The paper describes the key components of a red team testing framework, compares existing frameworks, outlines the benefits and challenges of such frameworks, and highlights potential cross-border issues relating to red team testing.
In general, a red team test can be divided into four phases: reconnaissance; getting into the institution; getting through its systems; and getting out with the captured “flags” as defined in the scenarios. Red teams can use either a methodology with a clear sequence of events in a cyber attack life cycle, or one that focuses on techniques from the different tactics deployed by threat actors and jumps from one point in the attack life cycle to another depending on the situation. In terms of scope, a red team test typically covers the entire financial institution and involves different teams, potentially including external threat intelligence and test providers. The test is conducted without the knowledge of those responsible for protecting the institution from cyber attacks.

Most of the surveyed jurisdictions have established red team testing frameworks with a number of common elements. The frameworks generally involve the following steps: defining the scope and risk management controls for the test; procuring threat intelligence and red team providers; gathering threat intelligence; conducting the actual test; analysing the test outcomes; putting in place a remediation plan; and sharing the lessons learned with stakeholders. The frameworks typically apply to large or critical financial institutions, but authorities may have discretion to include other financial institutions. The frameworks differ, however, in whether threat intelligence and red team test providers must be external to the financial institution, accredited and formally assessed.

An effective red team test is characterised by both firms and authorities being open about the results, learning from the weaknesses exposed and taking appropriate remedial actions. Unlike other risk assessment exercises, a successful red team test is not determined by whether a firm “passes” or “fails” the test.
To truly benefit from red team testing, focusing on the implementation of remediation measures after the test provides more value than treating the test outcomes merely as evidence of weaknesses in the institution’s cyber practices.