About the RNS
The CCN-CERT has traditionally collaborated, and continues to collaborate, with several SOCs of different sizes at the level of Ministries, Provincial Councils/Town Halls or Local Entities and, more recently, Essential Services Operators. Out of this work arose the need for a tool to interconnect the SOCs, so that any suspected cyberattack attempt could be stopped in its tracks immediately, even before determining whether it was an actual attack or not.
Subsequently, in late 2020, the European Commission launched its Cybersecurity Strategy for the Digital Decade, in which a European network of SOCs, based on Artificial Intelligence tools, took on a relevant role. The Commission's justification stems from the fact that Europe had suffered a pandemic of ransomware and the existing CSIRT network at European level had not been able to stop it. The emphasis was therefore now on detection in the SOCs.
All of which led the CCN-CERT to create the National Network of SOCs, a platform that incorporates the SOCs of all public bodies of the Spanish Administration, together with the provider entities which supply said SOC services and the public entities that benefit from them.
Its main aim is to boost the protection capability of its members by almost immediately blocking any sign of irregular activity that is being detected at any point of the Administration.
Participating entities
Entities from the following categories may join the National Network of SOCs:
Public entities
Bodies of the Spanish Public Administration. Their security services are generally provided by contracted providers.
Provider entities
Companies that, with their own staff, provide their cybersecurity or SOC services (Implementation, Operation, Maintenance...) to any entity of the Spanish Public Administration.
Guest entities
Entities that do not meet the requirements of the two previous categories, but to which access to the information exchanged in the RNS is to be granted.
Public entities and providers interact with each other through SOCs and the following scenarios may arise:
- A SOC belonging to a Provider, which provides service to one or several Public Administrations. Its manager will thus be someone from the company, and its name will be related to said company, e.g. SOC CompanyA.
- A SOC rendered by one or several Providers (or even with their own staff) and which covers one or several Public Administrations. Its manager will be a public employee, and its name will be related to the Public Administration, e.g. SOC MinistryB.
In addition, at present the provider entities may have the following levels (based on their participation):

- Providers with a high level of participation. They will have immediate access to all the information shared and consolidated in the RNS.
- Providers with a normal level of participation. They will have access to the information shared and consolidated in the RNS, but with some delay.
Participation will be measured through shared technical information which will be valued and scored in line with the nature thereof and its relevance. Given that the RNS is intended to serve as a tool to improve the information security of Public Administrations, said Administrations will be able to progressively promote the adoption of this categorisation of "Gold" and "Informed" as differentiating values when evaluating commercial proposals from providers competing for public contracts.
Technological infrastructure
Network integration is achieved through the use of collaborative tools. The first is an instant messaging solution (Element), used both by the public entities that benefit from the SOC services and by the companies that provide those services. This solution is used both to spread alerts about ongoing incidents (or indicators of possible incidents) and to share other types of information of interest: cybersecurity reports, SOC operating procedures, administrative or service contracting procedures…

Another collaborative tool is the threat information sharing platform (MISP), where both Indicators of Attack (IOA) and Indicators of Compromise (IOC) are registered, centralised and distributed. It can be used in reading mode, by less mature public entities that only need to access the technical data of a threat in certain situations (for example, in the event of an alert notified through the messaging solution), or in integration mode, directly connecting the tools of the most mature SOCs so that the indicators to be blocked are distributed to the rest of the entities.

In the short term, the existing federated deployment of the cyber incident notification tool LUCIA will be integrated into the RNS, so that it can be used as another indicator both of the SOC's commitment to the rest of the members and of the evolution of cyber incidents in national territory.
In the medium term, other solutions will be integrated into the RNS: IRIS, for the real-time display of cybersecurity status in the RNS; ANA, to generate from the RNS a warning system in the event of the publication of vulnerabilities; and the SIEM, to collect the critical alerts generated by the SOCs, which can serve as a data source to correlate incidents from a global perspective.
All of which is centralised at this website, where in the private area you will have access not only to the information belonging to the entity itself but to all shared information. And the entities will also be able to share with the others interesting information such as: use cases, examples of specifications, service indicators for SOC, procedures…
Examples of usage of said infrastructure
- Critical incident in an Entity with MISP: the entity involved shares the associated IOA/IOC in Element, ahead of what will later appear in the MISP. If the event is already in MISP, the ID may be provided in the Element message so that people can access the MISP to obtain the information.
  - Entities without MISP: they receive the information via Element and can act by blocking. If the MISP ID has been shared, they will have to access the MISP via the website to download the information and block it.
  - Entities with MISP: they receive the information via Element so as to receive advance notice (and to be able to carry out blocking in advance), but they may wait for the information to be synchronised with their MISP.
- Non-critical incident in an Entity with MISP: the entity will register the incident in the MISP, with its usual procedure, without the need to alert via Element.
  - Entities without MISP: if they don't access the MISP, they won't know about it.
  - Entities with MISP: the entity will be synchronised and they may act as usual.
- Incident in an Entity without MISP: the entity may upload the information to the RNS MISP via Element. If said information passes the assessment process, it will be shared via Element with the other entities as well as through the MISP.
Benefits of participating
For providers with "Gold" level, the main benefit is access to all the IOC/IOA shared in the RNS from the outset, so that protection from said threats can be transferred to clients almost immediately. Indirectly, they also gain better positioning in contracting processes in which belonging to the National Network of SOCs with said level has been specified as a requirement.
For the other providers, the benefits are the same although they are slightly delayed over time.
Public entities gain not only access to the aforementioned indicators, but also to a sharing forum where they will be able to exchange recommendations about SOC management, such as contracting models, recommendations on suppliers, the definition of indicators for the measurement of services…
Accession and permanence
The requirements for an organisation to join the National Network of SOCs as a public entity are:
- Belonging to the Public Sector (in Spain)
- Having cybersecurity or SOC services
- Accepting the code of ethics and professional conduct of the RNS
- Having installed and using LUCIA to notify incidents to the CCN-CERT regarding any of their clients (or being in the process of implementing)
In turn, the requirements that companies must meet to join as Providers are:
- Being a company (public or private)
- Providing cybersecurity or SOC services to the Public Sector (in Spain)
- Accepting the code of ethics and professional conduct of the RNS
- Using LUCIA to notify incidents to the CCN-CERT regarding any of their clients (or being in the process of implementing)
If the requirements listed above are met, the accession process consists of:
- Application by the entity: filling in the accession form to be found at the website of the RNS, indicating whether you are a public entity or a provider.
- Provisioning by the RNS in the available tools, and notification to the entity of the relevant credentials.
- Confirmation of accession and publication of the membership at the website.
Once they have joined the National Network of SOCs, the entities must comply with the following terms of permanence which will be reviewed on a quarterly basis:
- To keep meeting the accession requirements
- To use the tools at the disposal of the RNS: continuously accessing the messaging solution and being aware of the information exchanged; accessing the exchange solution in due time in order to have the capacity to download the technical information exchanged;…
- Additionally, for provider entities, sharing technical information which is innovative and relevant, using the tools available to the RNS so that said information can be properly assessed and scored.
If the terms of permanence are not met, expulsion from the RNS will be considered.