CBEST assessments are among the most sophisticated types of assessment that exist within the financial services sector today. Created by the Bank of England and supported by CREST, CBEST assessments have the following key elements:
- Make significant use of Cyber Threat Intelligence.
- Deliver sophisticated Red Team style assessments that mimic known threat actors.
- Provide Incident Response maturity assessments.
CBEST engagements are unique when compared to many other types of assessments. This is due to the following key elements:
- CBEST engagements can only be instigated by the Bank of England. The Bank of England are involved in the scoping of the assessments and determine which types of assets and systems comprise the test scope.
- The threat intelligence used to determine the testing approaches is augmented by GCHQ (Government Communications Headquarters).
These two elements make CBEST engagements unique, providing an unparalleled level of value to all of the stakeholders involved in the assessments.
CBEST Threat Intelligence Requirements
CBEST requires organizations to commission a threat intelligence gathering exercise by a CBEST approved threat intelligence provider. This exercise:
- Reviews geopolitical threats known to be operating in the sector and sub-sector.
- Reviews the TTPs and modus operandi of threat actors known to be targeting similar types of organizations.
- Reviews Open Source Intelligence relating to the organization and the industry they operate within.
- Gathers and reviews closed source intelligence relevant to the organization.
- Creates a series of scenarios that reflect real world ‘likely’ threats.
- Specifies the TTPs to be simulated, the goals to be achieved and the targets to be pursued.
- All threat intelligence is reviewed and ratified by GCHQ.
LRQA Nettitude has extensive experience with CBEST testing and has a full team of CBEST-certified individuals who hold CREST CCSAS, CCSAM and CCTIM certifications. All of our CBEST engagements are fully project managed, and we have dedicated managers assigned to each CBEST engagement that we deliver. We have comprehensive methodologies for our CBEST process, and a strong list of testimonials to support our capability to operate within this space.
Advanced Red Team Tooling
LRQA Nettitude has developed its own state-of-the-art custom tooling to mimic sophisticated threat actors that are known to be prevalent within the financial services sector. As a consequence, when we deliver CBEST testing engagements, we are able to deliver a true reflection of the types of TTPs that threat groups are known to be leveraging. This toolset is unique within the industry and is one of the reasons why LRQA Nettitude’s team has been highly successful in supporting organizations’ intelligence-led assurance strategies.
How LRQA Nettitude Can Help
LRQA Nettitude has a strong reputation for delivering cyber assurance within the financial services sector. We have worked on intelligence-led red teaming frameworks in the UK, the US and many other European and Middle Eastern countries. Our team has amassed significant experience in assessing high-speed, critical financial systems, and we fully understand both the intricacies of the sector and the risks associated with it.
LRQA Nettitude was one of the first CBEST approved Penetration Testing service providers. We have been committed to working with both the financial services regulator and CREST from the outset, and consequently have taken a proactive role in supporting and educating the sector. In 2017, we worked with SC Magazine to create a specific eBook, titled CBEST demystified. This eBook was issued to help explain what CBEST is, and how it delivers value within the financial services sector.
Additional Global Cyber Resiliency Frameworks
As time has progressed, it has become apparent that intelligence-led assurance programs have enhanced the resiliency of the financial system. Consequently, multiple regulators around the world have started to explore creating their own frameworks. Following the publication of CBEST, a number of further frameworks have been developed to support a similar approach for the Dutch National Bank (DNB), the Hong Kong Monetary Authority (HKMA) and the European Central Bank (ECB). These include the following:
- TIBER-EU: Recognising the challenge of having multiple competing frameworks, the European Central Bank decided to look at building a pan-European framework that could be leveraged across the whole of the Eurozone. This framework has been called TIBER-EU, and it is designed to provide commonality of approaches, yet flexibility for domestic regulators to implement their own discrete assurance activities. At this stage, TIBER-EU only references the need for certified and accredited service providers and does not define minimum requirements. It is expected that national or European authorities will use TIBER-EU to develop their own domestically focused TIBER-XX regimes. They must follow TIBER-EU, but may add to this for their own needs.
- C-RAF (iCAST): The Hong Kong Monetary Authority (HKMA) has developed a Cyber Risk Assessment Framework (C-RAF) that includes a maturity assessment and determines which Authorized Institutions (AIs) are subject to the Intelligence-led Cyber Attack Simulation Testing (iCAST) phase.
Please contact us to find out how LRQA Nettitude can test your organisation against these frameworks.
To learn more about the cyber resiliency frameworks available and in development globally, and the key differences between them, take a look at our research paper.