success stories

Joint Ethical Hacking and Digital Surveillance Service

Customer

Spanish Stock Exchanges and Markets

Sector

Banking & Fintech

Capabilities used

As for the Digital Surveillance service, we started to create all our own tools and to use third-party tools for the collection of findings.

For the ethical hacking exercises, numerous security audits were carried out manually by members of the Oesia Group hacking team under different approaches and different typologies.

Other companies or players involved

Initially, we only interacted with the BME Group, but later, with the absorption by SIX, we began to interact with the SIX Group as an additional player in the projects.

 

Situation

We have to go back to 2015, when the Digital Surveillance service was not too developed in the cybersecurity world. We saw the opportunity to collaborate with Grupo BME in the development of a service that would be able to monitor something that had not been reviewed to date, the company's Internet exposure. Gradually, new types of findings were introduced to the service, thus increasing its quality and importance within the BME Group, until a finished product was achieved, which is of great value to the client today.

In addition, the amount of development and growth that BME underwent created a great need to verify that everything that was published was audited and had no security breaches, as it is a critical infrastructure and a data leak or exploited vulnerability could be critical.

Tasks

Since the beginning of the project, new Digital Surveillance tools have been provided, either tools designed by ourselves or third parties. The project has evolved from having four types of monitored objectives to 12, which brings much more value to the client. With these advances, others gradually emerged, such as early warning of vulnerabilities or crisis management in special situations related to the customer's entity.

On the other hand, after starting the audit work, we have been improving the techniques to carry out these same, since the knowledge of how they work, as well as their architectures was increasingly transparent, with the passage of time have been carried out audits of internal networks, review of the bastionado of the equipment, audits to web and desktop applications etc. ... All this in order to secure the organization and prevent future attacks.

Action

The development of new recurring tasks has been a general trend during the project, either due to improvements in the service itself or to customer specifications, to which we have been adapting to achieve a finished product adapted to the specific needs of BME. The language used for communications with the client has also been modified, since the change of interlocutor from BME Group to SIX, each process had to be modified to translate each element into English (presentations, meetings, reports, etc...).

Thanks to the knowledge obtained about the organization during the years working together, we have been able to carry out completely customized audits adapted to the client's needs, using different work methodologies such as OWASP, MITTRE, the TIBERS framework, etc... This has allowed us to adapt perfectly to the client's needs and offer the highest possible quality.

Result

As a result of all these actions carried out throughout the project cycle, it has been possible to obtain a stable product of great value for the client, since it monitors more novel elements that cannot be monitored with classic cybersecurity tools and procedures.

In terms of technical audits, we have been able to detect a large number of possible security breaches before they were published and could have been a real problem for the organization, thanks to these detections we have been able to correct the errors and make secure publications.