2023 CBEST thematic

Foreword

1: Overview

Cyber resilience is a top priority for the regulators. Over the past few years, the regulators have increased their focus on operational resilience significantly. By ‘operational resilience’, we mean the ability of firms/FMIs, and the financial sector, to absorb and adapt to shocks and disruptions, rather than contribute to them.^{footnote [2]}

To improve the resilience of systemically important firms/FMIs and by extension the wider financial system, we run the CBEST programme to assess the cyber resilience of firms/FMIs’ important business services.^{footnote [3]} CBEST promotes an intelligence-led penetration testing approach that mimics the actions of cyber attackers intent on compromising an organisation’s important business services and disrupting the technology assets, people and processes supporting those services. This approach means that there is a ‘golden thread’ linking the security testing to threats, to the activities of an organisation and the potential impact to the wider economy (Figure A).

As part of CBEST testing, systemic financial institutions undergo live tests that assess their detection and response capabilities through simulations of the most relevant cyber scenarios.

Figure A: Intelligence-led ‘golden thread’

CBEST’s purpose is to provide a prioritised assessment that allows firms/FMIs to better understand weaknesses and vulnerabilities in their environments. Based on this they can take appropriate remedial actions, thereby improving their resilience and by extension, that of the wider financial system. As regulators, we draw thematic lessons to inform our supervisory priorities across cybersecurity and cyber resilience.

The regulators are publishing thematic findings from the latest cycle of CBEST assessments on participating banks, insurers, asset and investment managers, and FMIs.

This publication is the result of collaboration between the regulators and the National Cyber Security Centre (NCSC), the UK’s public cyber authority. In Sections 6 and 7, we provide links to relevant NCSC guidance for these topics and other NCSC cyber resources. These links represent recommended technical guidelines but are not intended to set new regulatory requirements.

2: Objectives

This publication will be useful for SMF24, CISO, CIO, COO, CRO and Cyber specialists of your firm.

The intention of this publication is to make the lessons learned through our regulatory programmes widely available to benefit the entire UK financial sector. We encourage you to use these findings to:

(a) consider threat intelligence observations and identified weaknesses and address similar weaknesses in your organisation;

(b) raise awareness in your senior executive team; and

(c) inform the work of your risk and internal audit functions.

3: The thematic process

The findings are based on the penetration testing and detection and response assessment results. We also share observations about the threat intelligence generated through CBEST and thematic trends via the Cyber Threat Intelligence Maturity Assessment Tools. These observations could be helpful for firms/FMIs considering their own threat-led testing programmes.

The regulators continue to engage with firms/FMIs, international regulators, and government agencies to develop CBEST. We would welcome any feedback or comments on these thematic findings. Please send them to CBEST@bankofengland.co.uk.

4: Threat intelligence in CBEST

As a threat intelligence-led testing framework, CBEST requires testers to simulate threat actors identified by cyber threat intelligence (CTI) experts. In this section, we share observations about threat intelligence which could be helpful for firms/FMIs considering their own threat-led testing programmes.

Intelligence can improve a firm/FMI’s understanding of the specific threat environment that they operate within:

‘Strong situational awareness, acquired through an effective CTI process, can make a significant difference in the FMI’s ability to pre-empt cyber events or respond rapidly and effectively to them. Specifically, a keen appreciation of the threat landscape can help an FMI better understand the vulnerabilities in its critical business functions and facilitate the adoption of appropriate risk mitigation strategies’.^{footnote [4]}

These observations are not intended, and should not be interpreted, as a substitute for a firm/FMI’s own internal intelligence activities and should not be used as an articulation of the entire threat landscape.

4.1: Threat actor observations

There were three primary types of threat actor involved in CBEST scenario simulations:

• state actors, or advanced persistent threats (APTs);
• organised criminal groups; and
• insider threats.

CBEST continues to demonstrate the value of simulating privileged internal attackers, such as malicious insiders and/or supply-chain attacks. These scenarios represent an opportunity for a firm/FMI to test controls within the network rather than at the perimeter.

To improve realism and introduce complexity, scenarios occasionally layer competing motivations or intensifiers (such as APTs executing supply-chain attacks or staff being blackmailed by cyber criminals). This linking of multiple actors in a single scenario enables high-value testing, such as the exploration of unusual or unexpected vectors of attack along trusted pathways.

Scenarios had a wide range of threat actor motivations, in line with the diverse and dynamic threat landscape. Indicative motivations included:

(a) financial gain;

(b) information theft;

(c) operational disruption;

(d) reputational damage; and

(e) theft of personally identifiable information.

