The 55th TF-CSIRT meeting took place from 27th – 28th September 2018 in Vilnius, Lithuania.  The meeting was kindly hosted by NKSC/CERT-LT, LITNET CERT, NRD Cyber Security and Swedbank SIRT.


Registration is now closed as the meeting has reached capacity.


Further logistics for the meeting, including social events and accommodation, are available.


Wednesday 26th September 2018

(NRD CIRT offices at Gyneju str. 14, LT-01109 Vilnius, Lithuania)

13:00 – 17:00 TF-CSIRT Steering Committee – Invitation only
15:00 – 17:00 Taxonomy Meeting – registration is now full
18:00 Social activities – please register in advance:

Excursion: Vilnius – a city of secrets

Excursion: Business Hive Vilnius (BHV)

20:00 Informal drinks at Piano Man pub

Thursday 27th September 2018

(Swedbank, Konstitucijos pr. 20A, LT-03502 Vilnius, Lithuania)

09:00 – 12:30 Various TF-CSIRT Closed Meeting – Invitation only for accredited and certified teams and TI Associates
12:30 – 13:30 LUNCH
13:30 – 13:50 Baiba Kaskina, TF-CSIRT SC
Welcome, Trusted Introducer and SC Update
13:50 – 14:15 Jan Kopriva, ALEF
Open directories: what we found by (not) looking hard

As a part of long-term research into the security of Czech and Slovak Internet (.CZ and .SK domains and/or on IP addresses geolocated within CZ or SK, to be more precise), ALEF CSIRT conducted an analysis of data from several thousand freely accessible open directories. Many files from these directories turned out to be quite interesting as Jan will discuss during his talk.


14:15 – 14:30 Vilius Benetis, CEO NRD Cyber Security
Experiences of CSIRTs Missions to Build Local Cybersecurity Ecosystems
14:30 – 15:00 Paweł Pawliński, CERT.pl
n6: New Tool on the Block for Data Sharing

A quick introduction to the recently open-sourced data sharing platform created by CERT Polska.

n6 automates collection, normalization, enrichment and exchange of security data feeds, and was designed to handle large amounts of abuse reports and indicators. After several years in production at CERT Polska, it was open-sourced in June 2018. This presentation will introduce the tool, cover recent developments and lay out plans for upcoming development.

Source code: https://github.com/CERT-Polska/n6

TLP: White

15:00 – 15:30 BREAK
15:30 – 16:00 Elections
Members are invited to help us elect 2 new members to the TF-CSIRT Steering Committee
16:00 – 16:15 Tomas Beinaravičius, Swedbank
Learnings from awareness campaigns
16:15 – 16:30 Yorgos Liassas, Nets
Maturity success for a corporate CSIRT team

Maturity activities of a corporate CSIRT bring changes to the way the team operates and delivers its services. To make the change succeed, it needs to be understood and embraced. The presentation touches upon topics that challenge the execution and long-standing success of the maturity change and suggests responses for dealing with them.

TLP: AMBER

16:30 – 17:30 Lightning Talks! 10, 5 minute presentations from the community

19:00 SOCIAL EVENT Dinner at Green Hall 2

Friday 28th September 2018

(Swedbank, Konstitucijos pr. 20A, LT-03502 Vilnius, Lithuania)

09:00 – 09:10 Baiba Kaskina, TF-CSIRT SC Welcome
09:10 – 09:25 Rytis RAINYS, Director of NKSC/CERT-LT
09:25 – 09:55 Tomas RUDIS,
MAPPI Map of Public Internet

“Map of Public Internet” is a platform for national public internet network topology visualization, analysis, operational monitoring and threat detection that could be used by national CERTs in all EU countries. The platform would be developed based on the expertise of Lithuania’s CERT, which has developed a national solution dedicated to Lithuania’s public internet network. The platform would function as an information system based on data collected from public sources (based on BGP and related network protocols). The system’s functionality would include data collection and its integration into the system, administration, history preservation and information sharing functions. The system would be able to gather information (in common formats) from additional sources (honeypots, abuse feed systems, incident management systems and other information systems), as well as from countries that agree to share their security events (feeds).


09:55 – 10:30 Franz Lantenhammer, NATO Cooperative Cyber Defence Centre
NATO Cooperative Cyber Defence Centre of Excellence – Mission and Task

The NATO Cooperative Cyber Defence Centre of Excellence (CCDCOE) is a NATO-accredited cyber defence hub focusing on research, training and exercises. The international military organisation based in Estonia is a community of currently 21 nations providing a 360-degree look at cyber defence, with expertise in the areas of technology, strategy, operations and law.

