SURFsoc gives you a single point of contact for all your infrastructure security issues. SURFsoc monitors cyber threats and possible attacks on the institutional infrastructure, for example via a SIEM system. We share the knowledge that we acquire within SURFsoc with the institutions.
Increase information position by scanning and anticipating
We are investigating different ways of responding to incidents. By collecting information, linking in a targeted way, actively scanning and anticipating, we increase our information position.
PANGA
Increase information position by scanning and anticipating
With Proactive Analysis Towards Advanced Attacks (PANGA), we investigate the possible wider implications of an incident to better understand the scope of threats to the education and research sector. SURFcert actively and proactively collects and analyses large quantities of cyber threat information and places it in context. In this way, we can quickly spot irregularities and warn of threats at an early stage.
Investigate incidents more thoroughly
SURFcert started with PANGA in 2019. One day a month, the SURFcert team investigates an incident or threat. The team then investigates whether there are implications for the entire target group, rather than just one related institution.
OSINT
Using public sources of information
Open Source Intelligence (OSINT) uses public sources of information to detect vulnerabilities within the SURF network and those of affiliated institutions. Examples include Shodan and Censys, both search engines for Internet-exposed systems and their vulnerabilities. We are developing a better user interface, because displaying, organising and searching the information is still fairly technical at the moment; our initial focus is on use by SURFcert itself. In addition to developing the interface, we are also keeping a close eye on the market.
In the future, we may extend use of the interface to the CSIRT teams of the institutions.
Linking vulnerabilities in a more targeted way
We link the information from these public sources to information such as the IP ranges of the connected institutions. In this way we can link vulnerabilities to specific institutions in a more targeted way. In 2018 and 2019, we expanded this with active scanning based on flow information (NetFlow) from the SURF network. NetFlow makes it possible to collect IP network traffic entering or leaving an interface.
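The linking step above, as an added example that is not SURF's own tooling: constructed Shodan/Censys-style findings are attributed to constructed institution IP ranges (RFC 5737 documentation addresses, not real allocations), using longest-prefix matching so that a sub-block delegated to a different institution is attributed to that institution rather than to the parent range.

```python
import ipaddress
from collections import defaultdict

# Constructed institution address plan (RFC 5737 documentation ranges, not real
# SURF allocations). The /25 inside University A's /24 belongs to a different
# institution, so attribution must prefer the most specific matching block.
INSTITUTION_RANGES = {
    "University A (constructed)": ["192.0.2.0/24"],
    "Faculty A-Medical (constructed)": ["192.0.2.128/25"],
    "College B (constructed)": ["198.51.100.0/24"],
}

# Constructed exposure findings in the shape a Shodan/Censys-style export gives:
# address, open port and the banner-derived product name.
FINDINGS = [
    {"ip": "192.0.2.10", "port": 3389, "product": "RDP"},
    {"ip": "192.0.2.200", "port": 445, "product": "SMB"},
    {"ip": "198.51.100.7", "port": 11211, "product": "memcached"},
    {"ip": "203.0.113.5", "port": 22, "product": "OpenSSH"},  # not in any constituent range
]

def build_index(ranges):
    """Flatten {institution: [cidr, ...]} into a list of (network, institution)."""
    return [(ipaddress.ip_network(c), inst) for inst, cidrs in ranges.items() for c in cidrs]

def attribute(ip, index):
    """Return the institution owning ip, preferring the longest (most specific) prefix."""
    addr = ipaddress.ip_address(ip)
    best = None
    for net, inst in index:
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, inst)
    return best[1] if best else None

def group_findings(findings, ranges):
    """Map each finding to an institution; findings outside all ranges go under None."""
    index = build_index(ranges)
    grouped = defaultdict(list)
    for finding in findings:
        grouped[attribute(finding["ip"], index)].append(finding)
    return dict(grouped)

if __name__ == "__main__":
    for inst, items in group_findings(FINDINGS, INSTITUTION_RANGES).items():
        label = inst or "no matching range (not a constituent)"
        print(label, [(i["ip"], i["port"], i["product"]) for i in items])
```

Findings that fall outside every known range are kept rather than dropped, since they often point at an out-of-date address plan rather than at an uninteresting host.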