GÉANT Security Days

(Timezone - Europe/Prague)
Grandior Hotel (Prague, Czechia)

Grandior Hotel

Prague, Czechia

April 2024 brings the first edition of GÉANT Security Days.  This gives an opportunity to bring together security practioners from across research and education, including NRENs, unversities, colleges, research infrastructures and other areas with an interest in security.  We invite you to join us in Prague, and to submit your contributions, ideas, questions and challenges to the research and education community.  The theme for this meeting will be: Securing Tomorrow's Knowledge, addressing the following main areas:

  • Cybersecurity in Academia: Explore specific challenges and solutions related to cybersecurity for universities and research centres.
  • Emerging Threats: Address new and emerging threats to research and education, such as ransomware, phishing, and IoT vulnerabilities.
  • Incident Response and Recovery: Highlight strategies and practices for responding to security incidents and recovering from them effectively.
  • Collaborative Initiatives: Encourage collaboration between research and educational institutions to enhance security efforts, share threat intelligence, and collaborate on awareness and training initiatives.
  • Ethics and Security: Ensure the services and approaches we use are ethical, designed to support users, and meet societal goals such as green security initiatives.
Security Days Organisational Committee
    • 9:00 AM 12:30 PM
      Cyber Threat Intelligence Workshop 3h 30m Gracie


      This workshop will unpack initiatives and ideas emerging from the CTI subtask of WP8 T3. NREN participants will present their use cases for threat intelligence and journeys towards realising them; from collecting, validating, correlating with flow data and acting on indicators. We will also present aspects of our planned R&E Security Intelligence Hub - an ISAC-like virtual organisation facilitating the exchange of threat intel within and beyond the GÉANT community. Come join us and share your thoughts!

      The following use cases will be presented:

      • SURF: Modern flow analysis: nfdump2clickhouse experiences
      • HEAnet: Threat Intel Visualised
      • CYNET: Secure Collaboration & Intelligence Information Sharing Platform (SCIISP)
      • DeiC: pDNSSOC: Leveraging MISP indicators via a pDNS-based infrastructure as a poor man’s SOC
      • SUNET: C2-scanner
      • PSNC: Malware analysis services for CTI
      • GÉANT: CTI and the R&E Security Intelligence Hub: Plans for GN5 projects and beyond
      Speaker: Roderick Mooi (GÉANT)
    • 9:00 AM 5:00 PM
      Joint SIG-ISM/ WISE Meeting Euforie


      Our upcoming SIG ISM meeting will address 4 (four) critical subjects of security and the ISMS.
      - Legislation and Impact
      - Implementation of requirements
      - Monitoring of the Information Security System
      - Training and awareness

      Legislation forms the bedrock of our operations, guiding our actions within legal parameters and shaping our policies to ensure compliance and adaptability to evolving legal landscapes is not an option anymore. We'll explore recent updates, interpretations, and strategies to proactively navigate legal complexities, fortifying our foundation while aligning with the highest standards of legal integrity.

      Following this, discussions will turn to implementation strategies, bridging the gap between policy/ legislation and real action. Collaboratively, we'll have some sessions with different perspectives having also time for brainstorm different approaches to streamline processes, enhance efficiency, and to improve execution.

      Alongside, our focus will shift to monitoring mechanisms, evaluating performance, and maintaining accountability through monitoring processes, and performance metrics. By fostering a culture of continuous monitoring, evaluation, training, and awareness, we aim to drive excellence and achieve sustained organisational growth.

      Lastly, training and awareness will be emphasised as integral pillars, ensuring that organisations are equipped with the necessary knowledge and skills to effectively implement and adhere to organisational mandates.

      Convener: Ana Alves
      • 9:00 AM
        Legislation and the impact of new requirements in the Information Security Management System 1h 30m
        Speakers: Alf Moens, Floor Jas (SURF), Mrs Ivana Jelacic (CARNET)
      • 11:00 AM
        Implementation: How organizations are preparing to respond to these requirements and new challenges 1h 30m
        Speakers: Ana Alves, Andrea Kropacova (CESNET), David Groep (Nikhef and Maastricht University), Helma de Boer (SURF), Dr John Chapman (Jisc), Rolf Sture Normann
      • 1:30 PM
        Monitoring: What kind of controls are in place to protect our systems, network, and the services provided. It's a slightly more technical approach, mixing perspectives from both information and systems managers 1h 30m
        Speakers: Ana Alves, Carlos Friaças, David Heed, Rolf Sture Normann, Ryan Richford (GÉANT), Simona Venuti
      • 3:30 PM
        Training and Awareness: How NRENs are preparing their staff for all security challenges. 1h 30m
        Speakers: Cornelia Puhze (SWITCH), Davina Luyten, Rolf Sture Normann, Zoe Fischer
    • 10:30 AM 11:00 AM
      Coffee Break 30m
    • 12:30 PM 1:30 PM
      LUNCH 1h
    • 1:30 PM 5:00 PM
      Security Products and Services 3h 30m Gracie


      This interactive session will be a chance to gain insight into which (kinds of) security products and services we as NRENs are running and creating for our members. Attendees will be invited to exchange ideas and experiences to see if there are things we can learn from each other, see if a more consistent experience exchange would be valuable and discuss the services GÉANT is running centrally.

      More information about this side meeting is available on the GÉANT wiki.

