Giles Inkson, Author at NetSPI. The Proactive Security Solution. Mon, 28 Oct 2024 17:26:28 +0000

Part 1: Ready for Red Teaming? Intelligence-Driven Planning for Effective Scenarios

https://www.netspi.com/blog/executive-blog/red-teaming/part-1-ready-for-red-teaming/
Tue, 08 Oct 2024 21:57:51 +0000

Take time for dedicated planning and evaluation ahead of red team testing to prepare your organisation for effective red team exercises.

The post Part 1: Ready for Red Teaming? Intelligence-Driven Planning for Effective Scenarios  appeared first on NetSPI.

TL;DR

Meticulous, intelligence-driven planning rooted in organisational context is crucial for impactful red team testing. Taking the time for dedicated planning and evaluation ahead of red team exercises will result in more valuable results and a better testing experience for both customers and vendors.

What to do: 

  • Do utilise multiple sources to inform scenario design, including:  
    • Realistic threat and open-source intelligence from multiple sources 
    • Business needs, strengths, weaknesses, challenges, and organizational structure 
    • Input from key stakeholders, users, owners, and consumers of the services and businesses you will test 
  • Do engage CISOs, and system and process owners well before testing starts to ensure operational integrity 
  • Do allow at least three months for thorough planning and stakeholder alignment 
  • Do make sure your business security capability meets the maturity level where red teaming is beneficial 
  • Do tailor scenarios to specific regulatory frameworks and legal requirements for data security (e.g., CBEST for finance)
  • Do document clear objectives and success criteria before execution; make sure they are grounded in reality  

What not to do: 

  • Don’t rely solely on generic, off-the-shelf scenarios that are not mapped to your business 
  • Don’t ignore industry-specific threats, compliance requirements, and intelligence data 
  • Don’t rush the planning phases, leading to poorly defined scope and outcomes 
  • Don’t red team before you are ready; have a detection, alerting, and response capability that requires evaluation 
  • Don’t skip securing executive buy-in and necessary resources and staff cooperation 
  • Don’t overlook the need for well-defined rules of engagement, communications, and escalation processes 

Introduction

Conducting a red team exercise has significant benefits for your organisation’s security resilience, if planned and executed well. However, given its advanced nature, it isn’t always the most valuable type of test to enhance resilience, and getting to the point of being able to get the most value from one is a challenge.

Without the right elements in place, nothing is learned, and you end up with the best parts whizzing above the proverbial head of the organisation.

This analogy works almost all the time, except when you are legally required to red team, and scaling up quickly becomes a big undertaking. In this case, consider an intermediary service, like scenario-based testing, that tests against specific NIST pillars, and provides insights that go beyond normal pentesting.

Many of you are considering whether now is the right time for a red team exercise, or you’re seeking a red team experience as part of a larger move toward compliance, such as the Digital Operational Resilience Act (DORA). This article will help you get the right processes and capabilities in place so you can prove and validate any assumptions around your security capability through real-world testing – that’s what a red team should help you do.

The planning and evaluation that goes into red teaming can make or break the quality of test outcomes, which is why we’re exploring foundational planning and radical realism so you can gain the most value from any red team exercise.

Is Red Teaming Right for My Business?

Ask yourself: Is red teaming the most valuable type of security test for your business right now? Red teaming is an incredibly impactful way to enhance your security against real-world risks, but it can also be too advanced for some organisations, especially if they have novice asset visibility, managed security, or detective controls.

If your IT and security fundamentals are in flux, and you don’t yet have a capability to respond to a real-world event (managed or in-house), then a red team test may not provide the most value.

Consider this analogy: You’re a new boxer, about to start sparring and practicing ‘the real fight,’ but it turns out your opponent is a class or two above, and has a large, shiny, golden belt. This is clearly an unmatched fight that will result in injury, and not a great deal of practical lessons. You’ll walk away having tried your best, but ultimately not learning how to progressively build your skills.

This is why we aim to calibrate red teaming to your organisation, its strengths and weaknesses, because without the right level of challenge, nobody learns or grows.

