FIs Need Qualified Guidance in Adversarial Attack Simulation Exercises

By: Benjamin Harris, Technical Director at MWR InfoSecurity, an F-Secure company

Since the beginning of time, criminals have looked to subvert process and systems to profit. In a world where reliance is increasingly placed on information technology systems to perform daily activities, criminals have adapted to utilising, manipulating, and ultimately abusing these very same systems to profit from crime. Today, cybercriminals are operating on unprecedented scales targeting organisations of all sizes, with varying motivations and objectives. 

As these criminals have increased their focus on cybercrime, financial institutions have increasingly become targets of major cyberattacks around the world. From state-sponsored adversaries attempting significant thefts from central banks (US$81 million from Bangladesh Bank) in 2016, to numerous complex and aggressive attacks on various global banks, the threat landscape continues to evolve in both sophistication and audacity. 

The Asia-Pacific region has not been spared from this threat, with the high-profile heists of Sonali Bank and Tien Phong Bank. 

The uptick in aggression and sophistication demonstrates that adversaries are evolving and refining their tactics, techniques and procedures to keep pace with advances in organisational defence. As adversaries evolve, organisations must in turn keep evolving their cybersecurity discipline to remain resilient to the changing threats.

Going beyond penetration testing

Penetration testing remains an important element for organisations to uncover vulnerabilities and weaknesses in their systems. Historically, organisations have invested significantly in well-resourced security programmes aimed at preventing breaches by identifying weaknesses in assets and subsequently remediating them.

As the threat landscape has evolved and organisations have accepted that a breach of some sort is inevitable, organisations have identified and accepted the need to detect and respond accordingly to sophisticated and well-resourced adversaries once a breach has been successful. This capability to detect and respond is increasingly being recognised as being as important as preventing adversaries, when considering organisational resilience. 

While penetration testing remains a function of many strong cybersecurity programmes, discrete and siloed activities fail to address a question which requires a more comprehensive answer: “How vulnerable are the organisation’s business processes and key assets to a sophisticated and motivated adversary?”

To combat these threats, financial institutions are looking at more innovative and comprehensive ways to stress and enhance their organisation’s defensive capabilities – including through the use of adversarial simulations, or ‘Red Teaming’.

Adversarial simulation exercises take a holistic approach when compared to traditional penetration testing exercises. Where penetration testing focuses on validating technical controls or identifying technical weaknesses in specific assets, adversary simulation exercises place emphasis on the target organisation’s ability to prevent, detect and respond to adversaries targeting critical functions, across multiple technical and non-technical domains. These assessments look to stress the defensive capabilities of an organisation, with the view to ultimately identifying areas for enhancement and strengthening within these capabilities.

Guidelines Formed by Consultation with ABS

The Association of Banks in Singapore (ABS) has been encouraging banks and other financial institutions to carry out adversarial attack simulation exercises. Toward this end, the ABS recently published a set of guidelines for the financial industry in Singapore. 

As we saw in 2017 with ‘Exercise Raffles’, Singapore is no stranger to executing simulations in light of the evolving threat landscape. Such simulations are aimed at ensuring business continuity, should a terrorist and/or cyber-attack occur. 

The guidelines – known as the Adversarial Attack Simulation Exercises (AASE) Guidelines or “Red Teaming” Guidelines – provide financial institutions (FIs) with best practice and guidance on planning and conducting Red Teaming exercises to stress and enhance their organisational resilience.

Such guidelines are designed to provide organisations with a framework and approach for stressing organisational resilience. This is achieved by simulating and replicating the sophistication and aggressiveness of real-world adversaries, utilising similar tactics, techniques and procedures (TTPs).

This holistic approach to ensuring the resilience of organisations and their critical functions follows in the footsteps of, and builds upon, a number of similar successful frameworks utilised by financial institutions in other regions – the Bank of England’s CBEST scheme, the De Nederlandsche Bank’s TIBER scheme and the Hong Kong Monetary Authority’s iCAST scheme.

In the course of consultation with ABS, MWR InfoSecurity shared insights from our experience of running successful exercises and our views on how these exercises can be conducted to yield the most value to strengthen organisations’ resilience. We were also able to share insights from our involvement with similar exercises globally, including similar regulator-led exercises. 

The guidelines follow a general pattern of increased awareness with regards to cyber security across financial organisations, highlighting the significant evolution of the threat landscape and the evolution of approaches needed to counter this change. 

As said by ABS Director Mrs Ong-Ang Ai Boon: “Cybersecurity attacks against financial institutions are evolving in scope, complexity and sophistication. FIs are already deploying layers of defensive measures, solutions and controls to reduce their exposure to attacks and improve their response readiness.” 

Adversary simulations driven by goals or objectives 

Adversary simulations are driven by goals or objectives, typically representing the real objectives and motivations of real-world adversaries. 

Where adversaries are motivated by financial gain, they may target international payment networks to perform unauthorised fund transfers into a network of controlled accounts. By simulating adversaries with similar motivations, the organisational capabilities designed to prevent and detect an adversary looking to transfer such funds are stressed to ensure their effectiveness.

Where historically technology has been heavily relied upon to provide organisational defence, this ever-evolving threat requires cohesive defences spanning people, process and technology. Increasingly, defence requires the personnel who operate investigative technology within organisations to hold an in-depth understanding of how sophisticated adversaries operate – specifically the tactics, techniques and procedures they utilise – coupled with extensive experience in defending organisations against live attacks. These efforts also emphasise the importance of forming specialised incident response teams that operate in parallel with detection teams.

When performing exercises of this nature, the provider’s capability and understanding of the threat landscape are of utmost importance. Providers who possess a holistic understanding of cyber security, from both an offensive and a defensive perspective, and who have previously demonstrated success in enhancing capabilities, are increasingly being asked to provide strategic and tactical leadership on how to analyse and respond to this threat.

As the consortium overseeing the promotion of interests of the banking community at large in Singapore, ABS should be lauded for its competency and foresight in establishing the necessary guidelines for Adversarial Attack Simulation Exercises.

In the words of Monetary Authority of Singapore’s Chief Cybersecurity Officer Tan Yeow: “The Adversarial Attack Simulation Exercises closely mimic the modus operandi of cyber criminals in targeting the actual operating environments of financial institutions. This makes it an effective way of assessing the cyber resilience of financial institutions.” 

Certainly, these guidelines will further contribute to the enhancement of security and operational integrity of the financial sector in Singapore, cementing Singapore’s position as a leading financial hub. 

Note: Benjamin Harris is Technical Director at MWR InfoSecurity, an F-Secure company