      Speakers: Charlie van Genuchten (SURF), Jennifer Ross (GÉANT)
    • 3:00 PM 3:30 PM
      Coffee Break 30m
    • 9:00 AM 10:30 AM
      Opening: Plenary Euforie


      • 9:00 AM
        Welcome to GÉANT Security Days 10m
        Speaker: Klaas Wierenga
      • 9:10 AM
        Welcome from CESNET 10m
        Speaker: Andrea Kropacova
      • 9:20 AM
        Changing Landscape of Security for NRENs 20m
      • 9:40 AM
        Moving the Goal to Post Quantum 40m

        Public key cryptography is the security foundation that trust and confidentiality online are built on. Many will have heard by now that current public key cryptography is under threat from being broken by powerful quantum computers. Fortunately, the academic research community has been working hard on quantum-safe cryptographic algorithms that remain secure even if practical quantum computers become a reality. This so-called post-quantum cryptography is a hot topic: the US is standardising the first set of algorithms for use and many large Internet companies are experimenting with PQC and rolling it out. Transitioning the whole Internet to these new cryptographic algorithms, however, is a major undertaking that comes with many challenges. In this talk, Roland will explain the basic need for post-quantum cryptography and will then highlight, using examples from R&E networking, what challenges we will face in the coming years.

        Speaker: Prof. Roland van Rijswijk-Deij (University of Twente)
    • 10:30 AM 11:00 AM
      Coffee Break 30m
    • 11:00 AM 12:30 PM
      Human Factors: Session 1 Euforie


      Managing human risk is an important challenge in today’s interconnected world. A human-centric approach where employees are at the heart of an organization's security strategy is a key success factor to empower our community in the face of evolving cyber challenges. Join us for this session were we take a deep dive into common pitfalls, but also bring concrete examples on how NRENs can be at the forefront of cultivating a positive cybersecurity culture.

      Convener: Charlie van Genuchten (SURF)
      • 11:00 AM
        Human Factors in Security – Research vs. Current Practices 20m

        Let’s rethink how we deal with human factors in information security. This session advocates for a human-centred approach, designing security with people and processes at its heart.

        This talk will provide examples of the most common pitfalls in managing human risk and look at current practices through the latest research lens. Hopefully this session will leave you with plenty of thoughts and new ideas of how to address the human factors more successfully.

        Speaker: Cornelia Puhze (SWITCH)
      • 11:30 AM
        Delivering cyber security training and education campaigns to the education and research sector 20m

        Phishing and other forms of social engineering regularly top the list of information security threats that organisations are most concerned about. These attacks target people, not technology.

        People are the largest, most accessible attack surface for criminals. But blaming end users as

        the 'weakest link' or single point of failure in organisational security doesn’t achieve anything. People are our best asset and first line of defence.

        With millions of connected organisations and end users, NREN communities have an important role to play in delivering cyber security training and education, a key component of a positive cyber security culture.

        This presentation will explore how Jisc and its members have approached this challenge, the lessons we have learnt and continue to learn, our successes and failures and our ongoing strategy to deliver the right solutions, empower communities and be a force for good.

        Speaker: Mark Tysom
      • 12:00 PM
        Beyond awareness: Challenges and triumphs in Cybersecurity Awareness 20m

        Awareness was marked as the top threat for R&E institutes in the Netherlands, according to CISO’s of these institutions. This lead to an increased demand and interest in awareness support from SURF.

        In this presentation you’ll learn how SURF started out and continues to improve awareness services. We reveal our secret to creating momentum, keep the community involved and to expand the range of awareness products.

        We present the most popular awareness product and our biggest failure 2023, give you a preview into the changes to our services in the near future and finish with three tips you can implement to improve awareness product management.

        Speaker: Rosanne Pouw (SURF)
    • 11:00 AM 12:30 PM
      Technical Deep Dive: Session 2 Gracie


      Convener: Jochen Schoenfelder
      • 11:00 AM
        Using an analytical database to augment nfdump/nfsen 20m

        nfdump/nfsen are a great set of tools for analysing netflow based network data, both for network management and for cybersecurity purposes. The biggest drawback for security applications is that finding IoC occurrences for any sensible timeframe (e.g. up to two weeks back) will take hours, if not days. Rather than trying to replace nfdump/nfsen, a better approach is to address only this specific deficiency with other tooling, such as an analytical database, which are designed to run queries over large volumes of data quickly. The results of these queries then help with using nfsen for further detailed analysis. In this presentation I will address how we implemented this at SURF and have been running it successfully for over a year. I will also show how the analytical database can be used for other purposes, such as continuously monitoring incoming network data for occurrences of IoCs based on a curated MISP feed.

        I hope the audience take away the idea that different tools can augment each other and there is no need to look for a perfect solution that does everything. (Also that analytical databases are awesome and better in most cases than Big Data approaches)

        Speaker: Remco Poortinga (SURF)
      • 11:30 AM
        Harnessing AI and Open-Source Tools for Enhanced IT Security Vulnerability Assessment 20m

        This presentation will be a comprehensive exploration of the research conducted on harnessing AI and open-source tools for enhanced IT security vulnerability assessment. The target audience for this presentation includes IT security professionals, vulnerability assessment specialists, and decision-makers in organizations seeking to optimize their IT security protocols and strategies.

        Speaker: Mr Joost Grunwald
      • 12:00 PM
        Extending UEBA for emerging threat, detection, characterisation and intelligence generation 20m


        This presentation aims to overcome some of the challenges regarding emerging and mutable threats, which may go unnoticed for some time due to a constrained data foundation that does not extract enough knowledge from the network status. We bring an AI, knowledge-based technology and one of its applied use cases to detect and categorise threats based on user’s, device’s and tool’s behaviour across the network. The presented technology can also be used to foster collaboration across academic and research centres regarding threat intelligence sharing, since both the extracted knowledge and some particularities of the models can be exported for others to learn, adapt and act on it.


