In León last week, the Spanish National Cybersecurity Institute (INCIBE) hosted a live demonstration of its capabilities for detecting, mitigating, and responding to cyber incidents.
INCIBE, which operates under the Ministry of Digital Transformation and Civil Service through the State Secretariat for Digitalization and Artificial Intelligence, invited CSO Spain to observe the high-impact simulation, which was aimed at training personnel and testing and improving the security of its information systems and digital services.
“It is very important for every organization to be trained and educated so that when they are suffering a cyberattack they know how to act,” Patricia Alonso, manager of INCIBE, told CSO Spain.
As Alonso pointed out, it’s one thing to know there are crisis procedures; it’s another thing to be able to put them through their paces. “When an incident happens, we get nervous, we don’t remember, or we don’t know what to do. It is very important to be clear about the procedure to follow and to practice it,” she said.
INCIBE.
“If a company is trained, it will have no problems knowing what to do at all times or how to communicate what has happened,” she added. “And that means, among other advantages, having a faster recovery.”
Visibility exercise
The exercise presented by INCIBE involved red-teaming, in which part of the organization, the red team, plays the role of an attacker to test and help improve the security practices of those participating in the defense, the blue team.
As cybercriminals, INCIBE’s red team re-created an advanced attack and realistic crisis scenario, in which it exploited a vulnerability in INCIBE’s systems and managed to launch, using intrusion techniques, a ransomware attack on the infrastructure that supports the services managed by Incibe.
The simulation allowed INCIBE’s expert cybersecurity protection teams to test and improve the procedures used in all phases of managing a cyber incident — preparation, identification, containment, mitigation, recovery, and post-incident action.
Patricia Alonso, manager of INCIBE
INCIBE.
“At INCIBE we have to lead by example, and the simulation has been just that: to show how an attacked company responds, in this case ours. To do this we have chosen ransomware, as it is the incident that most people are likely to be aware of at the moment; and because it is the one that most companies report to us,” Alonso said.
“We have to be prepared for a cyberattack of this type, and what we wanted to check is whether we suffered from any type of vulnerability that could be exploited by attackers. Luckily, that was not the case. In addition, we also wanted to test our recovery and contingency systems,” she added.
For information purposes, INCIBE has offered annual simulation sessions to more than 160 strategic Spanish companies through its CyberEx program. To this end, it has provided the necessary tools to train them in responding to security incidents. This year, the institute expects 30 new companies to join this initiative, thus expanding the network of organizations prepared to face cyber threats.
Likewise, INCIBE stressed the importance of coordination with the competent authorities and other response teams as key elements in the detection and mitigation of cyberattacks. During the simulation, response actions, the activation of contingency services, and the recovery of services in production were demonstrated.
“One of the aspects that we wanted to highlight with this cyber exercise was the holding of a videoconference to check that all the teams were constantly connected. Our crisis committee, in which the management committee participates, was also represented in this videoconference,” Alonso said.
“And it is very important that they do so because they have to know what the consequences of not making investments in cybersecurity are; and, in the event that a service has been affected, this incident has to be reported to the backup center. That is why it has been so important to have the means of communication, so that citizens know what to do in the event of suffering a cyberattack,” she said.