This site is an unofficial archive of the former ANSSI website, which was replaced at the end of November 2023.
Please go to https://cyber.gouv.fr/ to browse the official site.

Cyberdefence Centre


Round the clock, seven days a week, its men and women work together to protect France's citizens and vital interests against cyber-attack.

Step inside the Cyberdefence Centre to find out what the main cyber-threats are and what resources are deployed by ANSSI to counter these.

What is the Cyberdefence Centre?

Housed within the Cybersecurity Operational Centre (COSSI) and working round the clock, seven days a week, the Cyberdefence Centre groups the various different COSSI entities into a single infrastructure devoted to:

  • monitoring cyber-threats and alerting government authorities and victims;
  • directing ANSSI’s cyberdefence operations;
  • managing COSSI’s operational relations with its partners and victims of cyber-attacks.

 

Cyberdefence Centre Site

Inaugurated by the Prime Minister on 20 February 2014, ANSSI’s Cyberdefence Centre is located on the Quai de Grenelle in Paris’s 15th arrondissement. Some fifty agents are assigned to this site. This headcount may be boosted to up to eighty individuals in the event of a major crisis. Locating ANSSI’s Cyberdefence Centre together with the Ministry of Defence’s Cyberdefence Analysis Centre (CALID) allows for close coordination between the two centres.

 

What does cyber-threat monitoring involve?

Round the clock monitoring and immediate alerting of potential victims, government authorities and sometimes technical intervention teams when there are signs of a potential cyber-attack against the interests of the Nation.

This threat monitoring involves:

  • detection on an international scale of potential signs of a cyber-attack appearing in the media or on the Internet or which are made known to ANSSI by its national and international partners; [For profiles and portraits of these cyber-attack monitoring agents, click here]
  • supervision of government website and network security for the earliest possible detection of any attack or attempted attack that could disrupt or affect them. [For profiles and portraits of these monitoring supervisors, click here]

 

What is a cyberdefence operation?

A cyberdefence operation is the coordination of the various resources at the disposal of the Operational Centre (COSSI) in order to understand a large-scale cyber-attack and neutralise it (permanently block it).

A cyberdefence operation is composed of a number of stages:

  • Detection. Sometimes by chance, but more often thanks to network and systems monitoring using supervisory tools, or information provided by a third party;
  • Assessment. This involves confirming the attack and establishing:
    • How the attacker entered
    • What actions it has carried out on the network
    • How far it has reached
    • What actions it has already undertaken or may yet undertake
    The objective is to assess the extent to which networks have been compromised.

    • Whether traps have been set
    • Whether data has been stolen
    • How that data was removed

    The objective is to understand the nature of the attack in order to block it. [For profiles and portraits of digital investigation analysts and reverse system analysts, click here]

  • Remediation. This stage seeks to block the attacker and tighten cybersecurity to prevent its return. This is “drastic” action intended to “eject” the attacker from the network that it has compromised and set in place a level of security that prevents its return using the same modus operandi. Often, the lower the victim’s initial level of cybersecurity is, the more costly the actions and measures necessary to succeed in doing so will be.

From the assessment stage up until the remediation stage, supervision by means of detection probes enables any changes in the attacker to be monitored and ensures that it does not return by another means.

In such cases of large-scale attack, ANSSI is able to advise or provide technical expertise, mobilising competences, the deployment of which is coordinated by a cyberdefence operations manager [For profiles and portraits of cyberdefence operations managers, click here].

These competences are as follows:

  • auditing, to map the victim’s network, particularly the infiltration, propagation, and exfiltration pathways and the primary security failings that the attacker could use [For profiles and portraits of auditors, click here]
  • digital investigation, in order to analyse the compromised machines and ascertain which actions the attacker performed and which attack tools it was able to utilise [For profiles and portraits of digital investigation analysts, click here]
  • vulnerability analysis, to identify applications or hardware failings that the attacker was able to utilise [For profiles and portraits of vulnerabilities and malware analysts, click here]
  • supervision, for detection and surveillance of the attacker’s activity
  • reconstruction, to formulate an action plan of technical measures to be implemented in order to stop the attacker’s activity and prevent it from taking hold again.