To accomplish its many missions as a major transport operator in France and abroad, the SNCF Unified Public Group (GPU) relies on a range of digital services and technologies, whether provided by the Group itself or by external service providers.
In this context, the Information Research Unit (CRI) project of the SNCF Group's Cybersecurity Department has for several years been working to reduce the Internet-facing attack surface of its information system and to hunt down data leaks, in order to reduce the risk of cyber attacks.
The SNCF Group's IS includes several hundred applications structured by Business Departments, and several hundred thousand digital assets (terminals, servers, etc.) physically distributed throughout the country and abroad.
The CRI project aims to implement, through a centrally coordinated approach, the means to detect: vulnerable elements exposed on the Internet that could be the target of an attack; elements that could damage the image of the SNCF Group on the Internet; publications on forums and social networks claiming or preparing an attack on our IS; and leaks of confidential information (accidental or intentional).
The strategic approach for the project is to use open-source intelligence methods to detect these elements and alert the relevant teams for each element detected.
The SNCF Group is looking for a managed Threat Intelligence service, not a software or hardware solution. The service provided must make it possible to anticipate, detect and alert SNCF teams to cyber threats related to the exposure of SNCF resources and data on the Web.
The main types of threats identified for analysis are: data leaks relating to SNCF brands and their public exposure; exposed resources, whether known to IS teams or not (Shadow IT), and their possible configuration defects; digital fraud; and risks to the image of SNCF brands, through monitoring of social networks and forums.
The target missions of the CRI project can be summarized as follows:
Implementation of strategic surveillance to prevent various attacks;
Anticipation of the risks of fraud and of brand or identity theft on all possible channels (anonymous networks, social networks, etc.);
Control of the exposure of the SNCF IS to attacks;
Detection of information leaks (SNCF employees, SNCF customers, technical or confidential information);
Identification of compromised SNCF partners;
Periodic report on the threat landscape for French companies (transport sector).
Things to look out for:
DATA LEAKAGE
The service must make it possible to detect publications containing confidential corporate or personal data relating to customers or employees of the SNCF Group.
Some examples:
LEAKAGE OF CUSTOMER OR AGENT DATA, LEAKAGE OF COMPANY INFORMATION, LEAKAGE OF TECHNICAL DATA, ETC.
RISKY CONFIGURATION
The service must make it possible to identify IT assets, within a given perimeter, whose configuration poses a risk to the information system.
Some examples:
SSL MISCONFIGURATION, DATA ACCESSIBLE WITHOUT AUTHENTICATION, EXPOSED AND VULNERABLE SENSITIVE SERVICE, ADMINISTRATION PORTAL AND NON-PRODUCTION WEB PUBLICATIONS, ...
UNCONTROLLED PUBLICATION
The service must make it possible to identify IT assets in a given perimeter that are reported as dangerous by a third party or that present vulnerabilities.
Some examples:
PUBLICATION OF A VULNERABILITY ON A SOCIAL NETWORK OR SPECIALIZED SITE, CLAIM OF AN ATTACK OR POTENTIALLY COMPROMISED ASSET, ETC.
FRAUD, SCAMS
The service must make it possible to identify publications presenting fraud techniques, as well as scams relating to the given scope, which may damage the image of the SNCF Group or abuse the SNCF Group's customers.
Some examples:
SALE OF FRAUDULENT OR STOLEN TICKETS, ANNOUNCEMENT OF REFUND FRAUD, SALE OF CONFIDENTIAL PERSONAL DOCUMENTS, ETC.
In addition to the elements to be detected above, a periodic threat intelligence report specific to the "Transport" sector of activity is also required.
Optional services:
DOMAIN NAME MONITORING
An option offered by the bidder for the detection of potentially fraudulent domain names relating to the scope provided is a plus. The aim is to inform the SNCF Group of any purchase, sale or modification of domain names relating to the scope, in order to detect potential phishing sites ahead of time.
CATALOGUE OF "ON-DEMAND" SERVICES
The bidder will propose examples of services in the field of Threat Intelligence, in the categories below:
Simple service: 2 to 6 hours of work; volume: 15;
Average service: 1 to 3 days of work; volume: 10;
Complex service: 3 to 5 days of work; volume: 5.
Any volume indicated is purely indicative and not binding for the SNCF Group.