photo credit: Marc-Frédéric Gomez.
“Long time no see!” was the most popular phrase at the TF-CSIRT – FIRST Regional Symposium in Bilbao, Spain. And it has been a long time indeed – last time we met all together was in Malaga in 2020. We had some virtual events in the meantime, but it was certainly nice to see old faces and meet new colleagues in real life. The first joint post-pandemic event took place from 30th of January to 2nd of February, kindly hosted by the Basque Cybersecurity Centre.
TF-CSIRT Steering Committee and FIRST Board of Directors started the Bilbao marathon on Monday with various meetings, including a joint one to plan future collaborations. On Tuesday morning, the programme began with a closed TF-CSIRT meeting for Accredited and Certified teams and then starting from lunch, it was a full house – an unprecedented 350 attendees. After a short welcome by the TF-CSIRT Steering Committee chair Silvio Oertli, the main meeting was opened by Albert Calvo and Nil Ortiz (Fundació i2 CAT), who talked about behavioral modeling and how that can be applied by security teams to assess their users’ readiness to fight against threats. The framework that they are developing can also be useful to calculate the return on investment in cybersecurity, which can be very helpful when talking to the executives.
We often talk about collaboration at these meetings, and this time was no exception. We had not one but two presentations by the French teams on what they do to encourage sharing – Matthieu Bontrond (ANSSI) and Thomas Fontvielle (CERT-FR – ANSSI) presented on how they overcome the challenges related to different protocols – TLP and PAP, to make sure that the information is shared correctly. Then, Etienne Baudin and Frédéric Le Bastard (InterCERT France) shared an update on the InterCERT France association that unites 78 French CERTs – a community that grew over the years from an informal meeting to an official organisation.
Mikolaj Dobski (PSNC) introduced the audience to MALWINA – a system enabling the automation of a multidimensional malware analysis process. And then the time came for the Lightning Talks session that featured 8 talks of 5 minutes or less. The topics varied from vulnerability management to NIS2 directive, from team introductions to a quick demo on how to solve a CTF challenge. One of the Lightning Talks was given by a former TF-CSIRT chair Lionel Ferette, who used this time to announce that he is stepping down from the CERT.be team representative role.
The local host invited all participants to a social event at the most spectacular venue – the Guggenheim museum, where we could not only enjoy the local delicacies and live music, but also visit all of the expositions.
Dr. Sherif Hashem, Chair of the FIRST Board of Directors, welcomed the attendees on Wednesday, followed by Jossef Harush Kadouri (IL) telling the audience about https://red-lili.info/ – an open source research project for automating the process of keeping track of threat actors publishing malicious packages. Carlos Sanchez Santos (Ørsted) presented on the cyber security challenges that the teams working on secure Critical Infrastructures in the energy sector are facing.
Ransomware remains one of the most prevalent and talked about threats in cyberspace – three slots in the programme of the second day of the meeting were dedicated to topics related to this type of attack. However, it would be equally impossible to not talk about the war in Ukraine – Artsiom Holub (Cisco Talos) gave an overview of the lessons learned since the war began in 2014.
Eddy Willems (G DATA) and Righard Zwienenberg (ESET) entertained the public with their presentation on real-life examples of cyber-incidents and how they could have been prevented – theirs was a talk with a dedicated soundtrack Bachman Turner Overdrive’s “You ain’t seen nothing yet”. They promised that this is not the last time we see this duo on stage!
Daniel Lunghi and Jaromir Horejsi (Trend Micro) provided an analysis of Iron Tiger (also known as APT27, also known as Emissary Panda). The main programme was closed by John Kristoff (Liaison) with a talk about how a distributed Internet activity sensor network that spans six continents, more than sixty countries, utilizes approximately 100 different commercial hosting providers, has IPv4 address assignments in over 100 /8’s, has no volunteers, and has no donated systems was created at Dataplane.org.
Thursday was spent training and learning – 5 training tracks were hugely popular and fully booked. Thanks to the volunteer trainers from the community, the training sessions covered a wide range of topics, such as CSIRT management, SIM3 framework, malware analysis, simulation-strategic games, and DNS.
Hopefully it won’t be long before TF-CSIRT and FIRST will gather together again and we can continue our annual tradition in 2024. And the regular TF-CSIRT meetings are back on track – next time we will meet in Bucharest on 24-25 May 2023 and in Stockholm on 26-27 September 2023.