Bringing it back to red teaming, getting the level of challenge right takes planning, so it can prepare your team for the scenarios that are most likely to face your business, and validate the threats you may face. To get the most value and education from red teaming, you need to have security protocols in place, tailored to your system, and functioning correctly.

Consider Scenario-Based Testing as an Alternative to Red Teaming

A different type of test that provides significant insights with more control than red teaming is scenario-based testing, which is more focused on a specific set of circumstances. Scenario-based testing allows you to explore ‘what if’ scenarios much like a red team, but it doesn’t have to be the full organisational scope.

At NetSPI, we perform scenario-based testing aligned to concepts around NIST: identify, detect, protect, respond and recover. Think of it as a practical test to answer ‘can my business detect an active threat in ‘x’ set of systems,’ or ‘if we have an active breach what can we see? Are our thresholds for response where they need to be?’.

With scenario-based testing, we help you turn these conceptual tests into specific test cases and scenarios. This blends the focus of a pentest with the business impact of a red team in a more cost-effective and manageable way. Depending on your current security stance, a focused test such as this can produce more helpful results and be a better use of resources, time, and money.  

Starting with basics like pentesting, and then working your way up to scenario-based testing, and eventually red teaming will help your team systematically grow their skill sets.

Embrace Realism When Planning for Red Teaming

Being realistic about your organisation’s security maturity and your team’s mindset of continuous improvement through blue and red team testing will bring the most beneficial enhancements to your security.

On the practitioner side at NetSPI, we engage in extensive preliminary planning to ensure the success of our red team engagements. These tests are highly involved, and we always want to be realistic about the level of effort that goes into a red team versus a quarterly or annual pentest for example.

Red teaming has a greater level of tactical and cultural components, such as ensuring you’re landing in environments that reflect the organization as realistically as possible, and working internally to get the right executive buy-in both from a timing and funding standpoint.

For instance, if someone delivers a red team from a fresh user account, without all of the long-standing hygiene issues your organisation may face, have you really validated something that reflects reality?

Now is the time to critically think about whether your company is ready for red teaming. You don’t need to face this decision alone. Contact NetSPI’s security experts for guidance on the most valuable security test for where you stand today.

Defining Clear Rules and Objectives of Red Team Exercises

Red team testing is quite involved and requires clear, comprehensive, and proactive communication well before the test starts to avoid common blockers. 

A few discussion points to align with your vendor include: 

  1. Engagement Basis: Give ample room for planning because a rushed test is a poor test. Make sure you fully know why you are doing it. Pro tip: Yearly compliance isn’t the answer to this question, and neither is running the test at the same time each year. 
  2. Objectives: Don’t just default to ‘highest privilege possible.’ Think about what matters to your business and how you want to assess it. 
  3. Isolation: Make sure those who know about the test can protect its integrity. If the security team knows a red team is coming, it will always alter their behaviour. How do you know if you face a real risk if red teams cannot expose this safely? 
  4. Data Security: Make sure your provider complies with the laws and regulations you do, such as the General Data Protection Regulation (GDPR), or DORA guidelines on supply chain. Remember, your pentest and red team providers hold your most precious data, and they’re a supplier as much as your SaaS, SIEM, SOAR, or managed service providers. 

Why Data Security?

Data security is a growing concern because of the increased attention on supply chain risk. Any red team vendor should be able to speak clearly to their data processing protocols and whether they follow standard compliance policies.

At NetSPI, we’ve seen an increase in customer requests regarding vendor due diligence for secure data management. We’re ahead of the trend in this regard, because we’ve taken steps to address the real risk of the supply chain today. Ultimately, a red team is also a supplier, and our security is a key consideration for companies seeking quality red team services.


Plan for Appropriate Red Team Testing Lead Times

Bringing more transparency into adequate lead times benefits both red team testers like NetSPI and our customers.

The assumption tends to be that red teams are ready to go at a moment’s notice and require little setup. But the reality is that the logistics and organization on both sides of an engagement typically require at least a month to plan correctly.  

The level of care and attention that goes into creating a realistic attack scenario is far greater than red teams typically talk about. As a CISO, security manager, or blue team practitioner, clearly outlining the preparation required for red team testing will lead to a more efficient process and improved testing outcomes. 

