Overview
The 52nd TF-CSIRT meeting was held on 21st & 22nd September 2017 in Stockholm Sweden, hosted by the Swedish CERT-forum. A training event on “Open Source Intelligence (OSINT)” was led by Kazimieras Sadauskas (NRD CS) on 20th September 2017.
Venue
The meeting was held at the TeliaCompany building in Stockholm. For further logistical and travel information, please visit the logistics page.
Registration
A list of attendees is available.
Programme
| TIME | EVENT |
|---|---|
| 11:00 – 18:00 | Open Source Intelligence (OSINT) – training event is full |
| 14:00 – 18:00 | TF-CSIRT Steering Committee Meeting- Invitation only |
| Evening | A range of social activities, prepared by the Swedish CERT forum. |
| TIME | EVENT |
|---|---|
| 09:00 – 13:00 | CLOSED TF-CSIRT Meeting – TI accredited and certified teams only and TI Associates. Information for those with access can be found on the Trusted Introducer website.
Note: please be at the venue as early as possible as there are two registration steps to go through. Please see the logistics page for more information. |
| 13:00 – 14:00 | LUNCH |
| 14:00 – 14:05 | Welcome – Baiba Kaskina, TF-CSIRT Chair |
| 14:05 – 14:15 |
Welcome from the Swedish CERT Forum – Robert Jonsson, MSB |
| 14:15 – 14:25 | Welcome from Telia – Daniel Aldstam, TeliaCompany CSO |
| 14:25 – 15:10 | Threat Hunting through Network Anomaly Detection – Erik Hjelmvik, Netresec |
| 15:10 – 15:30 | BREAK |
| 15:30 – 15:50 | Introduction to European Air Traffic Management CERT – Patrick Mana, European Air Traffic Management CERT
Patrick Mana gave a short introduction the European Air Traffic Management Team, a newly listed team within Trusted Introducer. TLP: White |
| 15:50 – 16:10 | Introduction of CERT-Conix, BTG and Machoke – Robin Marsollier, CERT-Conix
CERT-Conix introduced themselves and presented various tools it make to improve its workflow, namely BTG and machoke.BTG: fast and efficient search on observable.Machoke: CFG-hash for malware classification. The basic operation is to convert the CFG tree of a function to a string, by naming nodes and recording jumps and calls, to concatenate the strings of all functions and generate a murmurhash3 of the whole. This construction produces a hash resisting minor modifications of source code for the hashed sample. Moreover, comparison à-la ssdeep is possible. TLP: White |
| 16:10 – 16:30 | Updates from the TF-CSIRT SC and TI Team |
| 16:30 – 16:50 | IT Security at Cygate AB – Johan Åhrman, Cygate |
| 16:50 – 17:15 | TF-CSIRT SC Elections |
| 18:30 – 23:00 | The social event held on 21st September will be held at the Nobel Museum (http://www.nobelmuseum.se/en) on Stockholm’s Old Town. There will be a short guided tour of the museum (18:30 – 19:00) followed by a buffet of dishes from past Nobel gala dinners. |
| TIME | EVENT |
|---|---|
| 09:00 – 09:10 | Welcome – Baiba Kaskina, TF-CSIRT Chair |
| 09:10 – 09:25 | Scaning CMS – Zuzana Duracinska, CZ.NIC
The problem of running outdated CMS is that these CMS’ are like a bait for various attacks. As the National CSIRT operated by ccTLD we have decided to check the HTML headers (or CMS specific files) of all registered .cz domains and check which of them runs outdated version of most popular CMS (WordPress, Joomla). Decision to kick-out this action was followed by legal expertise from number of lawyers. In the presentation I will try to cover this action along with the results and feedback we got from the domain owners. TLP: White |
| 09:25 – 09:45 | DKCERT services for Danish Research and Education Institutions – Henrik Larsen, DKCERT The presentation will give an overview of the Danish NREN CERT services and a more detailed view on vulnerability scannings, both external and internal, and how the findings are reported to the institutions.TLP: White |
| 09:45 – 10:00 | Common Taxonomy – Andrea Dufkova, ENISA
Andrea gave a short introduction to a task force for CSIRT taxonomy that is being established by ENISA. The task force will aim to find solutions or a way forward to cover issues and concerns that were raised with regards to the current taxonomies and their use within the CSIRT community. A meeting to further discuss the task force and work areas took place on Friday afternoon. TLP: White |
| 10:00 – 10:30 |
BREAK |
| 10:30 – 11:00 | DNS Firewall use cases and lessons learned – Matthias Seitz, SWITCH CERT
SWITCH-CERT is operating a DNS Firewall (DNS RPZ) for the Swiss NREN and also other customers for more than two years and is currently protecting more than 200’000 users from malware and phishing. The main points covered are: TLP: White |
| 11:00 – 11:30 | GDPR Presentation – Andrew Cormack, Jisc |
| 11:30 – 12:00 | GDPR Discussion and Panel
Andrew Cormack, Roeland Reijers and Sara Marcolla led a panel and discussion session on the impact of GDPR, lessons learned from data breaches and experience of teams to date with GDPR issues for CSIRTs. Chaired by Nicole Harris TLP: White |
| 12:00 – 13:00 | Lightning Talks – chaired by Sigita Jurkynaite Silvio Oertli: Gain an Outside View Mikko Karikyto: Ericsson Update L.Aaron Kaplan: A global volumetric DDoS capacity estimate Sara Marcolla: 1st Europol-Enisa IoT Conference Silvio Oertli: Be a TRANSITS Petty Officer (Co-Captain) [advertisement break] Jan Kopriva: Team experiences with BEC scams Michael Hamm: “CEO fraud” – An attack vector Thomas Schrek: Next meeting Nicole Harris: How did we do this time? |
| 13:00 – 14:00 | LUNCH |
| 14:00 – 16:00 | Common Taxonomy Meeting |