The 55th TF-CSIRT meeting took place from 27th – 28th September 2018 in Vilnius, Lithuania. The meeting was kindly hosted by NKSC/CERT-LT, LITNET CERT, NRD Cyber Security and Swedbank SIRT.
Registration is now closed as the meeting has reached capacity.
Further logistics information for the meeting, including social events and accommodation, is available.
Wednesday 26th September 2018
(NRD CIRT offices at Gyneju str. 14, LT-01109 Vilnius, Lithuania)
|13:00 – 17:00||TF-CSIRT Steering Committee – Invitation only|
|15:00 – 17:00||Taxonomy Meeting – registration is now full|
|18:00||Social activities – please register in advance:|
|20:00||Informal drinks at Piano Man pub|
Thursday 27th September 2018
(Swedbank, Konstitucijos pr. 20A, LT-03502 Vilnius, Lithuania)
|09:00 – 12:30||Various||TF-CSIRT Closed Meeting – Invitation only for accredited and certified teams and TI Associates|
|12:30 – 13:30||LUNCH||LUNCH|
|13:30 – 13:50||Baiba Kaskina, TF-CSIRT SC||Welcome, Trusted Introducer and SC Update|
|13:50 – 14:15||Jan Kopriva, ALEF||Open directories: what we found by (not) looking hard|
As a part of long-term research into the security of Czech and Slovak Internet (.CZ and .SK domains and/or on IP addresses geolocated within CZ or SK, to be more precise), ALEF CSIRT conducted an analysis of data from several thousand freely accessible open directories. Many files from these directories turned out to be quite interesting as Jan will discuss during his talk.
|14:15 – 14:30||Vilius Benetis, CEO NRD Cyber Security||Experiences of CSIRTs Missions to Build Local Cybersecurity Ecosystems|
|14:30 – 15:00||Paweł Pawliński, CERT.pl||n6: New Tool on the Block for Data Sharing|
A quick introduction to the recently open-sourced data sharing platform created by CERT Polska.
n6 automates collection, normalization, enrichment and exchange of security data feeds, and was designed to handle large amounts of abuse reports and indicators. After several years in production at CERT Polska, it was open-sourced in June 2018. This presentation will introduce the tool, cover recent developments and lay out plans for upcoming development.
Source code: https://github.com/CERT-Polska/n6
|15:00 – 15:30||BREAK||BREAK|
|15:30 – 16:00||Elections||Members are invited to help us elect 2 new members to the TF-CSIRT Steering Committee|
|16:00 – 16:15||Tomas Beinaravičius, Swedbank||Learnings from awareness campaigns|
|16:15 – 16:30||Yorgos Liassas, Nets||Maturity success for a corporate CSIRT team|
Maturity activities of a corporate CSIRT change the way the team operates and delivers its services. For the change to succeed, it needs to be understood and embraced. The presentation touches upon topics that challenge the execution and long-standing success of the maturity change and suggests responses for dealing with them. TLP:AMBER
|16:30 – 17:30||Lightning Talks!||Ten 5-minute presentations from the community|
|19:00||SOCIAL EVENT||Dinner at Green Hall 2|
Friday 28th September 2018
(Swedbank, Konstitucijos pr. 20A, LT-03502 Vilnius, Lithuania)
|09:00 – 09:10||Baiba Kaskina, TF-CSIRT SC||Welcome|
|09:10 – 09:25||Rytis RAINYS, Director of NKSC/CERT-LT||
|09:25 – 09:55||Tomas RUDIS,||MAPPI: Map of Public Internet|
“Map of Public Internet” is a platform for national public internet network topology visualization, analysis, operational monitoring and threat detection that could be used by national CERTs in all EU countries. It would be developed based on the expertise of Lithuania’s CERT, which has built a national solution dedicated to Lithuania’s public internet network. The platform would function as an information system based on data collected from public sources (BGP and related network protocols). The system’s functionality would include data collection and integration, administration, history preservation and information sharing. The system would be able to gather information (in common formats) from additional sources (honeypots, abuse feed systems, incident management systems and other information systems), as well as from countries that agree to share their security events (feeds).
|09:55 – 10:30||Franz Lantenhammer, NATO Cooperative Cyber Defence Centre||NATO Cooperative Cyber Defence Centre of Excellence – Mission and Task|
The NATO Cooperative Cyber Defence Centre of Excellence (CCDCOE) is a NATO-accredited cyber defence hub focusing on research, training and exercises. The international military organisation based in Estonia is currently a community of 21 nations providing a 360-degree look at cyber defence, with expertise in the areas of technology, strategy, operations and law.
NATO CCDCOE is home of the Tallinn Manual 2.0, the most comprehensive guide on how International Law applies to cyber operations. The Centre also organises the world’s largest and most complex international live-fire cyber defence exercise, Locked Shields. Another highlight of the Centre is the annual International Conference on Cyber Conflict, CyCon, a unique event joining key experts and decision-makers of the global cyber defence community in Tallinn every spring.
Specific topics covered in our research range from malware analysis to industrial control system security, and from doctrine development and operational planning processes to the applicability of International Law and cyber norms to cyber operations. Research results from our projects are applied in CCDCOE’s trainings, courses and exercises.
|10:30 – 11:00||BREAK||BREAK|
|11:00 – 11:15||TEAM UPDATES: Henrich Slezak, CSIRT.SK||Team Update from the CSIRT.SK team|
|11:15 – 11:30||TEAM UPDATES: Dr Rytis RAINYS, Director of NKSC/CERT-LT||Team Update from the CERT-LT team|
|11:30 – 11:45||TEAM UPDATES: Iveri Niazashvili, GRENA||Team Update from the GRENA team|
|11:45 – 12:00||Aleksander Wiśniewski, CERT PSE||SANS ICS NetWars|
Sylwia will present a training event that will take place on 6-7th November in Warsaw. It will be the Polish edition of combined training GridEx and SANS NetWars.
On November 6th there will be exercise SANS ICS NetWars. As described by SANS, NetWars is a suite of hands-on, interactive learning scenarios that enable cyber security professionals to develop and master the real-world, in-depth skills they need to defend real-time systems.
On November 7th there will be the PolEx (Polish Grid Exercise) training. It will consist of a one-day tabletop exercise followed by a separate executive out-brief at the conclusion of the event. It is modeled for Poland on the US GridEx event, the biennial exercise conducted by NERC that is designed to simulate a cyber/physical attack on electric and other critical infrastructures across North America.
|12:00 – 12:15||Silvio Oertli, SWITCH-CERT||Hack the Hacker|
“A click on a link in an email infects the computer system of your organization with ransomware. It’s up to you and your colleagues to rescue the data. You have to put down the attack of the criminal hacker.
The mission of your team is to discover the code that revokes the encryption executed by the malicious software. Together with up to 6 people you have to search the hacker’s den for hidden hints and clues.
In order to find them and to solve all the puzzles you have to turn into hackers yourselves. Outwit the hacker and save your organization!”
Silvio will present SWITCH’s approach to gamifying security awareness.
|12:15 – 12:30||Madara Grinvalde and Kristiāna||How can “know-how” exchange between CERT communication specialists improve our daily lives?|
The CERT teams’ day-to-day life consists not only of incident response but also of efficient and secure communication with media and society: immediate reaction to incidents using the right communication channels, awareness of similar local and global situations, and of course daily communication with the teams’ technical staff. How can collaboration improve CERTs’ (and our own) communication efficiency?
|12:30 – 13:00||Dhia Mahjoub, CISCO||Threat Hunting Techniques at Scale using DNS and IP data|
Threat hunting is an important process in every security operation – whether it is meant to produce intelligence for internal or external use. Threat hunting consists of proactively searching through large scale network data to detect and pinpoint threats that evade automated and signature-based security systems.
In this talk, Dhia will discuss the different steps of efficient threat hunting at scale and describe how to initially use a set of short-term, high-signal seeds from manual analysis to uncover additional threats (domains, IPs, binaries, etc.). Dhia then introduces a set of techniques that facilitate the automated generation of long-term signals associated with the detection of malicious campaigns (botnets, malspam, ransomware).
The generation of longer term signals involves analyzing large amounts (1TB+) of hourly global DNS query traffic to identify patterns that exhibit non-random anomalous behaviour. These signals have proven to have long term predictive power because they model the network effects of a campaign as it spreads globally.
Specifically, network signals are more difficult for a malicious operator to obfuscate and thus these signals can be used for an extended period of time.
Dhia will show how anomalies in DNS query patterns and client lookups can be used to generate a set of initial domains or IPs for further research, and how correlating similar hosting patterns between such domains identifies malicious campaigns at scale.
Subsequently, the talk shows the importance of investigating overarching patterns and TTPs behind malicious campaigns in order to go beyond short-lived IOCs and develop an understanding of the operational setup of criminal actors. This can provide a proactive and longer-lasting advantage over the adversary.
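As an added example (not code from the talk or from Cisco), the seed-expansion step described above in minimal form: start from a few seed domains, follow their resolved IPs to co-hosted domains, and skip addresses that host too many domains to be a useful pivot (shared hosting or CDN noise). The passive-DNS records are constructed sample data; `PDNS`, `expand_cluster` and the threshold names are assumptions of this illustration.

```python
from collections import defaultdict

# Constructed passive-DNS style records: domain -> set of IPs it resolved to.
# Addresses are from documentation ranges; nothing here is a real observation.
PDNS = {
    "seed-a.example":   {"203.0.113.10", "203.0.113.11"},
    "seed-b.example":   {"203.0.113.11", "192.0.2.50"},
    "pivot-c.example":  {"203.0.113.10", "198.51.100.7"},
    "pivot-d.example":  {"198.51.100.7"},
    "benign-1.example": {"192.0.2.1"},
    "benign-2.example": {"192.0.2.1"},
    # 192.0.2.50 plays a shared hosting / CDN address used by many domains.
    "blog-1.example":   {"192.0.2.50"},
    "blog-2.example":   {"192.0.2.50"},
    "blog-3.example":   {"192.0.2.50"},
}


def invert(pdns):
    """Build the reverse index ip -> set of domains that resolved to it."""
    ip_to_domains = defaultdict(set)
    for domain, ips in pdns.items():
        for ip in ips:
            ip_to_domains[ip].add(domain)
    return ip_to_domains


def expand_cluster(seeds, pdns, max_shared=3, max_hops=3):
    """Grow the seed set hop by hop through IPs hosting at most max_shared
    domains (dedicated-looking infrastructure). Returns (domains, pivot IPs)."""
    ip_to_domains = invert(pdns)
    cluster, pivot_ips, frontier = set(seeds), set(), set(seeds)
    for _ in range(max_hops):
        new = set()
        for domain in frontier:
            for ip in pdns.get(domain, ()):
                hosted = ip_to_domains[ip]
                if len(hosted) > max_shared:
                    continue  # too widely shared to attribute to one campaign
                pivot_ips.add(ip)
                new |= hosted - cluster
        if not new:
            break  # no more dedicated infrastructure to follow
        cluster |= new
        frontier = new
    return cluster, pivot_ips


if __name__ == "__main__":
    domains, ips = expand_cluster({"seed-a.example", "seed-b.example"}, PDNS)
    print(sorted(domains), sorted(ips))
```

In practice the threshold and hop count are tuned against the hunter's own data, and name servers, registrant data or certificate hashes can be added as further pivot keys alongside IPs.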
|13:00||Baiba Kaskina, TF-CSIRT SC||Meeting Close|