The 51st TF-CSIRT meeting was held on 15th May 2017 in the Hague, the Netherlands.
The meeting was co-located with the NCSC International One Conference (16th – 17th May 2017) at the World Forum. Further details are available on the NCSC website.
Amazon Room, World Forum
2517 JW The Hague
You can find the list of attendees here.
Logistical information for the event is available.
Please note that the TF-CSIRT meeting is slightly shorter than normal and will take place on Monday 15th May ONLY. The CLOSED session is also shorter, Listed Teams are invited to join the meeting directly after the morning break.
There is an extra TF-CSIRT meeting from 15:00 – 16:00 on Tuesday 16th May during the One Conference. This will focus on API and data requirements for the TI database to enable wider sharing and usage of TI data. This meeting will take place in room “Africa” on the ground floor of the World Forum, on the left-hand side of the World Forum Theatre.
|09:00 – 10:30||TF-CSIRT Closed Meeting – by invitation only, for accredited, certified and TI Associates|
|10:30 – 11:00||BREAK|
|11:00 – 11:10||Welcome to the Open Meeting and AOB: Baiba Kaskina|
|11:10 – 11:30||TF-CSIRT Strategy: Baiba Kaskina|
At a recent strategy planning meeting, the TF-CSIRT Steering Committee wrote a strategy for TF-CSIRT covering the period 2017 – 2020. Baiba Kaskina will introduce this document and the ideas that are being developed as part of this process. TLP: White
|11:30 – 11:50||DDoS Mitigation Tools at GÉANT: Evangelos Spatharas, GÉANT|
Over the last decade the number of DDoS attacks has risen significantly, not only in volume but also in the range of targeted industries. In the past, DDoS attacks might target gambling or government sites as an expression of resentment or anger, and they were not easy to launch: skills, tools and the right equipment were needed.
Nowadays, with 200Gbps optical transceivers available, prices for 10Gbps falling, and RAM and CPU/GPU capacity more affordable than ever, D(D)oS attacks are at anyone's fingertips. Add the availability of open source tools, tutorials on how to use them and the legal web-based DDoS services known as stress testers, and such attacks are easier than ever.
During this short presentation, the need for DDoS mitigation infrastructure will be stated by means of the recent "DDoS Survey" aimed at GÉANT APMs and the relevant audience. In particular, 30% of the respondents deal with attacks that they cannot mitigate themselves. That is an early indicator for GÉANT that a mitigation infrastructure should be in place for future and more demanding situations.
The tools tested and the network design used to facilitate them will be discussed, followed by a short demo.
|11:50 – 12:20||Cybercrisis OZON: Sandy Janssen and Remon Klein Tank, Surfnet|
In October 2016 SURFcert & SURFnet organised a two-day cybersecurity exercise under the name OZON. 28 constituents participated in this exercise, which had a challenging and realistic scenario for both technicians and board members. More than 200 individuals played two days of a near real-life exercise, linking IT specialists, lawyers, communication experts, security and privacy officers, and the board of directors together. The exercise simulated a complicated, multi-stage attack from a hacker group, with strategic dilemmas for ICT management and board members, and tactical and technical dilemmas for the ICT departments.
In this presentation, we will discuss how we designed and prepared this exercise and do a brief walkthrough of the scenario, with both strategic and operational elements. We will also present the outcome of the exercise in terms of recommendations, both for the way you can organise crisis exercises and for improving your crisis organisation, processes and tooling. As a conclusion we will discuss different kinds of exercises and the benefit of each for organisations.
|12:20 – 12:30||The GÉANT CLAW Exercise – An Introduction: Charlie van Genuchten|
A short introduction to the CLAW Crisis Management Exercise with a short interactive session to gain input from TF-CSIRT to make sure the event will also speak to their needs.
|12:30 – 12:50||Open Source Intelligence Aggregation: Rogier Spoor and Sjors Haanen, Surfnet|
There are several public sources (OSINT) on the Internet that can
|12:50 – 13:00||Vote on TLP Wording for Accredited Teams: Don Stikvoort|
At the 49th TF-CSIRT meeting, members agreed to support the consolidated FIRST Traffic Light Protocol definitions. This short session will invite members to vote on accepting the wording changes into the Trusted Introducer accreditation process.
|13:00 – 14:00||LUNCH|
|14:00 – 14:20||Listed Teams Discussion: Future Proposal, Baiba Kaskina|
At the 50th TF-CSIRT meeting, participants were involved in break-out discussion groups to review the current status of listed teams within the Trusted Introducer process and look at future proposals for how to manage listed teams. This presentation will give an update on that discussion and proposed next steps.
|14:20 – 14:40||CIRCL: Analysing Backscatter during DDoS: Michael Hamm, CIRCL|
Backscatter traffic is a side effect of spoofed DDoS packets. The analysis of backscatter leads to knowledge about ongoing attacks and the targeted IP addresses. The gathered information may help to mitigate the attacks and could give additional insights.
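The principle described above, as an added worked example (not CIRCL's code or the tooling shown in the talk): packets arriving at a darknet prefix that never originates traffic are unsolicited, and the subset that are replies (SYN/ACK, RST, ICMP errors) can only be answers to packets that carried a forged darknet source, so the host sending those replies is the victim of a spoofed flood. The darknet prefix, the sample capture and the extrapolation factor are assumptions constructed for the example.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Assumption: the sensor announces 198.51.100.0/24 (TEST-NET-2) as a darknet and
# never sends traffic from it, so every packet arriving there is unsolicited.
DARKNET = ip_network("198.51.100.0/24")

# TCP flag bits as they appear in the header
SYN, RST, ACK = 0x02, 0x04, 0x10


def is_backscatter(pkt):
    """Return True if pkt is a *reply* that no darknet address ever asked for.

    A SYN/ACK, RST or ICMP error reaching an address that never sent anything
    means a third party sent packets with that address forged as the source;
    the host emitting the reply is the victim of that spoofed flood.  Plain
    SYNs and ICMP echo requests are scans or probes, not backscatter.
    """
    if ip_address(pkt["dst"]) not in DARKNET:
        return False
    if pkt["proto"] == "tcp":
        f = pkt["flags"]
        return bool((f & SYN) and (f & ACK)) or bool(f & RST)
    if pkt["proto"] == "icmp":
        return pkt["type"] in (0, 3, 11)  # echo reply, dest unreachable, TTL exceeded
    return False


def analyse(packets, window_s, min_targets=8):
    """Aggregate backscatter per reply sender (= DDoS victim) over a window.

    Only senders whose replies hit at least `min_targets` distinct darknet
    addresses are reported; one or two stray replies are not an attack.
    est_pps extrapolates the observed replies to the whole IPv4 space on the
    assumption that the attacker spoofs sources uniformly at random, which
    gives a rough estimate of the reply rate the victim is producing.
    """
    per_src = defaultdict(lambda: {"pkts": 0, "dsts": set(), "ports": set()})
    for p in packets:
        if not is_backscatter(p):
            continue
        s = per_src[p["src"]]
        s["pkts"] += 1
        s["dsts"].add(p["dst"])
        if p["proto"] == "tcp":
            s["ports"].add(p["sport"])  # source port of a SYN/ACK = attacked service

    scale = 2 ** 32 / DARKNET.num_addresses
    victims = {}
    for src, s in per_src.items():
        if len(s["dsts"]) < min_targets:
            continue
        victims[src] = {
            "pkts": s["pkts"],
            "targets": len(s["dsts"]),
            "ports": s["ports"],
            "est_pps": s["pkts"] * scale / window_s,
        }
    return victims


def sample_packets():
    """Constructed darknet capture (not real data) covering a 60 s window."""
    pk = []
    # Victim 203.0.113.10: a web server answering spoofed SYNs with SYN/ACKs
    for i in range(40):
        pk.append({"src": "203.0.113.10", "dst": f"198.51.100.{i + 1}",
                   "proto": "tcp", "sport": 443, "flags": SYN | ACK})
    # ...and with RST/ACKs once its backlog is exhausted
    for i in range(5):
        pk.append({"src": "203.0.113.10", "dst": f"198.51.100.{100 + i}",
                   "proto": "tcp", "sport": 443, "flags": RST | ACK})
    # A scanner sending plain SYNs: unsolicited, but not backscatter
    for i in range(50):
        pk.append({"src": "192.0.2.77", "dst": f"198.51.100.{i + 1}",
                   "proto": "tcp", "sport": 40000 + i, "flags": SYN})
    # A few ICMP unreachables from another host: below the reporting threshold
    for i in range(3):
        pk.append({"src": "203.0.113.44", "dst": f"198.51.100.{200 + i}",
                   "proto": "icmp", "type": 3})
    return pk


if __name__ == "__main__":
    for victim, info in analyse(sample_packets(), window_s=60).items():
        print(victim, info)
```

The extrapolation is the weakest part of any backscatter estimate: attackers who spoof from a limited range, or who do not spoof at all, produce no backscatter in the darknet, so absence of backscatter never proves absence of an attack.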
|14:40 – 14:50||CSIRT Code of Practice Updates: Don Stikvoort|
The CSIRT Code of Practice is one of the documents that Accredited TI teams are asked to support as part of the accreditation process. It was last updated in 2005. At the 48th TF-CSIRT Meeting in Riga, Don presented some of the proposed updates. This session will present the most up-to-date changes. The latest draft is available for review.
|14:50 – 15:00||CERT PKO BP Team Update: Paweł Jacewicz|
Pawel will give an introduction to CERT PKO BP – a newly listed TI Team.
|15:00 – 15:30||CyberGreen: Improving Cyber Health Through Measurement and Mitigation: Yurie Ito|
|15:30 – 16:00||BREAK|
|16:00 – 16:20||DLL hijacking vulnerability CVE-2016-4116 in Adobe Flash Player: Ladislav Bačo, CSIRT.SK|
The DLL hijacking vulnerability CVE-2016-4116 in Adobe Flash Player was discovered during our analysis of an older publicly available malware sample. This presentation describes our analysis of this vulnerability, its responsible disclosure, additional research and the identification of other similar flaws, and the exploitation of such vulnerabilities in signed programs for DLL hijacking and for bypassing User Account Control (UAC). The presentation also includes a description and demonstration of two unresolved 0-day vulnerabilities in Microsoft Windows 7 and the Google Chrome installer.
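The class of flaw described above, as an added worked example (not the speaker's code, and not tied to any of the products named in the abstract): a DLL hijack exists when Windows probes a directory that an unprivileged user can write to before it reaches the directory holding the real DLL, or when the DLL does not exist at all ("phantom" DLL) and a writable directory lies on the search path. The audit below models the default SafeDllSearchMode order and ignores manifests, SxS redirection, SetDllDirectory and LoadLibraryEx flags; the KnownDLLs subset, the filesystem layout and every DLL name other than kernel32.dll are assumptions constructed for the example.

```python
# Assumption: a simplified model of the Windows DLL search order with
# SafeDllSearchMode enabled (the default); manifests, SxS redirection,
# SetDllDirectory/LoadLibraryEx flags and the full KnownDLLs list are ignored.
SYSTEM32 = r"C:\Windows\System32"
SYSTEM_DIRS = [SYSTEM32, r"C:\Windows\System", r"C:\Windows"]

# Assumption: a small subset of KnownDLLs; these are mapped from System32 and
# never searched for, so they cannot be hijacked by planting a file.
KNOWN_DLLS = {"ntdll.dll", "kernel32.dll", "kernelbase.dll", "user32.dll"}


def search_order(app_dir, cwd, path_dirs):
    """Directories probed, in order, for a DLL that is not a KnownDLL."""
    return [app_dir, *SYSTEM_DIRS, cwd, *path_dirs]


def audit(imports, app_dir, cwd, path_dirs, fs):
    """Resolve each imported DLL and flag hijackable ones.

    fs models the filesystem as {dir: {"files": set, "writable": bool}},
    where "writable" means a non-admin user can drop a file there.
    Result per DLL: (status, resolved_dir, writable_dirs_probed_first)
      known_dll  - served from KnownDLLs, safe
      ok         - found before any user-writable directory was probed
      hijackable - a user-writable directory is probed before the real copy
      phantom    - not found at all, and a user-writable directory is probed
      missing    - not found, and nothing writable on the path
    """
    results = {}
    for dll in imports:
        name = dll.lower()
        if name in KNOWN_DLLS:
            results[dll] = ("known_dll", SYSTEM32, [])
            continue
        found, writable_first = None, []
        for d in search_order(app_dir, cwd, path_dirs):
            entry = fs.get(d, {"files": set(), "writable": False})
            if name in {f.lower() for f in entry["files"]}:
                found = d
                break
            if entry["writable"] and d not in writable_first:
                writable_first.append(d)
        if found is None:
            status = "phantom" if writable_first else "missing"
        else:
            status = "hijackable" if writable_first else "ok"
        results[dll] = (status, found, writable_first)
    return results


def demo():
    """Two constructed scenarios with hypothetical DLL names."""
    fs = {
        r"C:\Users\alice\Downloads": {"files": {"setup.exe"}, "writable": True},
        SYSTEM32: {"files": {"kernel32.dll", "netlib.dll"}, "writable": False},
        r"C:\Windows\System": {"files": set(), "writable": False},
        r"C:\Windows": {"files": set(), "writable": False},
        r"C:\Program Files\Vendor\App": {"files": {"app.exe", "vendor.dll"}, "writable": False},
        r"C:\Users\alice": {"files": set(), "writable": True},
        r"C:\Users\alice\AppData\Local\Tools": {"files": set(), "writable": True},
    }
    # An installer launched from the user's Downloads folder: the application
    # directory itself is writable and is probed before System32.
    installer = audit(["kernel32.dll", "netlib.dll"],
                      app_dir=r"C:\Users\alice\Downloads",
                      cwd=r"C:\Users\alice\Downloads",
                      path_dirs=[SYSTEM32], fs=fs)
    # A properly installed program importing a DLL that exists nowhere:
    # the first writable directory on the search path wins.
    installed = audit(["vendor.dll", "missing.dll"],
                      app_dir=r"C:\Program Files\Vendor\App",
                      cwd=r"C:\Users\alice",
                      path_dirs=[SYSTEM32, r"C:\Users\alice\AppData\Local\Tools"], fs=fs)
    return installer, installed


if __name__ == "__main__":
    for scenario in demo():
        for dll, (status, where, writable) in scenario.items():
            print(f"{dll:14} {status:10} from={where} writable-first={writable}")
```

The same check is what matters for the UAC angle in the abstract: a signed binary that auto-elevates is only a problem if one of the directories it probes before finding its DLL is writable by the standard user, so the audit output for such binaries is the list of directories to lock down.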
|16:20 – 16:40||Common Vulnerabilities and Exposures (CVE): Daniel Adinolfi, The MITRE Corporation|
The Common Vulnerabilities and Exposures (CVE) program uniquely identifies and names publicly-disclosed vulnerabilities in software and other codebases. CVE Numbering Authorities (CNAs) are an important part of the CVE program and are given the ability to identify and name CVE IDs in coordination with the MITRE CVE team. Participating as a CVE CNA allows organizations to have more control over their vulnerability management and disclosure processes while also ensuring a consistent level of service and a high quality of content within the CVE list. Becoming a CNA can be beneficial to vendors, coordination centers, and their customers, and it helps build a community of practice that continues to help improve the state of vulnerability management across many sectors. Join Daniel Adinolfi of the CVE program to learn about these benefits and how to participate.
|16:40 – 17:00||Welcome to TF-CSIRT 52: Kristian Borryd and Vladimir Bobor; Meeting Close and AOB: Baiba Kaskina|
|17:15 – 20:30||Early Arrivers Reception by invitation of NCSC One Conference. This reception will take place at Restaurant Gember.|
|15:00 – 16:00||TI Team Database & Taxonomy Discussion|
This meeting will look at 2 issues:
During an abuse handling project, CERT-Bund ran into the problem that some of the types used by IntelMQ seem to overlap. One example of rather unclear incident types would be "botnet drone" and "ransomware". For reporting it may be preferable to group them as "malware infection". As this topic interferes with other taxonomies I see the need for better agreement and would like to discuss this with a broader audience. Ideally the eCSIRT.net taxonomy should form an agreed basis.
This meeting will take place in room “Africa” on the ground floor of the World Forum, on the left-hand side of the World Forum Theatre.