The 58th TF-CSIRT Meeting took place from 16th – 17th September 2019 at the Annabelle Hotel, Cyprus, kindly hosted by CSIRT-CY.


Sunday 15th September 2019

09:00 – 13:00 | TF-CSIRT Steering Committee Meeting
14:00 – 16:00 | Taxonomy Working Group Meeting.
20:30 – 23:30 | Social Event: Welcome Drinks, Annabelle Hotel

Monday 16th September 2019

09:00 – 12:00 | Various | TF-CSIRT Closed Meeting: Trusted Introducer Accredited and Certified Teams and TI Associates only
12:00 – 13:00 | LUNCH
13:00 – 13:30 | Baiba Kaskina, TF-CSIRT Chair | TF-CSIRT Open Meeting: Welcome and TF-CSIRT SC Update
13:30 – 14:00 | Sebastian Showell-Westrip, BTCERT CC | Phishing the Phishers
Sebastian will discuss the creation of a phishing detection and analysis tool, its capabilities and how it was used to potentially uncover one of the actors putting up BT targeted phishing sites.
14:00 – 14:30 | Patrick Mana, EATM-CERT | Moving towards cyber-resilience in aviation – findings, issues, challenges, solutions
This presentation will use the findings of EATM-CERT (European Air Traffic Management Computer Emergency Response Team) services to introduce the main cyber challenges faced by aviation. The main outcome of penetration tests on aviation systems and services will be presented, as well as lessons learned from the early provision of services such as: sharing cyber threat intelligence within a specific sector (including automation using MISP), detection of information leaks, fighting scams.

The presentation will also address the relationships between a pan-European sectoral CERT such as EATM-CERT and national CERTs (especially in the framework of the NIS Directive), as well as with CERTs in other sectors (e.g. energy, other modes of transport).
14:30 – 14:45 | Klaas Wierenga, GÉANT | GÉANT’s position regarding TF-CSIRT
Klaas will give a brief overview of the current funding model for TF-CSIRT and its associated services and GÉANT’s view on future models for TF-CSIRT.
14:45 – 15:00 | Rossella Mattioli, ENISA | Reference taxonomy WG update
An update on the work of the taxonomy working group, including discussions on progress made at the meeting on Sunday.
15:00 – 15:30 | Sigitas Rokas, NRD CIRT | Lessons learned from the establishment and modernizing of CSIRT teams
Sigitas will present summarized lessons learned and insights from the establishment and modernization of various national, governmental and private CSIRT/SOC teams. The expected impact is to inspire all CSIRT managers and team members to grow and mature their operations by showing easy-to-apply tips and tricks. Participants will hopefully project those lessons onto their own CSIRT organizations and find opportunities for calibration of activities and/or improvements.
15:30 – 16:00 | BREAK
16:00 – 17:00 | ELECTIONS
18:00 – 23:00 | Social Event at “Ktima Gerolemos” winery at Omodos Village.
All TF-CSIRT attendees are welcome. Transportation will be provided. The buses will be leaving from the Annabelle Hotel starting at 17:30.

Tuesday 17th September 2019

09:00 – 09:15 | Baiba Kaskina, TF-CSIRT Chair | Welcome to Day Two
09:15 – 09:30 | Kamil Gapiński, ComCERT.pl | CSIRT Services Design Methodology – a case study
Using the current FIRST CSIRT Services Framework, we have developed a simple yet effective questionnaire that supports implementing the services. We identify the severity of providing each service and its priority for implementation. The talk will also cover tips on how to plan the implementation and the common challenges. We have been using our approach for several years now in our consultancy projects. The presentation takes the form of a case study (CIIP type CSIRT).
09:30 – 10:30 | Sigita Jurkynaite, GÉANT and friends | Lightning Talks
* CLAW 2019: Why You Should Go. Simon, DK-CERT.
* SA NREN CSIRT: Team Update. Roderick, SA NREN CSIRT.
* CERTS PR Group. Madara and Kristiana, CERT.LV.
* Cyprus Academic CERT: Team Update. Aristos, CyNet.
* GRIM-CERT: Team Introduction. Luigi, GRIM-CERT.
* SIGOV-CERT: Team Introduction. Damijan, SIGOV-CERT.
* Rise of Private CERTS in Slovakia. Milan, SK-CERT.
* Study of Incident Response Development within NISD Sectors. Edgars, ENISA.
* Who are you Calling? Mathias, SWITCH.
* European CyberSecurity Challenges. Milan, ALEF CSIRT.
10:30 – 11:00 | BREAK
11:00 – 11:15 | Tomas Jirsik, CSIRT-MU | SAPPAN: Sharing and Automation for Privacy Preserving Attack Neutralization
The SAPPAN project aims to develop a platform for sharing and automation to enable privacy-preserving and efficient response and recovery utilizing advanced data analysis and machine learning. SAPPAN intends to provide a cyber threat intelligence system that decreases the effort required by a security analyst to find optimal responses to and ways to recover from an attack. We plan to enable this within a single organization as well as across organizations through novel models for privacy-preserving data processing and sharing, which should allow utilizing external experts for intrusion detection and sharing of knowledge on response and recovery actions while respecting the privacy and confidentiality requirements of individuals and organizations. SAPPAN will make four key contributions that go beyond existing approaches: (1) privacy-preserving aggregation and data analytics including advanced client-side abstractions; (2) federated threat detection based on sharing of anonymised data and sharing of trained machine learning models; (3) standardisation of knowledge in the context of incident response and recovery to enable reuse and sharing; (4) visual, interactive support for Security Operation Center operators. SAPPAN aims to provide solutions for public international institutions, computer security incident response teams, and multinational companies who want to enrich their Situational Awareness by sharing cyber security intelligence, as well as solutions for small and midsize companies enabling them to outsource intrusion detection.
11:15 – 11:45 | Ivo Dijkhuis, RIPE NCC CSIRT | Tools & Policy update
An update on RIPE NCC Services/Tools & RIPE Policies for the CSIRT community, including IPv4 Run-out, Resource Certification (RPKI), WHOIS database, “BGP Hijacking” policy proposal.
11:45 – 12:00 | Andrejs Konstantinovs, CERT.LV | Case study on botnet
12:00 – 13:00 | PANEL | Incident Response Landscape 2025 and beyond
The incident response (IR) landscape has changed a lot in the last 5 years, and probably even bigger changes can be anticipated in the next 5-7 years. One of the major changes in Europe was caused by the adoption of the EU NIS (Network and Information Security) Directive in 2016. At the TF-CSIRT meeting in Cyprus we would like to bring together a panel of experts to discuss the future of CSIRTs and the IR landscape as it could be in 2025 and beyond. The discussion will touch on findings identified in the ENISA study on “CSIRT Landscape towards 2025” as well as more practical questions related to the future of CSIRTs, for example regarding the trust model, the types of incidents we will be dealing with, and the types of CSIRTs we will have. The panelists will have different backgrounds, coming from industry, academia, sectoral and law enforcement organizations. This panel’s goal will be to discuss the current and future IR landscape and what the impact on, and future challenges for, CSIRT teams will be.
13:00 – 14:00 | LUNCH
14:00 – 16:00 | TF-CSIRT Futures Working Group Meeting
No registration required, group members are invited to join us after lunch.
14:00 – 17:00 | CSIRT PR and Communications Working Group – Initial Meeting
No registration required.

Wednesday 18th September – Friday 20th September 2019

08:00 – 14:00 daily | SIM3 Auditor Training: OpenCSIRT Foundation.
This course is organised by the OpenCSIRT Foundation and has a course fee of 850 EUR. Please contact the Foundation directly to register.