Overview
The 58th TF-CSIRT Meeting took place from 16th – 17th September 2019 at the Annabelle Hotel, Cyprus, kindly hosted by CSIRT-CY.
Programme
Sunday 15th September 2019
| Time | Event |
| 09:00 – 13:00 | TF-CSIRT Steering Committee Meeting ‘Artemis’ meeting room located at the mezzanine, above Reception. |
| 14:00 – 16:00 | Taxonomy Working Group Meeting. ‘Artemis’ meeting room. |
| 20:30 – 23:30 | Social Event: Welcome Drinks, Annabelle Hotel |
Monday 16th September 2019
Venue: Athenaeum Ballroom
| Time | Speaker | Subject |
| 09:00 – 12:00 | Various | TF-CSIRT Closed Meeting: Trusted Introducer Accredited and Certified Teams an TI Associate only |
| 12:00 – 13:00 | LUNCH | |
| 13:00 – 13:30 | Baiba Kaskina, TF-CSIRT Chair | TF-CSIRT Open Meeting: Welcome and TF-CSIRT SC Update TLP:White |
| 13:30 – 14:00 | Sebastian Showell-Westrip, BTCERT CC | Phishing the Phishers Sebastian will discuss the creation of a phishing detection and analysis tool, its capabilities and how it was used to potentially uncover one of the actors putting up BT targeted phishing sites. TLP:Green |
| 14:00 – 14:30 | Patrick Mana, EATM-CERT | Moving towards cyber-resilience in aviation – findings, issues, challenges, solutions This presentation will use the findings of EATM-CERT (European Air Traffic Management Computer Emergency Response Team) services to introduce the main cyber challenges faced by aviation. The main outcome of penetration tests on aviation systems and services will be presented as well as lessons learned from the early provision of services such as : sharing cyber threat intelligence within a specific sector (including automation using MISP), detection of information leaks, fighting scams. The presentation will also address the relationships between a Pan-European sectorial such as EATM-CERT and national CERTs (especially in the framework of the NIS Directive) but also with other sectors CERTs (e.g. energy, other modes of transport). TLP: White |
| 14:30 – 14:45 | Klaas Wierenga, GÉANT | GÉANT’s position regarding TF-CSIRT Klaas will give a brief overview of the current funding model for TF-CSIRT and its associated services and GÉANTs view on future models for TF-CSIRT. TLP:White |
| 14:45 – 15:00 | Rossella Mattioli, ENISA | Reference taxonomy WG update An update on the work of the taxonomy working group, including discussions on progress made at the meeting on Sunday. TLP: Green |
| 15:00 – 15:30 | Sigitas Rokas, NRD CIRT | Lessons learned from the establishment and modernizing of CSIRT teams Sigitas will present summarized lessons learned and insights from the establishing and modernization of various national, governmental and private CSIRT/SOC teams. The expected impact is to inspire all CSIRTs managers and team members to grow and mature their operations by showing easy-to apply tips and tricks. Participants hopefully will project those lessons on their own CSIRT organizations and will find opportunities for calibration of activities and/or improvements. TLP: Green |
| 15:30 – 16:00 | BREAK | |
| 16:00 – 17:00 | ELECTIONS | |
| 18:00 – 23:00 | Social Event at “Ktima Gerolemos” winery at Omodos Vilage. All TF-CSIRT attendees are welcome. Transportation will be provided. The busses will be leaving from Annabelle hotel starting at 17:30. |
Tuesday 17th September 2019
Venue: Athenaeum Ballroom
| Time | Speaker | Subject |
| 09:00 – 09:15 | Baiba Kaskina, TF-CSIRT Chair | Welcome to Day Two |
| 09:15 – 09:30 | Kamil Gapiński, ComCERT.pl | CSIRT Services Design Methodology – a case study With the use of current FIRST CSIRT Services Framework we have developed a simple, yet effective questionnaire that supports implementing the services. We identify the severity of providing each service and what is the priority for the implementation. The talk will also cover tips on how to plan the implementation and what are the common challenges. We have been using our approach for several years now in our consultancy projects. Presentation in the form of case study (CIIP type CSIRT). TLP: Green |
