First Virtual TF-CSIRT Meeting

The 25th May 2020 should have seen the TF-CSIRT community gathering once together in Romania for our 60th TF-CSIRT but like so many other groups we found ourselves meeting online instead. The TF-CSIRT Steering Committee, Taxonomy Working Group and TF-CSIRT Futures Working Group were able to translate relatively easily to the online setting, but for the main TF-CSIRT meeting we elected to only have a one hour update to the community from the TF-CSIRT Steering Committee.

Silvio Oertli began with an update on the Trusted Introducer reaction tests. These tests were introduced to the community for a number of reasons. They allow us to see how quickly teams can be contacted and be ready to react in the event of an incident or crisis, but also provide other benefits. The tests show places where information held is inaccurate (out-of-date team contacts) or where teams do not have the correct access (team members without TI certificates). The tests allow the TI team to correct these problems meaning there is less chance of error during an actual incident. Teams have embraced the testing process, as shown by the results below. The recent test showed that we can reach 80% of accredited teams and 60% of listed teams within 24 hours.

Response rates of Trusted Introducer teams to Reaction Tests

The update on TRANSITS courses was less good news. Unsurprisingly, we had to cancel the planned TRANSITSI course in April 2020. All participants were refunded and are being kept up-to-date with information about replacement courses and for details of the planned TRANSITSI and TRANSITSII courses later this year. At the moment we do not think the TRANSITS material is suitable for online teaching but the TRANSITS team is discussing what an appropriate online offering might look like for the future.

In order to further support communication in the community, the Trusted Introducer team has introduced a secure chat service using Rocket Chat. Any member of a TI team can participate – login is via your TI certificate. Anyone is then able to set up chat groups that can be private or open to anyone using the chat service. Members have quickly taken advantage of the service with new groups on threat intelligence and vulnerabilities quickly established…alongside reminiscences of meals at TRANSITS trainings in France 15 years ago! If you would like to find out more about the tool or how you can participate in or moderate groups please reach out to the TI team: ti@trusted-introducer.org. At the time of writing, 121 users are now signed up for the service.

Silvio then gave an update on the TF-CSIRT Futures working group. The team has met with RIPE NCC, the OpenCSIRT Foundation and GÉANT to discuss future possible models for TF-CSIRT and has also drafted some potential by-laws for an independent TF-CSIRT. A small group of people from the Futures Working Group will now look at narrowing these down to a potential smaller group of options to present for community vote.

We then drew our attention to the upcoming TF-CSIRT meetings. In a simple poll, 48% of attendees said they would still be willing to attend a face-to-face meeting in September, taking into account that people may not still be able to travel for a variety of reasons. Managing online TF-CSIRT meetings presents challenges in terms of retaining the integrity of the meeting. Possible solutions may include recording any presentations and sharing with the community, or moving the entire format for September to an online meeting – which would need to be well moderated. Participants in the meeting identified a number of potential topics for the meeting including:

  • Coronavirus related attacks / impact on network / incidents.
  • Community updates: what has your team been up to?
  • HPC incidents.
  • Communication techniques with non-technical management.
  • Malware analysis (Cuckoo toolbox).
  • General focus on tools.
  • Incident response in controlled / restricted environments.
  • Learning from (the) crisis.
  • Incident response from home.

The TF-CSIRT Steering Committee intends to make a decision about whether we should continue with the September meeting in July 2020.

Our final update was the happy news that TF-CSIRT turns 20 in September 2020. In order to celebrate, we are putting in place a virtual memory book for the community. We are inviting past and current members of TF-CSIRT to send in a memory or a photo from TF-CSIRT meetings to show what TF-CSIRT means to you. Photos will be included in a competition to win a very rare TF-CSIRT polo shirt so please do send them through. Information can be sent to the TF-CSIRT mailing list or to nicole.harris@geant.org.

Skip to content