        This can provide benefits to security professionals like SOC analysts, infrastructure operators, CISOs and security internal or training teams thanks to a more comprehensive extraction and generation of threat intelligence to be used in mitigation, sharing and training or awareness campaigns.

        Speakers: Sonu Preetam (i2CAT), Xavier Marrugat (i2cat)
    • 12:30 PM 1:30 PM
      Lunch 1h
    • 1:30 PM 3:00 PM
      Real World Security: Session 3 Euforie


      This session takes a very practical look at how we manage security challenges in NRENs on a daily basis. From network security, DDoS attacks and hijacks, how do our security teams manage the reality of incident response and are we working in the right direction?

      Convener: Nicole Harris (GÉANT)
      • 1:30 PM
        Hijacks -- why should we care? 20m

        Carlos Friaças is the Head of RCTS CERT, the CSIRT for the portuguese NREN (FCCN).
        This presentation is about network security.

        Our previous experience with BGP hijacks comes from handling the case with the notorious Bitcanal hijacker, which was a local internet exchange (Gigapix) member since the previous 4 years, before everything reached the public eye.

        This incident led us to deploy local means to observe future cases of hijacking, and we also started a due diligence process regarding joining requests at the internet exchange.

        Recently we had another encounter with a newbie hijacker, which seems to have a different motivation.

        I plan to also cover some of the latest hijacking cases, based on public data collected from Cloudflare’s Radar.

        This presentation also intends to work as a callout to everyone not only to publish their route certificates (ROA) but also to start doing route origin validation (ROV), which in most cases will stop the impact of intentional BGP hijacks on your infrastructure.

        The information should be useful for the full audience, to raise awareness about this type of tactic.

        Speaker: Mr Carlos Friaças (RCTS CERT (FCCN))
      • 2:00 PM
        Modular transport layer solution for semi/automated protection of infrastructure, communities and users in CESNET3 network 20m


        Long term CESNET NREN evolution that split overall network management into rather separate activities distributed among highly specialized teams (e.g. network administrators, service desk operators, CSIRT team) led us to an idea to develop a tool that would represent single source of knowledge and single unified interface (understandable to all involved teams) to apply directives for traffic regulations in dynamic manner. That tool - we call it ExaFS - represents abstract layer above network with appropriate traffic regulation services configured behind (RTBH based, BGP FlowSpec based, external traffic cleaning redirection, internal cleaning devices redirection and control, etc..). Configured IP address space is internally structured, so it can be used in AS wide scope as well as for single end user network and serve its administrators. System also started to offer API (in early development steps) to be potentially controlled by other systems.

        Hand in hand with ExaFS development we started to extend our large scale flow-based monitoring system FTAS with functionality that enables to configure various technologically based detectors. Then we incorporated this new functionality into incident handling process where detectors sent notifications and security handlers and system administrators did verification (traffic analysis) and applied traffic regulations by hand when needed. Further detection optimization led to such number of notified traffic anomalies that could not be processed by hand in any case. That situation accelerated development of FTAS system to be able to cooperate with ExaFS API directly. Putting this into practice allowed us to react on many times higher number of detected traffic anomalies automatically and without delay. Dedicated FTAS detectors and large variety of ExaFS rule sets allows us (within major NREN installation) to serve and protect NREN itself as well as individual clients. Cloning this solution into dedicated networks within NREN (e.g. dedicated VRF) or into end user networks supports specific communities or end user networks independently. It can be also set up from end user perspective (in any architecture) as a service that helps to dynamically lower load of specific resources in their networks (firewalls, virtualization platforms, standalone servers).

        Operational transport level security is not an isolated standalone process. It's a natural part of NREN fundamental service - reliable data transport. And it has to be kept in mind when thinking about network architecture aspects, incorporating services components (e.g. computing facilities, storage infrastructures), connecting end user networks or serving specific communities. We did it evolutionary in many steps over several network generations. It's not a "do-it-all" solution it's just another piece of chain on the way to stable data delivery service. We are convinced that systematic evolutionary development of suitable tools, their harmonization and detailed optimizations of the whole organism may bring at least the same value as a single "big-bang" bought tool. And brings beside others another positive aspect - motivates involved people to learn and increase their knowledge and expertise in a complex way.

        Speaker: Tomáš Košňar (CESNET, association of legal entities)
      • 2:30 PM
        Real world DDOS attack examples and tips how to survive 20m

        In this talk we will present examples the Macedonian NREN saw in the DDOS domain in the timeline from the end of the pandemic up to end of 2023.
        We will show how we implemented visibility tools and mitigation products as well as what we see as the landscape for 2024.
        All types of DDOS attacks, Flow analysis tools and of course mitigation (scrub, firewall, develop your own or use what is there from the community)
        Attached is the base presentation from the biggest attacks which will include latest developments from 2023 and even some super fresh attack types we saw in the holyday season.
        The talk is quite technical and a 10 minute discussion at the end with the audience will be held to hear other similar experiences.

        Speaker: Vladislav Bidikov (MARNET / UKIM)
    • 1:30 PM 3:00 PM
      Security Products: Session 4 Gracie


      In cybersecurity there are a lot of ideas and concepts for products and services but how does that work in the real world? What makes an product successful and when do you need to scale up or down? How do you implement, migrate and operate eduVPN across three universities, how can you train users for phishing and awareness regularly in an automated fashion and what new technologies can be used to improve cyber resilience.