Business Considerations before Red Team Testing 

Red teaming is a delicate balance of preparation and secrecy.

All too often, we encounter blue teams that know when a red team exercise is happening because their company’s budget renews annually, so they can anticipate which quarter of the year they need to be on guard.  

Timely involvement of the right people is key to protecting the operational integrity of red teaming. Executive buy-in and stakeholder awareness are essential to minimise the potential risk to a business during a red team test. Equipping your red team vendor with a thorough understanding of your market, organisation, how it operates, and what its security concerns might be, is critical to designing the right type of scenario. 

Today, we’re seeing red teaming expand into sectors such as energy, healthcare, and manufacturing. With more critical industries relying on red teaming, practicing safe and appropriate use of force from a red team perspective is essential. Having open, honest conversations early on about a company’s known weaknesses and scoping bounds is an important part of forward planning in this process. 

Ready for Red Teaming? Contact NetSPI

Red teaming is an involved testing type that brings highly beneficial insights into your company’s ability to detect and respond to the most realistic attack scenarios. Taking the time for proper planning and evaluation ahead of red team engagements will result in the most valuable outcomes and a strong working partnership between you and the red team testers. 

Whether you’re ready for the next challenge, or you’re working on compliance with industry regulations, NetSPI is ready to guide the most impactful next step for your security. Contact us for a consultation with our security experts. 

Q&A with Giles Inkson: A Guide to Digital Operational Resilience Act (DORA)

https://www.netspi.com/blog/executive-blog/compliance/guide-to-digital-operational-resilience-act-dora/
Thu, 30 May 2024 08:00:00 +0000

What is Digital Operational Resilience Act (DORA)? Will it affect your business? NetSPI is your guide to the latest updates for financial services.

The post Q&A with Giles Inkson: A Guide to Digital Operational Resilience Act (DORA) appeared first on NetSPI.

The Digital Operational Resilience Act (DORA) is a regulation in the European Union (EU) that’s significantly reshaping organisational approaches to cybersecurity. DORA introduces a standardized framework for improving digital operational resilience throughout the EU’s financial sector. Like GDPR, it has global impact, and it comes with broad-reaching non-compliance penalties for financial organisations globally. This legislative package encompasses both regulation and directive components, fostering consistency in approach and implementation.

At its essence, DORA introduces a comprehensive testing framework centered around TIBER-EU testing, complemented by disclosure and intelligence sharing policies that aim to instill resilience and robustness in digital operations among financial entities. Its impact extends beyond traditional financial institutions, encompassing a broader scope of businesses that were not previously held to such stringent standards. As the compliance deadline of 17 January 2025 approaches, larger organisations are poised to lead the charge in adopting these standards.

While many companies are already proactively engaging in preparatory measures, expert guidance can streamline the compliance journey, offering clarity on regulatory requirements and expediting initiatives such as threat-led penetration testing and red teaming. By partnering with NetSPI to leverage our specialized assistance, entities can navigate the complexities of DORA with ease, ensuring timely and effective adherence to these new regulatory mandates.


Timeline of Digital Operational Resilience Act (DORA) 

  • 28 November 2022: The European Parliament approved The Digital Operational Resilience Act
  • 17 January 2024: European Supervisory Authorities published the first set of final draft technical standards under DORA 
  • 17 January 2025: DORA goes into effect with flexibility for companies to meet the compliance standards
  • Early 2025: Compliance with DORA will be mandatory for all companies affected 

We tapped into NetSPI’s Director, Services – EMEA, Giles Inkson, to better understand DORA and its implications for the financial services industry.  

1. What is DORA? What does it cover and what does it aim to achieve?

DORA is a framework enabling enterprise-wide resiliency, built on behaviours, processes, policies, and governance necessary for enabling that, both for monetary authorities within European nation states and organisations that enforce fiscal policy. It aims to establish frameworks and processes on how to conduct Information and Communications Technology (ICT) risk management across technology assets and key business services underpinning financial sector organisations, subject to audit.  

