STAR-FS is aimed at UK regulated financial services organisations that are in the next tier down from those targeted through CBEST. STAR-FS has been created to provide a higher level of assurance to stakeholders for these organisations that cyber resiliency capabilities are effective and working.
CREST developed the STAR-FS framework to deliver controlled bespoke, intelligence-led cyber security testing relevant to this size of organisation, which accurately replicates cybersecurity threats to critical assets.
The CREST Scheme was developed to help the UK Financial Authorities understand the cyber security posture of selected regulated entities, has proved to be an effective way to deliver tailored intelligence-led cyber security tests. To allow other organisations in the UK Financial Services Sector to have access to a similar type of assurance service, the STAR-FS scheme has been developed by CREST.
STAR-FS assessments are similar to CBEST engagements as they both leverage the concepts of red teaming and utilise threat intelligence to simulate the tactics, techniques and procedures (TTPs) of threat actors against financial institutions. However, STAR-FS assessments are designed to allow for a lighter or optional involvement of the Regulator.
Problem And Solution
As attacks leveraging known threat vectors continue to evolve, organisations should be aware that cyber defences may become inadequate against the latest attack variants. Verifying the effectiveness of security controls through Intelligence-led simulated attacks enables organisations to see how their defences perform against the identified threats and to plan for remediations. STAR-FS helps in this sense, by requiring organisations to commission Threat Intelligence Services from a STAR-FS approved Threat Intelligence provider. As result of the Threat Intelligence activities a number of threat scenarios are defined and then utilised by an Intelligence-led Penetration Testing team to simulate real world attacks for the scenarios defined.
About The Service
Remaining resilient to cyber-attacks is crucial for the UK Financial Services Sector since financial institutions form the backbone of UK economy. To help organisations achieving cyber-resilience, CREST have created the Simulated Target Attack and Response for the Financial Services (STAR-FS) Framework.
STAR-FS is a guiding framework to help UK financial sector organisations defining realistic and current threat scenarios to be used to perform intelligence-led penetration testing.
According to the implementation guideline, STAR-FS engagements are to be structured in four main components:
1. the initiation, to define the scope and select the providers for the subsequent components
2. the threat intelligence exercise, to develop threat scenarios and agree on a plan to be handed over to the penetration testing service provider;
3. the penetration testing, to test the targeted critical systems and assess the detection and response capabilities.
4. the reporting, to finalise the remediation plan and share it with the Regulator.
Each of these are now discussed in more detail:
- Ensuring that the scope is clearly agreed and that all relevant stakeholders are included is essential. Nettitude will ensure a dedicated project manager oversees every part of the engagement and a full RACI model will be put in place for all stakeholders. Communications, escalations, risk management and debriefs/reporting needs will be fully discussed and agreed.
The threat intelligence exercise
- Nettitude operates a leading Cyber Threat Intelligence team, staffed by ex-military intelligence officers and law enforcement to provide the most advanced type of service. The experience gathered on CBEST engagements allows us to identify real-world scenarios to help organisations identify and understand where gaps are.
The penetration testing
- Nettitude threat intelligence led penetration testing services are delivered with the support of a state-of-the-art custom tooling to simulate sophisticated threat actors that are known to be prevalent within the Financial Services Sector. As a consequence, when we engage in threat intelligence led services we are able to deliver a true reflection of the types of TTPs that threat groups are known to be leveraging. This toolset and tradecraft is unique within the industry and is one of the reasons why Nettitude’s team has been highly successful in supporting organisations’ intelligence led assurance strategies.
- Nettitude reports have been designed to inform both senior stakeholders and business owners as well as the technical teams within engineering, operations and the detect and response functions. Remediation guidance, regulator debriefs and executive debriefs will be delivered with pragmatic advice in a collaborative and supportive manner.
Nettitude is well positioned to deliver the Threat Intelligence and Penetration Testing required by the STAR-FS guidelines, thanks to our extensive experience with CBEST; of which our clients benefit from the following –
- Nettitude has a full team of CBEST certified individuals that hold CREST CCSAS, CCSAM and CCTIM certifications and a strong list of CBEST testimonials to support our capability to operate within this space.
- Threat Intelligence Exercises – Nettitude have built a team from diverse backgrounds including military and civilian police intelligence, cyber technical experts and offensive security consultants. We operate a very strong open source intelligence finding capability that brings real life results into our reports. We focus on providing actionable intelligence that is specific to your organisation and sector.
- Penetration Testing Exercises – Nettitude’s red team is renowned for their experience and continually evolving capabilities. Using dedicated vulnerability researchers and highly skilled red team members with our own in house highly sophisticated toolsets Nettitude is able to mimic and replicate a wide range of threat actor behaviours and techniques. A very clear risk-based approach to operational security and transparency at all levels of the engagement ensure successful outcomes where assurance levels can be determined with real value.