      Convener: Alf Moens
      • 1:30 PM
        Resilience in Action: Lessons from SURF's Red Team Testing Initiatives 20m

        In the realm of cybersecurity, the true test of any protective measure lies in its real-world performance. While institutions have to cover a broad range of possible attack vectors, an attacker only needs a few holes to attain their goals. At SURF, we are exploring how we can help the sector with red teaming and other types of resilience tests to asses their IT landscape from a hacker's perspective. This presentation will explore SURF's initiatives around cyber resilience testing, sharing our approach to the broader theme of assessment, testing an practicing. It will cover three areas: what role testing can take in a broader cyber resilience strategy, SURF's specific initiatives in this field in developing (knowledge) products and services, and real-life technical findings from our red teaming tests.

        Within SURF, we have an innovation zone for cybersecurity. The different areas of this program emphasize the multifaceted needs to get security maturity in the sector to a higher level. Besides the technical services we deliver, we work on (frameworks for) audit and compliance, risk management, awareness, knowledge sharing, crisis management and connections to other types of security. It shows how complex cybersecurity is: at the core you have to take measures to protect the CIA (confidentiality, integrity, availability) of information, but in order to do that effectively you have to make risk trade-offs, figure out workable procedures, audit your procedures and policy and make sure your students and staff actually adhere to the policy. To us, testing your defense, detection and response to an actual cyber threat is the icing on the cake of a holistic approach towards cybersecurity, and may be the only way to know if what you did was any good.
        In the past year, we explored the theme of cyber resilience testing broadly. Talking to organizations with a similar position in the Netherlands (the healthcare CSIRT, association of municipalities, national government, etc.) we discovered that many of them are taking initiatives in this area, and that we can already help our members by simply sharing their insights within SURF. This led to the development of documents that guide the different steps of resilience tests: choosing the type of test most suitable to your goals, procuring the test, make arrangements with a provider, the many things you can do to get the most out of your test, and how to share outcomes. Besides advice, SURF got involved by taking part in the white team (observation/steering) of several test. We discovered that this is incredibly valuable, both to the organization who can benefit from extra experience and knowledge, as well as to us. We can extract many, many learnings from these experiences and help the next organization to be better prepared for their exercise. Oh, and it’s a lot of fun to be one of only six people who know how deep hackers currently are in the network of a large university.
        In this presentation, attendees will gain insights into the essential role of assessment, testing, and practicing as part of an approach to cyber resilience. The target audience is both those who are involved with cyber resilience at the strategic level, as those who just want to know what mistakes other institutions made so they don’t have to make the same ones. We will share SURF's initiatives in this domain, offering practical examples that can inspire and guide others in supporting their cybersecurity efforts. Furthermore, we'll discuss specific learnings from our red teaming tests, shedding light on how these insights impact the rest of the sector’s cybersecurity and network operations. Other NREN’s can learn from our experiences and adapt these to their contexts.

        Speaker: Joost Gadellaa
      • 2:00 PM
        eduVPN Operation at the Leibniz-Supercomputing Centre 20m

        The Leibniz-Supercomputing Centre (Leibniz Rechenzentrum, LRZ) is the computing center of both Munich Universities of Excellence: Ludwig-Maximilians University and Technical University Munich and is a National Supercomputing Centre. The LRZ operates the Munich Scientific Network (MWN) for all universities and other research institutions in the greater area of Munich. MWN connects more than 130,000 users and more than 300,000 devices.

        The structure of LRZ is different compared to many universities as we do provide services for several universities in the Munich area instead of only one university. The big ones, counted in VPN users, are:
        Technical University of Munich tum.de TUM

        • Ludwig Maximilian University of Munich lmu.de LMU
        • HM Hochschule München University Of Applied Sciences Munich hm.edu
        • Weihenstephan-Triesdorf University of Applied hswt.de
          and smaller ones.

        In this presentation we would like to point out several aspects of eduVPN:

        • Migration from another VPN service to eduVPN
        • Operating eduVPN
        • Upgrading eduVPN to a new major release

        Migration from old VPN service to eduVPN

        During the migration process we had to decide how to migrate from an existing VPN service with years of operational experience to a new service with hardly any operational experience. The old VPN service had features and requirements, some of them mandatory, some of them optional and a few not convertible to the new service. From end users' view the transition should be as smooth as possible and they should migrate as voluntarily as possible.

        Operating eduVPN service

        eduVPN has a flexible design to accommodate different use cases. We show what setup we chose for our servers, which operating system and which platform was the most appropriate. There were different authentication methods to choose from, each one with pros and cons.
        Deploying, monitoring the VPN services and user management will be explained.

        Upgrading eduVPN from version 2 to version 3

        EOL announcements of eduVPN version 2 and interesting new features in version 3 of eduVPN, like WireGuard as additional VPN protocol, lead us to migrate the servers as soon as possible. We were facing the choice of the ideal date to switch, what could be done in advance and what had to be made during the migration. The goal was to keep downtime as short as possible. Several measurements had to be taken to mitigate the wave of support requests.


        Switching to eduVPN proved to be the right decision. This VPN service covers the requirements for secure access to internal university resources. End user support did not show any unsolvable problems. The architecture of eduVPN makes it easy to add additional resources. The support of the eduVPN developer team lead to quick and satisfying problem solutions.

