2025/34 Weekly Update from the EU ISAC for Cities & Regions: No call next week / Emerging Barista 101 Story for AI supported investigation / New Working Groups – Maybe of Interest? / Tuscany & Brittany Region invite to webinar on “AI & Cybersecurity in regional and Local Authorities” 26 November.
** For Back Issues see https://isac4cities.eu/blog **
The City ISAC (I4C+) is an Information and Analysis Centre whose members are IT and cyber security decision makers exchanging knowledge to improve their cities' and collective cyber resilience. I4C+ is a Special Interest Group (SIG) hosted by Major Cities Europe (MCE). Dr. Oliver Schwabe is a member of MCE and, in that capacity, Chair of the ISAC for Cities Plus (I4C+). He is the person in charge of this effort on behalf of MCE and the responsible contact person. I4C+ is recognized by the European Agency for Cybersecurity ENISA. See https://isac4cities.eu/.
** No call next week **
Discussion Summary
Hi everyone, friends from Belgium, Croatia, Ireland and Italy joined. A lot of the focus was on the pilot for the DEP proposal, which is a little delayed because everyone has been extremely busy this week; however, we hope to accelerate a little in December. What we have started, though, is exploring the basic process for operating our aspired workflow. We used the session to walk through an example CTI evaluation as follows:
- We went to our ENISA MISP account at https://misp.isacs.eu/, opened and screen-copied a recent entry (in future this would be CTI from the MISP of a local administration).
- We then went to the free version of our resident Barista AI agent at https://chat.mistral.ai/chat and went through the below process:
- We asked “Barista – correlate the below text starting and ending with ## with entries in the EU Vulnerability Database.”
- Barista supplied a relatively robust response based on identifying EUVD-2025-23454 and EUVD-2025-22141 as relevant entries.
- We then enhanced the query with “Add a correlation with the CISA CVEs” and received back a robust list of CVEs with details (e.g. “CVE-2025-58034 (Fortinet FortiWeb OS Command Injection)”).
- Discussing the results, one colleague suggested we would need to align them with our XDR solution, so we added the query “How can I use this information to correlate with my XDR solution?” and received a series of suggestions like:
- “3. Leverage XDR for Hunting and Response / A. Proactive Hunting Query for FamousSparrow TTPs:Use XDR’s query language to hunt for “Registry modifications for persistence (e.g., HKCU\Software\Microsoft\Windows\CurrentVersion\Run\K7Soft).”
- Being pragmatic, we then asked Barista to “Generate a list of tasks for me to complete with the XDR” and received seven (7) recommendations and suggestions on how to prioritise activities, with some really good feedback (e.g. “Start with critical assets (e.g., edge devices, financial systems) and high-severity KEV CVEs.”).
- This then got us into a discussion that all of these activities are only helpful IF we know what assets are in our network, and the continuous challenge of figuring this out. We all use a variety of network monitoring / sweeping tools and security solutions; however, in the end these do not discover everything and struggle to correlate the entries retrieved with the output of other solutions and with vulnerability descriptions. As we all know this is a nightmare, and we agreed that in the end making this final correlation and identifying remediation activities is a largely manual task.
- Finally, we discussed whether, considering the challenges of dealing with the results of our Barista discussion, there was any value in setting it up in the first place. There is definitely a manual intervention at the end of the process, since automating actions in our network is not really the right thing to do – the data is too ambiguous AND we would probably need on-premise AI solutions running to access our actual network monitoring data. We also agreed that, probably, after running this little user story 50 times, the solutions would actually become rather generic (e.g. “Identify internal assets running KEV-listed software”). Thinking about this, I asked Barista this morning “What CIS18 controls are relevant for the above tasks?” and Barista suggested the below controls (enhanced by specific activities):
- Inventory and Control of Enterprise Assets (CIS Control 1)
- Inventory and Control of Software Assets (CIS Control 2)
- Data Protection (CIS Control 3)
- Secure Configuration of Enterprise Assets and Software (CIS Control 4 & 5)
- Continuous Vulnerability Management (CIS Control 7)
- Audit Log Management (CIS Control 8)
- Email and Web Browser Protections (CIS Control 9 & 10)
- Malware Defenses (CIS Control 8 & 13)
- Network Monitoring and Defense (CIS Control 12)
- Incident Response and Management (CIS Control 19)
- Penetration Testing (CIS Control 20)
- In summary, therefore, we came to the conclusion that while this little user story may not directly help us identify what specific actions to perform on a technical level, it provides a robust and repeatable structure for improving compliance. Important as well is that the queries to Barista were extremely simple -> in professional approaches these queries become a whole page of instructions each, data is attached AND, through use of a persistent AI account, generative learning can begin to happen. We will continue our journey in two weeks!
- The consolidated query after this session is listed below (maybe the Emerging Barista 101 Story?). We will expand it in the next session by (a) using CTI from a participant, and (b) identifying further sources to correlate with, e.g. relevant network inventory details. We will also run Barista in anonymous mode.
- Barista – iteratively assess the below CTI text starting and ending with ## against the questions:
- What are relevant entries in the EU Vulnerability Database? https://euvd.enisa.europa.eu/
- What are relevant CISA CVEs? https://www.cisa.gov/known-exploited-vulnerabilities-catalog
- What CIS18 controls are relevant for the above tasks? https://www.cisecurity.org/controls
- What tasks should I execute on my XDR solution to reduce the possibility of exploitation?
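One way the CTI-to-KEV correlation step walked through above could be scripted, as an added example (not I4C+, MISP or Mistral code): it pulls CVE ids out of a constructed MISP event export, matches them against a constructed KEV-style snapshot, and emits the prioritised XDR task list in the order the session arrived at (KEV hits first, unmatched ids flagged for EUVD / vendor review). The MISP and KEV field names are assumptions about those JSON layouts, and every value is sample data.

```python
import json
import re

CVE_RE = re.compile(r"CVE-\d{4}-\d{4,}", re.IGNORECASE)

# Constructed MISP event excerpt in MISP's JSON export layout (Event -> Attribute[]).
# CVE-2025-58034 is the id quoted in the newsletter; CVE-2025-00001 is a placeholder.
MISP_EVENT = json.loads("""
{"Event": {"info": "Constructed sample event", "Attribute": [
  {"type": "vulnerability", "value": "CVE-2025-58034"},
  {"type": "comment", "value": "Report text also mentions cve-2025-00001"},
  {"type": "ip-dst", "value": "192.0.2.10"}
]}}""")

# Constructed KEV-style snapshot. Field names follow the public CISA KEV JSON feed;
# the values (due date, ransomware flag) are placeholders, not the real entry.
KEV_SNAPSHOT = json.loads("""
{"vulnerabilities": [
  {"cveID": "CVE-2025-58034", "vendorProject": "Fortinet", "product": "FortiWeb",
   "vulnerabilityName": "Fortinet FortiWeb OS Command Injection",
   "dueDate": "2025-12-01", "knownRansomwareCampaignUse": "Unknown"}
]}""")

def extract_cves(event):
    """Unique, upper-cased CVE ids from every attribute value (any attribute type)."""
    found = set()
    for attr in event["Event"].get("Attribute", []):
        found.update(m.upper() for m in CVE_RE.findall(attr.get("value", "")))
    return sorted(found)

def correlate_with_kev(cves, kev):
    """Map each CVE id to its KEV entry, or None when it is not in the catalog."""
    index = {v["cveID"].upper(): v for v in kev["vulnerabilities"]}
    return {cve: index.get(cve) for cve in cves}

def hunting_tasks(correlation):
    """KEV hits first (earliest remediation due date first), then unmatched ids."""
    tasks = []
    hits = [(c, e) for c, e in correlation.items() if e]
    for cve, e in sorted(hits, key=lambda ce: ce[1].get("dueDate", "9999-12-31")):
        tasks.append(f"PRIORITY: hunt assets running {e['vendorProject']} {e['product']} "
                     f"for {cve} ({e['vulnerabilityName']}); CISA due date {e['dueDate']}")
    for cve, e in correlation.items():
        if e is None:
            tasks.append(f"REVIEW: {cve} not in KEV snapshot; check EUVD / vendor advisory")
    return tasks

if __name__ == "__main__":
    for line in hunting_tasks(correlate_with_kev(extract_cves(MISP_EVENT), KEV_SNAPSHOT)):
        print(line)
```

The asset inventory gap discussed above is exactly where this stops: the script can tell you which CVEs to hunt for, not which hosts run the affected product.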
New questions for next week: How to enrich the results with manually generated / downloaded content from https://openssam.enisa.europa.eu/ (includes results from Web, Dark Web, News, Forums, ENISA Reports, ENISA Recommendations, Cybersecurity agencies, Cybersecurity publications, Telegram, Reddit, Sina Weibo, ENISA OSINT, Vendor newsletters, and Mastodon).
The above will then need to be reflected upon to decide where automation could best support the standard process for managing a cyber threat notification. That process follows a structured incident response lifecycle, widely adopted by organisations to ensure timely and effective handling of cybersecurity incidents. Here is a summary of the key steps, based on best practices and frameworks such as NIST, ISO/IEC 27035, and ENISA guidelines:
1. Preparation:
   - Establish Policies and Procedures: Define roles, responsibilities, and communication channels for incident response.
   - Train Staff: Ensure all relevant personnel are trained in incident response and threat detection.
   - Deploy Tools: Implement monitoring, detection, and response tools (e.g., SIEM, EDR, firewalls).
   - Threat Intelligence: Subscribe to threat feeds and share information with trusted partners (e.g., ISACs, CERTs).
2. Detection and Reporting:
   - Identify Threats: Use monitoring tools to detect anomalies or indicators of compromise (IoCs).
   - Initial Triage: Assess the credibility and severity of the threat notification.
   - Reporting: Notify the incident response team (IRT) or relevant stakeholders using predefined channels.
3. Analysis:
   - Validate the Threat: Confirm whether the notification is a false positive or a genuine threat.
   - Scope the Incident: Determine the affected systems, data, and potential impact.
   - Forensic Analysis: Collect and analyze logs, network traffic, and other evidence to understand the attack vector and scope.
4. Containment:
   - Short-term Containment: Isolate affected systems to prevent further damage (e.g., disconnect from the network, disable accounts).
   - Long-term Containment: Implement patches, updates, or configuration changes to mitigate the threat.
5. Eradication:
   - Remove Threats: Eliminate malware, backdoors, or other malicious artifacts from systems.
   - Address Vulnerabilities: Patch or remediate the vulnerabilities that allowed the incident to occur.
6. Recovery:
   - Restore Systems: Bring affected systems back online in a secure manner, ensuring data integrity and availability.
   - Monitor: Closer monitoring of recovered systems to detect any signs of reinfection or residual threats.
7. Post-Incident Review:
   - Lessons Learned: Conduct a post-mortem to analyze what happened, why it happened, and how to prevent recurrence.
   - Documentation: Update incident response plans, policies, and procedures based on findings.
   - Communication: Share lessons learned with stakeholders and, if appropriate, with the broader cybersecurity community.
8. Compliance and Reporting:
   - Regulatory Reporting: If required, report the incident to regulatory bodies or affected parties (e.g., GDPR, NIS2, sector-specific regulations).
   - Stakeholder Communication: Inform internal and external stakeholders as needed, following communication plans.
Please remember, if you want to join us on this path, to set up the same software (https://www.misp-project.org/) and then connect it to that central instance. In the first phase pilots will be able to PULL CTI, in the second phase they will PUSH CTI (meeting whatever legal boundaries they are subject to), and in a third phase we would look at using Mistral AI to automate a variety of processes. There will also be a library of relevant information for Mistral AI to draw upon to enrich data. Let me know if you are interested in joining – looks like there is some momentum building. Note the many interesting communities already hosted there: https://www.misp-project.org/communities/.
New Working Groups? A colleague shared some further details on themes we could/should be looking at moving forward which you might find interesting:
“1. Total Cost of Ownership (TCO) for Cybersecurity in Public Procurement: As highlighted during the ISAC meeting in Athens and in ENISA’s “Threat Landscape for Public Administrations 2024” report, fragmented budget structures often lead to short-term savings but long-term vulnerabilities. A mandatory TCO model for cybersecurity could be introduced in EU public procurement, ensuring that the lifecycle costs of incidents, patches, and reputational damage are considered. The Danish case of unsafe electric buses illustrates how “cheap” procurement can generate disproportionate remediation costs. Regulatory reference: the NIS2 Directive (EU 2022/2555) requires risk-based approaches; incorporating TCO would operationalize this requirement.
2. European Salary Benchmarking System for Cybersecurity Professionals: As highlighted in your update, low salaries and “weekend certificates” undermine the ability of public administrations to attract and retain qualified personnel. An EU-wide salary benchmarking framework for cybersecurity roles in public administrations could be established, in line with the Digital Europe Programme (DEP) and the Cyber Skills Academy. The ISC2 initiative, which has trained over 24,000 professionals in Europe, demonstrates the scale of demand; without competitive salaries, retention remains impossible. Legislative reference: the NIS2 Directive explicitly requires adequate staffing and skills. Salary benchmarking would ensure transparency and help prevent talent drain to the private sector.
3. Mandatory “Cyber Safe EU” certification for digital assets in public administrations: Many “EU products” are assembled with non-EU components, creating hidden risks. A binding “Cyber Safe EU” certification could be introduced for all digital assets acquired by public administrations, building on the Cybersecurity Act (EU 2019/881) and the Cyber Resilience Act (EU 2024/2847). A public evaluation system for certified suppliers could incentivize security-by-design practices and reduce systemic vulnerabilities. Regulatory framework: ENISA already develops certification systems for ICT; extending them to public procurement would ensure supply chain transparency.
4. Cross-sectoral manual for public administrations: Your reflections on the Financial Services ISAC and the Phalanx simulation highlight the value of structured manuals. A cross-sectoral manual for cyber incident management, tailored for public administrations, could be developed, drawing lessons from the most mature ISACs (finance, aviation, healthcare). A manual could be piloted during Cyber Europe 2026 and refined in a dedicated Cyber Europe 2028 exercise focused on public administrations. Normative reference: ENISA’s Cyber Europe 2024 post-action report already highlights the importance of coordinated response frameworks.”
As mentioned last week, please let me know if any of the above topics strike your interest.
On Thursday the eIDAS webinar took place with 17 participants – very interesting, and I will share the slides as soon as they are available.
Cheers,
Oliver
| In the News |
- Tuscany & Brittany Region invite to webinar on AI on 26 November – the webinar on “AI & Cybersecurity in regional and Local Authorities”, taking place on the 26th of November from 09:30 to 11:00. This session is a part of the Cyber Resilient Regions Community (CRR) initiative co-organized by ECSO with the Tuscany Region, Major Cities of Europe, and EU City ISAC I4C+. To register, please find the event page here. The session aims to provide clear, non-technical insights into the risks and opportunities of AI in cybersecurity, highlighting practical experiences and best practices to help Regional and Local authorities strengthen their cyber resilience. This webinar is open to all – regional authorities, companies, start-ups (technical teams / decision makers / topic-based – cyber enthusiasts).
| ISAC Services (Member Funded) |
We have published our services at Services Offered – EU ISAC for Cities (isac4cities.eu). Please do review and consider reaching out to include such in your activities and budgets.
Note that emerging new services are related to managing the MISP platform (and onboarding) plus Barista.
Please remember you can reach the whole group via city-isac-i4c-tlpwhite@majorcities.eu. A dedicated group for those cities signing the NDAs is available separately.
Also note our LinkedIn organisational page at https://www.linkedin.com/company/eu-city-information-sharing-and-analysis-center-isac/ and our discussion group at https://www.linkedin.com/groups/12773643/. Do follow us / join.
Join our weekly Friday morning coffee chats from 9am-10am CET – feel free to come in your pyjamas. Let me know if you are missing an invite and I will send.
Thank you for the support, your City ISAC I4C+ Team.
Cheers and ever onwards
Oliver
Innovating our Future… Together
Chair City ISAC I4C+ / Dr. Oliver Schwabe.
Email: oliver.schwabe@isac4cities.eu Mobile: +49 (0) 1709053671. Web: https://i4c.isacs.eu/ & https://www.majorcities.eu/isac-for-cities-plus/