77th TF-CSIRT Meeting, May 2026: Riga: Agenda


The 77th TF-CSIRT Meeting will be held from 11 - 13 May 2026. We gratefully thank our local hosts CERT.LV for allowing us to come to Riga (LV).

This page outlines the agenda for the upcoming session. It provides a clear overview of the planned topics, timing, and structure to help participants prepare and follow the flow of the event efficiently.

How to register for a training?

If you have already registered for the meeting, you should update your registration for the training sessions yourself.

Go to: https://indico.tf-csirt.org/event/11/

Please note that if you have already registered, you will need to amend your booking. By going to the above URL, you should see a message confirming your registration for this event. You can then click on 'See details'. You will then see a 'feather' icon with the option to 'Modify'. Click on that, scroll down to 'Selection of Meeting Sessions' and make your choices!

As always, time and space are limited, so seats will be assigned on a first-come, first-served basis based on your updated registrations. Accredited and certified team members are given priority.


Details for the Morning Trainings/Workshops (9:00-12:30) and full day training

Bad out of Hell - FAT32

Trainer:

  • Michael Hamm, CIRCL

How to hide and find data in a file system's defective sectors.
Many file systems allow clusters containing defective sectors to be marked as bad, so that they are no longer used to store valid data.

Attackers can abuse this feature to hide data persistently on the disk, because these sectors/clusters are skipped and no longer used.

We will explore how file systems perform some of their most important activities and how this is implemented in the FAT32 file system. We will use these techniques in hands-on exercises to hide data in bad clusters, and we will learn how to detect such data forensically.

This is a hands-on training and attendees should bring a Linux laptop to be able to perform the exercise. All standard Linux distributions should be sufficient. Just the package "The Sleuth Kit" should be installed.

Mind Your Step: Operational Security (OPSEC) Essentials

Trainers:

  • Bernhards Blumbergs, CERT.LV
  • Gabrielle Verreault, TalTech

Maximum: 40 participants

This interactive workshop provides a practical, first-steps introduction to Operational Security (OPSEC) as a mindset and decision-making framework for everyday professional activities in an everyday cyber/physical environment. Using an immersive, scenario-driven narrative following a conference participant’s journey from their departure and transit, through hotel stay and conference participation to return, the workshop teaches how to be aware of how nation-state and cybercrime adversaries observe, correlate, and exploit information across digital and physical domains, the effects they seek to achieve, and the OPSEC measures that can prevent, mitigate, or contain impact. Delivered in an informal, discussion-driven format and requiring no prior OPSEC or technical background, the session emphasizes situational awareness over tool dependency and equips participants with immediately applicable practices relevant to their international travel, participation in events, and daily work. The workshop reinforces proactive, human-centric security decisions to strengthen individual security, thus enhancing collective resilience against evolving cyber and operational threats.

Security Operations Hangout: beer, snacks & SOC stories

Trainers:
  • Kristīne Kaula, CERT.LV
  • Uldis Košķins, CERT.LV
  • Katrīna Strupule, CERT.LV


Crack open a drink, and join a room full of battle-tested SOC operators, CSIRT engineers, and detection nerds who’ve seen “the stuff”. This isn’t a typical workshop, but a candid and very real exchange of short war stories, uncomfortable questions, and open-floor discussions of what works (and what absolutely doesn’t) when building and running a Security Operations Center at scale. Expect practical insights and geeky humor as we collectively unpack the messy reality of SOC operations:
- Regulation vs reality: How do you reach the long tail of “invisible” constituents?
- What even is Your SOC?: From endpoint detection and response and log management to CTI, threat hunting, and vulnerability management. Where do you draw the boundary?
- Incident Response: notify or act?: How far do you go without breaking trust (or contracts)?
- SLA gymnastics: Delivering meaningful services across wildly different expectations, while pretending 24×7 coverage is easy.
- Build vs Buy vs Pray
- Staffing and resource constraints: Can your SOC actually support everything it promises, from client onboarding to backend analytics?
- Data hoarding Olympics: Retention, backups and the “impossible” data volumes.
- AI in the SOC (hype vs reality): where AI helps, where it hallucinates, and how you measure success without fooling yourself.
- Metrics that truly matter: Beyond buzzwords like MTTD/MTTR (Mean Time to Detect and Respond), how do you prove value to a CISO who speaks only fluent ROI (Return on Investment)?

Your mission (should you choose to accept it): Come prepared to share things that worked surprisingly well and things that failed spectacularly. Bonus points for scars, dashboards, or lessons learned the hard way.

