Regulatory Compliance Testing Services

Created by the Bank of England and supported by CREST, CBEST testing assessments make significant use of Cyber Threat Intelligence, deliver sophisticated Red Team style assessments and provide incident response maturity assessments.

CBEST engagements are unique when compared to many other types of assessments because they can only be instigated by the Bank of England. The Bank of England is involved in the scoping of the assessments and determines which types of assets and systems comprise the test scope. The threat intelligence used to determine the testing approaches is augmented by GCHQ.

CBEST requires organisations to commission a threat intelligence gathering exercise by a CBEST-approved threat intelligence provider. This exercise:

• Reviews geopolitical threats
• Reviews tactics, techniques and procedures (TTPs) of threat actors known to be targeting similar types of organisations.
• Reviews open-source intelligence relating to your organisation.
• Gathers and reviews closed-source intelligence relevant to your organisation.
• Creates a series of scenarios that reflect real-world threats.
• Includes TTPs to be simulated, goals to be executed and targets to be pursued.

LRQA is one of only a handful of CBEST-approved service providers to be accredited by both CREST and the Bank of England as CBEST Penetration Testing providers and CBEST Threat Intelligence providers. We have extensive experience with CBEST testing and a full team of CBEST-certified individuals who hold CREST CCSAS, CCSAM and CCTIM certifications.

We have also developed our state-of-the-art custom tooling to mimic sophisticated threat actors that are known to be prevalent within the financial services sector. This toolset is unique within the industry and is one of the reasons why LRQA’s team has been highly successful in supporting organisations’ intelligence-led assurance strategies.

STAR-FS assessments are similar to CBEST engagements as they both leverage the concepts of Red Teaming and utilise threat intelligence to simulate the tactics, techniques and procedures of threat actors against financial institutions. However, STAR-FS assessments are designed to allow for a lighter or optional involvement of the Regulator.

STAR-FS requires organisations to commission Threat Intelligence Services from a STAR-FS-approved Threat Intelligence provider. Several threat scenarios are defined and then utilised by an Intelligence-led Penetration Testing team to simulate real-world attacks.

STAR-FS engagements must be structured in four main components:

Initiation: to define the scope and select the providers for the subsequent components. LRQA will ensure a dedicated project manager oversees every part of the engagement and a full RACI model will be put in place for all stakeholders. Communications, escalations, risk management and debriefs/reporting needs will be fully discussed and agreed upon.

Threat intelligence exercise: to develop threat scenarios and agree on a plan to be handed over to the penetration testing service provider. The experience gathered on CBEST engagements allows us to identify real-world scenarios to help organisations identify and understand where gaps are.

Penetration testing: Our threat intelligence-led Penetration Testing services are delivered with the support of state-of-the-art custom tooling to simulate sophisticated threat actors that are known to be prevalent within the Financial Services Sector.

Reporting: Our reports have been designed to inform both senior stakeholders and technical teams within engineering, operations and the detect and response functions. Remediation guidance, regulator debriefs and executive debriefs are delivered with pragmatic advice in a collaborative and supportive manner.

LRQA is accredited by CREST to deliver Threat Intelligence Led Penetration Testing for Financial Services under the STAR-FS scheme. We have a full team of CBEST-certified individuals who hold CREST CCSAS, CCSAM and CCTIM certifications. When we engage in threat intelligence-led services, we can deliver a true reflection of the types of TTPs that threat groups are known to be leveraging.

iCAST is an intelligence-led framework, introduced by the Hong Kong Monetary Authority (HKMA). It is an innovative regulatory requirement that does not just rely on a strategy that is focused on Penetration Testing alone. The focus of the iCast framework is to deliver a threat intelligence-based scenario test, with the testing element focusing on Red Teaming. 

Threat Intelligence phase

This includes reviewing open-source intelligence relating to an organisation, defining scenarios that reflect real work attack vectors, reviewing TTPs of likely threat actors and providing a list of actionable intelligence to confirm the right approach for the Red Team phase.

Reviewing and defining phase

We help you define the likely scenarios for the Red Teaming phase. The iCAST framework encourages organisations to define a list of key assets that are trying to protect and use the output of the threat intelligence to define what tactics and approaches should be used to carry out the attack phase of the assessment. During this phase, we will launch various attacks such as phishing or insider threats to mimic real work threat actors.

Attack replay phase

We work closely with your Blue Team and re-create some of the scenarios to see how the defensive layer of your organisation was able to react to the testing phase.

The right approach to information security is critical to achieving GDPR compliance. For many organisations, this requires a significant revision of their security strategy and tactics as GDPR requires you to implement a risk-based framework. This framework includes the correct governance structure, policies and operational practices in addition to monitoring, detection and incident response.

LRQA can help you with GDPR compliance by providing:

• Gap assessments against the GDPR standards for information security and incident response practices, to produce a roadmap to compliance.
• Monitoring services to support the information security and incident response aspects of GDPR.

Threat Intelligence-based Ethical Red Teaming (TIBER-EU) is a framework launched by the European Central Bank (ECB) to deliver a controlled, bespoke, intelligence-led Red Team test of your critical live production systems.

LRQA provide all elements of the Threat Intelligence and Red Team testing requirements. Our cyber security threat intelligence capabilities allow us to execute broad, intelligence-based targeting exercises, of the kind typically undertaken by real-world threat actors as they prepare for their attack.

Our objective is to draw a picture of the target organisation, through the lens of an attacker. This approach allows us to design and deliver testing scenarios for a TIBER test. Our experts not only shape the tests through the production of the key TIBER intelligence documents but also provide added value to your organisation by reducing uncertainty while aiding in identifying threats and opportunities that will reduce the risk of a real attack.

Canada’s Office of the Superintendent of Financial Institutions (OSFI) created the Intelligence-led Cyber Resilience Testing (I-CRT) framework to simulate relevant real-world threats. The framework assesses cyber resilience, using independent suppliers, to help systemically important and internationally active insurance groups identify areas where they could be vulnerable to cyber-attacks.

Our I-CRT service has been developed to provide insight and assurance through the simulation of real-world threat actors using known TTPs to assess and enhance your organisation’s security posture.

I-CRT requires organisations to commission a Threat Intelligence Service Provider to conduct a threat intelligence gathering exercise. We are an approved Threat Intelligence provider across regulatory frameworks and can deliver the following:

• Intelligence on geo-political threats known to be operating in the sector and sub-sector
• TTPs of threat actors known to be targeting similar types of organisations
• Open Source Intelligence (OSINT) relating to your organisation
• Closed source intelligence relevant to your organisation