-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

CERT Description for CERT-Arteria
=================================

INDEX

1. About this document
   1.1 Date of Last Update
   1.2 Distribution List for Notifications
   1.3 Locations where this Document May Be Found
   1.4 Authenticating this Document
   1.5 Document Format
2. Contact Information
   2.1 Name of the Team
   2.2 Address
   2.3 Time Zone
   2.4 Telephone Number
   2.5 Facsimile Number
   2.6 Other Telecommunication
   2.7 Electronic Mail Address
   2.8 Public Keys and Other Encryption Information
   2.9 Team Members
   2.10 Other Information
   2.11 Points of Customer Contact
   2.12 Operating hours
3. Charter
   3.1 Mission Statement
   3.2 Constituency
   3.3 Sponsorship and/or Affiliation
   3.4 Authority
4. Policies
   4.1 Types of Incidents and Level of Support
   4.2 Co-operation, Interaction and Disclosure of Information
   4.3 Communication and Authentication
5. Services
   5.1 Incident Response
   5.2 Malware / Artifact Analysis
   5.3 Proactive activities
   5.4 Cyber patrol and intelligence
6. Incident Reporting Forms
7. Disclaimers

*****************

1. About this document

1.1 Date of Last Update

This is version 1.0, published 2021-01-12.

1.2 Distribution List for Notifications

Notifications of relevant updates are submitted to our constituency using established communication channels.

1.3 Locations where this Document May Be Found

The current version of this CSIRT description document is available from the CERT-Arteria WWW site; its URL is
https://www.arteria.com.mx/cert_/01/CERT-Arteria-RFC2350.txt
Please make sure you are using the latest version.

1.4 Authenticating this Document

This document has been signed inline with the CERT-Arteria PGP key. See section 2.8.

1.5 Document Format

This document is distributed in plain-text format using the UTF-8 character set (RFC 3629).

2. Contact Information

2.1 Name of the Team

CERT-Arteria
Arteria Comunicaciones - Computer Emergency Response Team

2.2 Address

Guillermo Gonzalez Camarena No. 1100
Santa Fe, Alcaldia Alvaro Obregon
C.P. 01210 CDMX
Mexico

2.3 Time Zone

CERT-Arteria follows the time zone of Mexico, which is GMT-6. As of the date of this document, the time zone used is CNM (UTC-6) during winter time and UTC-5 during daylight saving time, which is active from 02:00 UTC on the first Sunday in April to 02:00 UTC on the last Sunday in October.

2.4 Telephone Number

(52) 55 5351 5560
Available during normal working hours (see section 2.12). Not suitable for incident communication, which should happen through the established electronic mail addresses (see section 2.7).

2.5 Facsimile Number

55 2167 3340 (this is NOT a secure fax)

2.6 Other Telecommunication

Although the preferred form of communication is electronic mail, telephone, videoconference and other telecommunication options may be arranged on request.

2.7 Electronic Mail Address

CERT [@] arteria.com.mx
This is the email address for reporting a computer security incident related to enterprises. If you are reporting an incident, this is probably the appropriate email address.

2.8 Public Keys and Other Encryption Information

The above email address has the following PGP key associated:

For enterprise incidents: CERT-Arteria incidents (2020-2022)
Key ID:      352D 4530 6E3A C874
Fingerprint: 8D0CFEC5435506C84B9408BC352D45306E3AC874

The keys themselves and their signatures can be found at the usual large public keyservers, by Web Key Directory (WKD), and at:
https://www.arteria.com.mx/cert_/01/pgp-public-keys/ArteriaCERTPublicKey.txt

2.9 Team Members

An alphabetic list of team members and their associated PGP keys follows. To form their corresponding email addresses, replace the bracketed character with an at sign.
2.10 Other Information

General information about CERT-Arteria, as well as links to various recommended security resources, can be found at
https://www.arteria.com.mx/cert_/01/

2.11 Points of Customer Contact

For reporting a computer security incident, the preferred method is by email to the CERT-Arteria reporting mailbox, CERT [@] arteria.com.mx. If possible, use the template given in section 6 when submitting your report. Alternatively, you may send your notification using the form at:
https://www.arteria.com.mx/cert_/01/

2.12 Operating hours

Incident Response services are available 24 × 7 × 365.

Regular business hours for other services, as well as for certain incidents considered non-critical after triage and requiring further input, are as follows:

Normal hours:
- 09:00 to 18:00 from Monday to Friday.

Business hours follow the holidays applicable in Mexico, which are the following days:
- January 1
- February 5
- March 21
- May 1
- September 16
- November 21
- December 25

with the next day becoming a holiday should any of the above fall on a Sunday in a given year.

3. Charter

3.1 Mission Statement

Actively participate in the creation of a trustworthy cybersecurity ecosystem for our clients by providing prevention and response capabilities against emerging cyber threats.

3.2 Constituency

CERT-Arteria provides its services internally to the business units of Arteria Comunicaciones, as well as to our clients according to previously established service levels.

3.3 Sponsorship and/or Affiliation

The CERT-Arteria Cybersecurity Incident Response Team is a business unit of the company Arteria Comunicaciones, S.A. de C.V.

3.4 Authority

The CERT-Arteria Cybersecurity Incident Response Team exercises shared authority towards the other Arteria Comunicaciones business units: it participates in the decision process during an incident and influences decisions without making them alone.
Regarding external clients, CERT-Arteria has no decision authority and acts as an external advisor, providing suggestions, mitigation strategies and recommendations.

4. Policies

4.1 Types of Incidents and Level of Support

The CERT-Arteria Cybersecurity Incident Response Team provides remote support actions and services for cybersecurity incidents that may affect the integrity, availability and confidentiality of the information managed by the systems and processes of the beneficiaries of its services. These activities cover the preparation, detection, containment, eradication, recovery and closure of cybersecurity incidents, based on the application of processes, technologies and specialized knowledge, in order to minimize the possible adverse impact for the organizations with which agreements and service levels have previously been established.

All confirmed incidents are classified according to their class, severity and urgency, in accordance with the established response plans and procedures; responses are prioritized based on the results of that classification.

4.2 Co-operation, Interaction and Disclosure of Information

CERT-Arteria interacts constantly with the SOC / NOC teams belonging to Arteria Comunicaciones.

The CERT-Arteria Cybersecurity Incident Response Team establishes levels of confidentiality according to the TLP (Traffic Light Protocol). Information of a confidential nature is only communicated and stored in a secure environment and, if necessary, using encryption technologies.

All information provided to CERT-Arteria will be used to help resolve cybersecurity incidents. Information will only be distributed to other teams and members on a need-to-know basis (least privilege) and with its confidential items sanitized. CERT-Arteria uses the TLP (Traffic Light Protocol) for the exchange of information.
4.3 Communication and Authentication

Telephones will generally be considered sufficiently secure to be used even unencrypted. Unencrypted e-mail will not be considered particularly secure, but will be sufficient for the transmission of low-sensitivity data.

The preferred method of communication is email with PGP keys. CERT-Arteria publishes its PGP keys (see section 2.8) and encourages those contacting CERT-Arteria to use them for higher confidentiality. CERT-Arteria will use end-to-end PGP-encrypted mail where possible. There is a procedure through which the keys of certain high-value constituents are kept updated; however, any entity contacting CERT-Arteria is welcome to provide its own PGP key to secure further communications.

For plaintext mails, authentication is provided through cleartext PGP signatures by the aforementioned keys.

5. Services

5.1 Incident Response

Remote support actions and services for the prevention, detection, analysis, containment, eradication, recovery and closure of cybersecurity incidents, based on the application of processes, technologies and specialized knowledge, in order to minimize the possible adverse impact for organizations. This may involve technical assistance in interpreting the data collected, providing contact information, or conveying guidance on mitigation and recovery strategies.

5.2 Malware / Artifact Analysis

CERT-Arteria has the ability to perform static and dynamic analysis of malicious code samples to discover Indicators of Compromise / detection patterns. Managing artifacts involves receiving information and copies of artifacts that are used in attacks, reconnaissance and other unauthorized activities. The analysis performed may include identifying the file type and structure of the artifact, comparing a new artifact with existing artifacts or other versions of the same artifact for similarities and differences, or reverse engineering to determine the purpose and function of the artifact.
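As an added example (not part of this document or of CERT-Arteria's own tooling), the following POSIX shell script shows how a recipient can act on sections 1.4, 2.8 and 4.3: it cross-checks the published key ID against the published fingerprint offline, imports the key from the URL in section 2.8 only if its fingerprint matches, and accepts a cleartext-signed file such as this one only when gpg reports a valid signature from exactly that fingerprint. It assumes gpg, curl and awk are installed.

```shell
#!/bin/sh
# Added example, not CERT-Arteria code. Values below are copied from section 2.8.
set -eu

CERT_FPR="8D0CFEC5435506C84B9408BC352D45306E3AC874"
CERT_KEYID="352D45306E3AC874"
CERT_KEY_URL="https://www.arteria.com.mx/cert_/01/pgp-public-keys/ArteriaCERTPublicKey.txt"

# Normalise a fingerprint or key ID as printed in prose: drop blanks, upper-case hex.
norm_hex() {
    printf '%s' "$1" | tr -d ' \t' | tr 'abcdef' 'ABCDEF'
}

# The 64-bit (long) key ID is the last 16 hex digits of the 160-bit v4 fingerprint,
# so the two values a document prints side by side can be checked for consistency.
keyid_from_fpr() {
    norm_hex "$1" | awk '{ print substr($0, length($0) - 15) }'
}

# Exit 0 when key ID $2 is the one derived from fingerprint $1.
keyid_matches_fpr() {
    [ "$(keyid_from_fpr "$1")" = "$(norm_hex "$2")" ]
}

# Download the published key; inspect it without storing it (dry run, colon output,
# "fpr" record field 10 is the fingerprint) and import only on an exact match.
import_cert_key() {
    curl -fsSL "$CERT_KEY_URL" \
        | gpg --dry-run --import-options show-only --with-colons --import 2>/dev/null \
        | awk -F: -v want="$CERT_FPR" '$1 == "fpr" && $10 == want { hit = 1 } END { exit !hit }' \
        || { echo "key at $CERT_KEY_URL does not carry fingerprint $CERT_FPR" >&2; return 1; }
    curl -fsSL "$CERT_KEY_URL" | gpg --import
}

# Verify a cleartext-signed file. Do not trust the exit code alone: a good signature
# from some other key also yields success, so require the VALIDSIG status line
# (field 3 = signing key fingerprint) to name the expected key.
verify_signed_doc() {
    gpg --status-fd 1 --verify "$1" 2>/dev/null \
        | awk -v want="$CERT_FPR" '$1 == "[GNUPG:]" && $2 == "VALIDSIG" && $3 == want { ok = 1 } END { exit !ok }'
}

if [ -n "${1:-}" ]; then
    keyid_matches_fpr "$CERT_FPR" "$CERT_KEYID" || { echo "key ID / fingerprint mismatch" >&2; exit 1; }
    import_cert_key
    verify_signed_doc "$1" && echo "valid signature by CERT-Arteria key $CERT_KEYID on $1"
fi
```

Run it as `sh verify.sh CERT-Arteria-RFC2350.txt`; the offline key-ID check runs before any network access, so a typo in either published value is caught first.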
5.3 Proactive activities

Proactive services are designed to improve the constituency's infrastructure and security processes before any incident or event occurs or is detected. The main objectives are to avoid incidents and to reduce their impact and scope when they occur. They include:
- Preparation of a newsletter with relevant alerts / news, including Indicators of Compromise / CVEs.
- Collaboration with national and international associations and working groups on cybersecurity frameworks, best practices and recommendations.

5.4 Cyber patrol and intelligence

Cyber patrol is used to detect criminals and organizations that commit fraud and crimes on the Clear Web, social networks, and the Deep / Dark Web. The monitoring is carried out covertly and with the appropriate technological tools, collecting Indicators of Compromise and identifying those likely responsible for the different criminal behaviours, such as the sale of sensitive and confidential information (user names and passwords, bank cards, customer databases, corporate plans) and apocryphal or fraudulent websites, among others.

Cyber patrol has four services that cover fundamental aspects of the protection of the brand, reputation and assets, in order to avoid fraud or falsification of the organization's image on the internet: Clear Web Monitoring, Deep / Dark Web Monitoring, Reports, and Cyber Intelligence.

6. Incident Reporting Forms

Check section 2.9 to choose the constituency affected by the incident you are about to report. Use the following template and send it by email to the appropriate address. Please provide as much detail as possible, attaching any relevant files if needed (logs, email messages, screenshots...):

=================================================================
INCIDENT REPORT

Have you reported this incident to other individuals or organizations?:

- Type of incident detected (Phishing, Malware, DDoS, Unauthorized use/access...):
  Use the taxonomy from the Reference Security Incident Taxonomy Working Group when possible, see
  https://github.com/enisaeu/Reference-Security-Incident-Taxonomy-Task-Force/blob/master/working_copy/humanv1.md

- When was this incident detected? (datetime and timezone):

- Incident Details (short description of the incident):

Complete the following information about the affected system and the attacker host (if known).

--- Affected System (Duplicate if needed) ---
Hostname:
Domain:
IP Address:
Port:
Operating System:
Primary purpose of the affected system (Workstation, Web/DNS/FTP/Application/Database server, Router, Firewall...):
--- End Affected System ---

--- Attacker Host (Duplicate if needed) ---
Hostname:
Domain:
IP Address:
Port:
Protocol:
--- End Attacker Host ---
=================================================================

This is the most preferable way to report a computer security incident to CERT-Arteria.

7. Disclaimers

While every precaution will be taken in the preparation of information, notifications and alerts, CERT-Arteria assumes no responsibility for errors or omissions, or for damages resulting from the use of the information contained within.