TF-CSIRT Meeting Reports

The 64th TF-CSIRT meeting took place on the 14th September 2021 – now our 5th online meeting, which was more time managing the online approach to meetings than any of us would have predicted.

Updates from the Steering Committee

The meeting started as usual with an update from the TF-CSIRT Steering Committee. There was lots of positive news from the group.  Firstly we were happy to announce the newly appointed Steering Committee members – David Byers of LiU IRT was returned for a second term and we welcomed Sigita Jurkynaitė to her first term on the Steering Comittee.  Silvio Oertli, chair of the TF-CSIRT Steering Commitee, also took the time to thank Shehzad Ahmad for his time supporting the committee.  The formal results can be found in the TF-CSIRT Voting Record.  If any teams have ongoing feedback about the new online voting process we would be happy to hear from you!

The TF-CSIRT Steering Committee also formally closed the TF-CSIRT Futures Working Group, which has completed its work with the May 2021 vote on the future of TF-CSIRT.  The Steering Committee will now work with the current service providers, the current TF-CSIRT sponsors and relevant experts to implement the outcome of the futures vote.

New Certifications

We were also happy to announce two newly certified teams and two re-certifed teams since we last met.  Many congratulations go to:

  • GAZ-SYSTEM CERT (Poland)
  • CERTCreditAgricole (France)
  • CERT BWI (Germany)
  • CERT.at (Austria)

Standards: New and Old

As we moved into the main programme for the meeting, we had the opportunity to hear about how our community is being impacted by changes to standards and regulations both new and old.  Andrew Cormack gave an overview of the upcoming NIS2 Directive and how it supports the use of data for incident response.  Although NIS2 is yet to be finalised, the framework offers promising directions that will enable CSIRT teams to effectively do their work and share their work with other teams.  More information can be found in Andrew’s slides and blogpost on the topic.

Jan Kopriva also reminded us how long it can take to effect change even after standards change.  His look at the adoption of TLS 1.3 and analysis of the continued use of SSL on public IPs showed clearly that despite SSL being deprecated in 2015, we still have a long way to go in terms of TLS adoption. Jan’s slides identify some useful tools should you want to examine use in your own constituency.

All in a Day’s Work

Our final four presentations on the agenda highlighted some very practical examples of how CSIRT teams work every day to improve the security of our working environments.  Albert Priego Bravo, a Malware Analyst at CERT-GIB gave an indepth analysis of the Ryuk Gang and their use of GrimAgent. Ransomware attacks from this group were widespread and targeted a wide range of different sectors – showing once again why it is so important that organisations like TF-CSIRT enable cross-sector information sharing. Albert’s slides are available and he encourages all teams to read up on this issue on the CERT-GIB blog.

O365 is ubiquitous in the workplace making it an obvious target for attack.  Guenaelle De Julis from CERT-XLM presented a detailed use case of how a complex spoofing email approach had been identified despite precautions – such as MFA – being put in place by the organsiation in question.  Guenaelle’s slides will be of interest to any teams or organisations using O365.

Our next presentation was from Margrete Raum of KraftCERT and was a very clear walk-through of how Volue were impacted by an attack from Ryuk – the very group discussed by Albert earlier in the meeting.  Volue have a series of very detailed updates about the attack, including the financial impact on the organisation, that makes for sober reading.  Margrete’s slides are TLP:Amber so not publicly shared.

For the final presentation of the day we reached across the globe and were happy to be joined by Cristine Hoepers from CERT.br. Cristine gave an update on the evolution of threat sharing using MISP in Brazil and the progress that has been made in centering this approach to information sharing within their constituency.  Cristines’s slides are TLP:Green so not publicly shared.

And Next Time?

The TF-CSIRT Steering Committee and FIRST are still considering options for our next meeting, which would typically be a joint session.  We will update the community as soon as we have more information and in the meantime we appreciate your patience!