TF-CSIRT and FIRST held their joint TF-CSIRT and FIRST Regional Symposium in Malaga from 28th to 31st January 2020, kindly hosted by the University of Malaga. As well as the usual conference content, the meeting supported a range of side-meetings and training events – including the regular TF-CSIRT Taxonomy and TF-CSIRT Futures Working Groups.
After the traditional morning “closed” meeting for TF-CSIRT Accredited and Certified Teams, the main meeting kicked off with a look at the impact of incident response when dealing with cloud infrastructure, with a presentation from Jeroen Vandeleur (NVISO, BE). The technical focus continued with an update on the Trusted Introducer infrastructure. Jochen Schönfelder (DFN-CERT, DE) informed participants of new developments at Trusted Introducer, including plans for a new secure chat service for teams.
A different topic was then brought to the floor by Stéphane Duguin (CEO, CyberPeace Institute), who talked to the audience about the “accountability gap”. The CyberPeace Institute is an independent, non-governmental organization focused on peace in cyberspace. It aims to decrease the frequency, impact, and scale of cyber-attacks by sophisticated actors that cause significant, direct harm to people. The CyberPeace Institute believes that civilians need to be brought back to the forefront in cybersecurity discussions and be empowered in understanding how their infrastructures are attacked. Through collective analysis of cyberattacks and capacity-building measures grounded in internationally accepted norms, the CyberPeace Institute is confident that positive changes will be made towards the protection of civilians and the overall stability in cyberspace.
Day one was completed with two more technically focused presentations – Xavier Mertens (Xavier Mertens Consulting, BE) took us on a “walk through logs hell” with tips and ideas for how to find the information you need in a haystack, without needing to spend a fortune on tooling. Michael Hamm gave a follow-up talk from a previous TF-CSIRT meeting with Forensics Lessons II, including lessons learned from real cases in forensics labs.
Launching into day two, we started with an update on the Shadowserver Foundation from Piotr Kijewski (Shadowserver, NL). The non-profit Shadowserver Foundation collects many types of large-scale security data sets and provides free daily infection data to network owners for remediation purposes. It regularly works with national CSIRTs, ISPs/hosting companies and law enforcement agencies combating malware, botnets and cybercrime activities. The talk gave an overview of activities undertaken in 2019 and upcoming CSIRT-relevant projects. Michael Fortune (British Telecom, GB) talked about the Human Firewall and the impact of human behaviour on incident response, including lessons learned from social engineering experiments. Jan Kopriva gave an update on Industrial Control Systems (ICS) and issues discovered by ALEF CSIRT in monitoring connected devices.
The afternoon brought a timely talk from Fabian Elias Vroom on Disinformation 2.0. In 2018, Gartner predicted that by 2022 half of the information we consume would be false. What actions can we take to help detect false news early? Jüri Shamov-Liiver (Spectx, EE) gave an Inside View to Domain Typosquatting Operation and Jānis Džeriņš (CERT.LV, LV) gave an update on Pastelyzer — the Paste Analyzer. Two more talks brought us to our final session of the day: John Kristoff (DePaul University, US) gave an update on Routing Security: RPKI Usage and Consistency and Hielke Bontius (NCSC-NL, NL) gave a team update.
We finished off the programme with a panel focused on Global Trends and Regional Cooperation. The panel was led by ENISA and CERT/CC and gave a fascinating overview of the challenges and opportunities for CSIRT teams and other agencies to collaborate globally. Whilst many of our participants still had a full day of training to go, it was time for us to formally say adiós to Malaga, thank our hosts and sponsors and look forward to seeing many of you again soon.