A Deep Dive into CBEST

December 12, 2024

In a previous article I provided an overview of Intelligence-Led Testing Frameworks used globally. I referred to CBEST as “something of a ‘Founding Father’, emulated by other frameworks”. In this article we will take a deeper look at CBEST, learning about its origin, understanding the process and its benefits, whilst providing those embarking on this journey with some helpful pointers.

Background

The rise in sophisticated cyber-attacks targeting the financial sector in the early 2010s established the need for a more comprehensive approach to exercising defensive teams and ensuring operational resilience. Traditional Penetration Tests (also referred to as IT Health Checks in the UK), whilst effective in identifying and exploiting vulnerabilities to reduce the attack surface, are not geared towards simulating real and likely attacks on financial organisations. In 2014, the Bank of England decided a new approach was needed, with the goal of enhancing cyber resilience in the UK financial sector. CBEST was developed, becoming the first intelligence-led penetration testing framework specifically designed to simulate real-world cyber-attacks, providing financial institutions with a robust method to assess and improve their security measures against emerging and targeted threats.


Fig.1 Regulated Frameworks Timeline

Within four years the European Central Bank, inspired by the Bank of England’s initiative, developed its own European framework and published Threat Intelligence-based Ethical Red Teaming (TIBER-EU). Since then, numerous other frameworks have emerged as Regulators seek to boost cyber resilience in their respective geographies.

Breakdown

CBEST exercises comprise several key phases.

  • Scoping and Planning: Defining the scope of the testing, including the systems to be targeted. It also includes the selection of accredited threat intelligence and penetration testing providers.
  • Threat Intelligence: Conducted to identify and understand not only the most likely and significant threat actors and their capabilities, but also the threat surface as presented by the Firm under review. A set of probable and realistic scenarios is developed and supported by a targeting pack of information about the people, processes and technology.
  • Intelligence-led Penetration Testing: Performed for each of the selected scenarios, where the techniques exhibited by the identified threat actors are enacted on live production systems. Testing in ‘live’ is a key component of CBEST and ensures that all findings are grounded in reality. A set of KPIs is also measured around the Firm’s ability to conduct its own threat intelligence and the state of its detection and response.
  • Reporting and Remediation: After testing is complete, a detailed report is provided which includes the findings of the exercise, listing vulnerabilities alongside recommendations for remediation.
  • Follow-Up and Review: The final phase involves reviewing the remediation efforts and arranging any follow-up tests to ensure that vulnerabilities have been addressed. This phase also includes a review of the overall effectiveness of the CBEST process, and any lessons learned.

Scenario Selection

As mentioned in the breakdown above, Threat Intelligence suggests the most likely and realistic attacks a Firm may face, and examples may include:

  • Malicious Insider
  • Social Engineering (Spear-Phishing)
  • Supply Chain Compromise
  • Perimeter breach

This dictates the kind of attacks carried out during the Penetration Testing phase. Specific pre-requisites related to each scenario must be in place prior to kick-off, and these are communicated by the testing provider through the test plan. One scenario that has increased in prevalence over recent years is Supply Chain Compromise.

Supply Chain Compromise is of particular interest to Regulators because it is so hard to defend against. Implicit trust placed in providers, alongside disaggregated supply chains, makes it difficult to prevent initial compromise. Events like the SolarWinds, 3CX and MOVEit attacks reinforce this notion, and so it is often agreed that this scenario commences from the point of exploitation. This simulates a supplier or third-party software provider being subject to a malicious update that grants a Threat Actor a back door to an internal host, usually in an elevated context.

Fig.2 Supply Chain Scenario Breakdown

Starting from the point of exploitation is often a bitter pill to swallow for Firms, as it feels akin to providing the testing provider with a ‘leg-up’ into the environment. Given the time allocated to a CBEST, alongside the legal and risk management implications, compromising an organisation’s third parties to play out the end-to-end sequence of events does not currently represent a feasible option. As mentioned, the threat landscape constantly reminds us that the initial access phase of this kind of attack is almost impossible to defend against, so the driver is to allow the Firm to evidence protective and detective controls, alongside response measures, that would make it harder for a threat actor to move to critical business functions and perform compromise actions once inside the estate.

“These scenarios represent an opportunity for a Firm/FMI to test controls within the network rather than at the perimeter, where defences may be less concentrated. Malicious Insider and Supply Chain Scenarios are a feature of the threat landscape. These scenarios should always be analysed and discussed during CBEST.” (Bank of England, 2024)

Challenges and Considerations

Scenarios like the one above require a degree of planning and buy-in to ensure they commence from an agreed position, and this is one challenge amongst others when conducting a CBEST. Other key challenges include:

Maintaining Operational Integrity

Secrecy is paramount to the delivery of a ‘realistic’ test. If the engagement is uncovered early on, then results and findings can be caveated. Firms need to ensure the stealth of the engagement is maintained and beware of the following pitfalls that can ‘give the game away’:

  • Setting up insider accounts that reference the third-party testing organisation, or using testers’ real names.
  • Arranging meetings that reference the engagement in the title.
  • Making the Control Group too large, which risks ‘letting the engagement slip’.

Resources

A CBEST requires significant time and effort from both the Firm and the testing providers. This can be a challenge for smaller organisations with limited resources. Heading into a CBEST ill-equipped can result in difficulties providing pre-requisites to testers and slower approval routes during the testing phase. This can put undue strain on the engagement and risks lengthening the exercise, further exacerbating resource issues. If the level of testing conducted is inadequate, the Firm risks the Regulator asking for a re-run.

Path to Production

Testing on live production systems can feel uneasy, but it is something the Regulators will mandate because a Threat Actor will not operate solely in pre-production if they gain access to the IT estate. There are ways to demonstrate compromise of Production systems without adversely impacting operations, and a competent Red Team will be able to facilitate this via collaboration with the Firm’s Control Group.

Letting it ‘Play Out’

When a detection occurs, it is tempting to call a halt to proceedings, especially if resource and effort are being absorbed that could impact normal operations. Firms should consider that full exercising of defensive response in this way does not happen often and represents a golden opportunity that should be leveraged by allowing the response to play out in full, where possible, with an eye on risk management. It gives both the Firm and the Regulators a view of the end-to-end process, providing greater opportunities to evidence layered defence in depth and identify improvements where necessary.

Fig.3 FAQs

Conclusion

Since 2014, the CBEST testing framework has become a critical tool in enhancing the cyber resilience of the UK financial sector. By providing a realistic and comprehensive approach to testing, CBEST helps Firms identify and address their exposures, ensuring they are better prepared to protect, detect, and respond to cyber-attacks. As an approved provider, LRQA Nettitude have supported many Firms through the process, from scoping and planning to reporting and remediation, managing the risk of testing in live environments whilst ensuring the exercise remains threat-led. We may simulate adversaries, but our focus, in contrast, is to improve the Firms we work with through a partnership approach.

Bobby Spooner is a Principal Security Consultant at LRQA. LRQA has a world-leading reputation for delivering cyber assurance services within the Financial Services sector. As one of the first CBEST approved Penetration Testing service providers, LRQA have expertise in intelligence-led red teaming frameworks across the globe.