Red leader standing by: “red hat” hackers testing your cyber resilience

In our November article ‘Ransom Attacks. Be Prepared’ we wrote on the importance of having your IT systems in the best shape reasonably possible to resist or identify at an early stage, a ransomware attack.

Further to this, on Tuesday this week the Council of Financial Regulators (CFR) released its Cyber Operational Resilience Intelligence-led Exercises (CORIE) framework – click here to access a copy of the 67 page framework.

CORIE is a pilot program of exercises that aim to assess a financial institution’s (FI) cyber resilience. It has the following objectives:

• provide data and information to inform relevant Australian Regulators (such as the Australian Prudential Regulation Authority, Australian Securities Investments Commission, and Reserve Bank of Australia), of systemic weaknesses that may present a risk to the integrity of the Australian financial markets and financial system; and
• assess FI’s resilience to known adversaries targeting the FI.¹

The most interesting of the exercises is the Threat Intelligence-led Adversary Attack Simulation, otherwise known as the Red Team exercise.  Essentially, an independent Red Team Provider or ‘red hat hacker’ simulates a real life attack scenario by using a range of techniques such as phishing, spear phishing, or watering holes etc. to gain access to a FI’s internal network through their staff. Once access is gained, the Provider will attempt to compromise the system, most often by making payments etc.²

The Red Team Exercise comprises the following stages:

1. Preparation phase – engagement and scoping, and procurement;
2. Test phase - attack preparation (Threat intelligence) and attack execution (Red Team); and
3. Closure Phase – reporting and remediation planning, and replay attacks.³

As CORIE notes in its introduction:

Cyber operational resilience requires that people, processes and information systems adapt to the ever-evolving threat landscape. To maintain the ability of financial institutions to avoid significant financial loss and worst-case scenarios, cyber operational resilience must be proactive and not reactive.⁴

The results of the exercises will go into a report that will set out the systemic weaknesses in Australian FI’s cyber resilience, and areas that will require improvement.

Lavan comment

When it comes to a data breach, time is of the essence. No organisation is free from the risk of an attack - the CORIE framework emphasises that being reactive is no longer enough.

The consequences of an attack for an organisation can be significant – reputational loss and damage, mandatory data breach reporting obligations and a shut-down in normal business operations are only a fraction of the potential aftershocks of an attack.

In light of this, it is essential that your organisation is prepared for an attack, and has an appropriate and well considered action plan in place that employees are both aware of, and trained in. Being reactive is no longer enough, indeed, being proactive is the new minimum standard. Red Team Exercises can be valuable in testing your systems and plans and enabling you to address weaknesses.

If you have any questions in relation to this article, please do not hesitate to contact Iain Freeman or Lorraine Madden.