Improving Technical Security 21 February 2018

FIRST/TF-CSIRT: The Changing Face of Cybersecurity

By Kevin Meynell, Former Senior Manager, Technical and Operational Engagement

The Internet Society was recently approved as a Liaison Member of TF-CSIRT, the European Forum for Computer Security Incident Response Teams, and therefore took the opportunity to participate in the FIRST/TF-CSIRT Symposium that was held 5-7 February 2018 in Hamburg, Germany.

The Internet Society continues to support organisations and activities concerned with maintaining the safety, stability and security of the Internet, and our colleague Kevin Meynell is already known within the TF-CSIRT community, having run the forum between 2008 and 2012 and overseen its transition from a grouping of primarily academic CSIRTs to a wider industry body encompassing more than 160 National, Government, Military and Commercial CSIRTs, as well as those in academia.

TF-CSIRT meets three times per year, but since 2008 the first meeting of the year has always been held jointly with FIRST, the global Forum of Incident Response and Security Teams. This gives the European CSIRTs an opportunity to meet their counterparts from around the world to exchange information and to develop the networks of trust that are critical to effective cooperation, both in handling cyber incidents when they occur and in developing early warning and prevention techniques.

A number of the presentations had particular resonance with the Internet Society’s campaigns to improve the security of the BGP routing system and the Internet-of-Things.

The ShadowServer Foundation is an organisation of volunteers that gathers and analyses data on botnets and malware propagation. The collected data is sent to National CSIRTs and network owners via a daily free remediation feed, and has been used to support law enforcement investigations. The talk by Piotr Kijewski focused on how ShadowServer operates, what data it collects, and its achievements in taking down botnets.

Gaus Rajnovic (Panasonic PSIRT) provided further insight into how the evolution of ordinary devices into smart devices connected to online services has increased the number of vulnerabilities and potential attack vectors on the Internet. This has greatly increased the challenges for CSIRTs, especially in industries that have traditionally been less focused on the Internet.

One such response is CERT@VDE, which has been established on behalf of the German Association for Electrical, Electronic & Information Technologies. It focuses on offering CSIRT services to small and medium-sized enterprises, to address the gap in trust and security capabilities as industrial automation increasingly moves onto the Internet.

Jose Vila and Javier García Hernández (CSIRT-CV/S2 Grupo CERT) highlighted the challenges of using open source software for running an Intrusion Detection System (incidentally based on PF_RING, which came out of another project I was involved with back in 2005!) as more devices connect to the network and more bandwidth is consumed. This necessitated a new build on a cluster of Suricata machines, which has allowed the 10 Gb/s barrier to be reached with commodity hardware while also improving detection capacity.

On a similar theme, Peter Kleinert (Binconf CDC) discussed how open source vulnerability scanners can be combined into multiple hardened clusters designed to scan for vulnerabilities in networks consisting of many subnets in multiple locations. This included collection and analysis of logs, monitoring of hardware and software, and secure offline updating.

ENISA, the EU Agency for Network and Information Security, also announced that it has established a task force with a view to developing a common reference taxonomy of incidents.

Finally, another important announcement, from the International Cybersecurity Initiatives team at CERT/CC (the original CSIRT), was the extension of their capacity building activities from East Asia and Sub-Saharan Africa to Eastern Europe. This work centres on their National CSIRT Development Mentoring Framework, which describes a standard set of activities to be performed by a National CSIRT while taking into account the specific circumstances of each country.

Disclaimer: Viewpoints expressed in this post are those of the author and may or may not reflect official Internet Society positions.