The 54th TF-CSIRT took place from 24th – 25th May 2018 in Warsaw, Poland kindly host by CERT-OPL and and CERT.PL.  Slides are included in the programme below subject to permission from the authors.


NASK Research and Academic Computer Network (Kolska 12, 01-045 Warsaw)

Thursday & Friday
Orange (CERT-OPL) Conference Centre  
(Aleje Jerozolimskie 160, Warsaw).


Please find a list of recommended hotels here.


Registration is now closed. Unfortunately the capacity for the 54th TF-CSIRT meeting has been reached.  Please contact Nicole Harris or Sigita Jurkynaite to be added to the waiting list.

Please register separately for:


Wednesday 23rd May 2018

(Venue: NASK, Kolska 12, Warsaw)

09:00 – 15:00 TF-CSIRT Steering Committee – Invitation only
10:00 – 17:00 TRANSITS Train the Trainer – registration
15:30 – 17:00 Taxonomy Meeting – registration
18.00 Social event at Pub Lolek (informal, self-paid)

Thursday 24th May 2018

(Venue: Orange CERT-OPL Conference Centre, Aleje Jerozolimskie 160, Warsaw)

09:00 – 12:00 Various  TF-CSIRT Closed Meeting – Invitation only for accredited and certified teams and TI Associates
12:00 – 13:00 LUNCH  LUNCH
13:00 – 13:10 Baiba Kaskina, TF-CSIRT SC
13:10 – 13:40 TF-CSIRT / TI Team  TF-CSIRT Steering Committee Update
A brief update from the TF-CSIRT Steering Committee, reviewing SC membership, certifications, GDPR, WHOIS and other topics.
Trusted Introducer Update
An update from the Trusted Introducer team on team stats, efforts to clean the TI Directory and technical changes.
13:40 – 14:00 Panos Chatziadam, FORTH-CERT FORTHCert Update
In this presentation, Panos will give an update on the FORTH-CERT team and some of the projects they have been involved in recently.
14:00 – 14:30 Antoine Neuenschwander, SWITCH Web Cryptominers in the .CH Zone
Blockchain is hip. Not only do crypto valley startups have high hopes in making groundbreaking innovations, cyber criminals also see high potential in crypto currencies for profit generation. Since fall 2017, ransomware has seemingly left the field to cryptominers. Instead of extorting Bitcoins from users, the malware runs silently in the background and parasites the system resources for cryptomining. With the advent of altcoins specifically designed for mining on general purpose CPUs and corresponding Javascript implementations (e.g. coinhive.com), webcryptominers are now proliferating.The SWITCH foundation as operator of the .CH registry is required by the Ordinance on Internet Domains (OID) to block domain names being used for the distribution of harmful software. In this session, Antoine will present how webcryptominers affect the .CH zone and how SWITCH deals with such cases.  Elements of this presentation were TLP:GREEN, the slides made available are TLP:WHITE.
14:30 – 14:45 Bilgehan Turan, EATM-CERT The Different Usages of Splunk
In this presentation, Bilgehan will present on the following areas:

  • splunk maltego integration use cases.
  • analysing wordlists that are used in password attacks with splunk.
  • other usages.


14:45 – 15:00 Edvard Rejthar, CSIRT.cz CSV-Parsing Tool: Convey
CSIRT.CZ uses Open-source Ticket Request System to handle reported incidents. The need to distribute relevant information took a lot of time, notably because our partners send the reports in various CSV formats.
The presentation will introduce the functionality of Convey, an open-source application that we developed to parse and handle any CSV file.It might help you to perform filtering operations if the file is too large for your spreadsheet processor, split the contents to smaller files by a column value to be sent automatically at various e-mail addresses, batch pull whois information or change CSV dialect for whatever reason.
15:00 – 15:30 BREAK BREAK
15:30 – 16:00 Torsten Juul-Jensen, TDC SOC CERT  

The Incident Responders Toolkit

Torsten will give a walkthrough of the TDC SOC CERT kit (called the “jumpbag”), which they prepared in their CSIRT and use in their incident crime zone.This will be a hardware focused presentation with small stories of how and why the different pieces were selected.

16:00 – 16:15 Wojciech Świeboda, CERT OPL Sality botnet peer-to-peer traffic
Sality is a malware family comprising of a polymorphic file infector and a P2P component, used primarily as a malware distribution platform.In this talk Wojciech will briefly discuss Sality’s P2P traffic patterns, as well as the structure and coverage of the underlying botnets.
16:15 – 16:45 Kevin Meynell, Internet Society Routing Security Initiative (MANRS)
MANRS attempts to address some of the trust-based issues of BGP by encouraging network operators to subscribe to four actions including filtering, anti-spoofing, coordination and address prefix validation. The Internet Society developed and are developing some resources to support this (including a monitoring/warning system).
16:45 – End Baiba Kaskina, TF-CSIRT SC End of Day Comments
19:00 SOCIAL EVENT  Participants are warmly invited to join us at Level 27 for evening entertainment.

