UK Only

Please note that CBEST tests are specifically relevant to financial services organizations who are regulated by the Bank of England in the United Kingdom. However, if your organization is interested in engaging a similar test outside of this regulatory framework, please contact us for more details.

CBEST Security Testing

GDS is a member of the CREST panel of vendors able to deliver CBEST intelligence-led penetration testing for Financial Services organizations in line with the requirements of the Bank of England.

Overview

CBEST is a framework to deliver controlled, bespoke, intelligence-led cyber security tests. The tests replicate behaviours of threat actors, assessed by the UK Government and commercial intelligence providers as posing a genuine threat to systemically important financial institutions.

CBEST differs from other security testing currently undertaken by the financial services sector because it is threat intelligence based, is less constrained and focuses on the more sophisticated and persistent attacks on critical systems and essential services. CBEST provides an holistic assessment of a financial services or infrastructure provider’s cyber capabilities by testing people, processes and technology in a single test which will be less time constrained than traditional penetration testing.

Approach

CBEST tests emulate real-world attacks through risk managed, open scope testing - allowing simulation of real world attacks that are not constrained by a requirement to target a single IT system. All CBEST tests should progress through the following steps in order. The activities performed and the amount of time spent on each step will vary depending on the nature of the test. This will be defined by the scope and agreed prior to testing, and should include considerations of the target organization’s industry and likely threat actors. Given the nature of a CBEST test and the critical nature of the systems and environments being tested, detailed risk assessment and risk management activities are also included. As part of a CBEST activity, the following methodology will be adopted for the execution:

  • Reconnaissance — Background information is gathered on and from the target organization. An example of this is obtaining public information from the Internet about the target organization, establishing the potential attack surface of the target or identifying possible target user information. Under CBEST this will be conducted by approved cyber threat intelligence providers.

  • Staging — Based on the information gathered from reconnaissance activities, staging platforms will be implemented to emulate that of the agreed threat actors. This platform will be used as a base from which further simulated attacks against the target organization are to be launched.
  • Exploitation — Using tactics, techniques and procedures similar to those of the agreed threat actors, identified vulnerabilities will be exploited to gain unauthorized access to the target. This will be performed to the level agreed in the scoping study and in line with the results of the risk assessment.
  • Control and Movement — Once a successful compromise has been performed, attempts to move from initial compromised systems to further vulnerable or high value systems will be made. For example, this may consist of “hopping” between internal systems, continually reusing any increased access obtained, in order to eventually compromise agreed target systems.
  • Actions On Target — Gaining further access on compromised systems and acquiring access to previously agreed target information and data. Again this phase will be performed based on the agreed scope and risk assessment, and approved by the target organization.
  • Persistence and Egress — Mimicking the activities of an advanced attacker, persistent access to the network will be secured and simulated exfiltration of staged data will be performed. Staged data will be created in line with the risk assessment and approved by the target organization before any action is taken.

CBEST tests are to generally be performed without the widespread knowledge of the target organization’s IT security or response capability. A key part of the test is to assess how effectively the target is able to detect and respond to simulated attacks.

Additional Resources

Additional details about CBEST can be found below:

If you would like to learn more about our CBEST services, please email us, or call us on 0845-643-9220.