        Speaker: Mr Markus Meschederu
      • 2:30 PM
        Phishingator – The way how to automated training 20m

        At CESNET, we develop Phishingator software, which we use to train users in phishing and social engineering. Phishingator allows to prepare and automatically send phishing training emails to selected recipients on a defined date and time and then monitor users activities. Sent phishing emails contain a link to fraudulent training websites created in Phishingator. Users are automatically monitored on how they react and what they fill in a form on a fraudulent website. Phishingator then checks whether the credentials entered are valid or not. Collected data about user activities is used to generate statistics and detailed tables for administrator of organization. The goal of Phishingator is to educate users, so if a user fills in valid login credentials to a fraudulent site, an educational page will be displayed. Educational page contains sent phishing training email and phishing website together with a list of indicators of phishing. Users can educate themselves based on these indicators of phishing emails on educational page so that they can recognize phishing in the future. Phishingator has already been deployed at CESNET and at several Czech universities and other organizations.

        Speaker: Martin Šebela (CESNET)
    • 3:00 PM 3:30 PM
      Coffee Break 30m
    • 3:30 PM 5:00 PM
      Lightning Talks Euforie


      Conveners: Charlie van Genuchten (SURF), Nicole Harris (GÉANT)
      • 3:35 PM
        Exploring machine learning for DDoS mitigation 5m

        The frequency and diversity of DDoS attacks continue to increase annually. With the rise in computational capabilities, motivated attackers orchestrate large-scale attacks of higher complexity. Contemporary attacks exhibit adaptive behaviour, rendering effective mitigation challenging for conventional DDoS protection systems. The analysis of attacks must be precise - to avoid blocking legitimate traffic by mistake, fast - to react to the changing vector of the attack and minimalistic - to avoid overwhelming the mitigation components with a multitude of blocking rules. To meet these demands, we at CESNET have integrated a state-of-the-art machine learning algorithm based on autoencoders into our DDoS mitigation solution - the DDoS Protector. This innovative method enables swift identification and instant blocking of DDoS attacks while minimising the impact on legitimate traffic compared to traditional mitigation methods.

        Our presentation aligns seamlessly with the theme of the GÉANT Security Days 2024 event as it addresses the pressing issue of DDoS attacks, which pose a significant threat to the availability of online services. Our autoencoder-based machine learning method is a powerful tool for detecting DDoS attacks that traditional methods cannot or that require significant effort from a trained analyst to block. This talk offers security management professionals, CSIRT members, and security strategists a preview of the potential behaviour of future DDoS mitigation systems, encouraging valuable discussions on management of these systems and the unique challenges posed by machine learning. Additionally, developers of security services can find inspiration for enhancing their systems based on the insights shared in our presentation. We believe our talk will contribute meaningfully to the discourse at GÉANT Security Days 2024, offering valuable perspectives on addressing and mitigating DDoS threats in the evolving landscape of cybersecurity.

        Our aim is for the audience to recognize the significance of employing machine learning methods for DDoS attack detection while also understanding the associated risks. It's crucial to acknowledge that traditional DDoS protection methods are no longer fully effective against modern attacks, highlighting the potential necessity of incorporating machine learning in the future. Additionally, we will delve into key configuration principles and effective ways of presenting machine learning methods to users. We appreciate your consideration of our lightning talk for the GÉANT Security Days 2024 conference and look forward to further discussions on advancing DDoS protection strategies.

        Speaker: Jakub Man
      • 3:40 PM
        Why cybercrime is an evolution rather than a revolution 5m

        In the realm of cybersecurity, there is a pervasive belief that the threat landscape is in a perpetual state of flux, marked by constant innovation and evolution. This presentation challenges this prevailing narrative, offering a nuanced perspective that highlights the consistent characteristics inherent in cybercrime. Despite the emergence of new tactics and technologies, certain fundamental aspects of malicious activities remain remarkably stable.

        By delving into the historical evolution of cyber threats, the presentation uncovers persistent motives and techniques that endure over time. It examines the foundational elements that transcend the surface-level changes. The aim is to shift the focus from the ephemeral nature of specific attack vectors to a deeper understanding of the unchanging core aspects of cybercrime and cyber-related threats more generally.

        Recognizing these persistent aspects becomes paramount when considering emerging developments like Artificial Intelligence (AI). While anticipation of ‘new’ threats arises, a closer inspection reveals that the novelty often lies in the application rather than the underlying approach. By observing the historically evolved threat landscape, one can better anticipate its evolution, aiding in more effective preparation and response.

        Within the higher education sector, the stakes are particularly high as institutions grapple with the delicate balance between open academic environments and the imperative to safeguard sensitive data. The unique challenges faced by universities and colleges stem from a confluence of factors, including the diverse and distributed nature of academic networks, the vast array of personal and research data, and the complex web of users ranging from students and faculty to administrative staff.

        In addition to these challenges, the presentation recognizes the increasing prevalence of nation-state threats, especially in an increasingly complex geo-political climate. Unlike cybercriminals primarily motivated by financial gain, nation-state actors engage in cyber espionage, influence campaigns, and intellectual property theft. This dimension further complicates the cybersecurity landscape for higher education institutions, necessitating a multifaceted approach to defend against targeted attacks, without losing sight of the untargeted pervasive attacks conducted by cybercriminals.

        In conclusion, the presentation encourages a balanced perspective on the cyber threat landscape—one that acknowledges the persistence of certain elements while recognizing the necessity of adapting to emerging risks, including the tactics employed by nation-state (sponsored) adversaries. For the higher education sector, where the implications of technological advancements are significant, understanding these consistent aspects becomes crucial, guiding informed decision-making and proactive defense strategies.

