As esCert we are part of FIRST (Forum of Incident Response and Security Teams) and we try to go to some of the events that FIRST organizes. Therefore, we (Marc Catrisse and Albert Renom) attended the TF-CSIRT meeting and the FIRST Regional Symposium Europe 2023 that was held from January 31 to February 2, 2023 at the Euskalduna Conference Centre in Bilbao. This event is held three times a year and brings together IT security professionals from all over Europe to share experiences, knowledge and the latest trends in the field.
The format is formal and includes management, technical and practical components. The symposia usually offer one or two full days of plenary sessions along with a full day of hands-on training. The agenda of the event can be found at the following link: https://www.first.org/events/symposium/bilbao2023/program
If you look at the agenda, the first thing that catches our attention is the set of “TLP” tags in different colors. So, what is TLP? It stands for “Traffic Light Protocol” (https://www.first.org/tlp/). The TLP was created to facilitate greater sharing of potentially sensitive information and more effective collaboration. Information is exchanged from one source to one or more recipients, and TLP is a set of four labels used to indicate the sharing limits to be applied by recipients. The four labels used by FIRST are: TLP:CLEAR, TLP:GREEN, TLP:AMBER and TLP:RED. To summarize, TLP:CLEAR has no limitations, TLP:GREEN has limited disclosure within the community, TLP:AMBER has limited disclosure to those who are not members of the community and TLP:RED does not allow any disclosure whatsoever. I can therefore only tell you what I thought about the TLP:CLEAR sessions; the rest are confidential.
So as not to bore you too much, the session that I found very interesting was “Tracking Attackers in Open Source Supply Chain Attacks: The New Frontier”. The presentation was about how developers can be vulnerable to malware. All of us use npm commands to install some package or library that can help us in the development of our project, so this presentation explained how hackers can modify code repositories to insert malicious lines of code, so that when we install this code via npm it downloads malicious code, creates a security hole or does something else that isn’t alright. The presentation ended by explaining the system used to detect and report these malware packages (https://red-lili.info/).
But this symposium is not all work; it is also necessary to network, and the event that was organised at these conferences took place on Tuesday evening at the Guggenheim Museum in Bilbao. The first thing that surprised us was that there was a “dress code”: we had to go “Smart Casual”, so there were more clothes we had to add to our suitcase. And I have to admit that the event surprised me, because it took place at the museum and we could have dinner (there was a catering station), listen to music from a live band or visit the entire museum (which was open only to us).
In summary, over these days we have learned things, we have made our network of contacts grow and, why not, we have also enjoyed the cuisine of Bilbao.