NATO CCDCOE is home of the Tallinn Manual 2.0, the most comprehensive guide on how International Law applies to cyber operations. The Centre also organises the world’s largest and most complex international live-fire cyber defence exercise Locked Shields. Another highlight of the Centre is the annual International Conference on Cyber Conflict, CyCon, a unique event joining key experts and decision-makers of the global cyber defence community in Tallinn every spring.

Some specific topics that we cover in our research range from Malware Analysis to Industrial Control System Security, and from doctrine development and operational planning processes to the applicability of International Law and Cyber Norms for Cyber Operations. Research results from our projects will be applied in CCDCOE’s trainings, courses, and exercises.

10:30 – 11:00 BREAK
11:00 – 11:15 Team Update from the CSIRT.SK team

11:15 – 11:30 TEAM UPDATES: Dr Rytis RAINYS, Director of NKSC/CERT-LT Team Update from the CERT-LT team
11:30 – 11:45 TEAM UPDATES: Iveri Niazashvili, GRENA Team Update from the GRENA team
TLP: White
11:45 – 12:00 Aleksander Wiśniewski, CERT PSE
SANS ICS NetWars

Sylwia will present a training event that will take place on 6-7th November in Warsaw. It will be the Polish edition of the combined GridEx and SANS NetWars training.

On November 6th there will be the SANS ICS NetWars exercise. As described by SANS, NetWars is a suite of hands-on, interactive learning scenarios that enable cyber security professionals to develop and master the real-world, in-depth skills they need to defend real-time systems.

On November 7th there will be the PolEx (Polish Grid Exercise) training. It will consist of a one-day tabletop exercise followed by a separate executive out brief at the conclusion of the event. It will be modeled for Poland on the US GridEx event, which is the biennial exercise conducted by NERC that is designed to simulate a cyber/physical attack on electric and other critical infrastructures across North America.

TLP: White

12:00 – 12:15 Silvio Oertli, SWITCH-CERT
Hack the Hacker

“A click on a link in an email infects the computer system of your organization with ransomware. It’s up to you and your colleagues to rescue the data. You have to put down the attack of the criminal hacker.

The mission of your team is to discover the code that revokes the encryption executed by the malicious software. Together with up to 6 people you have to search the hacker’s den for hidden hints and clues.

In order to find them and to solve all the puzzles you have to turn into hackers yourselves. Outwit the hacker and save your organization!”

Silvio will present an approach to gamify security awareness by SWITCH.

TLP: White

12:15 – 12:30 Madara Grinvalde and Kristiāna Mūze-Feldberga, CERT.LV
How can “know-how” exchange between CERT communication specialists improve our daily lives?

The CERT teams’ day-to-day life consists not only of incident response but also of efficient and secure communication with media and society – immediate reaction to incidents using the right communication channels, awareness of similar local and global situations; and of course our daily communication with teams’ technical staff. How can collaboration improve CERTs/our communication efficiency?

Key topics:

  • How important is the role of communication (message content, critical timing, local and international collaboration) to us?
  • What are the difficulties and threats we come across in order to ensure trustworthy communication with the society and media? Are we able to defeat/cope with all of them?
  • Suggestions of “know-how” exchange between PRs in the CERT community and its potential benefits, case studies.


12:30 – 13:00 Dhia Mahjoub, CISCO
Threat Hunting Techniques at Scale using DNS and IP data

Threat hunting is an important process in every security operation – whether it is meant to produce intelligence for internal or external use. Threat hunting consists of proactively searching through large scale network data to detect and pinpoint threats that evade automated and signature-based security systems.

In this talk, Dhia will discuss the different steps of efficient threat hunting at scale and describe how to initially use a set of short-term, high-signal seeds from manual analysis to uncover additional threats (domains, IPs, binaries, etc.). Then, Dhia will introduce a set of techniques that facilitate the automated generation of long-term signals associated with the detection of malicious campaigns (botnets, malspam, ransomware).

The generation of longer term signals involves analyzing large amounts (1TB+) of hourly global DNS query traffic to identify patterns that exhibit non-random anomalous behaviour. These signals have proven to have long term predictive power because they model the network effects of a campaign as it spreads globally.

Specifically, network signals are more difficult for a malicious operator to obfuscate and thus these signals can be used for an extended period of time.

Dhia will show how the anomalies arising in DNS query patterns and client lookups can all be used to generate a set of initial domains or IPs that can be further researched, and how, by correlating similar hosting patterns between such domains, we can identify malicious campaigns at scale.

Subsequently, we show the importance of investigating overarching patterns and TTPs behind malicious campaigns in order to go beyond short-lived IOCs and develop an understanding of the operational setup of criminal actors. This can provide us with a proactive and longer-lasting advantage over the adversary.


13:00 Baiba Kaskina, TF-CSIRT SC Meeting Close