TF-CSIRT
Karel Vietsch, TERENA Secretary General
TF-CSIRT mission
• To promote the collaboration between CSIRTs in Europe
• Aims:
  • Provide a forum for exchange of experience and knowledge
  • Establish pilot services for the European CSIRT community
  • Promote common standards and procedures for responding to security incidents
  • Assist in the establishment of new CSIRTs and the training of CSIRT staff
  • Co-ordinate other joint activities
  • Provide a vehicle for CSIRTs in Europe to liaise with the EC and other policy-making bodies
Creation of TF-CSIRT
• TERENA Task Force:
  • Operation defined by Terms of Reference
  • Two-year recurring lifecycle (originally created May 2000, mandate renewed May 2002)
  • Members and non-members of TERENA
• Active participation by TF members
• Success depends on TF members’ commitment
• TERENA plays the role of professional facilitator
TF-CSIRT way of working
• Meeting every four months
• Venue rotates among members who volunteer to host
• Two days:
  • 1st day for seminars and presentations
  • 2nd day for Task Force business meeting
  • Evening in between: dinner organised by the hosting member
• Contacts between meetings provided by mailing list and project groups
Who is involved?
• Academic, Government, Commercial CSIRTs
Wider Co-operation
• European Commission
  • Projects (eCSIRT.net, EISPP, TRANSITS)
  • Legal handbook for CSIRTs
  • Network & Information Security Agency
• National governments
  • Government CSIRTs
  • Consultation on new legislation
• Law enforcement
  • Operations and invited speakers at meetings
• Other regional initiatives
Deliverables and Projects
• Trusted Introducer Service
• Incident Object Description & Exchange Format
• RIPE IRT object
• Clearing House for Incident Handling Tools
• CSIRT training course (TRANSITS)
• Incident Information Exchange (eCSIRT.net)
• Assistance to new CSIRTs (Best Current Practice)
• Incident Handling Procedures
Deliverables – Trusted Introducer (http://www.ti.terena.nl/)
• Notion of ‘trust’: is a contact trustworthy?
• Currently, no scheme generically applicable
• TF-CSIRT to work out a model which it believes fulfils the criteria needed at operational level
• Feasibility and sanity checks
• Now outsourced to a 3rd party
• TF-CSIRT retains control through the TI Review Board
Deliverables – IODEF (http://www.terena.nl/tech/task-forces/tf-csirt/iodef.html)
• Incident Object Description & Exchange Format
• Cross-platform, cross-language, common understanding
• Need for a well-understood definition of an incident
• Bottom-up working group
• Lots of output, among which RFC 3067
• Now transferred to IETF (INCH)
Deliverables – IRT database object
• Commonly perceived problem: correct points of contact in (RIPE) database
• Practical approach:
  • What do we miss now?
  • How can we design it?
  • How can we implement it?
• Wishlist followed by discussion in RIPE database group
• Lots of iterations, but eventually implemented and populated
Deliverables – CHIHT (http://chiht.dfn-cert.de/)
• Clearing House for Incident Handling Tools
• Share information on tools CSIRTs use
• Help new and existing teams
• Website listing tools by category
  • Evidence gathering & investigation, system recovery, CSIRT operations, remote access, proactive tools
• Plan to add procedures and best practice
• Contents suggested by active CSIRTs
Deliverables – TRANSITS (http://www.ist-transits.org/)
• CSIRTs were seeking relevant training
• Idea: best transfer of knowledge is from operational people to operational people
• Conclusion: best people to write it are TF-CSIRT members
• Two-day course developed in modules:
  • Operational, legal, technical, organisational, vulnerabilities
• EC funding for delivery and updating
• Six presentations over three years
• Materials available to CSIRTs for own use