3 June, 2020
Top 3 Red Teaming Frameworks (TIBER, AASE, CBEST)
Red team exercises test your internal team’s ability to respond, as well as the resilience of your IT systems, against realistic cyber attacks. Although such exercises are simulated, they closely resemble how an actual cyber attack would unfold. In the last article, we explained red team exercises in detail and how they help strengthen your organization’s incident response process. Continuing on the topic, this article describes three popular red teaming frameworks.
What is a red teaming framework?
Just like any other cybersecurity framework, a red teaming framework prescribes a set of tried and tested standard processes and procedures that organizations should follow. A red teaming framework typically covers the following components:
- Defining the scope of a red teaming exercise and risk tolerance level of the organization
- Gathering threat intelligence data
- Conducting red team exercises
- Analyzing results and preparing a remediation plan
- Presentation before the senior management/board
Red teaming frameworks can be prescribed by a government or regulatory authority, a well-known industry body, or a non-profit organization. Whether following a particular red teaming framework is mandatory depends on the industry an organization operates in and the authority that has prescribed the framework. Some of the well-known red teaming frameworks include:
- TIBER-EU (Threat Intelligence-Based Ethical Red Teaming Framework – European Union)
- UK’s CBEST
- Hong Kong’s iCAST (Intelligence-led Cyber Attack Simulation Testing)
- Saudi Arabia’s FEER (Financial Entities Ethical Red Teaming)
- Singapore’s AASE (Adversarial Attack Simulation Exercises)
- NATO’s framework
- MITRE’s ATT&CK framework
In this article, we focus on TIBER-EU, AASE, and CBEST.
Threat Intelligence-Based Ethical Red Teaming Framework (TIBER-EU)
De Nederlandsche Bank (DNB) implemented the TIBER-NL program in June 2016. In May 2018, the European Central Bank’s Governing Council decided to adopt this framework for financial institutions across the European Union as TIBER-EU. The framework helps an organization assess its protection, detection, and response capabilities. It mimics tactics, techniques, and procedures (TTPs) derived from threat intelligence (TI) to simulate an attack on critical functions and their underlying systems, where the underlying systems consist of people, processes, and technologies.
It aims to achieve the following core objectives:
- To enhance the cyber resilience of organizations, specifically those in the financial sector
- To standardize and harmonize how organizations perform red-teaming exercises across the EU with a degree of flexibility to incorporate business-specific requirements
- To provide guidance for authorizing, establishing, implementing, and managing this form of testing at the national or European level
- To support cross-border and cross-jurisdictional TI-based red team testing for MNCs
- To enable oversight for authorities seeking to rely on each other’s assessments carried out using the framework
- To provide a standard for cross-authority and cross-border collaboration, result sharing, and analysis.
Adversarial Attack Simulation Exercise (AASE)
Issued in late 2018 by the Association of Banks in Singapore (ABS), AASE is designed to challenge the cybersecurity defences implemented by financial institutions. Similar to TIBER-EU, this framework targets people, processes, and technology with the clear intention of compromising an organization’s critical functions. It is meant to complement an organization’s other security practices as its cybersecurity maturity grows. The primary goal of red teaming exercises conducted under this framework is to detect weaknesses that standard vulnerability assessment and penetration testing exercises might not have identified. Some of the key features of AASE include:
- It outlines the activities to be conducted according to organizational maturity.
- It lays down how exercise goals should be defined, how secrecy should be maintained, and how critical functions should be targeted.
- It suggests a four-phase methodology consisting of Planning, Attack Preparation, Attack Execution, and Exercise Closure.
CBEST
CBEST promotes a TI-based penetration testing approach that replicates the actions of real cyber attacks against an organization’s technology assets and critical functions. Collaboration, evidence, and improvement lie at the heart of the CBEST framework. Published in 2016 by the Bank of England in close association with CREST, the framework proposes a non-informed, outside-in, covert penetration test for financial institutions. The financial institution establishes a Control Group comprising a select number of individuals, generally the owners of the systems within the scope of the CBEST exercise.
A financial institution cannot proceed with an exercise before all the required legal contracts are in place. These contracts are essential for both the financial institution and the red team so that the provisions of the Computer Misuse Act are not violated.
Applicable laws and jurisdictional factors drive the choice of a red teaming framework. Beyond that, as a decision-maker or security professional, you should answer the following questions before adopting a particular red teaming framework:
- Is the framework within the scope of applicable laws?
- Is the framework capable of allowing a red team to prepare for and execute a realistic cyber-attack?
- Does the framework have a well-defined systematic procedure for facilitating a red team exercise?