Operator Services

INCIBE-CERT provides a 24x7x365 response service to cybersecurity incidents that, using or being directed at technological elements, may affect the correct functioning of critical, strategic infrastructures or essential services, as well as digital service providers. Throughout the process, the team in charge of the service coordinates with the operator´s security team, as well as with other entities that can facilitate the mitigation of the impact: ISPs, international CERT/CSIRTS and State Security Forces and Corps (FCSE). Furthermore, in the case of critical operators and essential service providers, coordination is carried out with their competent authorities according to RD 43/2021. Access more information.

In special cases of severity or high impact on the operation of critical, strategic infrastructures or essential services, INCIBE-CERT, in addition to its incident response and early warning services, will deploy additional capabilities that will results in the expansion of the usual services of the CERT with more technical, operational, and human resources, which will serve to receive and manage more notifications and incidents, detect, analyze, and prevent more cybersecurity threats related to the situation, provide support to more operators and entities affected or at risk, and issue more technical reports, operational and strategic towards the different roles within the operators as well as other groups. 

As a consequence of the activity it carries out and alliances with third parties, INCIBE-CERT brings together a large number of events, alerts, and notices regarding cybersecurity. These events are enriched and correlated to obtain evidence of possible security incidents. Subsequently, they are crossed with the Operator´s own public assets (IP addresses and domains) which results in the proactive identification of incidents that are reported to the operator. 

The information collecting service of INCIBE-CERT (IGA) is responsible for collecting intelligence on operators from open sources (OSINT – Open Source Intelligence), as well as detecting vulnerabilities associated with their assets that are accessible from the Internet. The goal of IGA is to help the operator increase the protection of their published services through a better understanding of their exposure level. “Information Gathering” (also known as “footprinting”) is a common tactic used by cybercriminals as a preliminary step before attacking an entity. It involves collecting as much information as possible from open sources (search engines, social networks, public websites with filtered or collected content, etc.). This information allows the attacker to create a “profile” of their target, thus increasing the chances of success. In fact, an attacker will spend 90% of their time detailing a good profile of their target and 10% carrying out their attack. Access more information. 

The service consists of deploying a device designed to transfer cybersecurity intelligence from INCIBE-CERT to the Internet gateway of certain critical operators. The purpose of the device is to provide a detection layer that complements the entity´s protection capabilities. While the incidents detector does not protect against attacks, it is responsible for identifying specific cases where a machine within the entity has been compromised. Access more information. 

The immediacy of technical information regarding new Zero-Day vulnerabilities and other threats affecting IT and industrial control systems is crucial for any cybersecurity response. The effort in technological monitoring provides dynamic information that INCIBE-CERT evaluates and assesses to generate specific messages and alerts, with the aim of communicating the risk to which an entity might be exposed and proposing the best mitigation strategies. This minimizes the impact, even during the period when the manufacturer is developing the part. Access more information.

INCIBE-CERT provides a threat information sharing service called ÍCARO, through which it shares information on cyber threats of interest (analysis, Indicators of Compromise – IOCSs, other detection mechanisms and rules, etc.). The aim is for participating entities to use this information to enhance their detection and protection capabilities. The information shared via ÍCARO is continuously updated and includes analysis from INCIBE-CERT on relevant threats in the Spanish environment, as well as information shared by other key national and international actors. Access more information.