-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

CSIRT Description for Cyberzaintza
- - - ----------------------------

1. About this document

This document contains a description of Cyberzaintza in accordance with RFC 2350
https://www.ietf.org/rfc/rfc2350.txt
It provides basic information about the Cyberzaintza team, its channels of communication, and its roles and responsibilities.

1.1. Date of Last Update

This is version 1.1, published 28-03-2025.

1.2. Distribution List for Notifications

Notifications of updates are submitted to our constituency using established communication channels.

1.3. Locations where this document may be found

The current version of this document is available from the Cyberzaintza web site:
https://ciberseguridad.euskadi.eus/adjuntos/rfc_2350.txt

1.4. Authenticating this Document

This document has been signed with Cyberzaintza's PGP keys. The signatures are also on our Web site, under
https://ciberseguridad.euskadi.eus/contacta-con-cyberzaintza/

2. Contact Information

2.1. Name of the team

Cyberzaintza - Basque CyberSecurity Agency

2.2. Address

Cyberzaintza - Basque CyberSecurity Agency
Parque Tecnológico de Álava
Albert Einstein 46, 3ª planta - Edificio E7
01510 Vitoria-Gasteiz
Spain

2.3. Time zone

Central European Time - CET (UTC+01:00, and UTC+02:00 while Central European Summer Time is in effect, from late March to late October).

2.4. Telephone number

+34 945 236 636
Available during normal working hours: 08:15 to 17:00 Monday to Thursday and 08:00 to 15:00 on Friday. During summer time (1 June to 30 September) 08:00 to 15:00 Monday to Friday. This timetable does not apply on national holidays or on holidays observed in the city of Vitoria-Gasteiz.

+34 900 104 891
After-hours support for high/emergency priority incidents.

2.5. Facsimile Number

Not available.

2.6. Other Telecommunication

+34 944 037 000

2.7. Electronic Mail Address

csirt [@] cyberzaintza.eus
This is the mailbox for contacting CSIRT representatives for general purposes. Do not use it for incident reporting.
incidencias [@] cyberzaintza.eus
This is the mailbox for reporting a computer security incident related to our constituents.

2.8. Public Keys and Other Encryption Information

Cyberzaintza has the following PGP keys:

CSIRT representatives contact (do NOT use for incident reporting)
csirt [@] cyberzaintza.eus
Key ID: 0x959DC3E47AD1A427
Fingerprint: 4C32 CBFF F2D8 5BEA 6798 AED2 959D C3E4 7AD1 A427

For constituents' incidents
incidencias [@] cyberzaintza.eus
Key ID: 0xD6DC320D2DC5C50A
Fingerprint: 9EE7 86DA 1598 CF7C 3104 3338 D6DC 320D 2DC5 C50A

The keys and their signatures can be found on the usual large public keyservers and under:
https://ciberseguridad.euskadi.eus/contacta-con-cyberzaintza/

2.9. Team Members

The Incident Response Chair is Asier Martínez.

Asier Martínez Retenaga
asier.martinez [@] cyberzaintza.eus
Key ID: 0x43A3DB3D466AA0E3
Fingerprint: 8B67 B4A8 4718 B0EB 069B AED9 43A3 DB3D 466A A0E3

2.10. Other Information

General information about Cyberzaintza, as well as links to various recommended security resources, can be found at
https://ciberseguridad.euskadi.eus/

2.11. Points of Customer Contact

The preferred method for reporting a computer security incident is by email to the Cyberzaintza incidents mailbox, incidencias [@] cyberzaintza.eus. If possible, use the template in section 6 when submitting your report.

2.12. Operating hours

The Incident Response Team is available 24x7x365.

3. Charter

3.1. Mission Statement

The purpose of the Agency is to promote and coordinate cybersecurity in the Basque public sector, as defined in Law 3/2022, of 12 May, on the Basque Public Sector, in the field of security of information systems and electronic networks within the remit of this sector, and to support and promote training in cybersecurity and the secure digital development of the Basque Autonomous Community, its public administration, its citizens and its business fabric.

3.2. Constituency

Cyberzaintza's constituency comprises:
- The public sector of the Basque Country (cybersecurity services and incident response).
- The private sector and citizens of the Basque Country (security services).

3.3. Sponsorship and Affiliation

Cyberzaintza is sponsored by the Security Department of the Basque Government.

3.4. Authority

Cyberzaintza operates as a regional CERT under the mandate of Law 7/2023, of 29 June, on the creation of the Basque Cybersecurity Agency.

4. Policies

4.1. Types of Incidents and Level of Support

Cyberzaintza addresses all types of computer security incidents that occur within its constituency. Cyberzaintza may act upon the request of one of its constituents, or may act when one of its constituents is involved in a computer security incident.

The level of support given by Cyberzaintza will vary depending on the type and severity of the incident or issue, the type of constituent, the size of the user community affected, and Cyberzaintza's resources at the time, though in all cases some response will be made within one working day. Resources will be assigned according to the following priorities:

- Threats to the physical safety of human beings.
- Threats to critical assets impacting or causing losses in industry.
- Root or system-level attacks on any Management Information System or any part of the backbone network infrastructure.
- Root or system-level attacks on any large public service machine, either multi-user or dedicated-purpose.
- Compromise of restricted confidential service accounts or software installations, in particular those used for MIS applications containing confidential data, or those used for system administration.
- Denial of service attacks on any of the above three items.
- Any of the above at other sites, originating from the constituency of Cyberzaintza.
- Large-scale attacks of any kind, e.g. sniffing attacks, IRC "social engineering" attacks, password cracking attacks.
- Threats, harassment, and other criminal offenses involving individual user accounts.
- Compromise of individual user accounts on multi-user systems.
- Compromise of desktop systems.
- Forgery and misrepresentation, and other security-related violations of local rules and regulations, e.g. netnews and e-mail forgery, unauthorized use of IRC bots.

Types of incidents other than those mentioned above will be prioritized according to their apparent severity and extent. In some cases, Cyberzaintza might provide pointers to the information needed to implement appropriate measures, or might escalate the incident to another public service provided by one of its partners.

Cyberzaintza is committed to keeping its constituency informed of potential vulnerabilities and, where possible, will inform this community of such vulnerabilities before they are actively exploited.

4.2. Cooperation, Interaction and Disclosure of Information

The relationship with other teams is based on trust, generally formalised through NDAs. If a relationship requires more than the generic NDA, a specific bilateral contract will be defined. If necessary, SLAs are also defined.

Cyberzaintza will cooperate with other organizations in the field of computer security. This cooperation also includes, and often requires, the exchange of information regarding security incidents and vulnerabilities. Nevertheless, Cyberzaintza will protect the privacy of its constituency and therefore (under normal circumstances) will pass on information in an anonymized form only. Unless explicitly authorized, the identity or vital information of victims of computer security incidents will not be divulged. Cyberzaintza will only provide information to other parties for the sole purpose of facilitating the containment, eradication and recovery of incidents, under the general principle of providing the minimum information possible.
Cyberzaintza operates under the restrictions imposed by Spanish data protection law, as enforced by the Spanish Data Protection Authority. It is therefore also possible that Cyberzaintza may be compelled to disclose information by a court order.

4.3. Communication and Authentication

Telephone and unencrypted e-mail are considered sufficient for the transmission of low-sensitivity data. If it is necessary to send high-sensitivity data by e-mail, PGP will be used. Network file transfers are treated in the same way as e-mail for these purposes. The Cyberzaintza contact template can be found in section 6.

5. Services

5.1. Reactive Activities

Reactive services are designed to respond to requests for assistance, reports of incidents from our constituency, and any threats or attacks against our systems.

5.1.1. Incident Handling

Cyberzaintza will assist its constituency in handling the technical and organizational aspects of incidents. In particular, it will provide assistance or advice with respect to the following aspects of incident management:

5.1.1.1 Incident Analysis
- Investigating whether an incident has indeed occurred.
- Determining the extent of the incident.
- Establishing incident prioritization.

5.1.1.2 Incident Response Support
- Cyberzaintza offers phone and e-mail support to its constituents to help them deal with security incidents. Support can take the form of advice, pointers to web sites or vendor patches, referrals to other CERTs, etc.

5.1.1.3 Incident Response Coordination
- Determining the initial cause of the incident.
- Identifying the best partner or skill set needed to address the incident.
- Facilitating contact with appropriate security teams.
- Facilitating contact with police forces and law enforcement officials.
- Making reports to other CSIRTs.

5.1.2. Vulnerability Handling

5.1.2.1 Vulnerability Response Coordination
Vulnerability handling involves receiving information and reports about hardware and software vulnerabilities; analysing the nature, mechanics, and effects of the vulnerabilities; and developing response strategies for detecting and repairing them. Activities also include facilitating the analysis of a vulnerability or vulnerability report; coordinating the release schedules of corresponding documents, patches, or workarounds; and synthesizing technical analysis done by different parties.

5.1.3. Artifact Handling

An artifact is any file or object found on a system that might be involved in probing or attacking systems and networks, or that is being used to defeat security measures. Artifacts include, but are not limited to, computer viruses, Trojan horse programs, worms, exploit scripts, and toolkits. Artifact handling involves receiving information about, and copies of, artifacts that are used in intruder attacks, reconnaissance, and other unauthorized or disruptive activities. Once received, the artifact is reviewed. This includes analyzing the nature, mechanics, version, and use of the artifact, and developing (or suggesting) response strategies for detecting, removing, and defending against it.

5.1.3.1 Artifact analysis
We perform a technical examination and analysis of any artifact found on a system. The analysis may include identifying the file type and structure of the artifact, comparing a new artifact against existing artifacts or other versions of the same artifact to see similarities and differences, or reverse engineering or disassembling code to determine the purpose and function of the artifact.

5.1.3.2 Artifact response
This service involves determining the appropriate actions to detect and remove artifacts from a system, as well as actions to prevent artifacts from being installed.
This may involve creating signatures that can be added to antivirus software or an IDS.

5.1.3.3 Artifact response coordination
This service involves sharing and synthesizing analysis results and response strategies pertaining to an artifact with other researchers, CSIRTs, vendors, and other security experts. Activities include notifying others and synthesizing technical analysis from a variety of sources.

5.1.4. Alerts and Warnings

Cyberzaintza will collect statistics concerning incidents that occur within or involve its constituency, and will notify the community as necessary to assist it in protecting against known attacks.

5.2. Proactive Activities

Proactive services reduce the number of actual incidents by giving the constituency proper and suitable information concerning potential incidents. Cyberzaintza's additional proactive services include:

5.2.1. Announcements

Cyberzaintza will provide its constituency with information about ongoing attacks, security vulnerabilities, alerts in the general sense, and short-term recommended courses of action for dealing with the resulting problems.

5.2.2. Security-Related Information Dissemination

Cyberzaintza will collect and disseminate computer and internet security related information.

5.3. Security Quality Management Services

In order to supervise and increase the quality of the services offered, the following services are performed:

5.3.1. Awareness Building

Cyberzaintza works to increase the security awareness of its constituents by developing informational resources that explain security best practices and give advice on precautions to take. We also schedule seminars to keep constituents up to date with ongoing security procedures and potential threats to organizational systems.

5.3.2. Education / Training

Cyberzaintza provides information to its constituents about computer security issues through seminars and workshops.

5.3.3. Cyberzaintza Team Members Education & Training

Team members are continuously trained to enhance their skills and capacities.

5.3.4. Documentation

Documentation is maintained on the following topics:
- The procedures that form part of the services are documented.
- The results of incident management and incident analysis are documented, resulting in suggestions on how to improve the services or systems, respectively.

6. Incident Reporting Forms

Use the following template and send it by email to the appropriate address. Please provide as much detail as possible and attach any relevant files (logs, emails, images...):

============================================================
INCIDENT REPORT

Your contact and organizational information
- Name:
- Organisation name, if necessary:
- Specify sector type (such as banking, education, energy or public safety), if necessary:
- Email address:
- Telephone number:
- Other (fax, ...):

Have you reported this incident to other individuals or organizations?:

- Type of incident detected (Phishing, Malware, DDoS, Unauthorized use/access...):
- When was this incident detected? (Provide date, time and timezone):
- Incident Details (Provide a short description of the incident):

Complete the following information about the affected system and the attacker host.
--- Affected System (Duplicate if needed) ---
- Hostname:
- Domain:
- IP Address:
- Port:
- Operating System:
- Primary purpose of the affected system (Workstation, Web/DNS/FTP/Application/Database server, Router, Firewall...):
--- End Affected System ---

--- Attacker Host (Duplicate if needed) ---
- Hostname:
- Domain:
- IP Address:
- Port:
- Protocol:
--- End Attacker Host ---

Description of the incident (duplicate in case of multiple incidents)
- Dates:
- Methods of intrusion:
- Tools involved:
- Software versions:
- Other relevant information:
==========================================================

This is the most effective way to report a computer security incident to Cyberzaintza by email. When reporting by phone, the same data listed above will be requested and should be provided.

7. Disclaimers

While every precaution will be taken in the preparation of information, notifications and alerts, Cyberzaintza assumes no responsibility for errors, omissions, or for damages resulting from the use of the information contained herein.

-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEETDLL//LYW+pnmK7SlZ3D5HrRpCcFAmfmgzQACgkQlZ3D5HrR
pCdjPBAAkwY2Lx/403AnFDgOg6JOhQuTXHjgMyW8tJgV9x4jXSmftOUk3rNbxpWp
0A/9D/qoW26m9zAVOrSLIfKu2PN1PV7FUj61LPWwiUrmSo0egrMAgyeJ7dClc7DG
YwCFwslB+QscDNFDXPWwoxO5rj3She67+dVLGYxJ5pyNPrTUPaemSAUJ5VUU5IVV
KopkU01sSxoAd0jfzrPP/G0Idw9E8yS9+sTICbUNDJMA0qCVK5BZF54dJMHJb0Pp
4LUM3KLQRI2w3CqO35wQS6pQvnYXJ6wPpALVktRhTTjFWp7lVHOXlyS9ovyWpy5g
Y5u6ChOPt0kP1FwPPvn7k/P8V9HeVBwGnep1KgwpamYS3xviZaQTIOXsK6WIFCg9
EhvpzIzMC5XjROgWnThSzqWhkxiKPB3ZS9WjENChg3d0kiLfggYvS6Z9ZBZlHjXN
QxqxzcYJ/fC9Ehhki9vuUkvoK4QG3RyJXS4n7PbOswyapt/KkuZ/I8w9+xiUoDrX
cWQoxHF1zaZjKHit5QzD3AFEibuBh/1iQmNi4yHQeZc6C7XJ/Qe3zovd186EhcgP
mxKcT6aIXkiicKIJ8qiheqeIfK/G4ijMNWr7DxIqlurgE5JXyRW5WfBEIUh8S2iP
E8aKJrh3NTPc6SWcx6IFHV/+wJUjnMae4/7+v2KIElRjJJ2fMG0=
=wTpK
-----END PGP SIGNATURE-----
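Section 1.4 states that the document is signed with Cyberzaintza's PGP keys, and sections 2.8 and 2.9 print the fingerprints. The normal check is to fetch the key from the keyserver or the contact page, confirm the full 40-hex fingerprint (not the 16-hex key ID, which is trivially collidable) against the printed one, and run `gpg --verify` on the clearsigned file. Before doing any of that it is useful to know which key a signature even claims to come from; the script below is an added example, not part of the RFC 2350 text or of Cyberzaintza's tooling. It dearmors the signature block above, walks the OpenPGP packet and subpacket structure (RFC 4880 sections 4.2, 5.2.3 and 5.2.3.1, plus the issuer-fingerprint subpacket of RFC 9580), and labels the result with the matching entry from the printed key list. It also checks the invariant that a v4 key ID is the low-order 64 bits of its fingerprint, so the Key ID / Fingerprint pairs printed in 2.8 and 2.9 can be cross-checked against each other. The labels in LISTED_KEYS are this example's shorthand; the armored block is copied verbatim from the end of this document. Nothing here verifies the RSA signature or the armor CRC; that remains gpg's job.

```python
import base64

# Constructed input: the armored signature block copied verbatim from the end of this document.
ARMORED_SIGNATURE = """-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEETDLL//LYW+pnmK7SlZ3D5HrRpCcFAmfmgzQACgkQlZ3D5HrR
pCdjPBAAkwY2Lx/403AnFDgOg6JOhQuTXHjgMyW8tJgV9x4jXSmftOUk3rNbxpWp
0A/9D/qoW26m9zAVOrSLIfKu2PN1PV7FUj61LPWwiUrmSo0egrMAgyeJ7dClc7DG
YwCFwslB+QscDNFDXPWwoxO5rj3She67+dVLGYxJ5pyNPrTUPaemSAUJ5VUU5IVV
KopkU01sSxoAd0jfzrPP/G0Idw9E8yS9+sTICbUNDJMA0qCVK5BZF54dJMHJb0Pp
4LUM3KLQRI2w3CqO35wQS6pQvnYXJ6wPpALVktRhTTjFWp7lVHOXlyS9ovyWpy5g
Y5u6ChOPt0kP1FwPPvn7k/P8V9HeVBwGnep1KgwpamYS3xviZaQTIOXsK6WIFCg9
EhvpzIzMC5XjROgWnThSzqWhkxiKPB3ZS9WjENChg3d0kiLfggYvS6Z9ZBZlHjXN
QxqxzcYJ/fC9Ehhki9vuUkvoK4QG3RyJXS4n7PbOswyapt/KkuZ/I8w9+xiUoDrX
cWQoxHF1zaZjKHit5QzD3AFEibuBh/1iQmNi4yHQeZc6C7XJ/Qe3zovd186EhcgP
mxKcT6aIXkiicKIJ8qiheqeIfK/G4ijMNWr7DxIqlurgE5JXyRW5WfBEIUh8S2iP
E8aKJrh3NTPc6SWcx6IFHV/+wJUjnMae4/7+v2KIElRjJJ2fMG0=
=wTpK
-----END PGP SIGNATURE-----"""

# (key ID, fingerprint) exactly as printed in sections 2.8 and 2.9; the labels are this example's shorthand.
LISTED_KEYS = {
    "csirt": ("0x959DC3E47AD1A427", "4C32 CBFF F2D8 5BEA 6798 AED2 959D C3E4 7AD1 A427"),
    "incidencias": ("0xD6DC320D2DC5C50A", "9EE7 86DA 1598 CF7C 3104 3338 D6DC 320D 2DC5 C50A"),
    "asier.martinez": ("0x43A3DB3D466AA0E3", "8B67 B4A8 4718 B0EB 069B AED9 43A3 DB3D 466A A0E3"),
}


def dearmor(armored: str) -> bytes:
    """Strip the ASCII armor (RFC 4880 6.2) and return the raw packet bytes; the '=XXXX' CRC line is skipped."""
    inner = armored.split("-----BEGIN PGP SIGNATURE-----", 1)[1].split("-----END PGP SIGNATURE-----", 1)[0]
    payload = inner.partition("\n\n")[2]  # armor headers (Version:, Comment:), if any, end at the first blank line
    return base64.b64decode("".join(t for t in payload.split() if not t.startswith("=")), validate=True)


def _length(blob: bytes, i: int):
    """New-style length octets shared by packet headers and subpackets (RFC 4880 4.2.2, 5.2.3.1)."""
    first = blob[i]
    if first < 192:
        return first, i + 1
    if first < 224:
        return ((first - 192) << 8) + blob[i + 1] + 192, i + 2
    if first == 255:
        return int.from_bytes(blob[i + 1:i + 5], "big"), i + 5
    raise ValueError("partial body lengths do not occur in signature packets")


def _subpackets(blob: bytes):
    """Yield (type, data) for each signature subpacket; bit 7 of the type octet is the 'critical' flag."""
    i = 0
    while i < len(blob):
        length, i = _length(blob, i)
        yield blob[i] & 0x7F, blob[i + 1:i + length]
        i += length


def parse_signature(packet: bytes) -> dict:
    """Read a v4 signature packet (RFC 4880 5.2.3) far enough to see who claims to have signed.
    The RSA signature itself is not verified here; that still needs gpg and the public key."""
    tag_byte = packet[0]
    if not tag_byte & 0x80:
        raise ValueError("not an OpenPGP packet")
    if tag_byte & 0x40:  # new-format header
        tag, (body_len, off) = tag_byte & 0x3F, _length(packet, 1)
    elif tag_byte & 0x03 == 3:
        raise ValueError("indeterminate-length packet")
    else:  # old-format header: the 2-bit length type selects a 1-, 2- or 4-octet length
        tag, n = (tag_byte >> 2) & 0x0F, (1, 2, 4)[tag_byte & 0x03]
        body_len, off = int.from_bytes(packet[1:1 + n], "big"), 1 + n
    if tag != 2:
        raise ValueError(f"expected a signature packet (tag 2), got tag {tag}")
    body = packet[off:off + body_len]
    if len(body) != body_len or body[0] != 4:
        raise ValueError("truncated packet or unsupported signature version")
    info = {"sig_type": body[1], "pubkey_algo": body[2], "hash_algo": body[3], "body_len": body_len}
    hashed_len = int.from_bytes(body[4:6], "big")
    unhashed_len = int.from_bytes(body[6 + hashed_len:8 + hashed_len], "big")
    hashed, unhashed = body[6:6 + hashed_len], body[8 + hashed_len:8 + hashed_len + unhashed_len]
    for sp_type, data in list(_subpackets(hashed)) + list(_subpackets(unhashed)):
        if sp_type == 2:  # signature creation time, seconds since the Unix epoch
            info["created"] = int.from_bytes(data, "big")
        elif sp_type == 16:  # issuer key ID; normally in the unhashed area, so not covered by the signature
            info["issuer_keyid"] = data.hex().upper()
        elif sp_type == 33 and data[0] == 4:  # issuer fingerprint (RFC 9580): version octet + 20-byte v4 fingerprint
            info["issuer_fingerprint"] = data[1:].hex().upper()
    return info


def identify_signer(armored: str, listed: dict) -> dict:
    """Parse the signature and label it with the matching entry from the document's key list."""
    info = parse_signature(dearmor(armored))
    info["signer"] = None
    claimed = info.get("issuer_fingerprint") or info.get("issuer_keyid")  # prefer the hashed fingerprint
    for label, (_keyid, fingerprint) in listed.items():
        compact = fingerprint.replace(" ", "").upper()
        if claimed in (compact, compact[-16:]):
            info["signer"] = label
    return info


def keyid_consistent(keyid: str, fingerprint: str) -> bool:
    """A v4 key ID is the low-order 64 bits of the fingerprint (RFC 4880 12.2), so printed pairs must agree."""
    return fingerprint.replace(" ", "").upper()[-16:] == keyid[2:].upper()
```

Running `identify_signer(ARMORED_SIGNATURE, LISTED_KEYS)` on the block above reports an RSA (algorithm 1) signature over a canonical text document (type 0x01) using SHA-512 (algorithm 10), which agrees with the `Hash: SHA512` armor header; the hashed issuer-fingerprint subpacket carries 4C32CBFF...7AD1A427, i.e. the csirt [@] cyberzaintza.eus key from 2.8, and the creation time 1743160116 decodes to 2025-03-28 11:08:36 UTC, consistent with the publication date in 1.1. All three printed Key ID / Fingerprint pairs pass `keyid_consistent`. None of this proves the signature is valid: only `gpg --verify` against a key whose full fingerprint you have confirmed out of band does that.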