An insight by MWR InfoSecurity
According to a world-renowned cybersecurity company, financial institutions should start looking at more innovative and comprehensive ways to stress and enhance their organisation’s defensive capabilities – including through the use of adversarial simulations, or ‘Red Teaming’.
“In the cybersecurity context, adversarial simulation exercises take a holistic approach, when compared to traditional penetration testing exercises,” explained MWR InfoSecurity technical director Benjamin Harris.
“Where penetration testing focuses on validating technical controls or identifying technical weaknesses in specific assets, adversary simulation exercises place emphasis on the target organisation’s ability to prevent, detect and respond to adversaries targeting critical functions, across multiple technical and non-technical domains. These assessments look to stress the defensive capabilities of an organisation, with the view to ultimately identifying areas for enhancement and strengthening within these capabilities,” elaborated Harris.
MWR InfoSecurity, an F-Secure company, is a cybersecurity consultancy which was established in 2003 and provides specialist advice and solutions in all areas of security, from professional and managed services, through to developing commercial and open source security tools.
“Adversary simulations are driven by goals or objectives, typically representing the real objectives and motivations of real-world adversaries,” said Harris.
Recently, the Association of Banks in Singapore (ABS) published a set of guidelines for the financial industry in Singapore to further encourage banks and other financial institutions to carry out adversarial attack simulation exercises.
The guidelines – known as the Adversarial Attack Simulation Exercises (AASE) Guidelines or “Red Teaming” Guidelines – provide financial institutions (FIs) with best practice and guidance on planning and conducting Red Teaming exercises to stress and enhance their organisational resilience.
“Such guidelines are designed to provide organisations with a framework and approach for stressing organisational resilience: This is achieved through simulating and replicating the sophistication and aggressiveness of real-world adversaries – utilizing similar tactics, techniques and procedures (TTPs),” said Harris.
This holistic approach to ensuring the resilience of organisations and their critical functions follows in the footsteps of, and builds upon, a number of similar successful frameworks utilised by financial institutions in other regions – the Bank of England’s CBEST scheme, De Nederlandsche Bank’s TIBER scheme and the Hong Kong Monetary Authority’s iCAST scheme.
“In the course of consultation with ABS, MWR InfoSecurity shared insights from our experience of running successful exercises and our views on how these exercises can be conducted to yield the most value to strengthen organisations’ resilience. We were also able to share insights from our involvement with similar exercises globally, including similar regulator-led exercises,” shared Harris.
The guidelines follow a general pattern of increased awareness with regard to cybersecurity across financial organisations, highlighting the significant evolution of the threat landscape and the evolution of approaches needed to counter this change.
The methodology employed by AASE aims to provide a more authentic and holistic view of an FI’s resilience. By simulating realistic attacks during the exercise and taking into consideration the relevant threat landscape and adversaries, the following benefits can be achieved:
– An assessment of the organisational resilience against adversarial attack techniques, tactics and procedures.
– Identification of weaknesses in security controls and associated risks not detected by standard vulnerability and security testing methodologies.
– An assessment of the FI’s security incident management and/or crisis management response and processes.
– A safe, controlled opportunity to identify and enhance the security posture of an FI, reducing the risk of cyber compromise.
– An opportunity for the defensive teams, such as the security monitoring or incident response team, to gain experience and become more proficient in detecting and responding to incidents.
– Pragmatic direction for the involved stakeholders, as well as confidence in an informed post-activity short-, medium- and long-term security strategy.
These simulations cumulatively aim to stress and enhance the people, process and technology that are supporting an organisation’s defensive capabilities in an end-to-end manner.