Last week I was invited to provide input to a tabletop exercise for city-level crisis managers on cyber security risks and the role of CSIRTs. The organizers brought a color-coded threat-level sheet (based on the CISA Alert Levels) to the discussion and asked whether we also do color-coded alerts in Austria and what I think of these systems.

My answer was negative on both questions, and I think it might be useful if I explain my rationale here. The first was rather obvious and easy to explain, the second one needed a bit of thinking to be sure why my initial reaction to the document was so negative.

When I wrap up at CERT.at, where I mostly work on our notification system (if you’re a network operator in Austria and got a misassigned notification about some security issues – I might have been involved in that), I sometimes change my hat and explore other “cyber”-security areas, especially looking for malicious packages in PyPI, a standard Python package repository. The short summary is: there are a lot of them – but also, don’t panic.

The EU has been pushing the concept of the "European Cyber Shield" within  the Digital Europe Programme as well as with the proposed "Cyber Solidarity Act".

I've written a paper on how I see this idea and how the Act could be improved.

We at CERT.at process and share a wide selection of cyber threat intelligence (CTI) as part of our core mission as Austria’s hub for IT security information. Right now, we are involved in two projects that involve the purchase of commercial CTI. I encountered some varying views on what CTI is and what one should do with the indicators of compromise (IoCs) that are part of a CTI feed.

This blog post describes my view on this topic.

IntelMQ, an open-source security feeds processing tools, has just got a new release to fix two recently discovered bugs.

We are continuing to support IntelMQ, an open-source solution for collecting and processing security feeds. Recently, the IntelMQ Community announced the release of new version 3.2.0.

Some thoughts from 2021 on the ideas of how to get SOCs to collaborate.

This is a TLP:WHITE summary of my presentation at the 15th CSIRTs Network meeting in Ljubljana on November 11th 2021. This is not a complete review of the current state of the NIS2 discussions.

The latest maintenance release for the incident-management toolbox IntelMQ brings few changes, but notable performance increases for high-load data collection processes.

The IntelMQ 3.0.1 release batch fixes some issues in IntelMQ, the API and the Manager.