No slides required. No marketing allowed. Just practitioners talking and swapping tactics, and maybe discovering that everyone else is “duct-taping” their SOC together too.

Full day PR Working Group Meeting (9:00-17:00)

Preliminary Agenda for PR Working Group Meeting:
08:00 - 09:00/30 - Registration
09:00/30 - 10:30 - Introduction and Round Table
10:30 - 11:00 - Coffee break
11:00 - 11:30 - An experience story from a national-level cybersecurity awareness campaign in Latvia (Līga Besere, CERT.LV)
11:30 - 12:00 - Introduction to the kibertests.lv (Cybertest) platform (Madara Krutova, CERT.LV)
12:15 - 12:30 - Our Findings and Lessons Learned from Leading a Business Continuity Challenge for Constituents (Dana Ludviga, CERT.LV)
12:30 - 13:30 - Lunch
13:30 - 14:00 - Insights and real-life experience on communication during a national level crisis (Vineta Sprugaine, LVRTC)
14:00 - 14:30 - Insight on crisis management exercises (Daina Ozoliņa, CERT.LV)
14:30 - 15:00 - .LV registry crises (real and exercises) experience (Kristiāna Mūze-Feldberga, NIC.LV)
15:00 - 15:30 - Coffee break
15:30 - 16:30 - Crises exercise for PRs (Dana Ludviga, Kristiāna Mūze-Feldberga, CERT.LV)
16:30 - 17:00 - Other topics


Details for the Afternoon Trainings/Workshops (13:30-17:00)

Cyber Crisis Exercise

Trainers:

  • Maria Edblom Tauson, SUNET-CERT
  • Monika Allöv Andersson, SUNET-CERT

Maximum: 20 participants

This half-day workshop provides a focused, scenario‑based cyber crisis exercise designed to build competence in crisis coordination, communication, and decision‑making. Participants receive a short introduction to crisis management, engage in a light icebreaker, and then work through an escalating cyber incident simulation.

This training is based on the exercise Maria and Monika ran within our NREN Sunet in October 2025, so it is new to the TF-CSIRT community.


Programme on Tuesday 12th April

An open meeting is planned for Tuesday.

| Time | Presentation | Presenter | TLP |
|---|---|---|---|
| 9:00 – 9:10 | Welcome | Věra Mikušová, TF-CSIRT Steering Committee Chair | |
| 9:10 – 9:30 | CERT.LV team update | Baiba Kaškina, CERT.LV | |
| 9:30 – 10:00 | KPIs for CSIRT/CERT: 9 Lessons to Avoid Shooting Yourself in the Foot | Etienne Ladent, Kering-CERT | |
| 10:00 – 10:30 | Foreign Adversary Operations against Latvia: An Insight into Commercial Threat Enablement | Kārlis Svilāns, CERT.LV | TLP:AMBER |
| 10:30 – 11:00 | Coffee Break | | |
| 11:00 – 11:45 | From Reactive alert management to Proactive Internet Intelligence | Jonas Gyllenhammar, Martin Solang, Censys | |
| 11:45 – 12:00 | SOCs' cooperation - some lessons learned | Vilius Benetis, NRD Cyber Security | TLP:AMBER |
| 12:00 – 12:30 | Asses and OESes | James McLaren, JCSC | |
| 12:30 – 13:30 | Lunch | | |
| 13:30 – 14:15 | Anatomy of "Digital Arson" - Strategic Lessons from the 2025 Polish Energy Attacks | Radoslaw Dumanski, PSE | |
| 14:15 – 15:00 | Cybersecurity Beyond the Blackout: Governmental CERT Operations and Post-Event Resilience in the 2025 Spanish Energy Crisis | Felix Barrio, National Cyber Security Institute of Spain | |
| 15:00 – 15:30 | Coffee Break | | |
| 15:30 – 15:45 | Building cybersecurity awareness through student education and peer engagement | Pavol Sokol, CSIRT-UPJS | |
| 15:45 – 16:30 | Security in multimedia | Jaroslav Svoboda, CESNET | |
| 16:30 – 16:40 | TF-CSIRT event hosting | Ivo Dijkhuis, Dana Ludviga, TF-CSIRT SC | |
| 16:40 – 17:00 | Lightning talks | | |

Programme on Wednesday 13th April

| Time | Presentation | Presenter | TLP |
|---|---|---|---|
| 9:00 – 13:30 | CLOSED SESSION | | |