TF-CSIRT
Karel Vietsch, TERENA Secretary General

TF-CSIRT mission
• To promote collaboration between CSIRTs in Europe
• Aims:
  – Provide a forum for the exchange of experience and knowledge
  – Establish pilot services for the European CSIRT community
  – Promote common standards and procedures for responding to security incidents
  – Assist in the establishment of new CSIRTs and the training of CSIRT staff
  – Co-ordinate other joint activities
  – Provide a vehicle for CSIRTs in Europe to liaise with the EC and other policy-making bodies

Creation of TF-CSIRT
• TERENA Task Force:
  – Operation defined by Terms of Reference
  – Two-year recurring lifecycle (originally created May 2000, mandate renewed May 2002)
  – Members and non-members of TERENA
  – Active participation by TF members
  – Success depends on TF members’ commitment
  – TERENA plays the role of professional facilitator

TF-CSIRT way of working
• Meeting every four months
• Venue rotates among members who volunteer to host
• Two days:
  – 1st day for seminars and presentations
  – 2nd day for the Task Force business meeting
• Evening in between: dinner organised by the hosting member
• Contact between meetings provided by mailing list and project groups

Who is involved?
• Academic, Government, Commercial CSIRTs
• [Chart: Participation in meetings, per meeting from ’00-1 to ’03-3, showing number of people and number of CSIRTs attending (scale 0 to 70)]

Wider Co-operation
• European Commission
  – Projects (eCSIRT.net, EISPP, TRANSITS)
  – Legal handbook for CSIRTs
  – Network & Information Security Agency
• National governments
  – Government CSIRTs
  – Consultation on new legislation
• Law enforcement
  – Operations and invited speakers at meetings
• Other regional initiatives

Deliverables and Projects
• Trusted Introducer Service
• Incident Object Description & Exchange Format
• RIPE IRT object
• Clearing House for Incident Handling Tools
• CSIRT training course (TRANSITS)
• Incident Information Exchange (eCSIRT.net)
• Assistance to new CSIRTs (Best Current Practice)
• Incident Handling Procedures

Deliverables – Trusted Introducer (http://www.ti.terena.nl/)
• Notion of ‘trust’ – is a contact trustworthy?
• Currently, no generically applicable scheme exists
• TF-CSIRT to work out a model which it believes fulfils the criteria needed at operational level
• Feasibility and sanity checks
• Now outsourced to a 3rd party
• TF-CSIRT retains control through the TI Review Board

Deliverables – IODEF (http://www.terena.nl/tech/task-forces/tfcsirt/iodef.html)
• Incident Object Description & Exchange Format
• Cross-platform, cross-language, with a common understanding across teams
• Need for a well-understood definition of an incident
• Bottom-up working group
• Lots of output, among which RFC 3067
• Now transferred to the IETF (INCH)

Deliverables – IRT database object
• Commonly perceived problem: correct points of contact in the (RIPE) database
• Practical approach:
  – What do we miss now?
  – How can we design it?
  – How can we implement it?
• Wishlist followed by discussion in the RIPE database group
• Lots of iterations, but eventually implemented and populated

Deliverables – CHIHT (http://chiht.dfn-cert.de/)
• Clearing House for Incident Handling Tools
• Share information on tools CSIRTs use
  – Help new and existing teams
• Website listing tools by category
  – Evidence gathering & investigation, system recovery, CSIRT operations, remote access, proactive tools
  – Plan to add procedures and best practice
• Contents suggested by active CSIRTs

Deliverables – TRANSITS (http://www.ist-transits.org/)
• CSIRTs were seeking relevant training
• Idea: the best transfer of knowledge is from operational people to operational people
• Conclusion: the best people to write it are TF-CSIRT members
• Two-day course developed in modules:
  – Operational, legal, technical, organisational, vulnerabilities
• EC funding for delivery and updating
  – Six presentations over three years
  – Materials available to CSIRTs for their own use