IT Security Guru

CBEST framework aims to improve financial services security

by The Gurus
June 10, 2014
in Editor's News

The Government has launched the CBEST framework for sharing detailed threat intelligence and delivering cyber security tests and benchmarking for UK financial services providers.
 
Developed with the Bank of England (BoE), Her Majesty’s Treasury and the Financial Conduct Authority, as well as CREST, this is the first initiative of its type to be led by any of the world’s central banks.
 
This news follows the launch of the Cyber Essentials scheme last week, which was designed for small businesses and permitted self-accreditation. CBEST is designed to help the boards of financial firms, infrastructure providers and regulators to improve their understanding of the types of cyber attack that could undermine financial stability in the UK.
 
It will also focus on the extent to which the UK financial sector is vulnerable to attacks and how effective their detection and recovery processes are. CBEST also puts in place measures to ensure that controlled, targeted and intelligence-led tests can be conducted on critical assets without harm.
 
CBEST differs from other security testing currently undertaken by the financial services sector as it is threat intelligence based, is less constrained and focuses on the more sophisticated and persistent attacks against critical systems and essential services.
 
CREST has helped develop the new accreditation standards for CBEST penetration testing, based on the already stringent standards for assessing the capabilities, policies and procedures that CREST member companies have to achieve. CREST president Ian Glover said: “CBEST tests have been designed to replicate the behaviours of serious threat actors, assessed by Government and commercial intelligence providers as posing a genuine threat to important financial institutions.
 
“For the first time, CREST requires commercial intelligence providers to be accredited. This ensures financial services and infrastructures providers have access to detailed, considered and consistent cyber threat intelligence that has been ethically and legally sourced.
 
“Through the CBEST framework, security testers and threat intelligence providers will work together to replicate real attacks from sophisticated adversaries. Both the companies providing CBEST services and those qualified to conduct the tests are bound by strict and enforceable codes of conduct administered by CREST.”
 
Don Smith, director of technology at Dell SecureWorks, said: “It has become clear that the current cyber security testing methods used in the financial sector are not sufficient to protect organisations against more sophisticated attacks. CBEST differs because testing will be based on threat intelligence and an understanding of the real threat, something that is all too often overlooked.

 
“Testing will only be truly useful if it is based on, or conducted in conjunction with comprehensive threat intelligence. What’s more, organisations must ensure that threat intelligence services are tailored to their environment and delivered by an intelligence provider that is continuously monitoring the cyber threat landscape.
 
“This, in combination with the activation of a simulated targeted attack, will help to ensure organisations are ready should the worst happen. Cyber attacks are constantly evolving and in such a changeable security landscape, intelligence-led testing is the only way to prepare defences against the most persistent and sophisticated attacks.”
 
Darren Anstee, director of solutions architects at Arbor Networks, said: “The launch of the new CBEST framework is welcome as intelligence led, more persistent test scenarios will provide a better way for organisations to assess and improve their overall security posture.
 
“Helping the management teams within financial organisations to better understand the threats they face, and the gaps in their current security solutions, services and processes will be invaluable.”
 
James Chappell, Chief Technology Officer at Digital Shadows, said: “To be effective, CBEST tests must be based on realistic, threat-informed scenarios.  The Bank of England is therefore seeking to form partnerships with commercial suppliers of threat intelligence and security testing services to help establish a ‘best practice’ approach to defining and executing the tests.  Essentially the threat intelligence service suppliers will provide threat intelligence to security testers, augmented by Government support, who will use it to target their attacks.”

Tags: financial services, Government, Penetration Testing