| 09:30 – 10:30 | Sigita Jurkynaite, GÉANT and friends | Lightning Talks * CLAW 2019: Why You Should Go. Simon, DK-CERT. * SA NREN CSIRT: Team Update. Roderick, SA NREN CSIRT. * CERTS PR Group. Madara and Kristiana, CERT.LV. * Cyprus Academic CERT: Team Update. Aristos, CyNet. * GRIM-CERT: Team Introduction. Luigi, GRIM-CERT. * SIGOV-CERT: Team Introduction. Damijan, SIGOV-CERT. * Rise of Private CERTS in Slovakia. Milan, SK-CERT. * Study of Incident Response Development within NISD Sectors. Edgars, ENISA. * Who are you Calling? Mathias, SWITCH. * European CyberSecurity Challenges. Milan, ALEF CSIRT. |
| 10:30 – 11:00 | BREAK | |
| 11:00 – 11:15 | Tomas Jirsik, CSIRT-MU | SAPPAN – Sharing and Automation for Privacy Preserving Attack Neutralization SAPPAN project aims to develop a platform for sharing and automation to enable privacy-preserving and efficient response and recovery utilizing advanced data analysis and machine learning. SAPPAN intend to provide a cyber threat intelligence system that decreases the effort required by a security analyst to find optimal responses to and ways to recover from an attack. We plan to enable this within a single organization as well as across organizations through novel models for privacy-preserving data processing and sharing, which should allow utilizing external experts for intrusion detection and sharing of knowledge on response and recovery actions while respecting the privacy and confidentiality requirements of individuals and organizations. SAPPAN will make four key contributions that go beyond existing approaches: (1) privacy-preserving aggregation and data analytics including advanced client-side abstractions; (2) federated threat detection based on sharing of anonymised data and sharing of trained machine learning models; (3) standardisation of knowledge in the context of incident response and recovery to enable reuse and sharing; (4) visual, interactive support for Security Operation Center operators. SAPPAN aims to provide solutions for public international institutions, computer security incident response teams, and multinational companies who want to enrich their Situational Awareness by sharing cyber security intelligence as well as solutions for small and midsize companies enabling them to outsource intrusion detection. TLP:White |
| 11:15 – 11:45 | Ivo Dijkhuis, RIPE NCC CSIRT | Tools & Policy update An update on RIPE NCC Services/Tools & RIPE Policies for the CSIRT community, including IPv4 Run-out, Resource Certification (RPKI), WHOIS database, “BGP Hijacking” policy proposal. TLP: White |
| 11:45 – 12:00 | Andrejs Konstantinovs, CERT.LV | Case study on botnet |
| 12:00 – 13:00 | PANEL | Incident Response Landscape 2025 and beyond The incident response (IR) landscape has changed a lot in the last 5 years and probably even bigger changes can be anticipated in the next 5-7 years. One of the major changes in Europe is caused by adoption of the EU NIS (Network and Information Security) Directive in 2016. At the TF-CSIRT in Cyprus we would like to bring together a panel of experts to discuss CSIRT future and IR landscape as it could be in 2025 and beyond. The discussion will cover/touch findings identified in the ENISA study on “CSIRT Landscape towards 2025” as well as more practical questions related to CSIRT future, for example, regarding trust model, types of incidents we will be dealing with, types of CSIRTs we will have. The panelists will have different background coming from industry,academia, sectoral and law enforcement organizations. This panel’s goal will be to discuss current and future IR landscape and what will be the impact on and future challenges for CSIRT teams. TLP: White |
| 13:00 – 14:00 | LUNCH | |
| 14:00 – 16:00 | TF-CSIRT Futures Working Group Meeting No registration required, group members are invited to join us after lunch. Athenaeum Ballroom. | |
| 14:00 – 17:00 | CSIRT PR and Communications Working Group – Initial Meeting No registration required. Ariadne’ meeting room located at the mezzanine, above Reception. |
Wednesday 18th September – Friday 20th September 2019
| Time | Event |
| 08:00 – 14:00 daily | SIM3 Auditor Training: OpenCSIRT Foundation. This course is organised by the OpenCSIRT Foundation and has a course fee of 850 EUR. Please contact the Foundation directly to register. |