Intro and Overview
CBEST stands for Critical National Infrastructure Banking Supervision and Evaluation Testing.
CBEST provides a robust and rigorous framework designed explicitly for assessing and elevating cybersecurity defenses in the financial sector. CBEST is part of the Bank of England’s Prudential Regulation Authority (PRA) supervisory toolkit for assessing cyber resilience of organizations and businesses.
This blog covers the essential elements, purpose, and significance of the CBEST framework, exploring how it functions as a pivotal tool in combating cyber threats within the financial landscape. The reader should get a high-level overview of the CBEST process from the initial phase until closure and should walk away with a fundamental understanding of CBEST.
Firms operating within the financial sector should strongly consider integrating CBEST into their security measures due to its robust and specialized nature. CBEST provides a tailored and strategic approach to assessing the cyber resilience of crucial business services. By engaging in this comprehensive evaluation, firms gain a clear understanding of potential vulnerabilities and weaknesses within their systems. This knowledge empowers proactive remediation efforts, enabling the enhancement of cyber defenses and overall resilience. Additionally, the endorsement and utilization of CBEST align with regulatory compliance requirements, ensuring adherence to industry standards and enhancing credibility within the financial landscape. Overall, embracing CBEST not only fortifies a firm’s cyber resilience but also instills confidence in stakeholders regarding the security and reliability of their operations.
The following are stakeholders involved in the CBEST process.
- Control Group: The Control Group (CG) is responsible for managing the CBEST assessment. Its main responsibilities include ensuring compliance with the CBEST minimum requirements, creating and maintaining project plans, managing risk, maintaining the assessment scope, and preserving the confidentiality of the CBEST assessment.
- Control Group Coordinator: The Control Group Coordinator or CGC is responsible for coordinating all the test activities for the firm/FMI.
- Regulator: The overseeing authority, which may be the PRA, the Financial Market Infrastructure Directorate (FMID) of the Bank of England, or the FCA, offers guidance and supervision throughout the assessment process, ensuring alignment with the CBEST framework.
- Threat Intelligence Service Provider: The independent Threat Intelligence Service Provider (TISP) is contracted by the firm/FMI to plan and carry out a comprehensive threat intelligence analysis of the firm/FMI. The chosen TISP must hold CBEST accreditation and will conduct the TI analysis following the best practices outlined in the CBEST Cyber Threat Modelling guideline.
- Penetration Testing Service Provider: The Penetration Test service provider (PTSP) is an external entity contracted by the firm/FMI to strategize and conduct penetration testing based on the identified threat scenarios from the TI phase.
- National Cyber Security Centre (NCSC): The UK National Cyber Security Centre is a government entity that offers counsel and assistance to both the public and private sectors on mitigating cyber threats. In the Threat Intelligence Validation phase, the NCSC provides feedback on the threat scenarios and the various components outlined in the Threat Intelligence Report and Targeting Report.
To perform an assessment with the CBEST framework, service providers must be accredited to perform threat intelligence and penetration testing services. Accredited service providers must be members of CREST.
The following certifications, accredited by CREST (UK), are required:
- Threat Intelligence Service Providers must hold the CREST Certified Threat Intelligence Manager (CCTIM) certification.
- Penetration Testing Service Providers must hold the CREST Certified Simulated Attack Manager (CCSAS) certification.
Project Team Structure and Key Points
All teams must collaborate for the assessment to be successful. The following are key points to follow during the assessment.
- Upon approval by the CG during the TI phase, the TISP must share its deliverables with the PTSP for informational purposes.
- The PTSP needs to conduct early reviews of the draft TI deliverables to ensure all necessary information is available for a seamless handover.
- Throughout the PT phase, the TISP should remain accessible to provide any additional support if required.
- The CG, TISP, and PTSP are expected to facilitate free information exchange with the regulator upon request.
CBEST Assessment Process
The CBEST Assessment process can be divided into 4 phases:
- Phase 1: Initiation Phase
- Phase 2: Threat Intelligence Phase (TI)
- Phase 3: Penetration Testing Phase (PT)
- Phase 4: Closure/Remediation Phase
Phase 1: Initiation Phase
This initial phase involves preparations by the firm or financial institution undergoing the CBEST assessment. The following steps are conducted:
Launch: The regulator contacts the organization and ensures all relevant authorities and stakeholders are informed and onboarded.
Assembling the Control Group (CG): The CG comprises senior management representatives and subject matter experts from various domains within the organization. They oversee and facilitate the assessment process, ensuring that objectives align with business goals and that assessment activities don’t disrupt critical operations.
Engagement: A comprehensive project plan is formulated during this phase. It outlines the assessment’s scope, objectives, methodologies, timelines, roles, responsibilities, and communication protocols. It also includes a risk management strategy to identify, assess, and mitigate risks associated with CBEST activities.
Scoping: This stage scopes the assessment, defining its boundaries, objectives, and the systems to be assessed. It involves identifying the critical systems, services, and functionalities within the firm or financial institution that are crucial to the stability of the UK financial system.
Procurement: The organization engages with independent third-party service providers, including the Threat Intelligence Service Provider (TISP) and the Penetration Test Service Provider (PTSP). These providers should have CBEST accreditation and play pivotal roles in conducting the assessment.
