About the RNS

The CCN-CERT has long collaborated, and continues to collaborate, with SOCs of different sizes at the level of Ministries, Provincial Councils/Town Halls or Local Entities, and more recently Essential Services Operators. Out of this work arose the need for a tool to interconnect the SOCs, so that any suspicious attack attempt could be stopped in its tracks immediately at every member, even before determining whether it was an actual attack or not.

Subsequently, in late 2020, the European Commission launched its Cybersecurity Strategy for the Digital Decade, in which a European network of SOCs, based on Artificial Intelligence tools, took on a relevant role. The Commission's justification was that Europe had suffered a pandemic of ransomware and the existing European-level CSIRT network had not been able to stop it, so the emphasis shifted to detection in the SOCs.

All of this leads CCN-CERT to create the National SOC Network, a platform that integrates all SOCs in the national territory, whether public or private.

Its main aim is to boost the protection capability of its members by blocking, almost immediately, any sign of irregular activity detected at any point of the Administration.

Participating entities

Entities from the following categories may join the National Network of SOCs:

Public entities

Bodies of the Spanish Public Administration. Their security services are generally provided by contracted providers.

Provider entities

Private sector companies that provide SOC services to other entities, whether public or private, protecting Spanish assets.

Private entities

Private sector companies, with their own SOC protecting their Spanish assets, without providing said SOC services to other entities.

These entities must be under the protection of a SOC, whether internal or external:

External SOC

A SOC belonging to a supplier entity that protects one or more entities, public or private. The person responsible is therefore someone from the supplier entity, and the SOC is named after that supplier (e.g. SOC SupplierA).

Own SOC

A SOC belonging to the public or private entity itself, staffed either by its own personnel or by subcontracted staff (from one or several supplier entities). The person responsible is therefore someone from that public or private entity (not from the supplier, where one exists), and the SOC is named after the entity (e.g. SOC CompanyA or SOC MinistryB).

In addition, private and supplier entities are currently assigned one of the following levels, based on their participation:

Gold

Level assigned to private entities and suppliers with a high level of participation.

Silver

Level assigned to private entities and suppliers with a normal level of participation.

Disabled

Level assigned to private entities and suppliers that have stopped participating in information sharing.

Participation is measured by the technical information shared, which is assessed and scored according to its nature and relevance.

Given that the RNS is intended as a tool to improve the information security of Public Administrations, those Administrations will be able to progressively adopt the "Gold" and "Silver" categorisation as a differentiating factor when evaluating commercial proposals from providers competing for public contracts.

To the three previous categories (public, supplier and private entities) are added two special categories:

Source entities

Entities not linked to a SOC but willing to contribute to the RNS by providing cyber-threat information that can be shared with all its members. Large technology companies could fall into this category. Their accession is at the discretion of the CCN.

Link entities

National or international communities with which the RNS may maintain exchange links; exchanges with ENSOC, LATAM or CERT-EU could fall into this category. Their accession is at the discretion of the CCN.

Information to be shared

The main asset of the National Network of SOCs is the set of indicators of attack or compromise (IOA/IOC) observed at that moment in any of the member entities, always under the premise of "only share what I myself am already blocking". Specifically:

  • IP addresses of attackers (or alleged attackers)
  • Domains of compromised (or supposedly compromised) sites
  • Specific URLs with harmful content
  • Signatures or hashes of files with harmful content
  • E-mail addresses propagating harmful content
  • Threat detection rules, based on network behaviour (Snort rules) or on harmful content (YARA rules)
  • Specific HTTP request headers, such as "User-Agent" and others

The National Network of SOCs does not aim to share information that may contain personal data or data about the victims, nor reports or generic investigations on threats in cyberspace that are not affecting any of the members. On the first point, each entity is responsible for filtering out whatever information it deems inappropriate to share. The second point is covered by CCN-CERT's REYES solution, where all cyberintelligence information is centralised.

The following is also shared on the network:

  • Generic detection rules and use cases
  • Cybersecurity reports
  • Operating procedures of a SOC
  • Administrative or service contracting procedures

The following will soon be shareable as well:

  • Metrics and indicators to use in a SOC to improve its management
  • Whitelists with legitimate locations
  • Vulnerabilities
  • SIEM Alerts
  • ...

Technological infrastructure

Network integration is carried out through collaborative tools. Firstly, an instant messaging solution (Element), used both to spread alerts about ongoing incidents (or indicators of possible incidents) and to share other kinds of information of interest: cybersecurity reports, SOC operating procedures, administrative or service contracting procedures...

Another collaborative tool is the threat information sharing platform (MISP), where both Indicators of Attack (IOA) and Indicators of Compromise (IOC) can be registered, centralised and distributed. IOC/IOA can be registered in MISP through the messaging tool or from this website, or in integration mode, by directly connecting the tools of the most mature SOCs so that the indicators to be blocked are distributed to the rest of the entities.
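
As an added example (not code from the RNS, CCN-CERT or the MISP project), the following Python script shows what a SOC-side integration with the MISP instance would enforce before pushing its block list, covering the indicator types listed under "Information to be shared". Only entries the SOC is already blocking go out, and anything naming the entity's own domains or address ranges is dropped as victim data. The MISP attribute types, categories and event fields are MISP's own; the entry format, the `own_domains`/`own_networks` filter, the TLP tag, "SOC MinistryB" and every sample value are assumptions constructed for the example.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# Indicator kinds the RNS shares, mapped to a MISP attribute (type, category).
INDICATOR_TYPES = {
    "attacker_ip": ("ip-src", "Network activity"),
    "domain": ("domain", "Network activity"),
    "url": ("url", "Network activity"),
    "hash": (None, "Payload delivery"),        # real type chosen by digest length
    "sender_email": ("email-src", "Payload delivery"),
    "snort": ("snort", "Network activity"),
    "yara": ("yara", "Payload installation"),
    "user_agent": ("user-agent", "Network activity"),
}
HASH_TYPES = {32: "md5", 40: "sha1", 64: "sha256"}

INTERNAL_NETWORKS = [ipaddress.ip_network(n) for n in (   # victim-side ranges (assumption)
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8",
    "169.254.0.0/16", "fc00::/7", "fe80::/10", "::1/128")]

def _host_of(kind, value):
    # Hostname carried by a domain, URL or e-mail indicator; None for other kinds.
    if kind == "domain":
        return value.lower()
    if kind == "url":
        return (urlsplit(value).hostname or "").lower()
    if kind == "sender_email":
        return value.rsplit("@", 1)[-1].lower()
    return None

def reject_reason(entry, own_domains, own_networks):
    """Why an entry must not leave the SOC, or None if it may be shared."""
    kind, value = entry["kind"], entry["value"]
    if not entry["blocked"]:                  # RNS premise: share only what we block
        return "not yet blocked locally"
    if kind == "attacker_ip":                 # RNS premise: no victim data
        addr = ipaddress.ip_address(value)
        if any(addr in net for net in INTERNAL_NETWORKS + own_networks):
            return "internal/own address (victim data)"
    host = _host_of(kind, value)
    if host and any(host == d or host.endswith("." + d) for d in own_domains):
        return "names our own domain (victim data)"
    if kind == "hash" and not (re.fullmatch(r"[0-9a-f]+", value.lower()) and len(value) in HASH_TYPES):
        return "unrecognised hash format"
    return None

def build_event(info, entries, own_domains, own_networks, tlp="tlp:amber"):
    """Return (event, rejected): the body MISP expects on POST /events/add, plus the (value, reason) pairs filtered out."""
    attributes, rejected = [], []
    for entry in entries:
        reason = reject_reason(entry, own_domains, own_networks)
        if reason:
            rejected.append((entry["value"], reason))
            continue
        misp_type, category = INDICATOR_TYPES[entry["kind"]]
        if entry["kind"] == "hash":
            misp_type = HASH_TYPES[len(entry["value"])]
        attributes.append({
            "type": misp_type,
            "category": category,
            "value": entry["value"],
            "to_ids": True,           # already on our block list: safe for others to block on
        })
    event = {"Event": {
        "info": info,
        "distribution": 1,            # MISP: "This community only"
        "threat_level_id": 2,         # MISP: Medium
        "analysis": 1,                # MISP: Ongoing
        "Tag": [{"name": tlp}],       # TLP marking is an assumption, not an RNS rule
        "Attribute": attributes,
    }}
    return event, rejected

# Constructed block list of a hypothetical "SOC MinistryB"; every value is made up.
SAMPLE_ENTRIES = [
    {"kind": "attacker_ip", "value": "203.0.113.45", "blocked": True},
    {"kind": "attacker_ip", "value": "10.20.30.40", "blocked": True},        # internal
    {"kind": "attacker_ip", "value": "192.0.2.10", "blocked": True},         # our own range
    {"kind": "attacker_ip", "value": "198.51.100.7", "blocked": False},      # not blocked yet
    {"kind": "domain", "value": "update-check.example.net", "blocked": True},
    {"kind": "domain", "value": "mail.ministryb.example", "blocked": True},  # our own domain
    {"kind": "url", "value": "http://cdn.example.org/payload/invoice.js", "blocked": True},
    {"kind": "hash", "value": "0123456789abcdef" * 4, "blocked": True},      # sha256-length
    {"kind": "hash", "value": "not-a-hash", "blocked": True},
    {"kind": "sender_email", "value": "billing@invoice-portal.example.net", "blocked": True},
    {"kind": "sender_email", "value": "staff@ministryb.example", "blocked": True},  # victim mailbox
    {"kind": "snort", "value": 'alert tcp any any -> any 80 (msg:"RNS example beacon"; content:"/beacon.php"; http_uri; sid:9000001; rev:1;)', "blocked": True},
    {"kind": "yara", "value": 'rule rns_example { strings: $a = "RNS-beacon" condition: $a }', "blocked": True},
    {"kind": "user_agent", "value": "Mozilla/4.0 (compatible; RNS-example)", "blocked": True},
]

def example_event():
    """Event for SOC MinistryB's constructed block list (own domain and range are assumed)."""
    return build_event("SOC MinistryB: indicators currently blocked", SAMPLE_ENTRIES,
                       own_domains=["ministryb.example"],
                       own_networks=[ipaddress.ip_network("192.0.2.0/24")])
```

Calling `example_event()` yields eight attributes ready to send and six dropped entries with their reasons; keeping the rejected list gives the SOC an audit trail of what its filter withheld, which is the entity's own responsibility under the RNS rules. The script only builds the event body and runs offline; in a real integration the body would be posted to the SOC's MISP instance (MISP's REST endpoint `POST /events/add` with an API key, or through the PyMISP library), and the `to_ids` flag is what lets the receiving SOCs export these attributes straight into their blocking tools.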

Additionally, the existing federated deployment of the cyber incident notification tool LUCIA is integrated into the RNS, so that it can serve as a further indicator both of each SOC's commitment to the other members and of the evolution of cyber incidents in the national territory.

In the medium term, other solutions will be integrated into the RNS: IRIS, for the real-time display of the cybersecurity status of the RNS; ANA, to generate from the RNS an early-warning system when vulnerabilities are published; and the SIEM, to collect the critical alerts generated by the SOCs, which can serve as a data source for correlating incidents from a global perspective.

All of this is centralised at this website, where in the private area members have access not only to their own entity's information but to all shared information. Entities can also share with the others information of interest such as use cases, sample specifications, SOC service indicators, procedures...

Benefits of participating

For all entities, the main benefit is access to all IOCs/IOAs shared in the RNS from the outset, so that their SOC can protect them against these threats almost immediately, together with the other shared information: use cases, metrics...

Additionally, private-sector entities, whether suppliers or private, that hold the "Gold" level gain a better position in contracting processes in which membership of the National SOC Network at that level has been specified as a requirement.

Finally, and only for public entities, access to a sharing forum where they exchange recommendations on the management and direction of the SOC, such as contracting models, recommendations on suppliers, definition of indicators for measuring services...

Accession and permanence

The requirements for an entity to join the National SOC Network, apart from accepting the code of ethics and professional conduct of the RNS, are:

As a public entity

  • Belong to the Public Sector in Spain
  • Record high, very high and critical incidents in LUCIA
  • Be protected by a SOC (own or external), or be in the process of setting one up

As supplier entity

  • Not belong to the Public Sector in Spain
  • Provide SOC services to other entities
  • Have its own SOC (or one in progress) protecting Spanish assets

As private entity

  • Not belong to the Public Sector in Spain
  • Not provide SOC services to other entities
  • Have its own SOC (or one in progress) protecting Spanish assets

In order to be able to register said SOC in the National SOC Network, they must:

  • Have a MISP instance (or one in progress) with Internet access
  • Be certified as a SOC (once the standard is published)

If the requirements listed above are met, the accession process consists of:

  • Application by the entity: filling in the accession form found on the RNS website
  • Provisioning by the RNS in the available tools, and notification of the relevant credentials to the entity
  • Confirmation of accession and publication of the membership at the website

Once they have joined the National Network of SOCs, entities must comply with the following terms of permanence, which are reviewed quarterly:

  • To keep meeting the accession requirements
  • To use the tools at the disposal of the RNS: continuously accessing the messaging solution and keeping up with the information exchanged; accessing the sharing solution in due time so as to be able to download the technical information exchanged; ...
  • Additionally, for supplier and private entities (as well as source entities), share technical information that is novel and relevant

If the terms of permanence are not met, expulsion from the RNS will be considered.