
Intelligence Led Testing (STAR)

Simulated Target Attack Response (STAR) is an approach to security assessment that was created by CREST. STAR assessments are a technical approach to help organisations understand what their cybersecurity risks are.

LRQA Nettitude is a CREST STAR approved Threat Intelligence (TI) Provider, delivering in-depth assessments for clients across the globe. STAR engagements commence with a comprehensive STAR Threat Intelligence assessment of the likely threats that are relevant to an organisation. This includes reviewing: 

  • Geopolitical threat intelligence
  • Human intelligence
  • Technical intelligence
  • Open source intelligence
  • Closed source intelligence

What Is The Purpose Of The STAR Assessment?

The STAR assessment will help to identify the organisation’s digital footprint and will review relevant data associated with social media, code repositories, the supply chain and any associated clients. As part of a STAR Threat Assessment, LRQA Nettitude reviews threat actors that are known to be targeting the organisation directly, its industry, the geographies it operates within or the supply chain that it engages with. This approach results in a comprehensive report that provides detailed guidance about the organisation’s unique cyber threat footprint.

Once the intelligence backdrop has been extensively reviewed, a series of test scenarios are created.  These test scenarios focus on providing test plans that can be leveraged by a STAR Threat Intelligence provider. These test plans provide the following deliverables:

  • Details of threat actors that are known to be targeting similar types of organisations.
  • Geopolitical assessment of these threat actors’ modus operandi.
  • Classification of threat actor according to anticipated level of sophistication.
  • Details of the motivations and goals for the relevant threats.
  • Details of the targets and objectives that threats are known to pursue.
  • Known TTPs for each threat actor.
  • Open-source and technical intelligence assessment so as to measure and quantify the attack surface.
  • Creation of actionable threat led test scenarios for use by a red team.

Main Components Of a STAR Assessment

STAR assessments are broken down into 3 components: STAR threat assessment, STAR targeted attack assessment and Incident response maturity assessment (IRMA).

STAR assessments are similar to red team engagements as they are focused on depth of assessment, and on determining whether a specific objective can be achieved. They leverage the concepts of red teaming; however, STAR assessments are designed to simulate known threat actors and their associated Techniques, Tactics and Procedures (TTPs).

STAR Threat Assessment

STAR targeted attack engagements reflect some of the most sophisticated approaches to cybersecurity assurance available within the market today. The STAR framework was created by CREST to enhance existing Intelligence-led red teaming in a manner that could be used to mimic known threat actors. In many instances, threat actors are known to have defined modus operandi, and have known Techniques, Tactics and Procedures. STAR targeted attack engagements are designed to help organisations understand whether a specific threat actor could be successful in achieving their known or stated objectives. STAR assessments are objective focused, meaning that they focus on determining whether a specific threat actor can achieve their goal. As a consequence, STAR engagements will provide deep assurance for an organisation, as opposed to wider assurance that could be delivered from vulnerability assessments or penetration testing.

A STAR targeted attack engagement will:

  • Help an organisation measure their depth of defence and depth of response
  • Identify the vulnerabilities that a threat actor could exploit to achieve their goal
  • Deliver assurance against probable threats, as opposed to assuring against possible threats
  • Use intelligence-led methodology
  • Focus on determining whether a specific objective can be achieved
  • Simulate known threats

Penetration tests differ from STAR engagements and red teaming engagements, as the former is usually focused on identifying all exploitable vulnerabilities within a defined scope. Penetration tests do not focus on achieving a specific objective and consequently do not provide assurance on whether a specific threat actor could achieve their overall goal.

STAR Targeted Attack Assessment

An organisation’s attack surface will usually cover people, process and technology. It will also include direct organisational elements as well as indirect components introduced through the customer base or through the supply chain. All of these components marry together to form something known as an attack tree. The concept behind this is that each branch and twig represents a separate path that an attacker could take to reach a leaf. The leaf in this instance is analogous to the attacker’s goal.

Within a tree, there are hundreds and thousands of routes through to a leaf; however, some routes are easier to traverse, and some routes have a greater probability of getting to a leaf than others.

When a threat tree is meshed together with threat actors’ modus operandi, goals, motivations and TTPs, it is possible to generate a probable attack path (based upon evidence) that the attacker is likely to pursue to achieve their objective.
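The following sketch is an added example, not part of the original page or of LRQA Nettitude's methodology. It models a small attack tree as a weighted graph and shows how weighting each branch by a profiled actor's preferred techniques changes which path is the most probable one; every node name, technique label and number is a constructed assumption.

```python
import heapq
import math

# Constructed attack tree: (from, to, technique, base likelihood of success).
# All names and numbers are illustrative assumptions.
EDGES = [
    ("internet", "staff-mailbox", "social-engineering", 0.6),
    ("internet", "public-web-app", "web-exploitation", 0.3),
    ("internet", "supplier-portal", "supply-chain", 0.4),
    ("staff-mailbox", "workstation", "user-execution", 0.5),
    ("public-web-app", "app-server", "web-exploitation", 0.5),
    ("supplier-portal", "app-server", "credential-reuse", 0.5),
    ("workstation", "customer-db", "credential-reuse", 0.4),
    ("app-server", "customer-db", "lateral-movement", 0.7),
]

# Threat-intelligence weighting (assumed): how strongly the profiled
# actor is known to favour each technique, on a 0..1 scale.
ACTOR_TTP_PREFERENCE = {
    "social-engineering": 0.9, "user-execution": 0.9, "credential-reuse": 0.8,
    "web-exploitation": 0.3, "supply-chain": 0.2, "lateral-movement": 0.6,
}

def probable_path(edges, ttp_pref, start, goal):
    """Return (probability, [(node, technique), ...]) for the most probable route."""
    graph = {}
    for src, dst, technique, p in edges:
        weighted = p * ttp_pref.get(technique, 0.0)
        if weighted > 0:
            # Maximising a product of probabilities == minimising the sum of -log(p).
            graph.setdefault(src, []).append((dst, technique, -math.log(weighted)))
    best = {start: 0.0}
    queue = [(0.0, start, [])]
    while queue:
        cost, node, path = heapq.heappop(queue)
        if node == goal:
            return math.exp(-cost), path
        if cost > best.get(node, math.inf):
            continue  # stale queue entry
        for dst, technique, w in graph.get(node, []):
            new_cost = cost + w
            if new_cost < best.get(dst, math.inf):
                best[dst] = new_cost
                heapq.heappush(queue, (new_cost, dst, path + [(dst, technique)]))
    return 0.0, []  # goal unreachable

if __name__ == "__main__":
    print(probable_path(EDGES, ACTOR_TTP_PREFERENCE, "internet", "customer-db"))
```

With uniform technique weights the supplier route scores highest; once the actor's preferences are applied, the mailbox route does, which is the path a detection and response review would then prioritise.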

STAR assessment engagements are designed to support organisations in delivering assurance against probable attack paths, resulting in a much more focused and accurate form of assessment. During a STAR engagement, LRQA Nettitude simulates probable attack paths, based upon threat intelligence briefings as opposed to a never-ending assessment that continually iterates through every possible attack trajectory.

Incident Response Maturity Assessment (IRMA)

Organisations have historically focused on defensive security and have less robust approaches to delivering assurance around their detection and response capability. More often than not, organisations try to address detection and response by implementing a SIEM appliance or a SOC, without tuning it to the attack paths that are pursued by their adversaries. STAR engagements are designed to help organisations deliver greater levels of assurance around their detection and response capabilities. By performing an Incident Response Maturity Assessment (IRMA), LRQA Nettitude measures the organisation’s effectiveness at detecting the TTPs and attack paths of likely threats and adversaries.

LRQA Nettitude has delivered STAR assessment engagements for some of the most sophisticated organisations in the world. LRQA Nettitude is one of only a handful of elite organisations to be both a CREST accredited STAR TI provider as well as a CREST accredited STAR Attack provider. This unique capability allows us to deliver end to end threat-led attack simulations, delivering unique value to the board.