Phase 2: Threat Intelligence Phase (TI)
The TI phase involves the Threat Intelligence Service Provider (TISP) conducting intelligence-gathering activities, such as reconnaissance and scenario development based on current and potential threats. This phase aims to identify potential threats and develop realistic scenarios for testing. The TI phase is divided into 4 parts, outlined below:
Direction: This initial stage sets the direction and objectives for the threat intelligence gathering process. The objectives of the intelligence-gathering exercise are defined and the scope of the assessment is outlined. The Control Group (CG) and stakeholders work together to articulate specific intelligence requirements, including the critical systems and services to be assessed, the potential threat actors, and the expected outcomes of the intelligence phase.
Intelligence: This phase focuses on collecting and analyzing threat intelligence data. Various sources such as open-source intelligence, closed-source intelligence, dark web monitoring, threat feeds, and internal organizational data are gathered and meticulously analyzed by the Threat Intelligence Service Provider (TISP). The aim is to understand potential threat actors, their tactics, techniques, and procedures (TTPs), and emerging threats that might target the organization’s critical assets and systems.
Validation: After gathering intelligence, the Validation phase aims to assess the credibility, relevance, and accuracy of the collected threat intelligence. This step involves a review and validation process conducted by the Control Group and relevant stakeholders. The aim is to ensure that the gathered intelligence aligns with the defined objectives and accurately reflects the threat landscape that the organization might face.
Assessment: This stage involves synthesizing the validated threat intelligence into realistic threat scenarios. The TISP uses validated intelligence to create scenarios that simulate potential cyber-attacks on the organization’s critical systems and services. These scenarios are then used in the subsequent Penetration Testing Phase to assess the organization’s cybersecurity resilience and readiness against such threats.
Phase 3: Penetration Testing Phase (PT)
In this phase, the Penetration Test Service Provider (PTSP) performs penetration tests based on the threat scenarios identified during the TI phase. The goal is to simulate real-world attacks and assess the security controls’ effectiveness. This phase is also divided into 4 parts:
Planning: This initial stage involves comprehensive planning for the penetration testing activities. The Penetration Test Service Provider (PTSP) collaborates with the Control Group (CG) and stakeholders to define the scope, objectives, and methodologies for the assessment. The PTSP creates a detailed test plan outlining the specific techniques, tools, and procedures to be used during the assessment.
Execution: In this stage, the actual penetration testing activities are carried out according to the predefined test plan. The PTSP simulates cyber-attacks based on the validated threat scenarios identified in the Threat Intelligence Phase. The PTSP conducts a series of controlled tests and attempts to exploit vulnerabilities within the organization’s critical systems and services to assess the effectiveness of existing security controls.
Assessment: Following the execution of the penetration tests, the Assessment stage involves analyzing the results and findings obtained during testing. The PTSP evaluates the effectiveness of the organization’s cybersecurity controls, identifies vulnerabilities, and reports on successful exploit attempts. The results are compiled into a comprehensive assessment report that includes details of the vulnerabilities discovered, their potential impact, and recommendations for remediation.
Review: The final stage involves reviewing the findings and assessment report. The CG and relevant stakeholders examine the assessment report provided by the PTSP, validate the identified vulnerabilities, and assess the overall cybersecurity posture of the organization. This phase may also involve discussions on remediation strategies, lessons learned, and actions to enhance the organization’s security posture based on the assessment results.
Phase 4: Closure/Remediation Phase
After completing the assessment activities, the providers deliver reports detailing findings, vulnerabilities, and recommendations for enhancing cyber resilience. The results are shared with the regulator, typically the Bank of England or other relevant financial regulatory body, to demonstrate compliance and address any regulatory concerns. Following the assessment, the firm undertakes remediation efforts, addressing identified vulnerabilities and enhancing its cyber resilience based on the findings and recommendations.
Remediation: After the assessment and identification of vulnerabilities in the Penetration Testing Phase, the organization initiates the remediation process. This phase involves addressing and fixing the identified vulnerabilities and weaknesses in the systems and processes. The organization’s security team, in collaboration with relevant stakeholders, prioritizes the remediation of vulnerabilities based on their severity and potential impact on critical systems.
Debrief: This involves conducting detailed discussions and knowledge-sharing sessions among the Control Group (CG), Threat Intelligence Service Provider (TISP), Penetration Test Service Provider (PTSP), and other stakeholders. This phase focuses on sharing insights, observations, and lessons learned from the assessment. It includes reviewing the assessment report, discussing findings, identifying root causes of vulnerabilities, and strategizing for improvements in the cybersecurity posture.
Supervision: During this stage, there is ongoing oversight and monitoring to ensure the effective implementation of remediation measures. The CG oversees and supervises the progress of the organization’s remediation efforts. It involves tracking the status of vulnerability remediation, ensuring that corrective actions are properly implemented, and verifying that the identified vulnerabilities are adequately addressed.
Analysis: In the final stage, a comprehensive analysis of the overall CBEST assessment is conducted. The organization evaluates the effectiveness of the entire CBEST process, including the Threat Intelligence and Penetration Testing Phases and the subsequent remediation efforts. The analysis aims to assess the impact of the assessment on improving the organization’s cybersecurity resilience, identify areas for further enhancement, and refine future assessment strategies.
Adopting CBEST as part of an organization’s security assessment strategy offers a framework for evaluating and improving its security posture. Through a collaborative approach involving various stakeholders, CBEST meticulously analyzes an organization’s systems, processes, and defenses, pinpointing potential vulnerabilities for targeted remediation. By leveraging the expertise of both internal and external teams and adhering to a structured assessment methodology, CBEST facilitates the identification of weaknesses, providing a comprehensive view of security risks. This comprehensive evaluation not only aids in the immediate mitigation of vulnerabilities but also acts as a catalyst for continuous improvement, increasing the overall cybersecurity resilience of the organization.