Financial Institutions should start looking at Adversarial Simulations

An insight by MWR InfoSecurity


According to a world renowned cybersecurity company, financial institutions should start looking at more innovative and comprehensive ways to stress, and enhance their organisation’s defensive capabilities – including through the usage of adversarial simulations, or ‘Red Teaming’. 

“In the cybersecurity context, adversarial simulation exercises take a holistic approach, when compared to traditional penetration testing exercises,” explained MWR InfoSecurity technical director Benjamin Harris.

“Where penetration testing focuses on validating technical controls or identifying technical weaknesses in specific assets, adversary simulation exercises place emphasis on the target organisation’s ability to prevent, detect and respond to adversaries targeting critical functions, across multiple technical and non-technical domains. These assessments look to stress the defensive capabilities of an organisation, with the view to ultimately identifying areas for enhancement and strengthening within these capabilities,” elaborated Harris.

MWR InfoSecurity, an F-Secure company, is a cybersecurity consultancy which was established in 2003 and provides specialist advice and solutions in all areas of security, from professional and managed services, through to developing commercial and open source security tools.

“Adversary simulations are driven by goals or objectives, typically representing the real objectives and motivations of real-world adversaries,” said Harris.

These assessments look to stress the defensive capabilities of an organisation, with the view to ultimately identifying areas for enhancement and strengthening within these capabilities.

Recently, the Association of Banks in Singapore (ABS) published a set of guidelines for the financial industry in Singapore to further encourage banks and other financial institutions to carry out adversarial attack simulation exercises.

The guidelines – known as the Adversarial Attack Simulation Exercises (AASE) Guidelines or “Red Teaming” Guidelines – provide financial institutions (FIs) with best practice and guidance on planning and conducting Red Teaming exercises to stress and enhance their organisational resilience.

“Such guidelines are designed to provide organisations with a framework and approach for stressing organisational resilience: This is achieved through simulating and replicating the sophistication and aggressiveness of real-world adversaries – utilizing similar tactics, techniques and procedures (TTPs),” said Harris.

This holistic approach to ensuring the resilience of organisations and their critical functions follows in the footsteps, and builds upon a number of similar successful frameworks utilised by financial institutions in other regions – the Bank of England’s CBEST scheme, the De Nederlandsche Bank’s TIBER scheme and the Hong Kong Monetary Authority’s iCAST scheme.

“In the course of consultation with ABS, MWR InfoSecurity shared insights from our experience of running successful exercises and our views on how these exercises can be conducted to yield the most value to strengthen organisations’ resilience. We were also able to share insights from our involvement with similar exercises globally, including similar regulator-led exercises,” shared Harris.

The guidelines follow a general pattern of increased awareness with regards to cybersecurity across financial organisations, highlighting the significant evolution of the threat landscape and the evolution of approaches needed to counter this change.

 The methodology employed by AASE aims to provide a more authentic and holistic view of a FI’s resilience. By simulating realistic attacks during the exercise and taking into consideration the relevant threat landscape and adversaries, the following benefits can be achieved:

–          An assessment of the organisational resilience against adversarial attack techniques, tactics and  procedures.

–          Identification of weaknesses in security controls and associated risks not detected by standard  vulnerability and security testing methodologies.

–          An assessment of the FI’s security incident management and/or crisis management response and processes.

–          A safe, controlled opportunity to identify and enhance the security posture of a FI reducing risk of cyber compromise.

–          An opportunity for the defensive teams, such as the security monitoring or incident response team to gain experience and be more proficient in detecting and responding to incidents.

–          Provide pragmatic direction to the involved stakeholders as well as confidence in an informed post-activity short, medium and long-term security strategy.

 These simulations cumulatively aim to stress and enhance the people, process and technology that are supporting an organisation’s defensive capabilities in an end-to-end manner.


Please enter your comment!
Please enter your name here

Latest News

Bank Muamalat Approved 83% SME Payment Assistance Applications

With Covid-19 surge currently being experienced by the country seeing no sign of abating, many SME's who were already struggling during MCO...

Weekend Golf Getaway in Horizon Hills and Ponderosa

With Covid-19 looming, overseas travel is far and beyond anyone's wishes at the moment, but for frequent travelers keeping oneself locked up...

Coach Inspired By NYC Skyline

This holiday, Coach is updating its seasonal collection with the joyful release of its Coach 2020 Holiday Collection – the designs are...

Maxis Makes Top Management Changes After CTIO Departs

Maxis is seeing major changes in its top management, starting with the departure of its Chief Technology and Information Officer (CTIO), Morten...

Preparing for post-pandemic opportunities

Businesses in Malaysia must begin planning and preparing now to be able to leverage the opportunities that come with the eventual post-pandemic...

Must read

4 reasons why customer experience is the key to success

Vincent Tang, Regional Vice President, Asia, Epicor "Customer service" and "customer experience" are often used interchangeably. But there's a...

Deloitte report finds Malaysia among regional leaders in digital life adoption

An extensive survey conducted by Deloitte across age groups in eight countries in South and Southeast Asia showed that consumers aged between...

Malaysia needs to brand its startup ecosystem as one of world’s best, says KJ

Khairy Jamaluddin, Minister of Science, Technology and Innovation, said the country’s entrepreneurship ecosystem was on par with the world’s best, but Malaysia...

How today’s technology is key to industrial and manufacturing sector business continuity in a post-Covid-19 world

By  Dr. Ravi Gopinath, Chief Product Officer AVEVA , How the world does business was changing before the outbreak...