SURF’s TAO approach to Cybersecurity

SURF’s TAO approach to Cybersecurity

Good things come in threes

SURF is the “collaborative organisation for ICT in Dutch education and research”, we also operate the Dutch NREN (National Research and Education Network). With ICT so prominent in our one-liner description you might think that we love technology (and you would be right!), but we don’t see technology as the solution to each and every problem; far from it. In most cases ICT is just a tool that you can use to address a problem, but always as just a (sometimes minor) part of the whole solution.

Over the years the use of ICT in research and education has increased steadily, up to a point where it has now become an integral part of education and research. The benefits of this are manifold, and the quick and successful way in which all of our institutions have switched to online teaching at the start of COVID-19 (most within a week, or even a weekend!) is a good example.

The major drawback is of course that education and research has also become dependent on the ICT functioning properly and reliably. If our network goes down it doesn’t just mean that bits won’t go from A to B, it means that students can’t attend their classes or researchers can’t do their research or attend virtual conferences.

This increased dependency on ICT also means an increased importance of cybersecurity. And just as with ICT itself, technology in and of itself won’t be *the* solution. It isn’t just an ICT responsibility either, but a responsibility for everybody. For everybody to be able to work. research and learn safely, everybody must be aware of the risks and their own role in defending against disturbances (of any kind).

Cybersecurity is more than just technology

To be as safe and resilient as possible against (cybersecurity) risks and attacks, everybody should practice the TAO of cybersecurity. So pay attention to Technology, Awareness and Organisation.


Technology is like having locks on your front and back door. If you don’t use them when leaving your house or when you go to sleep, you might as well not have them in the first place. You need technology to improve security: Things like filtering mail against spam, phishing and viruses. Well thought-out identity, access and rights management (properly applied and adhered to). Firewalls and segregated networks. Whenever technology *can* help improve your security: use it! Just don’t rely on it exclusively, because it won’t be enough.


Users need to be aware that they are an interesting target for cyber criminals and have their own responsibility in using resources and services safely. No matter how good your mail filtering is, some malicious mails will make it past and end up in someone’s inbox. What happens next entirely depends on the user of that inbox. You need to give your users the right knowledge and tools to recognise these malicious e-mails as much as possible. And make no mistake: no amount of training will get the number of users that click on the wrong link go down to zero. Everybody is susceptible and will – given the perfect conditions – click on that link. Even cybersecurity specialists. But that is no reason to keep your users in the dark entirely. Of course Awareness is more than teaching people not to click on links in e-mails. It also has to do with not sticking your credentials on a post-it note to their monitor (yes, this still happens), putting privacy sensitive data on an unencrypted USB stick (though putting it on a stick is questionable in the first place) or discussing sensitive topics with a colleague in public transport. The important thing is that you shouldn’t let your users have to figure out safe practices for themselves when you can give them that information (and the reasons why). Empower them to be able to do the right thing most of the time and you add another layer of defense.


Everybody in the organisation – from top to bottom – needs to acknowledge the importance of cybersecurity. An integral approach to security and risk management – including cybersecurity – needs to be on the governance agenda regularly in order to weigh risks and opportunities, learn from incidents from the past and invest in the future. Admins need to get the time, resources and education to make and keep their systems safe. Awareness programs need to be carried out in collaboration with communication departments and regular (cyber)security exercises need to be the norm; comparable to fire and evacuation drills. And of course everybody needs to feel safe to report (possible) security issues, especially if they themselves might be the cause of it (for example if they did click on that link). Nothing will decrease your security as much as creating an environment where people are afraid to tell you they might have caused some problems; because obviously then the first time you will find out about it probably it will be too late to do anything about it anyway. And yes: your managers and bosses higher-up are also users. Whatever goes for the worker drone goes for the queen bee. Managers and bosses lead by example, always. The only question is whether they set a good or a bad example.

Continuous attention

Putting continuous effort in all three parts is necessary to be able to keep working safely. From sysadmin to director and from researcher to student: everybody plays a role in achieving this. By working together we’re able to meet threats head-on and mitigate the effects of incidents that do occur.


Since a lot of the (cybersecurity) threats are the same for all the institutions that we serve, we collaborate with them on all levels. We facilitate communities dealing with (information) security and privacy on an operational, tactical and policy level as well as working on an integrated approach to security and safety at the board level.

We pay attention to the technical part of cybersecurity with our services and service development, ranging from mail filtering to VPN services.

Every two years we organise a large cybersecurity crisis exercise called OZON. The exercise crosses all layers within an organisation (from operational to board level) and includes communication departments as well. Participating in OZON will give you a good idea how your organisation will fare in a real crisis, and lessons you learn from the exercise can be applied to your crisis plans and scenarios. We offer smaller table-top exercises for the intermediate years which we also help organise at the European level together with GÉANT (the association for NRENs) and other NRENs. To give you an idea what we mean by a large scale cyber security exercise: the latest OZON exercise in 2018 saw more than 1200 people from our institutions taking part.

