Cyber-attacks against Australian financial institutions are constantly rising in frequency and sophistication. A successful attack would likely result in financial and reputational damage and a worst-case scenario would impact the stability of Australian financial markets and systems. As such, cyber risk is continuously classified as a top risk for Australian financial institutions as well as being a key risk on the Council of Financial Regulators (CFR) risk register.
To ensure readiness and resilience against such cyber-attacks, the Cyber Operational Resilience Intel-led Exercises (CORIE) framework was released by the CFR. It aims to manage and mitigate the risk by testing and demonstrating the cyber resilience of institutions within the Australian financial services industry by utilising targeted threat intelligence to build goal-focused Red Team scenarios. Several overseas banks and financial institutions have already formed similar schemes to determine their maturity and readiness for cyber-attacks, including CBEST, Threat Intelligence-Based Ethical Red-Teaming (TIBER), intelligence-led Cyber Attack Simulation (iCAST), and the Adversarial Attack Simulation Exercise (AASE).
To ensure comprehensive coverage and to achieve its objectives, the CORIE pilot program consists of the following exercises:
- Threat Intelligence
- Adversary Attack Simulation (Red Team)
- Replay Adversary Attack Simulation (Purple Exercise)
- Table Top Crisis Simulation (Gold Team Exercise).
As the Red Team is the only exercise that requires an external provider, this article will primarily focus on this aspect and by extension the Testing Phase of CORIE.
The framework was created with the intent to use objective-based Red Team scenarios, and to simulate realistic adversary tactics, techniques and procedures (TTPs) while measuring a financial institution’s capability to detect and respond to real-world attacks. This would ensure that financial institutions utilise a proactive approach against the constantly changing and evolving landscape of real-life cyber-attacks, such as those launched by state-sponsored attackers.
To accurately mimic attackers that are not restricted by either time or scope, CORIE exercises are meant to complement traditional security assessments, such as penetration and vulnerability assessments, by introducing a framework with fewer restrictions and longer time durations to comprehensively cover and exploit any vulnerabilities and explore other potential attack vectors.
The exercises must be conducted by independent providers to offer an unbiased perspective, followed by a report on completion which is presented to the CFR highlighting any vulnerabilities and weaknesses that may present a risk to Australian financial institutions.
Red Teams and CORIE
As mentioned, the objective of the CORIE pilot program is to assess the resilience of financial institutions against cyber-attacks while providing data of systematic weaknesses and remediation steps to applicable Australian Regulators and financial institutions.
The Red Team or Adversary Attack Simulation Exercise should specifically assess the end-to-end maturity of cyber defences as they relate to people, processes and technology within a financial institution. A financial institution’s capability to prevent, detect and respond to cyber-attacks should also be evaluated.
The timeframe for a Threat Intelligence-Led Adversary Attack Simulation should last between 22 and 32 weeks, based on a risk assessment conducted by the financial institution, with the simulation consisting of the following six (6) stages performed across three (3) phases:
Engagement and scoping
Provider requirements and the Test Phase
Unlike the Purple and Gold Exercises, which can be delivered by an external provider or an internal resource, the Red Team exercise can only be completed by an external provider. Providers must meet minimum standards and may participate in the pilot program as a Threat Intelligence and/or Red Team provider.
The task of a Threat Intelligence provider is to gather intelligence on adversaries that are targeting Australian financial institutions. As such, when engaged by a financial institution, the Threat Intelligence provider must ensure that it can identify primary adversaries and their modus operandi. All threat intelligence must be gathered in a legal and ethical manner. The Threat Intelligence team should consist of at least one Threat Intelligence Lead and one Threat Intelligence Analyst.
The Red Team should be capable of performing management, OSINT, reconnaissance, surveillance, cyber-attack simulation, social engineering, physical breach and reporting during the engagement. At a minimum the Red Team should consist of a Red Team Lead, a Red Team Specialist, and an Exploit Development Specialist. The Red Team Specialist can also fill the role of Exploit Development Specialist.
CORIE Testing Phase outcomes
At the conclusion of the Testing Phase the results are evaluated in the Closure Phase. As part of the Purple Exercise, a Replay Adversary Attack Simulation is conducted. This simulation is used to ensure the target institution’s defences are improved through systematically replaying simulated adversary TTPs in addition to exchanging knowledge between the offensive and defensive teams.
Finally, the Table Top Crisis Simulation (Gold Team Exercise) is used to assess the financial institution’s executives on security incident management and/or crisis management response and processes.
As targeted cyber-attacks against financial institutions are more prevalent than ever, the importance of comprehensive security testing also increases. The CORIE framework offers an end-to-end methodology that mimics adversary TTPs while ensuring that teams performing assessments meet the highest standards.
The Triskele Labs Red Team is fully certified to perform CORIE engagements, threat intelligence inclusive, with diverse specialties and plenty of financial sector experience.