Successful Response to a Major Security Incident
By Arturo Navarro
CISO Experience
Amidst the conflict in Ukraine, my role as CISO required managing frequent DoS attacks and monitoring the communication channels the attacking groups often used to announce their intentions.
I led the development of a comprehensive defense strategy that integrated threat intelligence and advanced network segmentation. By applying deception techniques and proactive threat hunting, we neutralized the attackers and strengthened our cybersecurity resilience.
A significant incident, handled under my leadership as Global CISO, arose from a collaboration between an external company and an entity of the banking group that resulted in the compromise of a user's access permissions. The Play ransomware group used this access to launch an attack and exfiltrate information for extortion purposes.
Successful Response to a Major Security Incident
The attack was detected only after it had been launched. The cause was that alerts for the relevant indicators of compromise had not been configured, primarily because the compromised entity had not communicated that those indicators existed. Response measures were prompt and localized: the compromised production environment was removed, isolated environments were established for forensic analysis, and new services were deployed in a secured manner. Notably, we chose not to restore Active Directory from backups and instead rebuilt it from the ground up.
A crisis management framework was put in place immediately, enabling transparent communication about the incident with internal and external stakeholders, including regulators and customers. This approach delivered consistent updates without the need for a specialized communication agency.
The cornerstones of our successful incident response were rapid action, comprehensive forensic analysis and efficient team communication. By isolating the affected systems, eliminating the threat and restoring operations with minimal downtime, we significantly mitigated the attack's impact. Future enhancements could focus on improved threat detection through advanced monitoring, asset identification and AI-driven anomaly detection.
Coordination with Public Agency
I have demonstrated a consistent ability to coordinate our company’s security operations effectively with national cybersecurity agencies, such as INCIBE, CNPIC, and CCN, during extensive malware campaigns and orchestrated DoS attacks. This cooperation entailed the exchange of threat intelligence, the implementation of recommended protective measures, and participation in joint briefings, highlighting the critical role of public-private partnerships in bolstering collective defense strategies against cyber threats.
Throughout my tenure as Global CISO, I also engaged with various regulatory and government organizations to ensure compliance and reinforce security measures. These interactions included collaborations with the Bank of Spain (Banco de España) for regulatory compliance and financial security, the Data Protection Agency (Agencia de Protección de Datos) for data privacy law adherence, and the National Center for the Protection of Critical Infrastructures (Centro Nacional de Protección de Infraestructuras Críticas - CNPIC) to protect essential services and infrastructure.