-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

CSIRT Description for INCIBE-CERT
=================================

INDEX

1. About this document
   1.1 Date of Last Update
   1.2 Distribution List for Notifications
   1.3 Locations where this Document May Be Found
   1.4 Authenticating this Document
   1.5 Document Format
2. Contact Information
   2.1 Name of the Team
   2.2 Address
   2.3 Time Zone
   2.4 Telephone Number
   2.5 Facsimile Number
   2.6 Other Telecommunication
   2.7 Electronic Mail Address
   2.8 Public Keys and Other Encryption Information
   2.9 Team Members
   2.10 Other Information
   2.11 Points of Customer Contact
   2.12 Operating hours
3. Charter
   3.1 Mission Statement
   3.2 Constituency
   3.3 Sponsorship and/or Affiliation
   3.4 Authority
4. Policies
   4.1 Types of Incidents and Level of Support
   4.2 Co-operation, Interaction and Disclosure of Information
   4.3 Communication and Authentication
5. Services
   5.1 Incident Response
       5.1.1 Incident Triage
       5.1.2 Incident Coordination
       5.1.3 Incident Resolution
   5.2 Proactive Activities
       5.2.1 Announcements
       5.2.2 Vulnerability Analysis
       5.2.3 Security Tools
       5.2.4 User Awareness Program
       5.2.5 Archiving services
       5.2.6 Incident sharing
   5.3 Security Quality Management Services
       5.3.1 Documentation
       5.3.2 Statistics
       5.3.3 Education and Training
6. Incident Reporting Forms
7. Disclaimers

*****************

1. About this document

1.1 Date of Last Update

This is version 2.3, published 2022-05-30.

1.2 Distribution List for Notifications

Notifications of relevant updates are submitted to our constituency using established communication channels.

1.3 Locations where this Document May Be Found

The current version of this CSIRT description document is available from the INCIBE-CERT WWW site; its URL is
https://www.incibe-cert.es/sites/default/files/rfc_2350.txt
Please make sure you are using the latest version.

1.4 Authenticating this Document

This document has been signed inline with the INCIBE-CERT PGP key. See section 2.8.
1.5 Document Format

This document is distributed in plaintext format using the UTF-8 character set (rfc3629). It should be opened with a reader that supports UTF-8.

2. Contact Information

2.1 Name of the Team

INCIBE-CERT
Spanish National Cybersecurity Institute - Computer Emergency Response Team

2.2 Address

INCIBE-CERT
Avda. José Aguado 41
24005 León
Spain

2.3 Time Zone

INCIBE-CERT follows the timezone of mainland Spain, which is the entry Europe/Madrid in the Olson database. As of the date of this document, and pending any changes that may result from an approval of Procedure 2018/0332/COD, the timezone used is CET (UTC+0100) during winter time and CEST (UTC+0200) during daylight saving time, active from 01:00 UTC on the last Sunday in March to 01:00 UTC on the last Sunday in October, pursuant to EC Directive 2000/84/EC.

2.4 Telephone Number

017 / +34 900 116 117
A general-purpose cybersecurity helpline is provided free of charge by INCIBE via the short number 017 (available when called from a Spanish line) for its citizens and companies, from 09:00 to 21:00, 12×7×365. Incident reports will be escalated to INCIBE-CERT when appropriate.

+34 987 877 189
Available during normal working hours (see section 2.12). Not suitable for incident communication, which should happen through the established electronic mail addresses (see section 2.7).

+34 647 300 717
After-hours support for Critical Infrastructure incidents and high/emergency priority ICT incidents.

2.5 Facsimile Number

+34 987 261 016 (this is NOT a secure fax)

2.6 Other Telecommunication

Although the preferred form of communication is through electronic mail, telephone, videoconference and other telecommunication options may be arranged on request.

2.7 Electronic Mail Address

incidencias [@] incibe-cert.es
This is the email address to report a computer security incident related to Spanish citizens or enterprises. If you are reporting an incident, this is probably the appropriate email address.
pic [@] incibe-cert.es
This is the email address to report a computer security incident related to Spanish Critical Infrastructures.

iris [@] incibe-cert.es
This is the email address to report computer security incidents affecting the Spanish Research and Academic Network (RedIRIS), see section 2.11.

spamtrap2350 [@] incibe-cert.es
This is an email address intended to get blacklisted and classified as spam, expressly allowing further distribution of its contents and/or classifications. It SHOULD NOT be used. Sending anything to this address implies a willful acceptance of the aforementioned terms, as well as an irrevocable waiver of any right, worldwide, in such content, to the extent permitted by law.

servicios [@] incibe-cert.es
General purpose email contact for Digital Service Providers. MUST NOT be used for incident reporting.

cert [@] incibe-cert.es
General purpose CERT representatives email contact. MUST NOT be used for incident reporting.

2.8 Public Keys and Other Encryption Information

The above email addresses have the following PGP keys associated:

For Spanish citizens or enterprises incidents:
INCIBE-CERT incidents (2022-2024)
Key ID: 0xE076DE7D
Fingerprint: 6C17 FFC1 9811 BBA9 9B46 8970 2FD2 3299 E076 DE7D

For Spanish Research and Academic Network (RedIRIS) incidents:
iris [@] incibe-cert.es
Key ID: 0x2006B232
Fingerprint: D2DE 1DBE F689 ED1E 0312 34D9 8984 EB58 2006 B232

For incidents affecting privately-owned Spanish Critical Infrastructures:
INCIBE-CERT - PIC (2022-2024)
Key ID: 0x27AC8617
Fingerprint: 4C3B 416C 1195 0C6C 0983 31C5 7E3B A385 27AC 8617

Email contact for Digital Service Providers (do NOT use for incident reporting):
INCIBE-CERT services (2022-2024)
Key ID: 0xAF590946
Fingerprint: 9524 8C29 CCC5 B051 A365 E8DB 7BE8 8A92 AF59 0946

CERT representatives contact (do NOT use for incident reporting):
cert [@] incibe-cert.es
Key ID: 0xCDDE9B18
Fingerprint: A414 7A1D C36C DE8C 44DE B828 9898 7B0B CDDE 9B18

The keys themselves and their signatures can be found
at the usual large public keyservers, by Web Key Directory (WKD), and at:
https://www.incibe-cert.es/en/what-is-incibe-cert/pgp-public-keys

2.9 Team Members

An alphabetic list of team members and their associated PGP keys follows. In order to form their corresponding email addresses, replace the bracketed character with an at sign.

Alejandro Cueto
alejandro.cueto [@] incibe.es
Key ID: 0xAF7AA5DD2613DE1B
Fingerprint: 8A2A 7F4D D580 D3E8 42EA 6E60 AF7A A5DD 2613 DE1B

Ángel González
angel.gonzalez [@] incibe.es
Key ID: 0x0D06FA70B6419693
Fingerprint: A9CF 6918 833E CB56 B4AA E614 0D06 FA70 B641 9693

Estrella Alfageme
estrella.alfageme [@] incibe.es
Key ID: 0x42FF3CB7BFF84417
Fingerprint: 89BA 924B ECC3 7338 D570 79F9 42FF 3CB7 BFF8 4417

Francisco Fernández
francisco.fernandez [@] incibe.es
Key ID: 0x999127228D6EA554
Fingerprint: 48F3 B334 0E61 1669 0475 0394 9991 2722 8D6E A554

Jorge Chinea (incident response project manager)
jorge.chinea [@] incibe.es
Key ID: 0xAC04754DF542CFCE
Fingerprint: 15B2 BB67 822F 1FAE 1004 7B0E AC04 754D F542 CFCE

Rubén Calleja
ruben.calleja [@] incibe.es
Key ID: 0xD920FA5B7386FC8A
Fingerprint: 163D EE1E 1DAA 0F3A 3E04 37FB D920 FA5B 7386 FC8A

Sandra Salán
sandra.salan [@] incibe.es
Key ID: 0x097F20BC6D460E9C
Fingerprint: 3916 150E 2D2C B0FE 6830 DBBC 097F 20BC 6D46 0E9C

2.10 Other Information

General information about INCIBE-CERT, as well as links to various recommended security resources, can be found at
https://www.incibe-cert.es

2.11 Points of Customer Contact

For reporting a computer security incident the preferred method is by email at the INCIBE-CERT reporting mailbox, incidencias [@] incibe-cert.es.

To report an incident involving a Spanish critical infrastructure the preferred method is by email at the PIC reporting mailbox, pic [@] incibe-cert.es.

To report an incident involving the Spanish Research and Academic Network (RedIRIS) the preferred method is by email at iris [@] incibe-cert.es.
To check if an IP address is within this remit, please check the information available at:
https://www.rediris.es/cert/IH/ambito_actuacion.php

If possible, when submitting your report, use the template mentioned in section 6. Alternatively, you may send your notification using the following form:
https://www.incibe-cert.es/notificaciones

2.12 Operating hours

Incident Response services are available 24×7×365. Regular business hours for other services, as well as for certain incidents considered non-critical after triage and requiring further input, are as follows:

Normal hours:
- 09:00 to 18:00 from Monday to Thursday, 08:00 to 15:00 on Friday.

Summer time (15 June to 15 September):
- 08:00 to 15:00 from Monday to Friday.

Business hours follow the holidays applicable in the city of León, which are the following days:
- New Year (January 1)
- Epiphany (January 6)
- Maundy Thursday
- Good Friday
- Castile and León Day (April 23)
- Labour Day (May 1)
- St John (June 24)
- Assumption (August 15)
- St Froilán (October 10)
- National Day (October 12)
- All Saints Day (November 1)
- Constitution Day (December 6)
- Immaculate Conception (December 8)
- Christmas Eve (December 24)
- Christmas (December 25)
- New Year's Eve (December 31)

Should any of the above fall on a Sunday in a given year, the next day becomes a holiday.

3. Charter

3.1 Mission Statement

The purpose of INCIBE-CERT is to serve as preventive and reactive support related to ICT security. It has a vocation of public service as a nonprofit organization and offers help that, in all cases, is free and rapidly managed.

3.2 Constituency

INCIBE-CERT supports incident response and security services for:
- All Spanish Enterprises and Citizens
- Spanish private Critical Infrastructures and Strategic Operators
- Spanish Digital Service Providers
- Spanish Research and Academic Network (RedIRIS)
- Limited Service (incident handling and coordination with other IRTs as a last point of contact for emergency or high priority security matters) for the rest of ".es" domains.

3.3 Sponsorship and/or Affiliation

INCIBE-CERT is operated by the Spanish National Cybersecurity Institute (INCIBE), a state limited company attached to the Secretary of State for Digitalisation and Artificial Intelligence. INCIBE holds CIF [Spanish tax ID code] A24530735, and its corporate address is Avenida José Aguado, 41, 24005 León. It is registered with the Business Registry of León in volume 1070, folio 100, sheet LE-16,676.

3.4 Authority

The "Real Decreto-ley 12/2018, de 7 de septiembre, de seguridad de las redes y sistemas de información", which transposes Directive (EU) 2016/1148 of the European Parliament and of the Council of 6 July 2016 concerning measures for a high common level of security of network and information systems across the Union, designates INCIBE-CERT as the Spanish National CSIRT for citizens, private law entities and other entities not included in the subjective scope of application of the "Ley 40/2015, de 1 de octubre, de Régimen Jurídico del Sector Público", as well as for digital service providers, operators of essential services and critical operators. This is reiterated in the "Real Decreto 43/2021, de 26 de enero, por el que se desarrolla el Real Decreto-ley 12/2018, de 7 de septiembre, de seguridad de las redes y sistemas de información."

Furthermore, the "Real Decreto 311/2022, de 3 de mayo, por el que se regula el Esquema Nacional de Seguridad" explicitly states the obligation for private law entities that provide services to the Public Administration of Spain to notify INCIBE-CERT about the incidents that affect them.

As such, INCIBE-CERT operates as a national CSIRT under the auspices of:
- Ministry of Economic Affairs and Digital Transformation, State Secretary of Digitalisation and Artificial Intelligence.
- Ministry for Home Affairs, on behalf of the State Secretariat for Security, regarding Critical Operator incidents.

4. Policies

4.1 Types of Incidents and Level of Support

INCIBE-CERT is authorized to address all types of computer security incidents which occur within its constituency. INCIBE-CERT may act upon request of one of its constituents, or may act if one of its constituents is involved in a computer security incident.

The level of support given by INCIBE-CERT will vary depending on the type and severity of the incident or issue, the type of constituent, the size of the user community affected, and the INCIBE-CERT resources available to handle it at the time, though in all cases some response should be expected within one working day. Prioritization will take into account the parties affected and the risk of the incident, as determined from its typology and the criteria set forth in section 6.1.1 of the National Guide of Incident Handling and Notification, which is available at
https://www.incibe-cert.es/guias-y-estudios/guias/guia-nacional-notificacion-y-gestion-ciberincidentes

In most cases, INCIBE-CERT will provide pointers to the information needed to implement appropriate measures.

INCIBE-CERT is committed to keeping its constituency informed of potential vulnerabilities and, where possible, will inform its community of such vulnerabilities before they are actively exploited.

4.2 Co-operation, Interaction and Disclosure of Information

INCIBE-CERT will cooperate with other organizations in the field of computer security. This cooperation also includes, and often requires, the exchange of information regarding security incidents and vulnerabilities. A special collaborative relationship has been established with the Spanish Police Forces on Cybercrime and Cyberterrorism issues. Nevertheless, INCIBE-CERT will protect the privacy of its constituency and therefore (under normal circumstances) will pass on information in an anonymized way only.
Unless explicitly authorized, the identity or vital information of victims of computer security incidents will not be divulged.

INCIBE-CERT operates under the restrictions imposed by Spanish law. Therefore INCIBE-CERT may be forced to disclose certain information in order to comply with some legal obligation or explicit court order.

4.3 Communication and Authentication

Telephones will generally be considered sufficiently secure to be used even unencrypted. Unencrypted e-mail will not be considered particularly secure, but will be sufficient for the transmission of low-sensitivity data. The INCIBE-CERT mail server supports receiving encrypted SMTP sessions (rfc3207) and opportunistically encrypts outgoing mail when possible. Senders are encouraged to use an MSA implementing MTA-STS (rfc8461) so that downgrade attempts can be automatically blocked by compliant clients. Note that high-sensitivity data should be encrypted prior to being passed on to the SMTP layer.

Network file transfers will be considered similar to e-mail for these purposes: sensitive data should be encrypted prior to transmission.

INCIBE-CERT publishes its PGP keys (see section 2.8) and encourages those contacting INCIBE-CERT to use them for higher confidentiality. INCIBE-CERT will use end-to-end PGP-encrypted mail where possible. There is a procedure through which the keys of certain high value constituents are kept updated. However, any entity contacting INCIBE-CERT is welcome to provide their own PGP key to secure further communications.

For plaintext mails, authentication is provided through cleartext PGP signatures by the aforementioned keys.

5. Services

5.1 Incident Response

INCIBE-CERT will assist its constituency in handling the technical and organizational aspects of incidents. In particular, it will provide assistance or advice with respect to the following aspects of incident management:

5.1.1 Incident Triage

- Investigating whether indeed an incident occurred.
- Determining the extent of the incident.

5.1.2 Incident Coordination

- Determining the initial cause of the incident (such as the vulnerability exploited).
- Facilitating contact with other sites which may be involved.
- Facilitating contact with appropriate security teams.
- Making reports to other CSIRTs.
- Composing announcements to users (members of the constituency), if applicable.

5.1.3 Incident Resolution

When requested by the affected party and within their capabilities, INCIBE-CERT may additionally provide:
- Technical Assistance. This may include analysis of compromised systems.
- Recommendations on Eradication or Elimination of the cause of a security incident (the vulnerability exploited) and its effects.
- Recovery Aid in restoring affected systems and services to their status before the security incident.
- Forensics and Post-Mortem investigations.
- Suggestions in securing the system from the effects of the incident.

INCIBE-CERT will collect statistics concerning incidents which occur within or involve its constituency and will notify the community as necessary to assist it in protecting against known attacks.

Please note that INCIBE-CERT's primary role is one of Incident Coordination, with no enforcing power attached. As such, it may not always be possible to reach a successful resolution of all incidents reported to INCIBE-CERT, as the actual resolution relies on positive action by the responsible party.

5.2 Proactive Activities

Proactive services are meant to reduce the number of actual incidents by giving the constituency proper and suitable information concerning potential incidents in a timely manner. INCIBE-CERT additional proactive services include:

5.2.1 Announcements

INCIBE-CERT will provide its constituency with information about ongoing attacks, security vulnerabilities, alerts in the general sense, and the short-term recommended course of action for dealing with the resulting problems.
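The downgrade protection that section 4.3 expects from an MTA-STS-capable sender, shown as an added example that is not INCIBE-CERT's code: a constructed policy for a hypothetical domain is parsed and the RFC 8461 sender rules applied, so that under "enforce" a stripped STARTTLS offer, a bad certificate or an MX not listed in the policy stops delivery instead of silently falling back to cleartext. The policy body, the example.org names and the function names are assumptions, not taken from the page.

```python
"""Sender-side MTA-STS (RFC 8461) policy check (added example, not INCIBE-CERT's code).
POLICY_TEXT and the MX names are constructed for a hypothetical domain."""
from collections import namedtuple

# Constructed policy body, as served at https://mta-sts.<domain>/.well-known/mta-sts.txt
POLICY_TEXT = """\
version: STSv1
mode: enforce
mx: mx1.example.org
mx: *.backup.example.org
max_age: 604800
"""

StsPolicy = namedtuple("StsPolicy", "version mode mx max_age")


def parse_policy(text: str) -> StsPolicy:
    """Parse the key/value policy body; reject anything a client could not trust."""
    version = mode = None
    mx, max_age = [], 0
    for raw in text.splitlines():
        if ":" not in raw:
            continue                     # blank or malformed line: ignored
        key, value = (part.strip() for part in raw.split(":", 1))
        if key == "version":
            version = value
        elif key == "mode":
            mode = value
        elif key == "mx":
            mx.append(value.lower().rstrip("."))
        elif key == "max_age":
            max_age = int(value)
    if version != "STSv1" or mode not in ("enforce", "testing", "none"):
        raise ValueError("malformed MTA-STS policy")
    if mode != "none" and not mx:
        raise ValueError("policy lists no mx hosts")
    return StsPolicy(version, mode, mx, max_age)


def mx_matches(policy: StsPolicy, mx_host: str) -> bool:
    """An mx entry is a hostname or a single leading wildcard label (RFC 8461 4.1)."""
    host = mx_host.lower().rstrip(".")
    for pattern in policy.mx:
        if pattern.startswith("*."):
            suffix = pattern[1:]         # ".backup.example.org"
            prefix = host[: -len(suffix)] if host.endswith(suffix) else ""
            if prefix and "." not in prefix:   # exactly one extra label
                return True
        elif host == pattern:
            return True
    return False


def may_deliver(policy: StsPolicy, mx_host: str, starttls: bool, cert_ok: bool) -> bool:
    """Under "enforce", a stripped STARTTLS offer, a certificate that does not validate
    for the MX name, or an MX absent from the policy is a downgrade: delivery is refused
    and the message stays queued. Under "testing"/"none" it is delivered (TLSRPT only)."""
    secure = starttls and cert_ok and mx_matches(policy, mx_host)
    return secure or policy.mode != "enforce"
```

The same check with the policy in "testing" mode delivers regardless, which is why section 4.3 asks that high-sensitivity data be PGP-encrypted before it reaches SMTP at all.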
5.2.2 Vulnerability Analysis

INCIBE-CERT will assist its constituency in reacting to the discovery of new vulnerabilities. A database is maintained collecting information on vulnerabilities, automatically and manually, via network scans and by other means.

5.2.3 Security Tools

A repository of various tested security tools, and of security tools developed by INCIBE-CERT, is provided to the general public through its website.

5.2.4 User Awareness Program

The users' awareness of cybersecurity issues is improved by best practice guidelines, programs, and appropriate measures. This implies an awareness of legal issues, in particular the enforcement of evidence collection. INCIBE-CERT will also attempt to provide valuable educational materials aimed at increasing the awareness of security as well as improving the overall knowledge of security techniques among the members of the constituency. These materials, in electronic formats, will be distributed through the official website:
https://www.incibe-cert.es

5.2.5 Archiving services

Records of security incidents handled will be kept. While the records will remain confidential, periodic statistical reports will be made available to the INCIBE-CERT constituency.

5.2.6 Incident sharing

Information on security incidents handled by INCIBE-CERT may be shared with other stakeholders in national Spanish cybersecurity. Other national CSIRTs, and particularly the members of the CSIRTs network established by Directive (EU) 2016/1148 of the European Parliament and of the Council of 6 July 2016 (NIS Directive), to which INCIBE-CERT belongs, may also receive additional information about selected incidents.
5.3 Security Quality Management Services

In order to supervise and to increase the quality of the offered services, the following services are performed:
- Awareness building education/training
- User quality surveys

5.3.1 Documentation

Documentation is maintained dealing with the following topics:
- The procedures that are part of the services are documented.
- Results of Incident Management and Incident Analysis are documented, resulting in suggestions on how to improve the services or systems, respectively.
- Quality audits.

5.3.2 Statistics

This service provides statistics of the offered services. The statistics serve as a basis for calculating the impact of incidents at national and sector level, evaluating the quality of the services and, if possible, improving them.

6. Incident Reporting Forms

Check section 2.9 to choose the constituency affected by the incident you are about to report. Use the following template and send it by email to the appropriate address. Please provide as much detail as possible, attaching any relevant file if needed (logs, email messages, screenshots…):

=================================================================
INCIDENT REPORT

Have you reported this incident to other individuals or organizations?:

- Type of incident detected (Phishing, Malware, DDoS, Unauthorized use/access...):
  Use the Taxonomy from the Reference Security Incident Taxonomy Working Group when possible, see
  https://github.com/enisaeu/Reference-Security-Incident-Taxonomy-Task-Force/blob/master/working_copy/humanv1.md

- When was this incident detected? (datetime and timezone):

- Incident Details (short description of the incident):

Complete the following information about the affected system and attacker host (if known).
--- Affected System (Duplicate if needed) ---
Hostname:
Domain:
IP Address:
Port:
Operating System:
Primary purpose of the affected system (Workstation, Web/DNS/FTP/Application/Database server, Router, Firewall...):
--- End Affected System ---

--- Attacker Host (Duplicate if needed) ---
Hostname:
Domain:
IP Address:
Port:
Protocol:
--- End Attacker Host ---
=================================================================

This is the most preferable way to report a computer security incident to INCIBE-CERT.

7. Disclaimers

While every precaution will be taken in the preparation of information, notifications and alerts, INCIBE-CERT assumes no responsibility for errors or omissions, or for damages resulting from the use of the information contained within.

-----BEGIN PGP SIGNATURE-----

iHUEARYKAB0WIQRmiDHNpfg2bP9JWAmhl+D5FDU+RwUCYpRrcgAKCRChl+D5FDU+
R/INAQCm+9Zi4JvzG5gCzAnwhOEvespu2cXPNWjD5Intz7mI/AD/WhYQFd0qOVmL
n9X4WEoQ7k/H40+a5Sv+401TZFHd7A+IdQQBFgoAHRYhBDXjkwDLb7sB3KPKBtPJ
r5uGFaN/BQJilGtyAAoJENPJr5uGFaN/7ycA/jlWHlTQT3eK19ZRiCgsLqwtU7Yg
Y+sz5TohOxrYo/DSAP4/lH0MtNAEPR89n7hwV+Mz2JFzAsOLuHIAqD04uic6Aw==
=9nOP
-----END PGP SIGNATURE-----