Testing Times: The CBEST Scheme and Simulated Cyber Attack Scenarios

CBEST is the Bank of England’s intelligence-led cyber adversary simulation framework, used for testing systemically critical financial organisations through simulated cyber attack scenarios based on real-world threats and risks. As Owen Wright explains, a CBEST exercise lasts approximately 20 weeks and has four distinct phases.

During the initial phase, the Bank of England and the relevant regulator, i.e. the Financial Conduct Authority and/or the Prudential Regulation Authority, discuss and then agree a scope for the exercise and work closely with the organisation’s internal project team that will manage it.

The subsequent ‘Threat Intelligence’ phase involves an accredited cyber threat intelligence provider researching and constructing a detailed report on the firm’s background and the threats it faces. This includes an open-source intelligence gathering exercise to help build the attack scenarios used in the following penetration testing phase.

During the third phase, penetration testing, which normally lasts about ten weeks, an accredited CBEST penetration test provider carries out a simulated version of the attacks detailed in the scenarios. It does this in a planned and risk-managed way, ensuring that the day-to-day operations of the target organisation are not impacted.

At the end of testing, an in-depth report is delivered detailing what was achieved by both the attackers and the defenders, along with the specific findings and issues identified.

The fourth and final phase is closure. This involves presentations and meetings between all the relevant parties to discuss the findings and, importantly, the remediation plans.

Access to sensitive data

Clearly, the cyber security team performing the CBEST exercise has access to sensitive data and, potentially, operationally critical pieces of infrastructure. Therefore, having confidence and trust in their capabilities and experience is vital.

The CBEST framework stipulates that the threat intelligence and penetration testing phases are carried out by companies accredited by CREST – a not-for-profit body that provides internationally-recognised accreditations for organisations and professional level certifications for individuals providing penetration testing, adversary simulation, cyber incident response, threat intelligence and Security Operations Centre services.

A register of firms is listed on the CREST website at https://www.crest-approved.org

The use of simulated targeted attacks is not just confined to the world of banking and finance. Increasingly, large and medium-sized organisations are using these techniques to identify and rectify vulnerabilities in their cyber security defences before the criminals do. Penetration testing is used to test individual systems or applications, whereas so-called red teaming or ‘adversary simulation’ tends to cover a wider spectrum of attack activities, targeting the people, processes and technology within an organisation and with broader objectives.

Common vulnerabilities and issues

Some of the most common vulnerabilities and issues found on these tests include:

Perimeter security

*e-mail security – weaknesses in blocking unsolicited mail with malicious links or payloads

*web filtering – misconfigurations which allow access to websites with malicious content

Widespread access to sensitive internal information

*internal information security – sensitive information (eg passwords) left on open and accessible internal information stores or wikis

Network segmentation and access

*domain trust and flat networks – networks that have grown organically (via acquisition or through operational necessity) often lack segregation of sensitive assets and an understanding of how domain trusts interact. This creates gaps in security and opportunities for attackers that were never envisaged
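The “sensitive information left on open internal stores or wikis” finding above is one a defender can hunt for before a red team does. The following is an added example, not code from the article or from Context Information Security: a small credential scanner run over a constructed, in-memory set of wiki pages and scripts (the file paths, page contents and rule names are all made up for illustration; the AWS key is the documented placeholder value, not a real credential). It reports where a secret sits and which rule caught it, redacts the value itself so the report can be circulated safely, and skips obvious placeholders such as `<redacted>` so the output is not swamped by false positives.

```python
import re
from collections import Counter
from dataclasses import dataclass

# Constructed sample of internal wiki/file-share content (not real data).
SAMPLE_PAGES = {
    "wiki/ops/runbook.md": """# Backup runbook
Connect with: mysql -h db01.internal -u backup -pS3cretBackup!
AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE
""",
    "wiki/dev/onboarding.md": """# Onboarding
Ask your lead for VPN access. Never paste passwords here.
password: <redacted>
""",
    "share/scripts/deploy.ps1": """$cred = ConvertTo-SecureString "Winter2019!" -AsPlainText -Force
-----BEGIN RSA PRIVATE KEY-----
MIIEowIBAAKCAQEA...
""",
}

# Values that look like a secret but are documentation placeholders.
PLACEHOLDER = re.compile(
    r"^(<[^>]*>|\$\{?\w+\}?|\*{3,}|x{3,}|redacted|changeme|example)$", re.I
)

# Hypothetical rule set; group 1 of each regex is the secret value to redact.
RULES = {
    "aws_access_key_id": re.compile(r"\b(AKIA[0-9A-Z]{16})\b"),
    "private_key_block": re.compile(r"(-----BEGIN [A-Z ]*PRIVATE KEY-----)"),
    "password_assignment": re.compile(r"\b(?:password|passwd|pwd)\b\s*[:=]\s*(\S+)", re.I),
    "mysql_inline_password": re.compile(r"\bmysql\b.*\s-p(\S+)"),
    "powershell_plaintext_secret": re.compile(
        r'ConvertTo-SecureString\s+"([^"]+)"\s+-AsPlainText'
    ),
}


@dataclass(frozen=True)
class Finding:
    path: str
    line_no: int
    rule: str
    redacted: str  # first two characters of the value, rest masked


def redact(value: str) -> str:
    """Keep enough of the value to locate it in the file, never the whole secret."""
    return value[:2] + "*" * 6


def scan_text(path: str, text: str) -> list[Finding]:
    """Apply every rule to every line; drop matches that are only placeholders."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for rule, regex in RULES.items():
            match = regex.search(line)
            if not match:
                continue
            value = match.group(1)
            if PLACEHOLDER.match(value):
                continue
            findings.append(Finding(path, line_no, rule, redact(value)))
    return findings


def scan_pages(pages: dict[str, str]) -> list[Finding]:
    """Scan a mapping of path -> content, in a stable path order."""
    return [f for path, text in sorted(pages.items()) for f in scan_text(path, text)]


def summarise(findings: list[Finding]) -> dict[str, int]:
    """Count findings per rule, the shape a remediation tracker usually wants."""
    return dict(Counter(f.rule for f in findings))


if __name__ == "__main__":
    results = scan_pages(SAMPLE_PAGES)
    for f in results:
        print(f"{f.path}:{f.line_no} [{f.rule}] {f.redacted}")
    print(summarise(results))
```

Against the constructed pages the scanner reports four findings (an inline MySQL password and an access key in the runbook, a plaintext PowerShell secret and a private key header in the deploy script) and correctly ignores the `password: <redacted>` line. In a real engagement the same loop would be pointed at a wiki export or a mounted share, and the rule set extended with the credential formats actually in use at the firm.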

Ongoing supervisory strategy

Performing a penetration test or ‘red team’ exercise is just the start. In the case of CBEST, the remediation plan may form part of the regulator’s ongoing supervisory strategy. Therefore, finding and fixing any shortcomings in the controls that protect against, detect and respond to attacks can only be a good thing.

Approaching the test as a positive exercise to improve security will always result in the firm gaining more value and ensure a more collaborative approach and dialogue with the regulator. It’s a win-win scenario.

The cyber landscape and the sophistication of criminal attack techniques are continually evolving. On that basis, staying one step ahead is critical. Following the success of CBEST, other financial regulators are developing similar cyber attack simulation frameworks. These include iCAST, run by the Hong Kong Monetary Authority, TIBER within the European Union and AASE, which is run by the Association of Banks in Singapore.

For global institutions this is important, as they may well find themselves having to conduct multiple exercises across different regions. Therefore, establishing internal teams with experience and knowledge to manage these tests is a wise move. It’s clear that this will be an area of increasing international regulatory activity.

Owen Wright is Global Director of Assurance at Context Information Security

About the Author
Brian Sims BA (Hons) Hon FSyI, Editor, Risk UK (Pro-Activ Publications)
