RFC 2350 S-CSIRT
TLP: WHITE - Public Distribution

1. Document Information

1.1. Date of Last Update
This is version 1.0, published on May 10, 2022.

1.2. Distribution Lists
There is no specific distribution channel. Changes are announced on the Seresco website (https://r2sc.com/es/CSIRT).

1.3. Document Location
The latest version of this document is published at https://r2sc.com/es/CSIRT.

1.4. Authentication of the Document
This document has been digitally signed with S-CSIRT's PGP key. The signatures are also available on the S-CSIRT website (https://r2sc.com/es/CSIRT/claves-publicas).

2. Contact Information

2.1 Name of the Team
S-CSIRT: Seresco's Computer Security Incident Response Team.

2.2 Address
S-CSIRT, Seresco
Santa Susana 14
33007 Oviedo (Asturias)
Spain

2.3 Time Zone
Central European Time - CET (GMT+0100, and GMT+0200 during DST).

2.4 Telephone Number
+34 985 235 364 (available during working hours, from 8 AM to 6 PM).

2.5 Fax Number
Not available.

2.6 Other Telecommunications
Videoconference options available.

2.7 Electronic Mail Address
- csirt@seresco.es: the address for reporting information security incidents and vulnerabilities.
- csirt.noreply@seresco.es: the address the team uses to send security alerts to its constituents. Do not use this address to contact the team or to share information with it.

2.8 Public Keys and Encryption Information
S-CSIRT uses the following PGP key for the csirt@seresco.es address:
Key ID: 0xFD9E0317
Fingerprint: 4D88 2CC0 001C 7D97 A146 F5B6 CC50 F299 FD9E 0317
The key and its signature can be found on the S-CSIRT website: https://r2sc.com/es/CSIRT/claves-publicas
The csirt.noreply@seresco.es address has an S/MIME certificate used to sign and encrypt outgoing information.

2.9 Team Members
Not publicly disclosed.
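The key data in section 2.8 can be checked for internal consistency before a downloaded key is trusted. The following Python script is an added example and is not part of the original S-CSIRT document; it uses only the Key ID and fingerprint printed above and assumes a v4 OpenPGP key (a 40-hex-digit SHA-1 fingerprint, which is what the published value is). It does not fetch or import the key: the real check is to import the key from https://r2sc.com/es/CSIRT/claves-publicas and compare the full fingerprint shown by `gpg --fingerprint` against the one published here, not just the 32-bit short key ID, which is trivially collidable.

```python
"""
Consistency check for the S-CSIRT PGP key data published in section 2.8.

Added example, not part of the original RFC 2350 document. It checks that
the advertised fingerprint is a well-formed OpenPGP v4 fingerprint and that
the advertised short Key ID is the one that fingerprint implies. It does not
retrieve or import the key itself.
"""
import re

# Values copied from section 2.8 of the document.
KEY_ID = "0xFD9E0317"
FINGERPRINT = "4D88 2CC0 001C 7D97 A146 F5B6 CC50 F299 FD9E 0317"


def normalize_fingerprint(fpr: str) -> str:
    """Strip whitespace and case; require a 40-hex-digit (SHA-1, v4) fingerprint."""
    fpr = re.sub(r"\s+", "", fpr).upper()
    if not re.fullmatch(r"[0-9A-F]{40}", fpr):
        raise ValueError(f"not a v4 OpenPGP fingerprint: {fpr!r}")
    return fpr


def long_key_id(fpr: str) -> str:
    """Long (64-bit) key ID: the low 16 hex digits of a v4 fingerprint."""
    return normalize_fingerprint(fpr)[-16:]


def short_key_id(fpr: str) -> str:
    """Short (32-bit) key ID: the low 8 hex digits. Collidable; never trust it alone."""
    return normalize_fingerprint(fpr)[-8:]


def key_id_matches(advertised: str, fpr: str) -> bool:
    """Accept an 8- or 16-hex-digit key ID (optional 0x prefix) and compare it to fpr."""
    kid = re.sub(r"\s+", "", advertised).upper()
    if kid.startswith("0X"):
        kid = kid[2:]
    if not re.fullmatch(r"[0-9A-F]{8}|[0-9A-F]{16}", kid):
        raise ValueError(f"not an OpenPGP key ID: {advertised!r}")
    return normalize_fingerprint(fpr).endswith(kid)


def check_published_key() -> dict:
    """Return the IDs derived from the published fingerprint and the consistency result."""
    return {
        "fingerprint": normalize_fingerprint(FINGERPRINT),
        "long_id": long_key_id(FINGERPRINT),
        "short_id": short_key_id(FINGERPRINT),
        "key_id_consistent": key_id_matches(KEY_ID, FINGERPRINT),
    }


if __name__ == "__main__":
    for name, value in check_published_key().items():
        print(f"{name}: {value}")
```

Run the script directly to print the derived IDs. When accepting the key into a keyring, match on the full 40-digit fingerprint; the Key ID 0xFD9E0317 is only its last 8 hex digits and serves as a label, not as proof of identity.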
2.10 Other Information
Information about the services provided by S-CSIRT, and by the security team in general, can be found on the website: https://r2sc.com

2.11 Points of Customer Contact
The preferred method for reporting a computer security incident is the email address given in section 2.7. If possible, use the template given in section 6 for the report.

2.12 Operating Hours
The incident response team is available at the following times:
- Service inquiries: office hours (9:00 - 18:00 CET from October to May and 8:00 - 15:00 CET from June to September).
- Incident detection, treatment and response: 24x7, subject to the contractual provisions established with S-CSIRT constituents.
- Incident notifications from third parties outside the constituency: office hours (9:00 - 18:00 CET from October to May and 8:00 - 15:00 CET from June to September), via the email address csirt@seresco.es.

3. Charter

3.1 Mission Statement
S-CSIRT was created with a dual objective: to offer information and assistance to Seresco personnel (in this sense it is an internal CSIRT) and to the organizations that hire its services (in this sense it is a commercial CSIRT), in order to reduce the risk of computer security incidents and to respond to such incidents when they occur. To fulfil this mission it offers detection services such as event monitoring and management, prevention services such as vulnerability management and awareness, and incident management, response and recovery.

3.2 Constituency
S-CSIRT's constituency is its customer base. The list of clients is not public; it is kept confidential under the clients' contracts. S-CSIRT is also the internal CSIRT of the company.

3.3 Sponsorship and/or Affiliation
S-CSIRT is part of the company Seresco, S.A.
Seresco is a Spanish company dedicated to the development of software solutions and the provision of services in the field of Information and Communication Technologies (ICT), with more than 50 years of experience in the sector.

3.4 Authority
As a commercial CSIRT, S-CSIRT operates under the contractual agreements established with its customer base.

4. Policies

4.1 Types of Incidents and Level of Support
The security incidents managed by S-CSIRT are classified as:
- Malware
- Availability
- Information gathering
- Intrusion attempts
- Intrusion
- Information compromise
- Fraud
- Harmful content
- Policy violations
- APTs

S-CSIRT may act upon request of one of its constituents, or on its own initiative when one of its constituents is involved in a computer security incident. The level of support varies with the severity of the incident and its potential impact, and is also determined by the contractual agreements established with the constituent. Where S-CSIRT does not operate the relevant control systems, it collaborates with the client's IR or IT teams.

4.2 Co-operation, Interaction and Disclosure of Information
S-CSIRT considers coordination and information exchange with other CSIRTs to be of vital importance, since this cooperation improves the effectiveness and efficiency of cybersecurity incident resolution. The team operates under the restrictions of the GDPR and of Ley Orgánica 3/2018, de 5 de diciembre, de Protección de Datos Personales y garantía de los derechos digitales. S-CSIRT is willing to collaborate with the authorities whenever required.

4.3 Communication and Authentication
The main means of communication is encrypted email, using the addresses given in section 2.7 and the keys given in section 2.8. In addition, S-CSIRT recognizes and follows the FIRST Traffic Light Protocol (TLP) for the exchange of information.

5. Services

5.1 Monitoring
The scope of this area includes the monitoring, analysis and identification of information related to security incidents, based on the correlation of security events originating from a variety of data sources. The SOC team identifies information related to potential incidents by applying detection rules, pattern searches, anomaly detection based on machine learning techniques, and threat intelligence and threat detection techniques to the events and traces of actions generated by the devices of the analyzed systems. This information is processed by an architecture built around a SIEM system, which natively supports the integration of heterogeneous information sources and the configuration of detection rules based on both pattern matching and modeling, as well as the identification of anomalies. The SIEM is complemented by other platforms for the management of events and alerts, and for the study and handling of use cases related to threats and potential incidents.

5.2 Incident Response
Incident management is the core of the CSIRT's services. Its main functions include handling the incident notifications that potential clients and third parties may submit, and managing the incidents detected by the CSIRT itself through its monitoring functions. The scope also covers the analysis and evaluation of the information received, as well as all investigation, coordination and response functions. Collaboration with other CSIRTs is taken into account, as is the support of organizations in a crisis situation. All the services and functions in this area correspond to the phases of the general procedure designed by S-CSIRT for the management of information security incidents.

In relation to this area, the services offered by S-CSIRT are:
- Acceptance of information security incident reports: receipt of incident reports; processing and triage of incidents.
- Analysis of information security incidents: triage (prioritization and categorization); collection of information; coordination of detailed analysis; root cause analysis; cross-incident correlation.
- Analysis of evidence.
- Mitigation and recovery: establishment of the response plan; ad hoc measures and containment; system restoration; support to other parties involved in the incident.
- Coordination of information security incidents: communication; distribution of notifications; distribution of relevant information; coordination of activities; reporting; communication with the media.
- Support in crisis management: distribution of information to customers; reporting on the information security status; communication of strategic decisions.

5.3 Vulnerability Management
The scope of this area includes services related to the detection, reporting, management and response to vulnerabilities, whether reported by third parties or found by other services of the CSIRT. In relation to this area, the services offered by S-CSIRT are:
- Discovery / investigation of vulnerabilities: detection of vulnerabilities during incident response; detection of vulnerabilities through public sources.
- Acceptance of vulnerability reports: receipt of vulnerability reports; triage and processing of vulnerability reports.
- Vulnerability analysis: triage of vulnerabilities (assessment and categorization); root cause analysis; development of vulnerability remediation.
- Disclosure of vulnerabilities: vulnerability disclosure and infrastructure maintenance policy; announcement/communication/dissemination of vulnerabilities; post-disclosure feedback.
- Vulnerability response: detection / scanning of vulnerabilities; ethical hacking and pentesting; remediation of vulnerabilities.

It must be borne in mind that these services are limited to the scope of responsibility and the capabilities of the CSIRT: the discovery and investigation of vulnerabilities focuses on those obtained from third parties or public sources, and notifications are sent to the affected customers themselves and in no case to the vendors or developers of the affected products.

5.4 Awareness
This service is offered by the CSIRT to help customers analyze the strengths and weaknesses of their implemented security measures by putting them to the test. To this end, the service proposes the execution of cyber exercises that test both organizational measures (procedures and policies) and technical measures.

5.5 Consulting and Auditing
The scope of this area is to carry out an analysis that shows precisely the cybersecurity posture of our clients, to prepare a report that includes an action plan and a roadmap with possible improvements and recommendations, and to support compliance with other reference frameworks and security standards.

6. Incident Reporting Forms
Incidents can be reported by sending an email to the address given in section 2.7. A notification must include at least the following information:
- Affected organization.
- Contact: person, email and telephone.
- When the incident was detected.
- Category/type of incident, according to the categories listed in section 4.1.
- Incident details: a short description of the incident.

7. Disclaimers
While every precaution will be taken in the preparation of information, notifications and alerts, S-CSIRT assumes no responsibility for errors or omissions, or for damages resulting from the use of the information contained herein.