CBEST is the Bank of England’s intelligence-led cyber adversary simulation framework, used for testing systemically critical financial organisations through simulated cyber attack scenarios based on real-world threats and risks. As Owen Wright explains, a CBEST exercise lasts approximately 20 weeks and has four distinct phases.
During the initial phase, the Bank of England and the relevant regulator, ie the Financial Conduct Authority and/or the Prudential Regulation Authority, will discuss and then agree on a scope for the exercise and work closely with the organisation’s internal project team that will manage the exercise.
The subsequent ‘Threat Intelligence’ phase involves an accredited cyber threat intelligence provider researching and constructing a detailed report on the background and threats the firm faces. This includes an open-source intelligence gathering exercise to help build attack scenarios for the following penetration testing phase.
During the penetration testing phase, which normally lasts about ten weeks, an accredited CBEST penetration test provider will carry out a simulated version of the actual cyber attacks detailed in the scenarios. It will do this in a planned and risk-managed way, ensuring day-to-day operations of the target organisation are not impacted.
At the end of testing, an in-depth report is delivered duly detailing what was achieved by both the attackers and defenders, along with specific findings and issues identified.
The fourth and final phase is the closure one. This involves presentations and meetings between all the relevant parties to discuss the findings and, importantly, the remediation plans.
Access to sensitive data
Clearly, the cyber security team performing the CBEST exercise has access to sensitive data and, potentially, operationally critical pieces of infrastructure. Therefore, having confidence and trust in their capabilities and experience is vital.
The CBEST framework stipulates that the threat intelligence and penetration testing phases are carried out by companies accredited by CREST – a not-for-profit body that provides internationally-recognised accreditations for organisations and professional level certifications for individuals providing penetration testing, adversary simulation, cyber incident response, threat intelligence and Security Operations Centre services.
A register of firms is listed on the CREST website at https://www.crest-approved.org
The use of simulated targeted attacks is not just confined to the world of banking and finance. Increasingly, large and medium-sized organisations are using these techniques to identify and rectify vulnerabilities in their cyber security defences before the criminals do. Penetration testing is used to test individual systems or applications, whereas so-called red teaming or ‘adversary simulation’ tends to cover a wider spectrum of attack activities, targeting the people, processes and technology within an organisation and with broader objectives.
Common vulnerabilities and issues
Some of the most common vulnerabilities and issues found on these tests include:
* e-mail security – weaknesses in blocking unsolicited mail with malicious links or payloads
* web filtering – misconfigurations which allow access to websites with malicious content
Widespread access to sensitive internal information
* internal information security – sensitive information (eg passwords) left on open and accessible internal information stores or wikis
Network segmentation and access
* domain trust and flat networks – networks that have grown organically (via acquisition or through operational necessity) often lack segregation of sensitive assets and an understanding of domain trust interplays. This can facilitate gaps in security and create opportunities for attackers which were never envisaged
Ongoing supervisory strategy
Performing a penetration test or ‘Red Team’ exercise is just the start. In the case of CBEST, the remediation plan may form part of the regulator’s ongoing supervisory strategy. Therefore, finding and fixing any shortcomings in the controls that protect against, detect and respond to attacks can only be a good thing.
Approaching the test as a positive exercise to improve security will always result in the firm gaining more value and ensure a more collaborative approach and dialogue with the regulator. It’s a win-win scenario.
The cyber landscape and the sophistication of criminal attack techniques are continually evolving. On that basis, staying one step ahead is critical. Following the success of CBEST, other financial regulators are developing similar cyber attack frameworks. These include iCAST, run by the Hong Kong Monetary Authority, TIBER within the European Union and AASE, which is run by the Association of Banks in Singapore.
For global institutions this is important, as they may well find themselves having to conduct multiple exercises across different regions. Therefore, establishing internal teams with experience and knowledge to manage these tests is a wise move. It’s clear that this will be an area of increasing international regulatory activity.
Owen Wright is Global Director of Assurance at Context Information Security