Aspects of this include:  

  • Reporting of ICT-related incidents voluntarily, including service interruptions related to cybersecurity incidents and beyond such as general resiliency or failures of technology. It encourages reporting on operational failures and the company’s response to return to services.
  • It ensures sound measures for managing ICT third-party risks, including supply chain attacks. These encompass various suppliers such as managed ICT providers, IT hardware suppliers, consultancy services, and others that contribute to the organization’s ICT capability or service provision. The framework establishes processes to control and mitigate the impact of these risks wherever feasible.
  • It also covers major incidents in payment processing and cybersecurity, critical in safeguarding nations against hybrid warfare threats. Maintaining these components is a significant step toward safety across the European Union and globally. 

The DORA framework aims to delegate significant responsibility to the nation state or its respective monetary authorities, aiming for consistent application across Europe and globally to enhance resilience and maturity in the financial sector. The goal is to ensure a consistent approach across the entire financial sector, benefitting both the sector itself and nations that engage with it. 

2. Why is DORA needed? Do other regulatory frameworks address similar issues, and how does DORA complement or enhance these frameworks? 

DORA is needed because it mandates TIBER-EU as part of its operational resiliency testing. TIBER-EU testing is also known as a threat-led red team, or a threat-led penetration test, to identify realistic threats across the system and focus on critical services that keep businesses running.  

TIBER-EU has a number of standards in place for how to conduct this type of testing. It involves using realistic threats to build scenarios to test against that organisation, drill down as though they were real-world threats, and follow through a defined process end to end. This involves collaboration between threat intelligence, penetration testing providers, regulatory authorities, and the organisation itself.  

While these tests have been around for a while, they are being updated as part of DORA. Legislature that’s being folded into the existing TIBER-EU frameworks will mandate this type of testing at least once every three years with the regulator involved. On the remaining two of those three years, a more self-guided version may be implemented, requiring less involvement from regulatory or monetary authorities. This allows for a more autonomous approach, although tighter controls can still be maintained during those years if necessary. Threat-led penetration testing and intelligence are central to the advancement of business resilience in the financial sector worldwide. 

These standards are similar to others that have existed before, with more nations and regions adopting similar frameworks because they are proven to enhance business resilience. One of the first types of these testing standards was CBEST, which is from the Bank of England and the Prudential Regulation Authority (PRA). CBEST follows a similar standard with a slightly different set of accreditation processes. Additional examples include Cyber Operational Resilience Intelligence-led Exercises (CORIE) in Australia, and intelligence-led Cyber Attack Simulation Testing (iCAST) in Hong Kong. Other nations are following suit rapidly. 

3. Who does DORA impact? Do all financial services businesses fall under the remit of DORA?

These standards primarily apply to the finance sector due to its critical role in maintaining economic and governmental stability for nation states. Therefore, they are highly significant, given the high stakes involved. 

Twenty key types of businesses fall under the financial services umbrella. These include:  

  • Financial services and insurance lenders
  • FinTech 
  • Trading venues
  • Trading platforms
  • Financial system providers 
  • Crowdfunding providers
  • Cryptocurrency providers in varying forms 
  • Financial sector supply chains or ICT providers
  • Investment firms
  • Payment providers 
  • Credit rating agencies  

See Article 2, Scope for a complete list. 

4. What are the key requirements for compliance with DORA? 

Compliance with DORA is all about showcasing the evidence, the audit trail, and demonstrating its consistency, validity, and authenticity during testing. Areas of validation include:

  • Evidence of your efforts for effective ICT risk management and operational resiliency, including documenting ICT-related incidents, particularly major ones pertaining to payments or cybersecurity.
  • Reporting process, its execution, and the location of any incidents. Ensure the presence of policies and processes, along with their rigorous testing prior to any incident. This validation should extend to your adherence to regulations set forth by your monetary authority or national regulator.
  • Demonstrate proficiency in digital operations resiliency testing, such as red teaming or threat-led pentesting akin to TIBER-EU. 
  • Intelligence sharing is also a must. Being aware of threats and preventing breaches through regular sharing with the monetary authority is indicative of effective operations.
  • Demonstrate that you’ve got measures for managing IT third-party risks and downstream supply chain. 
  • Define reporting notification requirements so after reasonable processes have been conducted to identify, contain, or eradicate threats, then you should notify your relevant monetary authority. 

