The Internet Society was recently approved as a Liaison Member of TF-CSIRT, the European Forum for Computer Security Incident Response Teams, and therefore took the opportunity to participate in the FIRST/TF-CSIRT Symposium that was held 5-7 February 2018 in Hamburg, Germany.
The Internet Society continues to support organisations and activities concerned with maintaining the safety, stability and security of the Internet. Our colleague Kevin Meynell is already well known within the TF-CSIRT community, having run the forum between 2008 and 2012 and overseen its transition from a grouping of primarily academic CSIRTs to a wider industry body encompassing more than 160 National, Government, Military and Commercial CSIRTs, as well as those in academia.
TF-CSIRT meets three times per year, and since 2008 the first meeting of the year has always been held jointly with FIRST, the global Forum of Incident Response and Security Teams. This gives the European CSIRTs an opportunity to meet their counterparts from around the world, exchange information, and develop the networks of trust that are critical to effective cooperation, not only in handling cyber incidents when they occur but also in developing early warning and prevention techniques.
A number of the presentations had particular resonance with the Internet Society’s campaigns to improve the security of the BGP routing system and the Internet of Things.
The ShadowServer Foundation is an organisation of volunteers that gathers and analyses data on botnets and malware propagation. The collected data is sent to National CSIRTs and network owners via a daily free remediation feed, and has been used to support law enforcement investigations. The talk by Piotr Kijewski focused on how ShadowServer operates, what data it collects, and its achievements in taking down botnets.
Gaus Rajnovic (Panasonic PSIRT) provided further insight into how the evolution of devices into smart devices connected to online services has increased the number of vulnerabilities and potential attack vectors on the Internet. This has greatly increased the challenges for CSIRTs, especially in industries that have traditionally been less focused on the Internet.
One response is CERT@VDE, which has been established on behalf of the German Association for Electrical, Electronic & Information Technologies. It focuses on offering CSIRT services to small and medium-sized enterprises, to address the gap in trust and security capabilities as industrial automation increasingly moves onto the Internet.
Jose Vila and Javier García Hernández (CSIRT-CV/S2 Grupo CERT) highlighted the challenges of running an Intrusion Detection System on open source software (incidentally based on PF_RING, which came out of another project I was involved with back in 2005!) as more devices connect to the network and more bandwidth is consumed. This necessitated a new build on a cluster of Suricata machines, which has allowed the 10 Gb/s barrier to be reached with commodity hardware, as well as improving detection capacity.
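For readers who want to see what the PF_RING side of such a build looks like, the fragment below is an added illustration of the per-sensor Suricata configuration, not configuration from the CSIRT-CV/S2 Grupo talk or from their cluster. The interface name, thread count and cluster id are assumed values; how traffic is split across the separate machines in their cluster (packet broker, switch hashing or otherwise) is not described on this page and is outside this fragment.

```yaml
# Added example (not from the talk): suricata.yaml settings for a single
# sensor capturing via PF_RING. Interface, thread count and cluster id
# are assumed values for illustration.
runmode: workers               # each thread does capture, decode, detect and output

pfring:
  - interface: eth1            # assumed: the NIC fed by the span port or tap
    threads: 8                 # assumed: roughly one per core reserved for Suricata
    cluster-id: 99             # assumed: must match across all threads sharing this NIC
    cluster-type: cluster_flow # hash on the 5-tuple so both directions of a flow
                               # land on the same thread; cluster_round_robin
                               # balances better but breaks stream reassembly
```

Suricata is then started with `--pfring` (or `--pfring-int=eth1`) so that it uses this section rather than the default capture method. The detail that matters for detection quality is `cluster_flow`: spreading packets round-robin across threads raises throughput on paper, but TCP stream reassembly and the rules that depend on it only work when every packet of a flow reaches the same worker.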
On a similar theme, Peter Kleinert (Binconf CDC) discussed how open source vulnerability scanners can be combined into multiple hardened clusters designed to scan for vulnerabilities in networks consisting of many subnets in multiple locations. This included collection and analysis of logs, monitoring of hardware and software, and secure offline updating.
ENISA, the EU Agency for Network and Information Security, also announced that it has established a task force with a view to developing a common reference taxonomy of incidents.
Finally, another important announcement, from the International Cybersecurity Initiatives team at CERT/CC (the original CSIRT), was the extension of their capacity building activities from East Asia and Sub-Saharan Africa to Eastern Europe. This centres on their National CSIRT Development Mentoring Framework, which describes a standard set of activities to be performed by a National CSIRT whilst identifying the specific circumstances in each country.
Further Information