        Speaker: Nicole van der Meulen
      • 3:45 PM
        SOCCER project: Supporting establishment of university SOCs and collaboration in academic sector 5m

        The SOCCER project (Security Operation Centre in Central-Eastern Europe Region) aims to support the establishment and advancement of Security Operations Centres (SOCs) within the participating universities, as well as to share knowledge about SOC development and deplyoment and to foster information sharing among the broad academic cybersecurity commnuity.
        The lightning talk will be focused mainly on introducing two of the expected outcomes of the project: (i) SOC4Academia toolbox - a set of documents to share the knowledge about the SOC development, deployment and functioning as well as models of possible SOC services deployment and integration; and (ii) establishment of information & CTI sharing ecosystem for academic sector.

        Speaker: Václav Bartoš (CESNET)
      • 3:50 PM
        Crisis communication in the event of a cyber attack: why “no comment” is not an option 5m

        A cyber attack not only threatens the continuity of your services, but also forces your organisation to engage with your various stakeholders. How do you ensure that you are prepared to communicate clearly, transparently and professionally when you find yourself in the eye of the storm? This talk is a warm call to work closely with your communications department to develop a plan of action that will save you precious time in case of a cyber crisis.

        Speaker: Davina Luyten
      • 3:55 PM
        CLAWHAMMER – One Tool To Rule Them All 5m

        CLAW is the crisis management workshop held annually in person and online (so two events, each every year). Since lockdown drove us into the online world, we had to adapt and develop a tool that supports a crisis exercise done online. While the idea back then was “We just need this for the one online edition, we’ll do during COVID and then NEVER AGAIN”, we couldn’t be much more wrong...

        Speaker: Renato Furter
      • 4:00 PM
        Granny Smith, an unusual cyber criminal 5m

        In 2023 GÉANT supported the Cybersecurity Month initiative with its security awareness campaign for the international R&E community: ‘Become a Cyber Hero’. In a month-long journey into the world of cybersecurity, the campaign inspired and educated end-users on topics such as online privacy, phishing, social engineering, ransomware and the importance of reporting cyber incidents.

        Full proposal
        This lightning talk focusses on an innovative element of the 2023 GÉANT Cybersecurity Month campaign: the four-part animation series ‘Cybercrime for Newbies’. Available in seven languages, the animations feature an unusual cyber-criminal, Granny Smith, a retired elderly lady who explains in vlog format how she finds her cyber victims and the tricks she uses to steal their data and even their money. The objective of the series is to illustrate with humour the common pitfalls and mistakes that end-users tend to make when faced with cyber threats, and ultimately how to avoid falling victim of cybercrime.
        This talk highlights how, through a fresh and innovative story-telling approach, the series gives an insight into the mindset of cybercriminals showing how they think and operate, how they use online information and data easily accessible in the digital footprint that internet users leave behind. The talks also highlights how the Granny Smith animations, unlike other awareness campaigns, do not focus on user blaming or use scaremongering tactics.
        Recent research in cybersecurity demonstrates that in a blame-centred cybersecurity culture, people are often reluctant to report errors, increasing the likelihood that organisations will suffer the consequences of cybercrime. Conversely a climate that embraces and promotes an open cybersecurity culture encourages employee engagement and heightened vigilance. Creating a culture that fosters and supports a cyber-vigilant workforce organisations can achieve significantly better outcomes in terms of reducing cyber risk.

        Key take-aways
        • Use story-telling to inspire, engage and connect with the audience, influence their feelings, ideas and behaviour.
        • Don’t be afraid to be creative and use humour in cybersecurity awareness campaigns.
        • Stop adopting user-blaming tactics.

        Speaker: Rosanna Norman
      • 4:05 PM
        Crossing the Baseline - Elevating Security Maturity through the Security Bootcamps 5m

        Introduction: This lightning talk for the upcoming edition of the Security Conference, will shed light on an innovative and practical approach to enhancing cybersecurity in research and education institutions and the urgent need of improvement.

        In a rapidly evolving digital landscape, research and education institutions face unique cybersecurity challenges. This 5-minute lightning talk will delve into the transformative power of Security Bootcamps – hands-on workshops designed to enhance the security maturity level of these institutions. The talk will highlight the practicality and efficacy of these bootcamps, utilising a dedicated framework developed for targeted improvement – Security Baseline.

        Objective: The primary objective of this talk is to provide a clear understanding of the concept of Bootcamp, engage with the NRENs in need, to show them the benefits and how it can help them improving their Security maturity level.

        Key Topics of the presentation:
        • Emphasize the collaborative nature of Security Bootcamps, fostering a sense of community among participants and creating a network for ongoing knowledge sharing.
        • Understanding the unique framework developed for targeted security improvement.
        • Insight into a practical and effective solution for elevating cybersecurity in research and education.
        • Explore how Security Bootcamps prioritize practical, hands-on exercises to equip participants with actionable skills for real-world scenarios.

        Conclusion: Attendees will gain a clear understanding of how Security Bootcamps offer a transformative, hands-on approach to bolstering the security posture of research and education institutions. They will leave with insights into the dedicated framework and inspired to consider implementing similar initiatives in their respective organizations. I believe this lightning talk

        aligns well with the conference theme of Security days and would contribute valuable perspectives to the audience.

        Speaker: Ana Alves
      • 4:10 PM
        NETSEC-SIG @FIRST 5m

        Carlos Friaças is the Head of RCTS CERT, the CSIRT for the portuguese NREN.

        NETSEC-SIG at FIRST was created in 2022, and it is a group with the mission to foster the deployment of inter-AS network security BCPs, coordinated mitigation, and information sharing.

