Karel Vietsch
TERENA Secretary General
TF-CSIRT mission
• To promote the collaboration between CSIRTs in Europe
• Aims:
– Provide a forum for exchange of experience and
– Establish pilot services for the European CSIRT
– Promote common standards and procedures for responding to security incidents
– Assist in the establishment of new CSIRTs and the training of CSIRT staff
– Co-ordinate other joint activities
– Provide a vehicle for CSIRTs in Europe to liaise with the EC and other policy-making bodies
Creation of TF-CSIRT
• TERENA Task Force:
– Operation defined by Terms of Reference
– Two-year recurring lifecycle (originally created May 2000, mandate renewed May
– Members and non-members of TERENA
– Active participation by TF members
– Success depends on TF members’
– TERENA plays role of professional facilitator
TF-CSIRT way of working
• Meeting every four months
• Venue rotates among members who volunteer to host
• Two days:
– 1st day for seminars and presentations
– 2nd day for Task Force business meeting
• Evening in-between: dinner organised by the hosting member
• Contacts between meetings provided by mailing list and project groups
Who is involved?
• Academic, Government, Commercial CSIRTs
Participation in meetings
[Chart: participation per meeting; x-axis: meetings '00-1, '01-1, '01-2, '01-3, '02-1, '02-2, '02-3, '03-1, '03-2, '03-3]
Wider Co-operation
• European Commission
– Projects (, EISPP, TRANSITS)
– Legal handbook for CSIRTs
– Network & Information Security Agency
• National governments
– Government CSIRTs
– Consultation on new legislation
• Law enforcement
– Operations and invited speakers at meetings
• Other regional initiatives
Deliverables and Projects
Trusted Introducer Service
Incident Object Description & Exchange Format
RIPE IRT object
Clearing House for Incident Handling Tools
CSIRT training course (TRANSITS)
Incident Information Exchange (
Assistance to new CSIRTs (Best Current Practice)
Incident Handling Procedures
Deliverables – Trusted Introducer (
• Notion of ‘trust’ – is a contact
• Currently, no scheme generically
• TF-CSIRT to work out a model that it believes fulfils the criteria needed at operational level
• Feasibility and sanity checks
• Now, outsourced to a 3rd party
• TF-CSIRT retains control by TI Review
Deliverables – IODEF
• Incident Object Description & Exchange
• Cross-platform, cross-language, cross
common understanding
• Need for a well-understood definition of an incident
• Bottom-up working group
• Lots of output, among which RFC 3067
• Now transferred to IETF (INCH)
Deliverables – IRT database object
• Commonly perceived problem: correct points of contact in (RIPE) database
• Practical approach:
– what are we missing now?
– how can we design it?
– how can we implement it?
• Wishlist followed by discussion in RIPE database group
• Lots of iterations, but eventually implemented and populated
Deliverables – CHIHT
• Clearing House for Incident Handling
• Share information on tools CSIRTs use
– Help new and existing teams
• Website listing tools by category
– Evidence gathering & investigation, system recovery, CSIRT operations, remote access, proactive tools
– Plan to add procedures and best practice
• Contents suggested by active CSIRTs
Deliverables – TRANSITS
• CSIRTs were seeking relevant training
• Idea: best transfer of knowledge is from operational people to operational people
• Conclusion: best people to write it are TF-CSIRT members
• Two-day course developed in modules:
– Operational, legal, technical, organisational,
• EC funding for delivery and updating
– Six presentations over three years
– Materials available to CSIRTs for own use