10 years to the day from the 39th TF-CSIRT meeting in Romania, the TF-CSIRT crowd were back in Bucharest for several days of networking, presentations and reflections on our roles as incident responders. For me in particular, the event was poignant, as the 2013 meeting in Bucharest was my very first TF-CSIRT. A look at our conversations in 2013 compared to 2023 reveals some similarities, but more noticeably a growth in the depth and range of topics with which CSIRT teams are involved. We were again kindly hosted by RoEduNet, who may or may not have been serious about inviting us back for 2033.
After the traditional closed meeting for Accredited and Certified teams, we kicked off the 69th TF-CSIRT meeting with an update from the Steering Committee and congratulations to ALEF-CERT and CIPHER-CERT on achieving recertification within Trusted Introducer and a reminder of the elections to the TF-CSIRT Steering Committee that will happen in September. Our next two presenters gave some practical experiences of CSIRT work. Firstly Igor Nikolic of CSA Global CSIRT talked about the concept of “FOW” (Fog of war) during an active Incident response, showcasing how an incident that initially was tagged as potential threat was in the end an IT issue. Krzysztof Zając from CERT-POLSKA then talked about how the Artemis tool is being used to improve the security of the Polish internet from the perspective of the registrar of .pl. Roderick Mooi of GÉANT led us into the break with an announcement of a new working group on Cyber Threat Intelligence – anyone with an interest in participating can find contact details in Roderick’s presentation.
Our final presentation from day one was an update from Henrik Larsen from DKCERT. Deep dives into the daily work of CSIRT teams are always excellent ways for us to think about how we are running our own teams, and Henrik gave a great example of just this. DKCERT has a role in ensuring the robust protection of vital societal functions meaning that wide range of rights have to be considered by the team – such as the principle of academic freedom.
After a memorable night of great food, good music and a surprise saxaphone player, we kicked off day two with a series of team updates from CSIRT.CZ, SI-CERT, PIONIER-CERT and CERT.LV. Věra Mikušová continued the theme of the societal value of CSIRTs with a focus on the not-for-profit status of CZ.NIC and how the team invests its money back into the internet community. Matej Breznik highlighted the upcoming impact of NIS2, that will mean more work for CSIRT teams and more focus on the strategic role they have within organisations and Baiba Kaskina gave a follow up chapter to her talk in May 2022 on the importance of coordinated vulnerablity disclosure, again with a view to meeting the requirements of NIS2.
All too quickly, we reached the last presentation of the meeting and a final team update from Wim Biemolt on the work of the SURF-CERT team. With that, the only thing left to do was invite all the participants to the next meeting, with a warm welcome from David Byers to Stockholm. The main meeting will take place from 26th – 27th September 2023, but the Swedish teams are preparing a range of extra trainings and tutorials for us (25th September) so we strongly recommend arriving early and participating in those.
With warm thanks to RoEduNet for looking after us, we look forward to seeing you all in September.