5. What are the reporting and notification requirements under DORA? What are the consequences if a business doesn’t comply with DORA by 17th January 2025?  

Some tests are conducted annually, requiring evidence of regular compliance within that timeframe. Ideally, teams will prepare for this in advance to ensure that testing is completed before the deadline, thus enabling them to address any inquiries promptly. It’s advisable to have robust platforms, protocols, and processes established beforehand to mitigate potential issues. Failure to meet these standards may result in being subjected to special measures where monetary authorities monitor closely. Penalties for noncompliance can be severe, amounting to 1% of daily global turnover, collected over a six-month period, with the possibility of an annual penalty of up to 2% of global turnover. Continued noncompliance may result in special measures and oversight of the organisation, and could even lead to the revocation of operating privileges in that region, representing a worst-case scenario. 

6. How does DORA contribute to enhancing the stability and security of the digital economy? 

Essentially, it safeguards everyone involved, from individuals with bank accounts to businesses issuing wages. It ensures the monetary stability of the nation and secures government transactions, including payments to suppliers or employees and international transactions. Essentially, it serves as the lifeblood of the European economy, ensuring its vitality and resilience.  

The goal is to develop the capacity to identify, respond to, and effectively counter threats to operational resilience. These threats may stem from various sources, including threat actors, technological glitches, process failures, or environmental disasters like earthquakes. The aim is to ensure preparedness for potential challenges, thereby preserving the functionality of our economies for as long as possible or facilitating a swift return to normalcy in the event of disruption. 

7. What are some potential challenges or criticisms associated with DORA’s implementation? 

Because the scope of DORA is so broad, businesses may struggle to prepare adequately and might rely on poor advice or organisational structures or misinterpret DORA’s values or guidance. This could result in a patchy implementation with numerous organisations believing they are compliant when they are not ready. 

One of the significant challenges lies in collaborating with trusted parties, vendors, and organisations to ensure alignment with existing efforts rather than embarking on entirely new initiatives. Many organisations, including those not accustomed to such tests, requirements, policies, or frameworks, may find themselves unprepared for DORA’s operational methods, leading to initial difficulties in adaptation. Moreover, the shift from traditional approaches like red teaming or penetration testing to threat-led methodologies can be quite stark, requiring a pragmatic and realistic approach that may come as a shock to some. 

8. Why should businesses partner with NetSPI to ensure they comply with DORA? 

NetSPI’s intelligence-led proactive security team is experienced across regulatory frameworks and has delivered upon the TIBER framework and CBEST-level standards since its inception. We have contributed to the development of the standards and the working groups that have gone in to create the frameworks themselves and have the unique ability to draw on operational experience across domains that other proactive security companies cannot. We use best-in-class operators that exceed the requirements others may only meet, and our genuine, multiple-person operative capabilities drive testing that is second to none. 

We exist to secure the most trusted brands on Earth, bringing more clarity, speed, and scale to your compliance with DORA and other frameworks. Reach out to start a conversation today.

Navigating Cybersecurity Regulations Across Financial Services

https://www.netspi.com/blog/executive-blog/compliance/navigating-cybersecurity-testing-regulations/
Tue, 07 May 2024 07:00:00 +0000

Learn about five areas businesses should consider to help navigate cybersecurity regulations, such as the Digital Operations Resiliency Act (DORA).

The post Navigating Cybersecurity Regulations Across Financial Services appeared first on NetSPI.

Financial institutions are prime targets for cyber threats because of the large amounts of sensitive data they handle, their place in the economy, and their usage of infrastructure such as mainframes. The need for robust cybersecurity measures has never been more pressing. In response, many regional and national regulatory bodies and industry leaders have introduced comprehensive frameworks aimed at bolstering the enterprise resilience of the financial services sector. 

In navigating the intricate landscape of security testing regulations in global financial markets, businesses must adopt an enterprise-wide proactive and strategic approach to effectively manage and comply with these regulations. 

