15 November 2019

BIS: Varying shades of red: how red team testing frameworks can enhance the cyber resilience of financial institutions

The paper aims to give financial sector authorities a deeper understanding of the different existing approaches that authorities have pursued in establishing red team testing frameworks. Red team tests are useful to identify potential weaknesses in financial institutions' cyber protection.

The paper describes key components of a red team testing framework, compares existing frameworks, outlines the benefits and challenges of such frameworks, and highlights potential cross-border issues relating to red team testing.

In general, a red team test can be divided into four phases: reconnaissance; getting into the institution; getting through its systems; and getting out with the captured “flags” as defined in the scenarios. Red teams can use either a methodology with a clear sequence of events in a cyber attack life cycle, or one that focuses on techniques from the different tactics deployed by threat actors and jumps from one point in the attack life cycle to another depending on the situation. In terms of scope, a red team test typically covers the entire financial institution involving different teams, potentially including external threat intelligence and test providers. The test is conducted without the knowledge of those responsible for protecting the institutions from cyber attacks.

Most of the surveyed jurisdictions have established red team testing frameworks with a number of common elements. The frameworks generally involve the following steps: defining the scope and risk management controls for the test; procuring threat intelligence and red team providers; gathering threat intelligence; conducting the actual test; analysing the test outcomes; putting in place a remediation plan; and sharing the lessons learned with stakeholders. The frameworks apply typically to large or critical financial institutions, but authorities may have discretion to include other financial institutions. The frameworks, however, differ in terms of whether threat intelligence and red team test providers must be external to the financial institution, accredited and formally assessed.

An effective red team test is characterised by both firms and authorities being open about the results, learning from the weaknesses exposed and taking appropriate remedial actions. Unlike other risk assessment exercises, a successful red team test is not determined by whether a firm “passes” or “fails” the test. To truly benefit from red team testing, focusing on implementation of remediation measures after the test provides more value than just focusing on the test outcomes as evidence of weaknesses in the institution’s cyber practices.

Full press release on BIS

Full paper on BIS

© BIS - Bank for International Settlements
