May 2019 brought us the 57th TF-CSIRT meeting in Luxembourg and the chance to practice a real-life crisis management exercise due to a technical booking error. Thanks to the quick work of the University of Luxembourg staff, the helping hands of TF-CSIRT members and some robust security procedures, we were able to move 100 CSIRT team members across campus from one room to another whilst maintaining the integrity of a closed meeting.

Setting up a meeting in real time with TF-CSIRT. Photo credits: Baiba Kaskina.

Following on from the closed meeting, we started the open meeting with the traditional update from the TF-CSIRT Steering Committee. Members were asked to vote on a change to procedures to allow TI Associates to support Listed Teams. This vote was successful and is recorded in the TF-CSIRT Voting Record; appropriate procedural changes will be made by the Trusted Introducer team. We were also happy to announce the successful re-certification of both KPN-CERT and CERT-SE. Both teams were present to receive their certificates from Baiba Kaskina, TF-CSIRT chair.

The floor was then handed to the TF-CSIRT participants and a range of diverse topics and projects of interest to the community. Alexandre Dulaunoy from CIRCL talked about the D4 Project – a large-scale distributed sensor network to monitor DDoS and other malicious activities. The project is run as an open and collaborative endeavour and works closely with MISP. Sigita Jurkynaite presented on a project with a slightly different approach – the GÉANT “GN4-3” project has recently introduced a dedicated Security Workpackage to explicitly support and upskill NRENs in a range of areas such as security awareness and training, baseline requirements, DDoS mitigation, SOC implementation and more. Our final project update was from Sebastian Wagner from cert.at, who presented the IntelMQ project. Day one ended with a typically lively round of lightning talks, covering everything from team updates to phishing attacks and collaborative approaches to incident response. Highlights from all the lightning talks can be found on the TF-CSIRT Twitter account.

Day two started with a call to arms from Carlos Friacas. Carlos invited all CSIRT teams to ensure they take the opportunity to influence policy decisions being made at RIPE and other RIRs regarding address space hijacking. Full details on how to get involved are available in Carlos’s presentation. Two presentations from the Trusted Introducer team took us through two very different issues of relevance to our community: how can we best meet the needs for encrypted communication for Trusted Introducer in a changing environment? Teams present at the meeting agreed that it was essential to support both S/MIME and PGP as a minimum within Trusted Introducer, and a small working group was formed to look at moving this issue forward. If you would like to be involved, please contact the TI Team. Klaus-Peter Kossakowski also gave an update on the CSIRT Services Framework, SIM3, and changes that could be introduced to Trusted Introducer processes to ensure that we are compatible with both approaches.

A different focus to the meeting was introduced by Fabien Mathey from cases.lu, who gave an overview of the approach to Risk Assessment Optimisation taken by MONARC. The project identified a systematic and reusable approach to risk optimisation, and full details of the work are freely available on GitHub.

The final session of the day was a panel coordinated by Baiba Kaskina, looking at CSIRT Maturity and whether the TF-CSIRT / Trusted Introducer approach to maturity is fit for purpose. The panel involved CSIRT teams that have reached Certified status with Trusted Introducer across a range of different sectors. The teams described their approach to certification, why it was important to them, and what was challenging. Members of the audience were asked to contribute to the discussion via menti and it was encouraging to see that many teams were considering the certification approach.

The certification journey of teams at the 57th TF-CSIRT Meeting

Teams also suggested various areas where they needed more support to achieve certification. Ideas included: more time!, a supporting checklist, mentors, contacts to ask precise topic questions, management support materials and more templates. A full report was automatically generated from the great audience inputs and will be used to feed into the maturity programme for TF-CSIRT.

The end of the panel brought us to the end of the 57th TF-CSIRT meeting. We look forward to seeing many teams at the 58th TF-CSIRT meeting in September in Cyprus!