
I-CRT – Intelligence-led Cyber Resilience Testing

The Office of the Superintendent of Financial Institutions (OSFI) is now asking Canada’s systemically important banks (SIBs) and internationally active insurance groups (IAIGs) to perform controlled assessments of their cyber resilience.

I-CRT is a supervisory tool that supplements Guideline B-13, allowing Federally Regulated Financial Institutions (FRFIs) to meet regulatory expectations to have measures in place that create resilience against cyber-attacks and disruptions. This ensures the stability and security of the financial sector in Canada.

OSFI has created the Intelligence-led Cyber Resilience Testing (I-CRT) framework, which aims to simulate relevant real-world threats to assess cyber resilience, using independent suppliers, to help SIBs and IAIGs identify areas where they could be vulnerable to sophisticated cyber-attacks.

How LRQA Nettitude can help you

LRQA Nettitude’s I-CRT service has been developed to provide insight and assurance through the simulation of real-world threat actors using known tactics, techniques, and procedures (TTPs) to assess and enhance your organization’s security posture. With our team of consultants, we partner with your organization and OSFI to ensure risk management is at the forefront of all I-CRT engagements.


How does I-CRT differ from traditional testing?

In traditional penetration testing, the goal is to uncover vulnerabilities within a specific scope. I-CRT, on the other hand, requires an evaluation to obtain focused threat intelligence for the Critical Business Functions (CBFs) to create threat scenarios.

Red Teaming does not follow automated patterns and is not an emulation of a threat actor’s TTPs. Instead, it is a bespoke and tailored simulation of the threat actor’s sophistication levels and capabilities, enabling the testing team to make decisions similar to the threat actor, based on new intelligence as the attack unfolds.

It is a practical approach to test and assess an FRFI’s ability to detect and respond to a cyber-attack.


Threat intelligence against Critical Business Functions (CBFs)

I-CRT requires organizations to commission a Threat Intelligence Service Provider (TIP) to conduct a threat intelligence gathering exercise. LRQA Nettitude is an approved Threat Intelligence provider across regulatory frameworks (CBEST, GBEST, iCAST, TIBER) and can deliver the following:

  • Intelligence on geo-political threats known to be operating in the sector and sub-sector
  • TTPs and modus operandi of threat actors known to be targeting similar types of organizations, including MITRE references
  • Open Source Intelligence (OSINT) relating to the organization and the industry they operate within
  • Gathering and review of closed-source intelligence relevant to the organization
  • Creation of a series of scenarios that reflect real-world ‘likely’ threats
  • Inclusion of TTPs to be simulated, goals to be executed and targets to be pursued
  • All Threat Intelligence is reviewed and ratified by OSFI prior to Red Team execution

LRQA Nettitude has comprehensive methodologies for Threat Intelligence and is continually adapting its information sources and collection techniques, providing you with relevant and timely actionable intelligence and advice.

An I-CRT exercise will be delivered in the following five high-level stages:

[Diagram: the five stages of an I-CRT exercise; Cyber Threat Intelligence Objectives]

What makes LRQA Nettitude unique?

LRQA Nettitude has been delivering compliance-driven technical assurance assessments for over a decade. As a multi-accredited company, we have a team of in-house, highly skilled, and certified individuals, supported by a team of consultants that have been active contributors to the Simulated Target Attack & Response (STAR), CBEST, TIBER, iCAST and GBEST.

I-CRT requirements have been designed for Canadian FRFIs while maintaining alignment with global threat-led frameworks.

LRQA Nettitude has developed its own state-of-the-art custom tooling, PoshC2, that allows the simulation of a wide range of threat actors from commodity threat actors to advanced persistent threats (Nation State) that are known to be prevalent.

  • Reflection of the types of TTPs that threat groups are known to be leveraging.
  • This toolset is unique within the industry and is one of the reasons why LRQA Nettitude’s team has been highly successful in supporting the organization’s intelligence-led assurance strategies.
  • LRQA Nettitude has also developed open-source tooling that allows for a wider range of threat actors to be accurately simulated, which is backed by subject matter experts in Red Teaming, with high levels of skill and experience in mature and complex environments.