give us 5 separate updates, covering a vast range of topics including honeypots, DDoS attacks, malicious activities in darknet, approaches to tracking botnets, and finally our first real mention of GDPR and its impact on teams tackling cyber threats. It was a wealth of information from the team and we thank SISSDEN in particular for their contributions.
We rounded off a wonderful time in Warsaw with our now traditional lightning talks.
The lightning talks at TF-CSIRT are always popular and this meeting was no exception. The rapid fire talks took in TRANSITS training in Asia, welcoming new teams, failed attempts to get a laptop stolen in public and an update from the Taxonomy Working Group.
With that it was time to say Dziękuję Ci to our hosts and attendees in Warsaw and Labas! as we look forward to the next TF-CSIRT meeting on 27th and 28th September in Vilnius, Lithuania.