The 51st TF-CSIRT meeting was held on 15th May 2017 in the Hague, the Netherlands.

The meeting was co-located with the NCSC International One Conference (16th – 17th May 2017) at the World Forum. Further details are available on the NCSC website.

Amazon Room, World Forum
Churchillplein 10
2517 JW The Hague
The Netherlands


You can find the list of attendees here.


Logistical information for the event is available.


Please note that the TF-CSIRT meeting is slightly shorter than normal and will take place on Monday 15th May ONLY.  The CLOSED session is also shorter, Listed Teams are invited to join the meeting directly after the morning break.

There is an extra TF-CSIRT meeting from 15:00 – 16:00 on Tuesday 16th May during the One Conference.  This will focus on API and data requirements for the TI database to enable wider sharing and usage of TI data.  This meeting will take place in room “Africa” on the ground floor of the World Forum, on the left-hand side of the World Forum Theatre.

Monday,15th May 2017
09:00 – 10:30 TF-CSIRT Closed Meeting – by invitation only, for accredited, certified and TI Associates
10:30 – 11:00 BREAK
11:00 – 11:10 Welcome to the Open Meeting and AOB: Baiba Kaskina
11:10 – 11:30 TF-CSIRT Strategy: Baiba Kaskina
At a recent strategy planning meeting, the TF-CSIRT Steering Committee wrote a strategy fro TF-CSIRT covering the period 2017 – 2020.  Baiba Kaskina will introduce this document and the ideas that are being developed as part of this process.TLP: White
11:30 – 11:50 DDoS Mitigation Tools at GÉANT: Evangelos Spatharas, GÉANT

During last decade the number of DDoS attacks has been significantly on the rise in terms not only of volume, but target industries as well. In the past, DDoS attacks might target gambling or government sites as an expression of resentment or anger. Moreover, DDoS attacks were not that easy to launch, and skills, tools and right equipment needed.

Nowadays though, with 200Gbps optical transceivers available, and prices for 10Gbps decreasing and all over the place, RAM and CPU/GPU more than ever and at approachable prices, D(D)oS attacks are on ones’ fingertips. Adding on top of the latter the availability of open source tools, tutorials on how to use them and the new legal web DDoS tools known as stress testers such attacks are easier than ever.

During this short presentation, the need for DDoS mitigation infrastructure will be stated by means of the recent “DDoS Survey” pointed at GÉANT APMs and relevant audience. In particular, it has been found that 30% of the respondents deal with attacks that can’t mitigate themselves. That is an early indicator for GÉANT that a mitigation infrastructure should be in place for future and more demanding situations.

The tools tested will be discussed, amongst the network design that used to facilitate these following a short demo.

TLP: Green

11:50 – 12:20 Cybercrisis OZON : Sandy Janssen and Remon Klein Tank, Surfnet

In October 2016 SURFcert & SURFnet organised a two-day cybersecurity exercise under the name OZON. 28 constituents participated in this exercise which had a challenging and realistic scenario for both technicians and board members. More than 200 individuals played two days with a near real life exercise, linking IT specialists, lawyers, communication experts, security and privacy officers, and the board of directors together. The exercise simulated a complicated, multi stage attack form a hacker group with strategic dilemmas for ICT management and board members, and tactical and technical dilemmas for the ICT departments.

In this presentation, we will discuss how we designed and prepared this exercise and do a brief walkthrough of the scenario, with both strategic and operational elements. We also will present the outcome of the exercise in terms of recommendations for both the way you can organise crisis exercises and for improving your crisis organisation, processes and tooling. As a conclusion we will discuss different kind of exercises and the benefit of each for organisations.

TLP: White

12:20 – 12:30 The GÉANT CLAW Exercise – An Introduction: Charlie van Genuchten

A short introduction to the CLAW Crisis Management Exercise with a short interactive session to gain input from TF-CSIRT to make sure the event will also speak to their needs.

TLP: White

12:30 – 12:50 Open Source Intelligence Aggregation: Rogier Spoor and Sjors Haanen, Surfnet

There are several public sources (OSINT) on the Internet that can
provide information about vulnerabilities in computer systems. Commonly
used OSINT sources are Censys and Shodan.The reliability and accuracy of such sources go often beyond the information organizations have themselves. In addition, these sources are often designed to detect specific vulnerabilities and therefore are quite accurate. SURFnet in collaboration with GDI is collecting OSINT sources and visualizing them in an Elastic Stack environment. Constituent CERT/CSIRT teams will get access to a Kibana dashboard and therefore will be able to see relevant OSINT reports and be able to create their own queries on the data.