As these frameworks mature and roll out globally across territories, there are many ways organisations can prepare themselves now and be ready for upcoming standards, such as the Digital Operations Resiliency Act (DORA). Here are the five areas businesses should consider to help navigate these frameworks and financial services regulations:

Treat threats proactively and embrace regulations to drive positive change

First and foremost, it is crucial for businesses to understand the significance of these regulations in enhancing cybersecurity resilience. Frameworks like CBEST, DORA, TIBER-EU, iCAST and CORIE are essential parts of strengthening defences against cyber threats inside and outside of regional boundaries. Each of these standards focuses on treating either critical business components (the parts that keep the business working), or the entire enterprise as their scope. Viewing compliance not just as a regulatory obligation, but as a critical component of a robust cybersecurity strategy, can help businesses prioritise their efforts and investments accordingly. If an organisation has red teamed before, they might be surprised at the pragmatic and impactful difference in approach, shifting their security mindset to a proactive one. 


Assess cybersecurity posture across the whole business

Businesses need to treat their organisations as a single organism. Many traditional red team or penetration testing methodologies only treat cybersecurity in isolation, and not as a part of the whole organisational risk. Financial institutions need to conduct regular intelligence-led penetration testing or red teaming, coupled with cybersecurity risk assessments and gap analyses across their entire business as part of a holistic suite of risk reduction. In doing so, valuable insights are gained into vulnerabilities, threats, process gaps, weak controls and areas of non-compliance within an organisation that other tests cannot expose. By understanding their strengths and weaknesses across cyber and operation resiliency, businesses can target areas of improvement and enhance their overall security posture.

Foster collaboration and a culture of cybersecurity awareness

Collaboration between IT, security teams, and senior leadership is paramount in effectively managing security testing regulations on the world stage. Regional coordination and clear communication on expectations and territorial differences can be complex to negotiate without centralised administration. Therefore, establishing clear lines of communication and fostering a culture of cybersecurity awareness across all business units is critical. Reinforcing this with processes that encourage accountability throughout the organisation ensures that compliance efforts are aligned with business objectives and strategic priorities without siloing the efforts and investment.

Recognise the global impact of security testing frameworks

As cyber threats cross borders, financial institutions worldwide face similar risks and regulations across their operational sites. Compliance with these testing frameworks isn’t just about state-level or national rules; it’s about adopting global cybersecurity best practices and common standards throughout. With international financial systems interconnected, one institution’s security can impact the entire ecosystem, as does one regional branch or office of a global company. By adopting and aligning the needs of these frameworks, businesses enhance global financial system resilience and may also be combined into wider supersets of tests. Standardised frameworks like CBEST and TIBER and the upcoming DORA enforcement in January 2025, streamline compliance efforts and provide a consistent approach to cybersecurity testing worldwide and across entire businesses, and can reduce the need for repetitive testing.

Invest in broad and deep expertise

Investing in the expertise of accredited cybersecurity partners with global capability will help financial institutions manage their global testing compliance needs. For example, many finance sector organisations operate legacy mainframes as a part of their critical services. While mainframe testing is a crucial aspect of cybersecurity resilience, it remains overlooked, even though it is a designated area for examination within testing frameworks. This is because many businesses lack the technical expertise to conduct thorough mainframe testing in a safe and realistic manner. Organisations that can flexibly apply and call upon resources in specialist testing areas like mainframes and red teaming present the most effective means of truly understanding the operational resiliency across their organisation. At NetSPI, we’re proud to have achieved CBEST accreditation, which underscores our commitment to delivering high-value penetration testing and red teaming services. Working with experienced professionals, especially across multiple disciplines, can provide valuable guidance and support in conducting comprehensive security assessments, interpreting regulatory requirements, and implementing effective cybersecurity measures across an organisation.

Ultimately, navigating security testing regulations across financial services demands a proactive and strategic stance. By adopting a proactive mindset towards compliance and cybersecurity, businesses can effectively mitigate risks, protect sensitive data, and maintain trust and confidence in the global financial markets. Embracing these frameworks as opportunities to enhance cybersecurity resilience can position businesses for long-term success in an increasingly digital world.

For more information on NetSPI’s proactive security capabilities, visit https://www.netspi.com/the-netspi-platform/.
