Hackers vs. hackers at BBVA

When we think of professions related to the financial sector, it is difficult to think of 'hackers'. The functions and profiles required in a bank have evolved a lot in recent years, partly due to the digitalization of the sector. What does a team of hackers do at BBVA? How is it organized? What are their main functions? What are the profiles of these professionals?

Hackers or highly specialized security operations teams are a crucial element in maintaining defenses against potential cyber-attacks. BBVA's team is responsible for conducting the necessary preventive, proactive and reactive actions to maintain the bank's security. These teams are made up of multidisciplinary professionals who are organized according to the cybersecurity guidelines of the NIST framework, an acronym for the US National Institute of Standards and Technology, a reference that helps manage and reduce the risks of any entity, as well as protect its networks and data.

BBVA's hackers are organized into offensive, defensive, and cross-functional teams that support both:

Offensive teams: Red Team and Ethical Hacking

These are teams that emulate cyberattacks in the same way that real cybercriminals operate, using the same tactics, techniques, and procedures. Every year, they carry out between 10 to 12 missions in different countries in which BBVA is present.

The Global Red Team is aimed at recognizing the Group's perimeter in order to identify weaknesses that could be used by third parties to their advantage. Although their work may seem simple, it involves a complete process, from the initial assessment of the situation to the analysis of higher-risk threats, through careful planning that can take months, to the execution of the attack.

The offensive teams also include Global Ethical Hacking, which conducts technical audits of the BBVA Group's environments and infrastructure. It is currently auditing more than 200 applications and thousands of domains and systems, both internal and external. The aim is to identify vulnerabilities, both manually and with the help of automated tools. In other words, analyses are carried out to identify vulnerabilities in all the relevant areas and to take offensive action to eliminate them and prevent potential risks.

Blue Team, defensive detection and response teams

The Blue Team is responsible for defending all of the bank's information systems against potential attacks by detecting and responding quickly to minimize the impact.

For monitoring and detection, there are teams such as the Global CERT, which is responsible for identifying, analyzing, and responding to any security event that may affect the Group and that may relate to the Bank's employees, customers, and infrastructure. In 2022, the number of incidents managed increased by 40% compared to the previous year, of which 32% were phishing incidents closed by the Global CERT.

This team acts as a single front end with a fast and agile 24x7 response, facilitating the arrival of all personnel who need to report or consult on any cybersecurity-related event.

In addition, the bank has a Threat Hunting team that adds the active layer of looking for threats that may have gone unnoticed in the monitoring and alerting systems. With all this information, this team generates and implements security controls to detect future attacks from Global CERT.

As for the response teams, they are responsible for the containment and mitigation of detected events, for forensic investigations to identify the root cause of relevant incidents, and for the appropriate attention and presentation of digital evidence in the event of possible legal requirements. In 2022, more than 5,000 prevention actions were carried out on BBVA Group assets, more than 2,000 requests for removal of content from social networks and 7,500 requests for evidence.

This team, a kind of cybercrime CSI, also designs the incident management, logging and communication processes, develops, and tests the action and response protocols with the various stakeholders, and identifies lessons learned from the incidents managed. It also conducts traceability analysis and continuous improvement processes to help streamline the incident response phase.

Intelligence and Cyber Platform, cross-cutting teams.

To complete this brigade against cybercriminals, the Bank has two transversal hacker teams: Cyber Intelligence and Cyber Platform. Intelligence and Cyber Platform. The former is responsible for focusing on trends and current threats, prioritizing risks so that all security operations teams can integrate them into their processes and direct their efforts toward a common defense. This team collects data on a daily basis from monitoring more than 200 intelligence sources, RRSS and managed forums/blogs, and more than 1,000 different channels.

This generates more than 300 reports with global coverage that help track both the current threat intelligence landscape and various conflicts of interest.

But this requires the best tools and solutions. The Cyber Platform team is responsible for improving, streamlining, and automating the processes of the other blocks by configuring and operating the set of tools used by all Security Operations teams.

Tools range from advanced data analytics to artificial intelligence. There are approximately 300 proprietary detection rules implemented, as well as automation tools and orchestration of attack remediation actions to help other teams provide a more immediate response.

Security Operations teams are organized around specific profiles: experts in identifying risks and vulnerabilities, protecting systems and infrastructure, detecting, and responding to any type of incident, managing security platforms to improve the efficiency of the ecosystem, and finally, experts in the intelligence that ultimately makes it possible to understand attackers and make decisions about them.

Each of these extremely specific profiles requires specialized training, both for their development and to keep them up to date. BBVA has several training levers on its campus, including expert content obtained internally by the area's own employees, available in more than 90 training courses; cyber-attack training platforms to cover and reinforce technical skills in all areas related to cybersecurity (among these platforms, the most powerful is based on Sans (www.sans.org), the largest certifier of reference in cybersecurity).

But in addition to this specific training, there is another type of more general training aimed at promoting safe behaviors and habits among all the Group's employees and society in general, as BBVA was the first financial institution in the world to share its knowledge on cybersecurity through Coursera, a learning platform with 97 million registered students.

In recent years, technological talent has become one of the most sought-after in the job market. It is increasingly common to see financial institutions, or any sector for that matter, looking for STEM (Science, Technology, Engineering and Mathematics) profiles related to software development, data analytics or cybersecurity specialties such as those mentioned above.