Threat actors acted with varying objectives on important business services. The entirety of the confidentiality, integrity, and availability triad was observed in targeting and scenario generation; all were roughly equal in their overall frequency.

4.2: Threat intelligence maturity assessment observations

The CBEST process includes a self-assessment against the CREST Cyber Threat Intelligence Maturity Assessment Tools. The tool has four themes: governance, programme planning and requirements, threat intelligence operations, and resilience.

Firms/FMIs, on average, had higher scores in A: Governance and D: Resilience. This suggests that firms/FMIs have good foundations (in terms of management and sustainability/repeatability) behind their CTI operating models but weaker outcomes in integration with the business and the production and dissemination of intelligence deliverables.

Firms/FMIs, on average, had lower scores in B: Programme planning and requirements and C: Threat intelligence operations.

These cover the approach to staff and management of resources in a CTI function, and the end-to-end intelligence lifecycle. Together, these suggest that firms/FMIs could bridge their strong foundations with practical implementation.

5: Thematic findings from testing

5.1: Identity and access management

Weak or absent access management for critical assets makes unauthorised access to critical information, services, and resources more likely. The regulators regard effective identity and access management as a key objective for foundational cyber hygiene.

Positive examples^{footnote [5]} included:

(a) hardening of Active Directory, an area that sees frequent and sustained targeting during attacks; and

(b) usage of strong authentication for human accounts.

Common gaps included:

(c) lack of establishment, sufficient strength, and/or enforcement of policies and standards that govern identity and access management;

(d) insufficient hardening of privileged and service accounts; and

(e) a lack of strong (multi-factor) authentication for critical assets such as servers.

5.2: Staff awareness and training

Staff are central to any organisation’s ability to operate securely. Without sufficient training, employees could cause accidental or intentional damage to the confidentiality, integrity, or availability of information assets. As regulators, we observe the whole-of-organisation effort required for firms/FMIs to remain resilient. This includes highly technical staff, ordinary users, and external-facing staff.

Positive examples included:

(a) execution of rapid and high-quality response by specialist security staff;

(b) eradication of threats to protect important business services;

(c) timely and proactive reporting of active simulated phishing campaigns; and

(d) usage of strong passwords that proved resistant to hash cracking attempts.

Common gaps included:

(e) a failure to scan for, and evaluate the root cause of, the availability of secrets or credentials being held on easily accessible internal repositories;

(f) a failure to sufficiently review and measure cyber hygiene, particularly for passwords;

(g) over-exposure of sensitive data in public media on firm/FMI-owned websites, as well as those of third parties (including open-source ‘scrapers’); and

(h) sensitive technical information disclosed in job descriptions, posts on corporate websites, or social media.

5.3: Secure configuration

Appropriately configured IT assets and systems can prevent unintended or unauthorised misuse of critical assets. Ensuring that systems are designed, provisioned, and tested correctly and robustly reduces the attack surface to both internal and external attackers. Misuse, exploitation, corruption, and outright bypass of entire layers of controls might be made possible by a threat actor identifying and exploiting misconfigurations of assets and services. Whereas securely deployed and well-managed resources could be essential in slowing or disrupting the ability of threat actors to progress their attacks.

Positive examples included:

(a) firms/FMIs who securely configured foundational infrastructure services demonstrated better resilience by disrupting less sophisticated attack paths taken by lower-skilled simulated attackers.

Common gaps included:

(b) insecure configuration, or a lack of testing, of key templates and certificates;

(c) susceptibility to memory-based attacks exploiting passwords cached or stored in security services; and

(d) a failure to achieve the principle of least privilege/functionality to prevent misuse of a range of human and non-human accounts.

5.4: Network security

Weaknesses in networks make unauthorised access to sensitive data and systems more likely. Weaknesses also assist an attacker by making it easier to move around the target infrastructure, increasing the impact of an attack. The regulators note that security weaknesses in relation to corporate networks remain a recurring issue in CBEST testing.

Positive examples included:

(a) highly segmented networks, particularly around critical infrastructure;

(b) ring-fencing of core systems/services within dedicated ‘bastion zones’ (though note that bastions can be attacked if not properly managed); and

(c) usage of industry standards and good practice to harden infrastructure or assets that support important business services.

Common gaps included:

(d) insufficiently segregated corporate networks;

(e) a lack of segregation, reflecting a firm’s mapping of important business services; and

(f) weaknesses arising from exposure to group-owned or controlled networks (such as limiting exposure of secure network areas from lateral movement from other group entities).

5.5: Incident response and security monitoring

Gaps in monitoring, logging, and detecting malicious activity mean incidents are not contained and threat actors are not eradicated from the network. This exposes systems that deliver important business services to harm or disruption. The CBEST findings continue to illustrate the importance of sufficient, comprehensive, and timely security monitoring.