        This lightning talk intends to describe the group's objectives and topics/areas of interest, and at the same time call on new members that may be interested in cooperating (being a FIRST member is a plus, but not a requirement to join).

        As a co-chair of the group, i also intend to briefly cover the work the group has made since its inception.

        The information should be useful for the full audience, and especially for those interested in the field of network security.

        Speaker: Carlos Friaças (RCTS CERT (FCCN))
      • 4:15 PM
        Why you can't trust your e-mail client 5m

        In Security, we are trying to protect against many different threats: ransomware, DDoS attacks, phishing/social engineering, data leaks, etc.
        In this lightning talk, I will explain why poor UI and UX design can lead to exploitation of some of these threats.
        UI and UX are terms commonly used for the user friendliness of applications. UI: User Interface refers to the look of an application, whereas UX is the user experience; e.g. how clear everything is to the user.
        Examples of bad UI/UX impacting security:
        - E-mail clients: not clearly indicating encryption (e.g. gpg) is used or how to use it
        - E-mail clients: not clearly indicating which E-mail you received a mail from
        - E-mail anti-phishing protection: Copy pasting safe links leading to data leaks
        - Browsers: Not clearly indicating the certificate of the website
        - Websites: Giving a password strength indicator that is flawed
        Therefore, poor UI and UX design is an important vulnerability that needs to be tackled in an organization. So important, that a research project from the Radboud University (NL) has coined a new term for security called "actual security". I will end the lightning talk with the definition of this term and give recommendations on how we can improve the current state.

        Speaker: Jeroen Wijenbergh
      • 4:20 PM
        Community for Integrating and Opening Cyber Range Infrastructures 5m

        CYBERUNITY is an EU-Funded pioneering project aimed at transforming Europe's cybersecurity landscape. Assembled with leading experts and stakeholders from across Europe, this initiative sets out to establish a network of interconnected Cyber Ranges, fostering collaboration and innovation and revolutionising the way cyber defence is conducted. CYBERUNITY’s initial phase involves bringing together the cyber ranges owned and operated by the consortium partners. Simultaneously, it aims to "open" the specifications for cyber range interoperability, fostering a robust community of cybersecurity professionals, researchers, and experts dedicated to safeguarding the digital landscape. Its ultimate goal is to propel Europe into a global leadership position. To achieve this, CYBERUNITY plans to develop open interoperability specifications, laying the foundation for the first interoperable cyber range infrastructure. This infrastructure will serve as the basis for the "Cyber-Range-as-a-Service" (CRaaS) concept. The project will also introduce an overarching Knowledge Repository dedicated to cyber ranges. By leveraging these elements, along with additional components and interfaces integrated into the project, CYBERUNITY aspires to bring the CRaaS concept to fruition. The endeavor includes deploying a secure framework that facilitates cross-organizational and cross-border integrated cyber range services, ensuring trustworthiness and privacy compliance. The capabilities of these services will be showcased through various cross-border scenarios involving critical sectors. Throughout the project's lifecycle, CYBERUNITY estimates that around 2000 cyber defenders from all corners of Europe, including regions with limited access to a unified cyber range facility, will benefit from its initiatives.

        Speaker: Panayiota Smyrli
      • 4:25 PM
        Next Generation Security Operation Centres 5m

        NG-SOC considers the paradigm of interconnecting heterogeneous digital systems where traditional security controls are becoming increasingly inefficient due to the mosaic of the involved data, the plethora of diverse business services and the strong interdependencies between software components residing at interconnected infrastructures, allowing threats and security incidents to propagate between assets of these interconnected networks. At the user level, hand-held devices and mobile applications increase the system's attack surface.

        Thus, the key-point to unlocking the enormous potential of the EU digital infrastructures serving millions of citizens, enterprises and society lies on their ability to remain cyber-secure. NG-SOC builds its concept on top of the actual cybersecurity needs of NIS Directive organisations. It has carefully identified the real-world cyber-security challenges that the consortium pilots currently face and through a systematic analysis has translated them to a set of desired attributes for the envisioned NG-SOC toolkit, including: early-stage detection and classification of attackers TTPs, identification of attacks caused by novel multi-faceted actors (both external and internal), actionable, relevant and accurate CTI sharing between organisations and devices, automated threat/incident detection, investigation and response (TDIR), automation and orchestration of incident response strategies and continuous learning (capacity building) and systematic raising and maintaining user awareness. NG-SOC aims to provide a holistic solution that exhibits the above attributes but most notably, addresses the challenges of the whole cybersecurity cycle.

        Speaker: Stephanos Andreou
      • 4:30 PM
        Responding to a cyberattack 5m

        On 28.03.2023, the ELI Beamlines Facility was hit by a sophisticated ransomware attack. This talk gives insight on the immediate incident response of such an event - and shares a few lessons we learned from that.

        Speaker: Birgit Ploetzeneder (ELI Beamlines)
      • 4:35 PM
        Fighting NeMo 5m

        GÉANT’s adoption of NeMo presented significant challenges for our security teams. From the tool’s scope to configuration, GÉANT SOC & Security had to transform NeMo — a DDoS initially optimized for the organization that conceived it — into a robust solution capable of securing network uplinks and preventing DDos across the entire GÉANT network. Join Ryan Richford as he explores the hurdles faced in achieving this ambitious goal.

