
The value of regulator-driven red teaming: CBEST

Ben Ruffell 12 Aug 2021

How do we in the UK avoid something like the Colonial Oil Pipeline ransomware attack happening? How would you feel if your mobile phone suddenly stopped working altogether? What if ambulances couldn’t respond to 999 emergency calls? What if the mechanism of government suddenly ground to a halt?

The UK is proactive in ensuring our critical services meet a level of resilience against attacks by capable threat actors: not only must they do all they can to prevent attacks, but should an attack be attempted, they must be proactively alerted to indicators of compromise and be able to respond effectively to contain the threat, evict the attacker, and restore to a known-good state with minimal impact. The level of resilience that relevant companies have to meet is regulated. Depending on which sector is being assessed, these regulators include the Bank of England, the Prudential Regulation Authority (PRA) and the Cabinet Office.

Events like the Colonial Pipeline attack in the US and the Irish NHS attacks demonstrate why a level of regulation of resilience in cyber space is perhaps a good thing. The fact is that these threat actors can act largely with impunity (being based offshore), so it is incumbent on companies to implement a sufficient level of resilience to ensure they can maintain business continuity in the face of such attacks, especially when customers, clients or patients regard the service being delivered as critical.

CBEST Summarised

CBEST is a framework of periodic threat-intelligence-based Red Team Simulated Attacks against tier-1 financial institutions, mandated by the Bank of England and the Prudential Regulation Authority (PRA). CBEST is thorough in that three scenarios and their objectives are mapped out during the threat intelligence phase, and these guide the Red Team. The objectives and scenarios are therefore as close to real-world as possible, and they are what is used to assess the target’s resilience. Banks have to perform CBEST assessments every 3 years to ensure their resilience.

The regulator also sees the output of the assessment, has visibility of how the resulting roadmap is implemented, and can penalise the bank if it is not remediating efficiently. No one wants to order a meal and be left red-faced when their card doesn’t work, or be left without central heating in the winter, and this is why Pen Test Partners is a member of the prestigious CBEST framework, delivering CBEST Red Team Simulated Attacks in concert with our Threat Intel partners, most notably Security Alliance.

Why is CBEST so good?

The key to why CBEST is such a good framework is that the companies who deliver the engagement have to meet a very rigorous set of standards. For the Red Teaming phase, for example, the engagement must be delivered by a CCSAM (CREST Certified Simulated Attack Manager) and a CCSAS (CREST Certified Simulated Attack Specialist), both of whom must have 14,000 hours of penetration testing experience and 4000 hours of testing financial institutions. The experience requirement is onerous enough, and the exam to achieve the title is so hard that at the last count there were fewer than 50 holders in the UK!

STAR-FS

STAR-FS is another regulated framework, created by the PRA and the Financial Conduct Authority (FCA) for financial institutions a tier below CBEST. Again shaped by threat intelligence, it is designed to assure the regulator that target organisations have a sufficient level of resilience to withstand attack from capable threat actors.

GBEST

GBEST is the government equivalent of CBEST in that the consultants require the same qualifications, and the Red Team Simulated Attacks are led by threat intelligence and involve 3 scenarios. Regulated by the Cabinet Office with input from the NCSC, GBEST ensures that our government departments meet a level of resilience to maintain the Confidentiality, Integrity and Availability of all of our data, all the way up to data that is protectively marked as TOP SECRET.

GCASE

GCASE is another regulated framework for government departments. It involves only 1 scenario, but with a key difference: the procurement of the service is undertaken by the regulator, the Cabinet Office, itself. This removes any bias from the procurement process and embeds variance in service delivery, which can only be a good thing.

Making your job easier

By taking the onus away from the company and placing it on the regulator to ensure all of the companies under its remit are meeting their obligations, these frameworks actually make CISOs’ jobs easier. It means they don’t have to make the business case for budget, and when they get pushback against implementing MFA, they can just point at the regulator and say ‘we have to!’. Not only that, but it means that all relevant companies meet a regulated level of resilience, so their clients and their employees can rest assured their data is secure.

With the proliferation of ransomware and its acceptance by the criminal fraternity as an effective revenue stream, the case for conducting testing that will genuinely reduce the risk of the kind of operation-halting event we have seen with Colonial Pipeline is even stronger. The sad fact is that because everything in business is guided by the ‘bottom line’, lots of companies do the bare minimum when there is no demonstrable ROI. What that means is that without someone poking them with a very sharp stick, companies will take the chance and hope for the best.

Engagements delivered within these regulated frameworks do more than demonstrate how a real-world attacker would be able to compromise the target organisation: the resultant report also contains recommended remediation, which can be used as a roadmap to build a framework of controls to protect those crown jewels and minimise other business-critical risks.

Pen Test Partners maintains the technical knowledge, skill and competency required to deliver CBEST services, as required by the PRA. We have a world-class team, and your engagement will be undertaken by CCSAM and CCSAS professionals.

Pen Test Partners has been successfully delivering CBEST, GBEST and STAR services in concert with Threat Intelligence providers like Security Alliance since the inception of the CBEST framework.