TLP: White

12:50 – 13:00 Vote on TLP Wording for Accredited Teams: Don Stikvoort

At the 49th TF-CSIRT meeting, members agreed to support the consolidated FIRST Traffic Light Protocol definitions.  This short session will invite members to vote on accepting the wording changes into the Trusted Introducer accreditation process.

13:00 – 14:00 LUNCH
14:00 – 14:20 Listed Teams Discussion: Future Proposal, Baiba Kaskina 

At the 50th TF-CSIRT meeting, participants were involved in break-out discussion groups to review the current status of listed teams within the Trusted Introducer process and look at future proposals for how to manage listed teams. This presentation will give an update on that discussion and proposed next steps.

TLP: White

14:20 – 14:40 CIRCL Analysing backscatter during DDoS: Michael Hamm, CIRCL

Backscatter traffic is a side effect of spoofed DDoS packets. The analysis of backscatter leads to knowledge about ongoing attacks and the targeted IP addresses. The gathered information may help to mitigate the attacks and could give additional insights.

TLP: Green

14:40 – 14:50 CSIRT Code of Practice Updates: Don Stikvoort

The CSIRT Code of Practice is one of the documents that Accredited TI teams are asked to support as part of the accreditation process.  This was last updated in 2005.  At the 48th TF-CSIRT Meeting in Riga, Don presented on some of the proposed updates.  This session will present on the most up-to-date changes. The latest draft is available for review

TLP: White

14:50 – 15:00 CERT PKO BP Team Update: Paweł Jacewicz

Pawel will give an introduction to CERT PKO BP – a newly listed TI Team.

TLP: White

15:00 – 15:30

CyberGreen: Improving Cyber Health Through Measurement and Mitigation: Yurie Ito

TLP: White

15:30 – 16:00 BREAK
16:00 – 16:20 DLL hijacking vulnerability CVE-2016-4116 in Adobe Flash Player: Ladislav Bačo, CSIRT.SK

DLL hijacking vulnerability CVE-2016-4116 in Adobe Flash Player has been discovered during our analysis of an older public-available malware sample. This presentation describes our analysis of this vulnerability, responsible disclosure, additional research and identification of other similar flaws. Exploitation of this vulnerabilities in signed programs for bypassing the User Access Control (UAC) and DLL hijacking.  The presentation will also includes description and demonstration of two unresolved 0-day vulnerabilities in Microsoft Windows 7 and Google Chrome installer.

TLP: Green

16:20 – 16:40 Common Vulnerabilities and Exposures (CVE): Daniel Adinolfi,The MITRE Corporation

The Common Vulnerabilities and Exposures (CVE) program uniquely identifies and names publicly-disclosed vulnerabilities in software and other codebases. CVE Numbering Authorities (CNAs) are an important part of the CVE program and are given the ability to identify and name CVE IDs in coordination with the MITRE CVE team. Participating as a CVE CNA allows organizations to have more control over their vulnerability management and disclosure processes while also ensuring a consistent level of service and a high quality of content within the CVE list. Becoming a CNA can be beneficial to vendors, coordination centers, and their customers, and it helps build a community of practice that continues to help improve the state of vulnerability management across many sectors. Join Daniel Adinolfi of the CVE program to learn about these benefits and how to participate.

TLP: White

16:40 – 17:00 Welcome to TF-CSIRT 52: Kristian Borryd and Vladimir Bobor
Meeting Close and AOB: Baiba Kaskina
17:15 – 20:30 Early Arrivers Reception  by invitation of NCSC One Conference.  This reception will take place at Restaurant Gember.
Tuesday,16th May 2017
15:00 – 16:00 TI Team Database & Taxonomy Discussion 

This meeting will look at 2 issues:

  • API and data requirements for the TI database to enable wider sharing and usage of TI data;
  • Agreement on incident types used by teams.

During abuse handling project, CERT-Bund came up with the problem that some of the types used by IntelMQ seem to overlap. One example for rather unclear incident types would be “botnet drone” and “ransomware”. For reporting it may be preferable to group them as “malware infection”. As this topic interferes with other taxonomies I see the need for better agreement and would like to discuss this with a broader audience. Ideally the eCSIRT.net taxonomy should form an agreed basis.

This meeting will take place in room “Africa” on the ground floor of the World Forum, on the left-hand side of the World Forum Theatre.