The best defence is a good offence | Cyber Risk | Deloitte Netherlands


The best defence is a good offence

Utilising threat intelligence based ethical red teaming (TIBER) to simulate your adversary

Cyber threat intelligence is processed information about the intent, opportunity, and capability of malicious actors. When mapped to an organisation’s business objectives and fused into traditional red teaming and ethical hacking, cyber threat intelligence greatly increases the effectiveness of these exercises.

By Gert-Jan Bruggink | March 20, 2019

Cyber threat intelligence

Cyber threat intelligence provides accurate and timely intelligence products that enables informed decisions to prioritise objectives and remediation efforts. It is now possible to simulate adversaries in realistic scenarios, combining research on what is happening right now with offensive creativity and cyber defence enablement. Based on these growing use cases, we anticipate continued adoption of cyber threat intelligence in multiple security services and drive business leaders to make informed decisions.

Applying cyber threat intelligence to red teaming and ethical hacking

When executed properly, red teaming can use cyber threat intelligence to emulate the tactics, techniques, and procedures (TTPs) of threat actors that are most likely to target a particular organisation. This enables them to make more effective and real-time risk-based decision making.

Recently Deloitte member firm have observed a shift in their clients’ thinking. Most frequent questions are: What adversaries are most likely to attack us? Have you discovered any significant security events in our industry? Are other industries observing similar intrusions? What will happen to us if we imitate these attacks in our environment?

Simply identifying security problems and explaining their significance is no longer sufficient. In order to ensure organisations are protecting themselves sufficiently, various regulatory frameworks have been developed with the aim of enhancing organisations’ ability to deliver controlled and adaptable intelligence-led cyber security tests that replicate the malicious behaviours of sophisticated threat actors which pose a threat to critical business assets. Some examples are European Central Bank’s and DNB Netherlands TIBER (Threat Intelligence Based Ethical Red Teaming) and Bank of England’s CBEST

Optimising Red Teaming activities with cyber threat intelligence

The overall purpose of intelligence-led exercises is to imitate attacker TTPs of real-world adversaries. Exercises are intended to test whether an organisation’s existing defensive measures and control systems are effective. They also test the maturity of response and remediation capabilities in light of an actual attack.
In order to determine whether to employ the concept of intelligence-led exercises, three questions come into play:

  1. Do we want to simulate actual adversaries or not?
    When preparing your next red teaming or ethical hacking exercise, make an informed decision on adopting the intelligence-led approach. Typically, when determining the scope, contractual considerations, roles and responsibilities, as well as threat intelligence and red teaming procurement, it is relatively easy to incorporate adversary simulation exercises into agreements.

    The added value of an adversary simulation with the intelligence-led approach, implicates test scenarios based on real events and known facts, and aims at challenging the red team. Non-intelligence-led exercises rely on very specifically derived and targeted scenarios that tend to fit strengths of a particular red team.
  2. Do we want to develop our threat scenarios more efficiently?
    Cyber threat intelligence speeds up identification of people, processes and technologies targeted by adversaries and assists with attack planning saving clients time. This results in development of realistic scenarios that can be carried out by the red team. 
  3. Do we want to report to our stakeholders on how would real-world adversaries target us and how far they could go?
    Evaluation of an intelligence-led exercise includes a replay of the scenarios between offensive and defensive teams and sometimes even executive teams. Defensive capabilities are assessed and applicable remediation activities are performed, in order to build more resilient and robust cyber defences. 

Why it is important to utilise relevant frameworks

Various standards have been issued over the years, to establish adequate cyber security baselines. However, little guidance has been available to organisations on how to effectively test business resilience to cyber threats. As a result, central banks and regulators have established new frameworks, such as TIBER  and CBEST, to build this resilience thinking into business critical systems. 

Using these frameworks to conduct cyber threat intelligence gathering and red teaming operations brings multiple benefits, including:

  • Access to consistent and advanced cyber threat intelligence, ethically and legally sourced;
  • Confidence of protection of information;
  • Realistic penetration tests that replicate sophisticated and topical attack campaigns;
  • Confidence in the methodology and processes utilised by the organisations conducting sophisticated, organised and sensitive tests;
  • Standard key performance indicators (KPIs) can be used to accurately assess the maturity of the organisation’s ability to protect from, detect, and respond to cyber attacks;
  • Utilisation of overlapping reference frameworks, such as MITRE ATT&CK, accommodate handover to defensive teams.
  • Finally; this approach is not catered towards the financial sector in particular. The frameworks are considered to be industry agnostic, allowing for adoption by various other industries. 

More information

Feel free to contact Gert-Jan Bruggink via the contact details below.

Did you find this useful?