CBEST will help UK financial institutions lead in IT security
Banks will always be targeted by criminals, and cyber attacks have become their most exposed attack surface. The challenge with cybercrime is that it is multi-faceted. It isn’t simply about technology. It extends through people and process, and reaches from the central infrastructure all the way out to end users conducting online banking or financial transactions on laptops, tablets or smartphones. It has been said many times before, but cyber security is only as strong as the weakest link in the chain. Because banks and financial firms run very large and sophisticated systems, end-to-end security is notoriously difficult to achieve, writes Rowland Johnson
Responding to this challenge, the Bank of England (BoE) has created CBEST, an intelligence-led assurance framework designed specifically for the financial services sector. CBEST differs from previous testing programmes in being driven by cyber threat intelligence. This means that CBEST focuses on the more sophisticated and persistent attacks against critical systems and essential services.
But what do these tests practically involve? What should financial firms consider when assessing systems, and how can they prepare to meet the requirements of the framework?
First and foremost, CBEST testing requires a high level of sophistication in its methodology and overall capability. As a consequence, CREST (the Council of Registered Ethical Security Testers) was approached to adapt its STAR (Simulated Target Attack and Response) accreditation and certification programme into one that meets the needs of the financial services sector. ‘Penetration testing’ involves actively attempting to exploit vulnerabilities and exposures in a company’s infrastructure, applications, people and processes in order to secure those weaknesses against external attackers; CREST is recognised as the de facto standard for delivering assurance around penetration testing services, validating member companies as well as their employees. STAR reflects the highest and most sophisticated type of assessment service available in the market today. It requires organisations to have very robust risk management processes, whilst also ensuring that any individuals delivering testing have the highest level of capability within the industry. CBEST takes the STAR certification one step further by requiring organisations to demonstrate specific capability in the financial services sector. The resulting CBEST framework is highly sophisticated and uniquely tailored to that sector.
CBEST draws heavily upon cyber threat intelligence reports, which are provided by CREST-approved intelligence providers. These reports give insight into attackers’ tools, techniques and practices: who they are targeting, how they are behaving and what types of attack they might initiate. Commercial threat intelligence data is augmented by GCHQ, which provides controlled threat data to ensure that the overall threat landscape is as accurate as possible.
CBEST is the first commercial programme in which penetration testing organisations and threat intelligence providers have come together to deliver a tailored service for an industry vertical. However, that alone is only part of what a CBEST engagement requires. The Bank of England is the only regulator able to commission a CBEST engagement, and without its continual involvement in the intelligence gathering and testing phases, the engagement does not qualify under the auspices of CBEST.
How Does Intelligence Shape The Assessment?
A key aspect of the testing is threat intelligence. Conventional penetration testing is conducted as either an internal or an external assessment: internal testing simulates employees with physical access to a building, and external testing simulates attackers out on the Internet. Today there is a wide array of possible attackers, ranging from unsophisticated ‘script kiddies’, up through organised crime units and activists, and on to nation states with practically unlimited resources. Cyber threat intelligence is hugely influential in determining the approach taken to delivering assessment services. If a financial organisation is known to be targeted by a nation state, then the testing should be very stealthy, and the tools, techniques and practices should mimic those of the nation state. That means the organisation delivering the testing will use highly customised tool chains rather than commercial tooling that may be more widely known and identifiable. The result is that CBEST engagements, by drawing on threat intelligence, ensure that security assessment services accurately reflect the real-world threat a financial organisation is facing.
The CBEST process
Ahead of any real-world CBEST testing, a comprehensive scoping and risk assessment process must take place. CREST has created a useful document that reviews the implementation procedure. What must be established early on is the selection of a partner to provide the actual tests; CREST also provides a list of vendors it has accredited to deliver these services. The Bank of England has also created FAQs and other resources to give financial institutions additional guidance.
The scoping exercise is typically conducted in a formal workshop where focus is given to identifying and categorising key systemic assets that have a critical impact on the financial institution’s operations. This process is less about the specific device and application descriptions, and more about the generic placement, functions and their level of criticality.
Because CBEST engagements are designed to identify risks in systemically important financial institutions, testing must focus on critically important devices, applications and interconnections. These systems are inherently valuable, and consequently it is absolutely crucial that a comprehensive risk management programme is followed throughout the whole CBEST lifecycle. After the project workshops have been completed, the CBEST testing organisation must present a formal risk assessment, which must be approved as part of project initiation.
CBEST intelligence is typically gathered over a series of weeks in advance of the testing engagement start date. The intelligence gathering process collects information from a range of sources, including human, technical and open source intelligence. The commercial threat intelligence provider creates a highly tailored cyber report covering the financial institution, the financial services sector, the geographies in which it operates and the people it employs. It provides insight into the known and active threat actors, along with their tools, techniques and practices. At the point where this threat intelligence report is presented to the financial organisation, it is augmented with threat data collected by GCHQ and delivered by the Bank of England.
The CBEST threat intelligence feed shapes the end-to-end testing phases. Without the intelligence gathering phase, the CBEST testing company cannot start any form of assessment.
Once the testing phases commence, a range of active and passive reconnaissance is conducted against the environment. The output from these exercises is combined with the threat intelligence report to build a CBEST staging platform. This is a major point of difference between conventional testing programmes and STAR and CBEST engagements: the staging platform mimics the tools, techniques and practices used by the threat actors identified in the intelligence reports.
The CBEST testing provider is expected to create and deliver ‘weaponised’ exploits into the target organisation’s environment. During this exercise they actively attempt to exploit vulnerabilities in people, process and technology. The CBEST provider attempts to pivot through devices and resources, and ultimately to reach systemically important assets. This activity identifies strengths and weaknesses in the financial institution’s cyber security controls and countermeasures.
The CBEST provider documents all aspects of its activity and uses this record to report on the client’s detection and response capability. It also provides an incident response maturity assessment, which is used to enhance and evolve future detection and response capabilities.
The CBEST testing framework is exceedingly detailed, and it will take an organisation a good deal of investment to ensure that its systems meet the rigorous requirements. Ultimately, however, these are appropriate lengths to go to in order to counter the increasing threat, and they will help to position UK financial institutions as having some of the highest levels of IT security in the world.