Positive examples included:

(a) efficient and flexible workflows that allow intelligence to feed new preventative controls and/or detection use cases to prevent repeated compromise; and

(b) comprehensive and rapid response capabilities (whether through automation or skilled staff) able to eradicate active attacks before they could impact important business services.

Common gaps included:

(c) insecure, overly permissive, or easily accessible incident ticketing, tracking, and escalation systems;

(d) a lack of specialist staff ready to execute complex response activities; and

(e) a lack of logging (both in production and non-production environments) or insufficient log retention.

5.6: Data security

Protecting the confidentiality, integrity, and availability of critical data is integral to the safety and soundness of important business services. Data security can be the last line of defence, even where perimeter and network controls have failed.

Positive examples included:

(a) deployment of strong encryption algorithms; and

(b) usage of full-drive encryption to mitigate attacks where assets were physically out of an organisation’s control.

Common gaps included:

(c) inadequate levels of protection for at-rest and in-transit; and

(d) inconsistencies in levels of data protection, for example in how data backups are created and stored.

6: NCSC perspectives

6.1: Identity and access management

Organisations need to understand, document, and manage access to networks and information systems. This should include ensuring users that can access data or services are appropriately verified, authenticated, and authorised. Activities to support this area include policy development, establishment of identity, privileged access management, architectural design, and monitoring.

6.2: Staff awareness and training

Organisations need to ensure staff have appropriate awareness, knowledge, and skills to carry out their organisational roles effectively. Activities to support this include developing a positive security culture, and actively engaging with staff to communicate about network and information system security, and how it relates to their jobs.

6.3: Secure configuration

Architecture and configuration of assets/systems are critically important, whether that is at the start of any development, to end of life. Getting security right at the start helps create systems that are easier to keep secure and can reduce the need for costly rework in the future.

Organisations need to understand the context and risks they face and decide whether they can accept them. A layered approach to security makes compromise and disruption difficult for potential attackers. This includes reducing the impact of compromise to prevent attackers from moving laterally within systems, preventing malware from running on devices if the attackers do reach endpoints, and planning for backup and recovery. It is also important to make detection and investigations of compromises easier through defined and tightly controlled communication methods, and log collection for monitoring of the system.

6.4: Network security

Network security is a critical component to prevent unauthorised system access or disruption. Activities to support this include building stronger security architectures, segregating the most critical services and systems into higher security zones, and network boundary protection. Additionally, reducing the attack surface by limiting flows and components to only those that are necessary, securing the platform by default, and building a separate management layer through dedicated equipment and network separation.

6.5: Incident response and security monitoring

Incident response and security monitoring help to make compromise detection easier and reduce the impact of compromise. Within incident response, organisations need to put in place well-defined incident management and mitigation processes. These should be tested to ensure continuity of essential functions in the event of system or service failure. There should also be mitigation activities to limit the impact of compromise.

For security monitoring, organisations need to monitor the security status of the networks and systems supporting the essential functions, to detect potential security problems, and to track ongoing effectiveness of protective security measures.

6.6: Data security

Effective data security ensures data stored or electronically transmitted is protected from actions that cause adverse impact on essential functions. Organisations need to consider protections for data in transit, data at rest, protecting data on mobile devices, secure disposal, and architecting the systems design to protect important data.

7: Additional NCSC cyber security resources

7.1: NCSC recommendations and general guidance

• Register for the NCSC’s Early Warning Service. This free service helps organisations investigate cyber attacks by notifying them of malicious activity that has been detected in information feeds. If already registered, use the Early Warning portal to view and make changes to registered assets and contact details.
• Register for the Cyber Security Information Sharing Partnership is a joint industry and government digital service to allow UK organisations to share cyber threat information in a secure and confidential environment.
• Ensure that your organisation knows how to report a cyber security incident. See NCSC for reporting an incident.
• Implement the NCSC’s guidance on actions to take when the cyber threat is heightened and on maintaining a sustainable strengthened cyber security posture.
• Find general and specific advice and guidance on the NCSC website, to help improve the cyber security of your organisation. Recent publications include:
  • Building off of Large Language Models: Exercise caution when building off LLMs.
  • Updated guidance on building a Building a Security Operations Centre (SOC).
  • How to assess and gain confidence in your supply chain cyber security.
• Attend CYBERUK, the UK government’s flagship cyber security event.
• Firms/FMIs in the finance sector can engage the NCSC Finance Sector Team at cnifinance@ncsc.gov.uk.