CSIRT Description for AndalucíaCERT
------------------------------------

1 About this document

This document contains a description of AndalucíaCERT in accordance with RFC 2350. It provides basic information about the AndalucíaCERT team, its channels of communication, and its roles and responsibilities.

1.1 Date of Last Update

This is version 8, published in November 2022.
Internal ID: CERT-CFG-001-07

1.2 Distribution List for Notifications

Notifications of updates are sent to our constituency through our mailing list:
consultas.cert [at] juntadeandalucia.es
and via the AndalucíaCERT website:
https://andaluciacert.juntadeandalucia.es

Subscription requests for these bulletins must be made by sending an email to:
consultas.cert [at] juntadeandalucia.es

This mailing list is moderated.

1.3 Locations where this Document May Be Found

The current version of this CSIRT (Computer Security Incident Response Team) description document is available on the AndalucíaCERT website:
https://andaluciacert.juntadeandalucia.es
or by asking for it by email at:
consultas.cert [at] juntadeandalucia.es

Please make sure you are using the latest version.

1.4 Authenticating this Document

This document has been signed with the AndalucíaCERT PGP key included in section 2.7.

2 Contact Information

2.1 Name of the Team

"AndalucíaCERT" (Centro de Seguridad TIC de Andalucía): ICT Security Center for Andalusia (Spain)

2.2 Address

AndalucíaCERT - Centro de Seguridad TIC de Andalucía
Sociedad Andaluza para el Desarrollo de la Sociedad de la Información, S.A.U.
Agencia Digital de Andalucía - Junta de Andalucía
Avda. De la Arboleda s/n
41940 - Tomares (Sevilla)
Spain

2.3 Time Zone

Central European Time - CET (GMT+01:00, and GMT+02:00 from April to October).

2.4 Telephone Number

+34 955 060 974
Available 24x7x365.
2.5 Facsimile Number

None

2.6 Other Telecommunication

None

2.7 Electronic Mail Address

Please report security incidents to:
atencion.cert [at] juntadeandalucia.es

For any other issue (e.g. general purposes, other services, contacting CERT representatives, subscribing to CERT services, etc.) please use:
consultas.cert [at] juntadeandalucia.es

2.8 Public Keys and Other Encryption Information

AndalucíaCERT uses PGP for encryption and signing. The PGP keys and their signatures can be found on the usual large public keyservers.

2.9 Team Members

No information is provided in public.

2.10 Other Information

General information about AndalucíaCERT, as well as links to various security resources and services, can be found on our website:
https://andaluciacert.juntadeandalucia.es

Please note that our website has a private zone that is only accessible from the intranet of Junta de Andalucía, so external users can also ask for information by sending an email to:
consultas.cert [at] juntadeandalucia.es

2.11 Points of Customer Contact

The preferred method for contacting AndalucíaCERT is via e-mail at all times, using the email addresses included in section 2.7. E-mails sent to these addresses will be acted upon by the officer on duty during business hours, and normally responded to before the next business day.

If it is not possible (or not advisable for security reasons) to use e-mail, or if you require urgent assistance, AndalucíaCERT can be reached by telephone (please refer to Sections 2.4, 2.5 and 2.6 for contact details).

If possible, when submitting your report, please use the template mentioned in Section 6.

2.12 Operating hours

For urgent assistance on security incidents AndalucíaCERT provides a 24x7x365 service. Otherwise, the AndalucíaCERT hours of operation are 12x7x365 (7.00-19.00 Monday to Sunday, including holidays). Consultations about services will be attended in office hours (7.00h-19.00h Monday to Friday).
3 Charter

3.1 Mission Statement

AndalucíaCERT aims at the early detection of security incidents affecting the Regional Government of Andalusia organizations, as well as the coordination of incident handling with them. Proactive measures are in constant development, involving timely warning of potential problems, technical advice, security education and related services.

3.2 Constituency

AndalucíaCERT provides incident response and security services to Regional Government of Andalusia organizations. Please note that some of these services require prior subscription by the organization. Besides, some proactive and educational material will also be provided to other third parties, IT specialists and the general public.

3.3 Sponsorship and/or Affiliation

AndalucíaCERT is sponsored by Junta de Andalucía, the Regional Government of Andalusia.

3.4 Authority

AndalucíaCERT operates under the auspices of Junta de Andalucía, the Regional Government of Andalusia. AndalucíaCERT is not an authoritative body. AndalucíaCERT expects to work cooperatively with the organizations within the Regional Government of Andalusia. Each constituent is responsible for its own assets and information. However, and according to the AndalucíaCERT general policies, should circumstances warrant it, AndalucíaCERT has the authority to take the measures it deems appropriate to properly handle a computer security related incident.

Enrolled organizations who wish to appeal the actions of AndalucíaCERT should contact the Technical Manager in the first instance. If this recourse is not satisfactory, the matter may be referred to the AndalucíaCERT Chair.