- When we engage in threat intelligence led services, we are able to deliver a true reflection of the types of TTPs that threat groups are known to be leveraging. This toolset and tradecraft is unique within the industry and is one of the reasons why Nettitude’s team has been highly successful in supporting organisations’ intelligence led assurance strategies
Nettitude delivers services that align with the following financial services initiatives
CBEST – We work closely with the UK financial services regulators to deliver intelligence-led red teaming for financial services organisations. As one of the first organisations to have been accredited by both the Bank of England and CREST for CBEST Threat Intelligence and Red Teaming services, we have some of the strongest experience and testimonials available for UK financial services organisations.
STAR-FS – We have been accredited by CREST to deliver Threat Intelligence Led Penetration Testing for Financial Services under the STAR-FS scheme. Aimed at Leveraging on the experience gained on a number of CBEST engagements, we can support organisations in the UK Financial Services Sector conducting Threat Intelligence and Penetration Testing; as well as acting on the recommendations provided, as defined by the STAR-FS scheme.
NYDFS – We deliver risk assessment and technical assurance services that align with the requirements of NYDFS. We are able to support organisations develop strategies that will allow them to measure and report against this financial services regulation. Through our New York City-based team, we provide strategic guidance and services to many financial services organisations that are required to comply with these regulations.
TIBER (TIBER-NL and TIBER-EU) – We are fully immersed in TIBER (Threat Intelligence Based Ethical Red Teaming) framework, and can provide all elements of the Threat Intelligence and Red Teaming requirements. Our consultants deliver services across the EU, and we have language skills in most EU countries.
iCAST – We deliver services that align with the HKMA intelligence-led red teaming framework. We have a local presence in the region and can support organisations undertaking C-RAF and iCAST assessment. We frequently deliver services that are required to align with iCAST, TIBER and CBEST in unison.
AASE – Within the Singaporean market, the ABS has issued a framework called AASE, (Adversarial Attack Simulation Exercise). This leverages threat intelligence and red teaming activity to deliver services that are focused on the financial services segment. Although AASE is a framework as opposed to regulation, we are able to provide full spectrum services that align with these requirements.
GLBA – The Graham Leach Baley act specifically requires financial services organisations to adhere to a series of security requirements, designed to protect non-public personal information. Nettitude is able to deliver assurance activities and managed detection and response services that are specifically aligned with the requirements of this act.
PSD2 –Requires EU financial services organisation to share data in a harmonious fashion. As part of this framework, it gives more control to consumers that wish to move data or services between financial organisations. The standard has a number of cyber-related ramifications, as many providers have opted to open up access to their applications through APIs. Nettitude provides consulting and assurance services to align with this financial services directive.
For larger financial services organisations that operate in multiple territories, it is increasingly challenging to navigate all of the different regulations. Nettitude has extensive experience in supporting senior stakeholders to navigate these cybersecurity frameworks. Our research team launched a review and analysis that compared some of these frameworks in 2019. This can be downloaded here.
Can you use the same provider for both TI and PT services?
There is no guidance that states a firm cannot procure services from the same provider as long as they are accredited in each of the key areas (TI & PT) and listed on the CREST website. https://service-selection-platform.crest-approved.org/accredited_companies/star_fs/
How is STAR-FS different from CBEST?
CBEST was designed for TIER 1 financial organisations, whereas STAR-FS is applicable across the entire sector and can be used to assess the cyber capability without requiring regulator or government involvement.
Is this a pass or fail assessment?
This assessment is not designed to be a pass or fail but to highlight weaknesses across the firm in terms of people, process and technology.
What are the key features from a STAR-FS test?
• Intelligence-led penetration testing and red teaming
• Real-world attack simulation using known threat actors and their TTPs
• Assesses an organisations ability to detect, respond and recover from known-threats
• Continual risk management with both CREST CCSAS and CCSAM consultants
• Reporting and recommendations to all levels (executive/management/technical teams), enabling capability uplift across people, process and technology
• In-depth detection and response assessments (DRA) with custom reporting
• Reporting and recommendations aligned to the MITRE ATT&CK framework
What are the benefits of having a STAR-FS test?
• Designed to simulate real-world attack scenarios and attack paths
• Trains and measures the effectiveness of people, process and technology used to defend the organisation
• Conducted by Nettitude’s CREST certified consultants CCSAS, CCSAM and CCTIM
• Dedicated Technical Team Leader, Risk Manager and Project Manager assigned
• Enhances the security posture, ensuring responses are measured and repeatable
• Improves the ability to identify, protect, detect, respond and recover
• Remediation and threat strategies to manage risks and improve capabilities
• Extensive knowledge of common findings and thematic vulnerabilities, which need to be monitored throughout a STAR-FS assessment
Request a free quote