Workshop on Computer Security Incident Response Team (CSIRT)

Dates: November 29-30, 2016
Venue: The workshop took place at Antoun Ghattas Karam e-Classroom, Jafet Library  (MAP), at the American University of Beirut (AUB), MAP
TRANSITS evolved out of a European Commission funded project (IST-2001-39118, 1 July 2002 – 30 September 2005), that aimed at establishing CSIRT teams and at addressing the shortage of CSIRT skilled staff. The demand for the training spilled above and beyond the project and was picked up by GÉANT (formerly TERENA) in creative and financial collaboration with ENISA, FIRST and other like-minded organizations.

Since the inception, TRANSITS has trained over a thousand security professionals in the European region. Many more have benefited from the third-party courses organized elsewhere around the world. Over the years, operatives have been trained for commercial, governmental, military and national CSIRTs, as well as those in the research and education sector. A number of participants have gone on to become TRANSITS trainers themselves, passing on their knowledge within their own regions and countries.

There are two levels of TRANSITS Training- basic (TRANSITS I) and advanced (TRANSITS II).

TRANSITS I course is aimed at new or potential CSIRT personnel who wish to gain a solid understanding of the main aspects of working in an incident handling and response team. It offers experience and expertise in Operational, Organizational, Legal and Technical areas which form knowledge basis for CSIRT personnel.

  • Organizational – covers how CSIRTs fit within their organizations and includes planning the team, defining its constituency, determining which services to offer, staffing, communicating with external parties, funding, and obtaining management authority.
  • Technical – covers how intruders attack systems and their motivations, how network protocols can be abused, vulnerabilities of operating systems and services, denial-of-service attacks, hiding traces, and information gathering techniques. Includes several practical exercises.
  • Operational – covers the incident handling process from initial reports, through triage, investigation, resolution, closure, to post-analysis. Includes practical exercises and a survey of useful tools.
  • Legal – covers areas of European legislation likely to affect CSIRTs in their work, and that operatives should be familiar with. This includes data protection, computer misuse, network monitoring, collection of evidence, and working with law enforcement agencies.

Other topics such as PGP keys and relevant RFCs are also covered during the course.

TRANSITS I offers participants a unique opportunity to mix with their peers and discuss security issues in a secured and trusted environment, whilst being tutored by seasoned experts of the European CSIRT community. The course is open to individuals currently working for a CSIRT or network security related organization, and those with bona-fide interest in establishing a CSIRT. Applications are also welcome from commercial, governmental, law enforcement and military organizations, as well as national research and education networks (NRENs) and research and education institutes.

Time DAY 1 DAY 2
Organizational Issues
Coffee Break
Organizational Issues
Lunch Break
Technical Issues
Coffee Break
Technical Issues
Operational Issues
Coffee Break
Operational Issues
Lunch Break
Legal issues
Coffee Break
Legal issues
Group Exercise & PGP Key Signing
Admission Requirements 
Applicants to TRANSITS I course are subject to a vetting procedure and are usually required to provide references. This is to ensure that individuals fulfil the course requirements and have a legitimate interest in network security. Application forms should therefore be completed as fully as possible.

Typical participants are usually experienced IT professionals with the growing interest and professional need to become system or network security experts. Familiarity with Internet protocols, addresses and port numbers is assumed. The basic expectation is that all participants are aware of security issues involved in connecting computers to the Internet and are committed to using their skills to improve the security of computers and networks. Individuals from other backgrounds and with other interests are welcome to contact the organisers to discuss their suitability for the course.

Serge Droz holds a PhD in theoretical astrophysics. After several years researching black holes and gravitational waves all his servers were hacked and thus a move into the field of IT security seemed natural. Serge has more than ten years of experience running a CERT. Besides his regular work Serge is an active speaker at various conferences. He served for 2 years in the ENISA permanent stakeholder group and is a regular trainer for CSIRT courses around the world. He currently serves on the board of directors of FIRST. Serge works at at Open Systems AG, a Swiss based global Security service provider, as Vice President OS-CERT.
Jaap van Ginkel  is a researcher and lecturer at the Informatics Institute of the University of Amsterdam.  He teaches several security and forensics subjects and is the coordinator of the Masters study Systems and Network Engineering. He has been a member of the CERT-NL and SURFcert the Computer Security Incident Response Team (CSIRT) of SURFnet since 1999.  He has been the chair of the UvAcert team and has been involved in organising security teams for several organisations.