4 Policies

4.1 Types of Incidents and Level of Support

AndalucíaCERT is authorized to address all types of computer security incidents which occur, or threaten to occur, at its constituency. AndalucíaCERT may act upon request of one of its constituents, or may act if a constituent is, or threatens to be, involved in a computer security incident.
The level of support given by AndalucíaCERT will vary depending on the type and severity of the incident or issue, the type of constituent, the size of the user community affected, and the availability of AndalucíaCERT resources at the time, though in all cases some response will be made within one working day. Resources will be assigned according to the priority criteria recommended in the CCN-CERT guide CCN-STIC-817 (Common criteria for Security Incident Management within the Spanish Public Administration and eGovernment entities), available at https://www.ccn-cert.cni.es/guias/guias-series-ccn-stic.html. Special attention will be given to issues affecting critical infrastructure.

Types of incidents other than those included in guide CCN-STIC-817 will be prioritized according to their apparent severity and extent. These incidents will be assessed as to their relative severity at AndalucíaCERT's discretion.

Each organization within the Regional Government of Andalusia that subscribes to the AndalucíaCERT services will nominate at least one Liaison Officer (and a substitute), who will act as representative between the organization and AndalucíaCERT. AndalucíaCERT will generally only support the Liaison Officer, who is expected to coordinate and work cooperatively with the IT administrators, security personnel and end-users within his/her organization. End-users can report security incidents directly to AndalucíaCERT, but no direct support will be given to them, as they are expected to contact their liaisons, system administrators, security personnel, or department head for assistance.

While AndalucíaCERT understands that there is a wide range in the expertise level of liaisons at its constituency, and while AndalucíaCERT will endeavour to present information and assistance at an appropriate level to each person, AndalucíaCERT cannot train liaisons or system administrators on the fly, and it cannot perform system maintenance on their behalf.
Nevertheless, in most cases AndalucíaCERT will provide pointers to the information needed to implement appropriate measures.

AndalucíaCERT is committed to keeping its constituency informed of potential vulnerabilities and, where possible, will inform these communities of such vulnerabilities before they are actively exploited.

4.2 Co-operation, Interaction and Disclosure of Information

AndalucíaCERT will cooperate with other organizations and third parties (e.g. other national/international CSIRTs, vendors and manufacturers, security experts, the computer security community, etc.) in the field of computer security. A special collaborative relationship has been established with CCN-CERT, the CSIRT of the Spanish Governmental National Cryptology Center.

This cooperation with third parties will always be aimed at managing and/or preventing security incidents, and/or improving the capabilities, training and knowledge of AndalucíaCERT (or the security community). Obviously, it is important to note that this cooperation also includes, and often requires, the exchange of information regarding security incidents and vulnerabilities. Nevertheless, AndalucíaCERT will protect the privacy of its constituency, and therefore will pass on information in an anonymized way only. Unless explicitly authorized, the identity or vital information of victims of computer security incidents will not be divulged.
AndalucíaCERT operates under the restrictions imposed by the law of the Spanish Data Protection Authority, the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and the Directive (EU) 2016/680 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data by competent authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, and on the free movement of such data. Therefore, it is also possible that AndalucíaCERT may be forced to disclose information due to a Court's order.

4.3 Communication and Authentication

In view of the types of information that AndalucíaCERT will likely be dealing with, telephone will be considered sufficiently secure to be used even unencrypted. Unencrypted e-mail will not be considered particularly secure, but will be sufficient for the transmission of low-sensitivity data. If it is necessary to send highly sensitive data by e-mail, PGP will be used. Network file transfers will be considered to be similar to e-mail for these purposes: sensitive data should be encrypted for transmission.

Where it is necessary to establish trust, for example before relying on information given to AndalucíaCERT, or before disclosing confidential information, the identity of the other party will be ascertained to a reasonable degree of trust. Within the constituency, and with known neighbour sites, referrals from known trusted people will suffice to identify someone. Otherwise, appropriate methods will be used, such as call-back, mail-back or even a face-to-face meeting if necessary, to ensure that the party is not an impostor.
Incoming e-mail whose data must be trusted will be checked with the originator personally, or by means of digital signatures using PGP.

5 Services

5.1 Incident Response

AndalucíaCERT will assist its constituency in handling the technical and organizational aspects of incidents. In particular, it will provide assistance or advice with respect to the following aspects of incident management:

5.1.1 Incident Triage

- Investigating whether indeed an incident occurred.
- Determining the extent of the incident.
- Determining the initial relevance and prioritization of the incident.
- Determining the affected Andalusian organization.

5.1.2 Incident Coordination

- Determining the initial cause of the incident (vulnerability exploited).
- Contacting the Liaison Officers of the involved Andalusian organizations.
- Facilitating contact with other sites which may be involved.
- Facilitating contact with appropriate security teams, and/or other third parties which can help mitigate and/or solve the incident.
- Making reports to other CSIRTs.
- Composing announcements to constituents and/or their end-users, if applicable.

