A guide to CERT operations - 7.6.2018

A pragmatic journey through operational security

powered by CIRCL (Luxembourg’s private sector CERT)

This is the story of John, CERT operator

day 1

about tickets, triage and rapid response

John: There are so many SPAM mails in the ticketing system, shall I simply delete them?

Henri: No, no, no, we love SPAM, that’s a great indicator of ongoing criminal activities.
Sort them out by topic, identify useful indicators (like URLs, attachments, mail server IPs, etc.) and write them down in the comment section.
Paul, who works on a spamtrap, will have a useful dataset to start with. He should be ready in a few weeks’ time.

day 2

life-cycle of a data leak

H: We have identified a huge data leak via AIL, can you take this over, John, and contact the ‘victims’? Serge and I have to handle another incident.

J: Oh? Sure! What is AIL?
H: Paul will explain it to you...

day 3

malware loves to be analysed
MISP - Threat Sharing Platform

day 4

about collaboration, sharing and caring

H: Hey John, fancy joining me for the CERT.LU meeting this afternoon?

J: Eh? Yes of course.
H: Great! Can you review our monthly incident statistics and prepare a small presentation for the meeting? Thanks!

CERT Landscape

5 public
5 private

Luxembourg Threat Landscape

CIRCL view

"Tickets" over time

Incident Categories

Targeted Sectors

day 5

today is exercise day

CIRCL services

  • Incident handling / coordination
  • DFIR tools & services
  • Data feeds & early warning
  • Threat & intelligence sharing
  • Joint R&D and innovation
  • Technical training & courses
  • Crisis coordination exercises
  • Advocacy & dissemination

Luxembourg, the BIG picture

  • Cyber Security Board (Prime Minister)
  • National Strategy steering committee
  • HCPN, ANSSI, GOVCERT
  • SECURITYMADEIN.LU, CIRCL, CASES, C3
  • CERT.LU community
  • Regulators (CSSF, CNPD, ILR, HCPN, ILNAS)
  • Ecosystem (Service providers, associations, Users & companies)

Thank you for your attention

Pascal Steichen, CEO SECURITYMADEIN.LU