
CBEST

CBEST assessments are among the most sophisticated forms of security assessment in the financial services sector today. Created by the Bank of England and supported by CREST, CBEST assessments have three key elements:

  • They make significant use of cyber threat intelligence.
  • They deliver sophisticated red team style assessments that mimic known threat actors.
  • They provide incident response maturity assessments.

CBEST engagements differ from most other types of assessment in two key respects:

  • CBEST engagements can only be initiated by the Bank of England. The Bank of England is involved in scoping the assessment and determines which types of assets and systems make up the test scope.
  • The threat intelligence used to determine the testing approach is augmented by GCHQ (Government Communications Headquarters).

These two elements set CBEST engagements apart and give all of the stakeholders involved a level of assurance that conventional assessments do not provide.

[Accreditation logos: CREST STAR Threat Intelligence, CREST Threat Intelligence, CBEST]

LRQA Nettitude is one of only a handful of CBEST-approved service providers accredited by both CREST and the Bank of England as both a CBEST Penetration Testing provider and a CBEST Threat Intelligence provider. This combined accreditation allows us to provide our clients with end-to-end CBEST services.

CBEST threat intelligence requirements

CBEST requires organisations to commission a threat intelligence gathering exercise from a CBEST-approved threat intelligence provider. This exercise:

  • Reviews geopolitical threats known to be operating in the sector and sub-sector.
  • Reviews the TTPs and modus operandi of threat actors known to be targeting similar types of organisation.
  • Reviews open source intelligence relating to the organisation and the industry it operates within.
  • Gathers and reviews closed-source intelligence relevant to the organisation.
  • Creates a series of scenarios that reflect real-world ‘likely’ threats.
  • Specifies the TTPs to be simulated, the goals to be executed and the targets to be pursued.
  • Produces threat intelligence that is reviewed and ratified in full by GCHQ.

LRQA Nettitude has extensive experience with CBEST testing and a full team of CBEST-certified individuals who hold the CREST CCSAS, CCSAM and CCTIM certifications. All of our CBEST engagements are fully project-managed, with a dedicated manager assigned to each CBEST engagement we deliver. We have comprehensive methodologies for our CBEST process and a strong list of testimonials supporting our capability to operate in this space.

Advanced red team tooling

LRQA Nettitude has developed its own state-of-the-art custom tooling to mimic the sophisticated threat actors known to be prevalent within the financial services sector. As a consequence, when we deliver CBEST testing engagements we are able to deliver a true reflection of the TTPs that threat groups are known to be leveraging. This toolset is unique within the industry and is one of the reasons why LRQA Nettitude’s team has been highly successful in supporting organisations’ intelligence-led assurance strategies.

How LRQA Nettitude can help

LRQA Nettitude has a strong reputation for delivering cyber assurance within the financial services sector. We have worked on intelligence-led red teaming frameworks in the UK, the US and many other European and Middle Eastern countries. Our team has amassed significant experience in assessing high-speed critical financial systems, and we fully understand both the intricacies of the sector and the risks associated with it.

LRQA Nettitude was one of the first CBEST-approved penetration testing service providers. We have been committed to working with both the financial services regulator and CREST from the outset, and consequently have taken a proactive role in supporting and educating the sector. In 2015, we worked with SC Magazine to create an eBook titled CBEST Demystified, issued to explain what CBEST is and how it delivers value within the financial services sector.

Additional global cyber resiliency frameworks

As time has progressed, it has become apparent that intelligence-led assurance programmes have enhanced the resilience of the financial system. Consequently, multiple regulators around the world have started to explore creating their own frameworks. Following the publication of CBEST, further frameworks taking a similar approach have been developed for the Dutch National Bank (DNB), the Hong Kong Monetary Authority (HKMA) and the European Central Bank (ECB). These include the following:

  • TIBER-EU: Recognising the challenge posed by multiple competing frameworks, the European Central Bank decided to build a pan-European framework that could be leveraged across the whole of the Eurozone. This framework is called TIBER-EU, and it is designed to provide commonality of approach while leaving domestic regulators the flexibility to implement their own assurance activities. At this stage, TIBER-EU only references the need for certified and accredited service providers and does not define minimum requirements. It is expected that national or European authorities will use TIBER-EU to develop their own domestically focused TIBER-XX regimes; these must follow TIBER-EU but may add to it to meet local needs.