        Speaker: Ryan Richford (GÉANT)
      • 4:40 PM
        Let Me Hack You 10m
        Speaker: Sigita Jurkynaite (TF-CSIRT)
    • 7:00 PM 11:00 PM
      Security Days Social Arthur's Pub (Křižíkova 27, Praha 8 – Karlín)

      Arthur's Pub

      Křižíkova 27, Praha 8 – Karlín

      We invite you to join us at Arthur's Pub for an evening of excellent local food, drinks and a chance to exercise your social engineering skills....

    • 9:00 AM 10:30 AM
      Operational Security: Session 5 Euforie


      Security is not something you are doing on your own unless of course when you are the evil hacker. With the large amount of threats we are facing, the developments in technology, the quick rise of AI, cooperation in operational security is key. Individual incidents may be by nature very confidential, we however need to learn from each and every incident in our own organisation but also from our peers in our community to be able to efficiently and effectively protect our assets and users.
      In this session we learn that you can not build a SOC without intense interaction with other NRENs and your users, interactions which make miracles happen, miracles you could not have achieved when working on your own. Will the final miracle be a large virtual pan European collaboration, the R&E security intelligence hub? Or will that only be the start of even more miracles?

      Convener: Henry Hughes (Jisc)
      • 9:00 AM
        The Research and Education Security Intelligence Hub 20m

        This presentation reveals an NREN community vision for a virtual organisation that seeks to create, collect, analyse, classify and share actionable security intelligence for research and education. The Research and Education Security Intelligence Hub is intended to counter specific cyber threats and challenges with solutions centred around trusted collaboration and joint operations; transforming raw data into intelligence that can be shared and acted on by cyber defenders for the greater benefit of the R&E community and beyond.

        Speaker: Roderick Mooi (GÉANT)
      • 9:30 AM
        Why collaboration tastes like more. 20m

        This presentation clearly demonstrates the miracles that can occur when everyone collaborates closely and works toward a shared goal.

        Speakers: Floor Jas (SURF), Wim Biemolt
      • 10:00 AM
        How We Knitted Our SOC (or HEAnet's SOC & SIEM Project) 20m

        HEAnet formally started a SOC & SIEM project in 2022 with a procurement exercise which included a 17 company framework, and a single supplier chosen to provide a sectoral SOC & SIEM to our clients. Since then we have created a Security Operations Team and worked with our provider to on-board multiple clients. HEAnet are taking a very hands-on approach to both onboarding and ongoing management of the project to make sure our clients not only receive the best possible service, but also to ensure the threat intelligence data, lessons from incidents and immediate response steps can be shared with the whole HEAnet community.

        This talk (which can be a full presentation or a Lightning Talk) aims to outline early interactions with other NRENs, the inputs that led to our decisions re: outsourcing, information on the shape of our new team and lessons learned from the first year of operation. We believe that this is a vital service for NRENs to facilitate (in some way) for their clients and we want to do what we can to make it easier for the next NREN to start the process!

        Speaker: Brian Nisbet (HEAnet)
    • 10:30 AM 11:00 AM
      Coffee Break 30m
    • 11:00 AM 12:30 PM
      Closing Plenary Euforie


      Convener: Charlie van Genuchten (SURF)
      • 11:00 AM
        CISO Wanna be 20m

        "CISO Wanna Be" is an informative, inspiring and engaging talk that will benefit professionals and individuals aspiring to take on the role of Chief Information Security Officer within research and educational institutions. I believe that this presentation will be a valuable addition to the Security Conference, contributing with a solid but also pragmatic approach to cybersecurity practices and to such important role as it is CISO.

        Speaker: Ana Alves
      • 11:20 AM
        New Security Challenges for NRENS 20m
        Speaker: Jan Kolouch (CESNET)
      • 11:40 AM
        Lies are (not!) everywhere 40m

        How has AI changed our ability to recognise what is really true? What are lies and how easily have they been spreading? How can we use AI practically to help and not do harm in journalism? It's not just AI. How can we use the available data to actually help people? And most importantly, how can we better use the most complex matter in the known universe that we wear between our ears to understand the world?

        Do we have a solution? Yes we do, and it's not primarily found in technology.

        Speaker: Daniel Stach
    • 12:30 PM 1:30 PM
      LUNCH 1h
    • 1:30 PM 5:00 PM
      DDoS and Network Monitoring Workshop 3h 30m Gracie


      The session will be split in two parts, with the second part most possibly starting after a short break.
      Part 1: Threat sharing for proactive (D)DoS defence (co-host: Roderick Mooi)
      We will discuss ideas emerging from collaborative discussions between the CTI and DDoS subtask teams in WP8 Task 3.
      How can NRENs share actionable intel around (D)DoS attacks (with an emphasis on those targeting R&E) and better prepare our defences accordingly?

      Part 2: General DDoS tooling and attack discussions
      We will discuss the general DDoS situation, and current tooling & experiences from within the GÉANT project and the NREN community. While we won't be able to do a deep dive into recent events - as we won't go more retrictive than TLP:GREEN in this session, feel free to share your lessons learnd as well as tooling experiences.

      Speaker: Jochen Schoenfelder
    • 1:30 PM 5:00 PM
      Security Awareness Side Meeting

      his meeting is aimed at everyone who is involved in managing the human factor for their organisation. The objective is to exchange knowledge and experiences on managing human risk and to build a long-term community around this topic. In this session, several NRENs will present their internal security awareness programmes. Afterwards, we would like to hear from you about the challenges you are facing and how the subtask Awareness (GN5-1) can support you further. Are you working on internal or external security awareness for your NREN? Then, make sure you join us!

      Convener: Davina Luyten
    • 3:00 PM 3:30 PM
      Coffee Break 30m