Spanish National Cyber Exercise
with the Financial Sector
48th TF-CSIRT meeting – 13th May 2016 – Riga
Javier Berciano
2013
New National Security Strategy
Objective: guarantee a secure use
of the networks and information
systems
National Security Strategy
Identifies risks from cyberspace as the main risks for the security of Spain
Strategy: strengthening prevention,
detection and defence capacities
against cyber-attacks
Partnership Framework Agreement
State Secretariat for Security
Secretary of State for Telecommunications and the Information Society
National Centre for Critical Infrastructure Protection + National Cybersecurity Institute = CERTSI
2012 Partnership Framework Agreement in Cybersecurity:
Impulse, coordination and supervision
of all policies and activities related to
the protection of critical infrastructures
Development of cybersecurity and of the digital
confidence of citizens, of the Spanish research and
academic network (RedIRIS) and of businesses in
strategic sectors.
A benchmark for the technical resolution of
cybersecurity incidents that affect essential services
Security and Industry CERT (CERTSI)
Prevention, Mitigation, Response
Critical infrastructure operators, companies, citizens, research and academic network
Cyber Coordination Office
Technical coordinating body of the Ministry of the Interior
It guarantees the liaison and the technical coordination necessary for efficiently
accomplishing the tasks that the different bodies carry out in the area of
cybersecurity
CyberEx
Formats
Procedural formats
Simulation
• Focus: test procedures and capacities
• Roles involved: managers and technicians
• Location/Size: variable
• Duration and time: one day
Role-play
• Focus: test decision making
• Roles involved: managers and senior management
• Location/Size: variable
• Duration and time: one day
Technical formats
Red/Blue Team
• Focus: test defence capacities
• Roles involved: technicians
• Location/Size: variable
• Duration and time: one day
Continued attack
• Focus: test resistance to attacks
• Roles involved: all, mainly technicians
• Location/Size: variable
• Duration and time: several consecutive days
Analysis
• Focus: train technical capacities
• Roles involved: technical team
• Location/Size: variable
• Duration and time: one day
CYBEX 2012
• 5 players
• Heterogeneous, multiple sectors
• Simulation of a technical attack on perimeter services
• Evaluation of technical and organisational capacities
CyberEx 2013
• Heterogeneous, multiple sectors
• Simulation and a technical attack on the perimeter and WiFi
• Evaluation of technical and organisational capacities
• Simulation of technical analysis of an incident
CyberEx 2014
• 15 players
• Aimed at strategic operators.
• General simulations, operational and technical.
CyberEx 2015
• Cyberexercise focused on strategic operators.
• An introduction to a sectoral exercise focused on business.
Evolution of CyberEx
CyberEx 2015: Specialisation in the Financial Sector
29 September – 19 October
18 teams
• Banks: 13
• Investment firms: 2
• Payment methods: 2
• Insurance: 1
3 Phases
Phase I: Continued attack
Phase II: Role-play
Phase III: Incident simulation
Phase I: Continued attack
3 campaigns
• Advertisement (only to find out whether people click on everything)
• Impersonating the IT department ("you must update X software"; only to steal corporate credentials)
• Impersonating a client/provider (attached document with a macro that gathers system and user information for exfiltration; no malicious activity and no exfiltration of real documents)
Phase II: Role-play
Phase III: Incident simulation
2016 unique indicators
Phase 1: Continued attack
58 controls
Phase 2: Role-play
14 controls
Phase 3: Simulation
12 controls
Organisational and technical aspects
28 controls
18 financial entities
Evaluation
Report of each entity
Global report
Anonymised report
Infographic
Thank you!