5.1.3 Incident Resolution

- Technical assistance to resolve the incident. This may include analysis of compromised systems.
- Forensic analysis of affected devices under recommended circumstances.
- Malware analysis through static and dynamic artifact exploration.
- Recommendations on eradication or elimination of the cause of a security incident (the vulnerability exploited) and its effects.
- Recommendations about restoring affected systems and services to their previous status.
- Recovery aid in returning systems back to normal operation, including onsite assistance.
- Recommendations on securing the system to prevent future incidents.

AndalucíaCERT will collect statistics concerning incidents which occur within or involve its constituency and will notify the community as necessary to assist it in protecting against known attacks.
5.2 Proactive Services

Proactive services provide means to reduce the number of actual incidents by giving proper and suitable information concerning potential incidents to the constituency. AndalucíaCERT coordinates and maintains the services below to the extent possible depending on its resources. For further information regarding these services, along with instructions for subscribing and joining mailing lists, please send an email to AndalucíaCERT (see section 2.7), or visit the AndalucíaCERT website.

5.2.1 Monitoring of ICT infrastructures for security alerts / incidents

AndalucíaCERT will use specialized tools (e.g. SIEM) or expertise to detect attacks in the ICT infrastructures of the constituents subscribed to the service, and forward the alerts / incidents to the Liaison Officer of the organization.

5.2.2 Threat hunting

AndalucíaCERT proactively searches for traces of threats or undiscovered incidents in its constituents. The service is based on the identification of specific tactics and techniques used by threat actors.

5.2.3 Threat intelligence

The intelligence gathered by AndalucíaCERT is analysed, stored, managed and shared with the constituents. The data is offered not only in the form of Indicators of Compromise (IOC) but also as Snort rules for direct deployment into detection devices.

5.2.4 Traps programme

AndalucíaCERT performs advanced detection by deploying traps in the form of services, in order to identify and gather information on prospective attackers. To that aim, a specific spamtrap programme and honeynet are distributed among its constituents.

5.2.5 Endpoint protection

AndalucíaCERT addresses protection against ransomware by distributing a specific ransomware vaccine deployment tool. The alerts raised by the vaccine agent are also monitored and handled accordingly.

5.2.6 Vulnerability Analysis and Management

AndalucíaCERT will assist its constituency in the discovery of, and reaction to, new vulnerabilities in its ICT infrastructures.
This objective is covered through different activities:

- Automatic vulnerability scans
- Specific application or system audit using black, grey or white box techniques
- Vulnerability lifecycle follow-up

5.2.7 Security warnings, alerts and announcements

AndalucíaCERT will provide its constituency, through the Liaison Officers' email and the AndalucíaCERT website, with information about ongoing attacks that might affect other constituents, security vulnerabilities, security alerts in the general sense, and short-term recommended actions to deal with the resulting problems.

5.2.8 Security awareness

AndalucíaCERT will provide its constituency with periodic bulletins and news related to security best practices, tips & tricks, documentation and tools, links to security related sites, recommendations, etc. The information will be sent by email to the Liaison Officers, and will also be available on the AndalucíaCERT website.

5.2.9 Training

AndalucíaCERT will offer its constituency a training programme focused on building key cybersecurity capabilities. The programme will be implemented through massive online courses on AndalucíaCERT's own platform, webinars and on-site courses. The courses and their respective calls will be announced on the AndalucíaCERT website.

5.2.10 Cyberexercises and cybersimulations

AndalucíaCERT offers periodic cyberexercises to its constituents in order to test and improve their capabilities in a crisis situation. There are three types of cyberexercises in scope, addressing awareness, decision making and technical analysis of an incident.

5.2.11 Archiving services and Statistics

Records of handled security incidents will be kept. While this information will remain confidential, periodic statistical reports will be made available to the constituency in an anonymous way.

6 Incident Reporting Forms

Use the following template and send it by email to the appropriate email address of AndalucíaCERT (see section 2.7).
This is the preferred way to report a computer security incident. Please provide as much detail as possible and attach any relevant file (log, email, image, etc.):

=================================================================
INCIDENT REPORT

- Type of incident detected (Phishing, Malware, DDoS, Unauthorized use/access...):

- Incident Details (Provide a short description of the incident):

- When was this incident detected? (Provide datetime and timezone):

- How was this incident detected? (Provide a short description, and whether this incident is related to a previous one):

- Have you taken any action to contain, mitigate and/or resolve this incident? If so, which ones?:

- Have you reported this incident to other individuals or organizations?:

Complete the following information about the affected system and the attacker host.

--- Affected System (Duplicate if needed) ---
Hostname:
Domain:
IP Address:
Port:
Operating System:
Primary purpose of the affected system (Workstation, Web/DNS/FTP/Application/Database server, Router, Firewall...):
Relevance/criticality of the affected system, if known (critical / very high / high / medium / low):
Level of security of the affected system, if known (system is/is not patched, ...):
--- End Affected System ---

--- Attacker Host (Duplicate if needed) ---
Hostname:
Domain:
IP Address:
Port:
Protocol:
--- End Attacker Host ---
=================================================================

7 Disclaimers

While every precaution will be taken in the preparation of information, notifications and alerts, AndalucíaCERT assumes no responsibility for errors or omissions, or for damages resulting from the use of the information contained within.