Friday 25th May 2018

(Venue: Orange CERT-OPL Conference Centre, Aleje Jerozolimskie 160, Warsaw)


09:00 – 09:10 Baiba Kaskina, TF-CSIRT SC Welcome
09:10 – 09:40 Varis Teivans, CERT.LV Building an Efficient Backdoor Distribution System

This talk will provide some insight on techniques used by Cyber-Criminals to build an efficient backdoor distribution system so that the dirty job is actually done by other hackers/script-kiddies who will become minions without consent (backdoored backdoors). A story of
how investigation of one compromised website led to ~400 unique victims with webshells, notifying the victims and fixing at least one small part of the Internet.
Presenter will also describe how same of these simple techniques have been observed in numerous incidents with “code reuse” or what seems to be a legitimate open source code.
09:40 – 10:00 Javier Berciano, INCIBE Fraudulent stores .es Case Study
A recent Report on Online Business Models Infringing Intellectual Property Rights from the European Union Intellectual Property Office (EUIPO) detects a pattern of a specific use of the domain name system (DNS) taking place on several country code top level domain (ccTLD). One of the identified countries was Spain and our ccTLD .es.Based on this report and increase number of reports from Spanish end customers, we decided to start an internal investigation to be able to detect those domains as soon as it was registrar, involving domain name registrars and .es ccTLD registry, relationship with end customers and information about real impact.  We would like to share our experience and information about this topic, how we are detecting those domains, management process involving ccTLD registry and domain name registrars and impact in Spanish end customers.
10:00 – 10:30 BREAK BREAK
10:30 – 10:50  SISSDEN Consortium Presentation: Piotr Kijewski, Shadowserver The SISSDEN Honeypot Sensor Network
This talk will cover the framework developed under SISSDEN to facilitate the rapid large scale deployment of honeypot sensors. It will describe the status of the currently deployed honeypot sensor network under the EU H2020 SISSDEN project, introduce the management platform, the data collection and storage methods. It will also give an overview of how data collected with honeypots is shared with the CSIRT community and how the CSIRT community can help in this process.
10:50 – 11:05 SISSDEN Consortium Presentation: Johannes Krupp, Saarland University Honeypot-based Monitoring of Amplification DDoS Attacks
In recent years, Amplification DDoS attacks have gained popularity and become a serious threat to Internet participants, with reported attack bandwidths exceeding hundreds of Gigabit/s. However, beyond anecdotal evidence, little is known about the global amplification DDoS threat landscape. We present AmpPot, a novel honeypot that allows to monitor attacks in real-time and our findings from a globally deployed sensor network.
11:05 – 11:25 SISSDEN Consortium Presentation: Piotr Bazydło, NASK Observations of Malicious Activities in Darknet – from DoS detection to botnet Fingerprinting
Darknet (network telescope) is an unused space of IP addresses, where typically we should observe no network traffic. However, a lot of network packets can be spotted in the darknet and these can be divided into three main categories: (1) misconfiguration of network devices/applications, (2) scanning activities, (3) backscatter from DoS attacks. This presentation presents general statistics for NASK’s darknet traffic and case-studies from observations of DoS attacks, massive scanning activities and scanning activities connected with vulnerabilities disclosure or exploits publications. Moreover, the presentation describes the idea behind Packet Generation Algorithm (PGA)analyzer, which detects signatures in network packets, thus making it possible to fingerprint specific botnets and tools in network traffic.
11:25 – 11:45 SISSDEN Consortium Presentation:
Paweł Srokosz, CERT.PL / NASK
mtracker – Our Approach for Tracking botnets
In CERT.PL, we focus a lot on studying and analyzing inner workings of various botnets in order to learn more about how they operate. We found out that the best strategy for getting information from a botnet is tricking it into sending all the interesting information to us. In this talk, we will describe our latest project, which does exactly that: mtracker. We want to share our insights from a year of tracking, compare our approach with black-box solutions, discuss the main emerging challenges and consider possible solutions. Although we will not focus on specific malware protocols, we will mention them in passing.
11:45 – 12:00  SISSDEN Consortium Presentation: Arturo Campos, CyberDefcon
Striking the Right Balance Between Legal Data Protection and Remediating Cyber Threats
Projects collecting attack data using honeypots and performing analysis face the legal challenges how to store and share such information within and outside the security communities. The presentation will focus on such legal challenges and how it is possible to design a data sharing process that can technically and legally accommodate to the new legal requirements in Europe, namely the GDPR.
12:00 – 13:00 Lightning Talks 10 five minute presentations
Andrew Cormack – GDPR Quotable quotes
Andrew Cormack – GDPR DPIA for SOC/CSIRT