To stimulate awareness campaigns we provide a toolkit called Cybersave Yourself to our institutions, offering practical guides and a lot of awareness material which our institutions can use to set up their own awareness campaigns. The materials available range from posters, movies and games to learning modules on different topics related to cyber security, such as CEO fraud, phishing, public WiFi, ransomware and much more. The materials point to an accompanying website which offers more background and explanation to the topics.

We also offer cyber security courses and training, either by providing them ourselves – such as the TRANSITS training for both new and experienced computer security incident response team (CSIRT) personnel – or by organising courses given by other companies and trainers – such as DAMTA (Defend Against Modern Targeted Attacks).

Last but certainly not least, we are in the middle of setting up a Security Operations Centre (SOC) for our connected institutions, slated to start operations in the beginning of 2021.

Cybersecurity Research

What is the link between the holistic approach we take to cybersecurity and the CONCORDIA project? Most of the CONCORDIA project is fairly technology driven, especially the small part we are active in as SURF: Task 3.2: Piloting a DDoS Clearing House for Europe. What this entails was described in three previous blogs (part 1, 2, 3). But most topics addressed in Concordia are also fine examples of collaborative research efforts, not just in the project itself but the envisioned outcome as well. The idea behind the DDoS Clearing House is of course that sharing information on DDoS attacks will help in combating and mitigating these attacks. Publishing (about) the collected information also helps raise awareness about DDoS attacks.

Our part in this is of course that we see a lot of DDoS attacks on our network, targeting connected institutions. A lot of them are relatively short, most likely from the ‘try before you buy’ category on booter sites, and are easy to mitigate using stateless filters on networking equipment. Every now and then there are also more complicated attacks, which require the use of our scrubbing center and the other options we have at our disposal to mitigate attacks.

Working together with (cyber security) researchers is something that we love to do and we do quite a lot. Usually we can apply results of cyber security research fairly directly into our operations, or incorporate them into our services that we offer to our connected institutions.
In terms of security research, SURFnet is also uniquely positioned in The Netherlands, providing resources that are unavailable at our member universities and research organisations. One example is Thunderlab, SURF’s cybersecurity research facility.

What is Thunderlab?

SURFnet’s ”Thunderlab” research facility provides a dedicated high-bandwidth experimental network set up specifically to perform security research. This network, with a 100Gbit/s uplink to the SURFnet core and direct connectivity to AMS-IX, the world’s largest Internet exchange, has been used to perform in-depth studies of DDoS attacks. This unique asset will be a key contribution to the CONCORDIA consortium.

In the past, Thunderlab has proven to be valuable for researchers from SURF’s constituency, conducting various research activities in cyber security. Apart from easy access to Virtual Machines using Thunderlab’s OpenStack cloud computing platform, researchers have access to 100 Gbit/s network connectivity to the Internet, large scale storage, and plenty of IP space from a dedicated BGP AS (Autonomous System).

Let’s look at some examples of cyber security related projects that benefit from Thunderlab infrastructure.

The massive bandwidth available is used in periodic DDos Exercises, conducted via blue teams and red teams constructed from participating organisations from industry, government, and research to test collaborative DDoS defenses in a massive simulation. Experience from these exercises is used to improve technical and procedural measures that are used to mitigate a real DDoS attack.

The dedicated AS provides dark address space, i.e. routable Internet address space that’s currently unused. These “Network Telescopes” are used to analyze darknet backscatter traffic and correlate it with malware-infected IoT devices. This analysis is used to monitor malware activity, detect new forms of malware, and to better understand their behaviour while preparing for taking measures to mitigate the havoc they are trying to wreak.

Another example of an interesting cyber security research project was to see if active DNS measurements could be combined with machine learning to effectively detect snowshoe spam domains, which yielded results that are very useful for our mail filtering service.

Any researcher can apply for resources by simply filling out a form. Proposals are evaluated on both technical (e.g. what resources are required and what for?) and non-technical criteria (e.g. what are legal or ethical implications?). A committee evaluates all the applications based on these criteria.

Using this research network, in-depth studies on DDoS attacks can be made. Thus our participation in CONCORDIA’s task 3.2, together with SIDN labs and Twente University, whose objective is to pilot a DDoS Clearing House with European industry for Europe to proactively and collaboratively protect European critical infrastructure against DDoS attacks fit neatly with all types of other cyber security related research we facilitate using Thunderlab.


SIDN, SURF and the University of Twente were partly funded by the European Union’s Horizon 2020 Research and Innovation program under Grant Agreement No 830927. Project website:

(By Remco Poortinga-van Wijnen and Joost van Dijk (SURF))