The 52nd TF-CSIRT meeting was held on 21st & 22nd September 2017 in Stockholm Sweden, hosted by the Swedish CERT-forum. A training event on “Open Source Intelligence (OSINT)” was led by Kazimieras Sadauskas (NRD CS) on 20th September 2017.


The meeting was held at the TeliaCompany building in Stockholm.  For further logistical and travel information, please visit the logistics page.


A list of attendees is available.


Wednesday 20th September 2017
11:00 – 18:00 Open Source Intelligence (OSINT)  – training event is full
14:00 – 18:00 TF-CSIRT Steering Committee Meeting- Invitation only
Evening A range of social activities, prepared by the Swedish CERT forum.
Thursday 21st September 2017
09:00 – 13:00 CLOSED TF-CSIRT Meeting – TI accredited and certified teams only and TI Associates. Information for those with access can be found on the Trusted Introducer website.

Note: please be at the venue as early as possible as there are two registration steps to go through.  Please see the logistics page for more information.

13:00 – 14:00 LUNCH
14:00 – 14:05 Welcome – Baiba Kaskina, TF-CSIRT Chair
14:05 – 14:15
Welcome from the Swedish CERT Forum – Robert Jonsson, MSB 
14:15 – 14:25 Welcome  from Telia – Daniel Aldstam, TeliaCompany CSO
14:25 – 15:10 Threat Hunting through Network Anomaly Detection – Erik Hjelmvik, Netresec
15:10 – 15:30 BREAK
15:30 – 15:50 Introduction to European Air Traffic Management CERT  – Patrick Mana, European Air Traffic Management CERT

Patrick Mana gave a short introduction the European Air Traffic Management Team, a newly listed team within Trusted Introducer.

TLP: White

15:50 – 16:10 Introduction of CERT-Conix, BTG and Machoke – Robin Marsollier, CERT-Conix

CERT-Conix introduced themselves and presented various tools it make to improve its workflow, namely BTG and machoke.BTG: fast and efficient search on observable.Machoke: CFG-hash for malware classification. The basic operation is to convert the CFG tree of a function to a string, by naming nodes and recording jumps and calls, to concatenate the strings of all functions and generate a murmurhash3 of the whole. This construction produces a hash resisting minor modifications of source code for the hashed sample. Moreover, comparison à-la ssdeep is possible.

TLP: White

16:10 – 16:30 Updates from the TF-CSIRT SC and TI Team
16:30 – 16:50 IT Security at Cygate AB – Johan Åhrman, Cygate
16:50 – 17:15 TF-CSIRT SC Elections
18:30 – 23:00 The social event held on 21st September will be held at the Nobel Museum (http://www.nobelmuseum.se/en) on Stockholm’s Old Town. There will be a short guided tour of the museum (18:30 – 19:00) followed by a buffet of dishes from past Nobel gala dinners.
Friday 22nd September 2017
09:00 – 09:10 Welcome – Baiba Kaskina, TF-CSIRT Chair
09:10 – 09:25 Scaning CMS – Zuzana Duracinska, CZ.NIC

The problem of running outdated CMS is that these CMS’ are like a bait for various attacks. As the National CSIRT operated by ccTLD we have decided to check the HTML headers (or CMS specific files) of all registered .cz domains and check which of them runs outdated version of most popular CMS (WordPress, Joomla). Decision to kick-out this action was followed by legal expertise from number of lawyers. In the presentation I will try to cover this action along with the results and feedback we got from the domain owners.

TLP: White

09:25 – 09:45 DKCERT services for Danish Research and Education Institutions – Henrik Larsen, DKCERT

The presentation will give an overview of the Danish NREN CERT services and a more detailed view on vulnerability scannings, both external and internal, and how the findings are reported to the institutions.TLP: White
09:45 – 10:00 Common Taxonomy – Andrea Dufkova, ENISA

Andrea gave a short introduction to a task force for CSIRT taxonomy that is being established by ENISA. The task force will aim to find solutions or a way forward to cover issues and concerns that were raised with regards to the current taxonomies and their use within the CSIRT community. A meeting to further discuss the task force and work areas took place on Friday afternoon.

TLP: White

10:00 – 10:30
10:30 – 11:00 DNS Firewall use cases and lessons learned – Matthias Seitz, SWITCH CERT

SWITCH-CERT is operating a DNS Firewall (DNS RPZ) for the Swiss NREN and also other customers for more than two years and is currently protecting more than 200’000 users from malware and phishing.

The main points covered are:
– A short introduction to DNS RPZ/DNS Firewall.
– A closer look to some incidents in which a DNS Firewall is a great help.
– An overview of the current RPZ provider / DNS Firewall market.
– Lessons learned and best practices for RPZ implementation.

TLP: White

11:00 – 11:30 GDPR Presentation – Andrew Cormack, Jisc
11:30 – 12:00 GDPR Discussion and Panel

Andrew Cormack, Roeland Reijers and Sara Marcolla led a panel and discussion session on the impact of GDPR, lessons learned from data breaches and experience of teams to date with GDPR issues for CSIRTs.  Chaired by Nicole Harris

TLP: White

12:00 – 13:00 Lightning Talks – chaired by Sigita Jurkynaite

Silvio Oertli: Gain an Outside View
Mikko Karikyto: Ericsson Update
L.Aaron Kaplan: A global volumetric DDoS capacity estimate
Sara Marcolla: 1st Europol-Enisa IoT Conference
Silvio Oertli: Be a TRANSITS Petty Officer (Co-Captain)
[advertisement break] Jan Kopriva: Team experiences with BEC scams
Michael Hamm: “CEO fraud” – An attack vector
Thomas Schrek: Next meeting
Nicole Harris: How did we do this time?
13:00 – 14:00 LUNCH
14:00 – 16:00 Common Taxonomy Meeting