Testing the effectiveness of defences with a real-world attack simulation
Aware of his responsibility under the Financial Conduct Authority's Senior Managers and Certification Regime (SM&CR) to protect against data security breaches, the CEO of an international trading organisation commissioned Redscan’s Red Team ethical hackers to perform a real-world attack simulation.
The three-month long, covert and exhaustive exercise revealed significant and fundamental information security risks. With this insight, the organisation was able to subsequently prioritise security projects and improve board-level confidence in its ability to avert and detect breaches.
The CEO and board of directors were fully aware of the damage a cyber-attack could inflict to both the organisation’s operations and reputation. Like most senior executives in their position, however, they felt that, although significant cyber security investments had been made, they still had no real visibility of the effectiveness of these defences and how their organisation would respond to a real-world attack.
Legislation from the Financial Conduct Authority (FCA) makes senior managers personally accountable for ensuring that regulatory requirements pertaining to IT security are met in full. With this also in mind, the CEO and board of directors decided to engage Redscan’s Red Team to test the effectiveness of the company’s cyber security controls and its ability to both detect and respond to malicious behaviour.
For this engagement, Redscan’s Red Team utilised modern adversarial tactics to emulate advanced threat actor activities within the organisation’s network environment. The project involved testing all facets of the financial company’s IT defences.
To ensure the engagement was conducted as realistically as possible, Redscan received no internal information or access to the client’s business. All knowledge was obtained leveraging open source threat intelligence gathering techniques to identify valuable information that was available within the public domain. The engagement was also carried out over a period of three months to ensure it replicated the stealthy approach adopted by real-world attackers.
At the end of the agreed simulated attack period, Redscan’s Red Team delivered a comprehensive report for the CEO and board of directors, highlighting all of the information security issues detected and ranking them according to the level of risk to the business.
In each case, the Red Team provided clear guidance on how to mitigate the risk, recommending specific solutions, policies or training courses as appropriate. Consequently, the business is now putting in place new measures to better protect its data, employees and customers.
Identified: phishing exposure
Our Red Team identified a particular exposure to phishing attacks, which could be used to acquire remote log-in credentials for IT systems and access to client transactional data
Identified: access permission failures
Failures in the company’s access permissions were identified, which could be exploited to disrupt multi-million dollar trading transactions
Identified: IDS configuration issues
Configuration issues in intrusion detection systems and a large number of false alerts meant that the company was unable to detect Redscan’s deliberately “noisy” attempts to break-in
Identified: training failures
Weak passwords used by many employees, demonstrating gaps in user education and training
Identified: inadequate incident response
Inadequate responses to suspicious incidents
Identified: lack of monitoring
No active monitoring of the internal network, so once the Red Team had successfully infiltrated there was no likelihood of discovery
The CEO and board members now have a far more enlightened view of cyber security weaknesses across the business and can better meet their information security obligations. They can provide documentary evidence that information security is of high priority; that they are aware of the risks; and that they are taking the appropriate action to mitigate them.
High value service
In reviewing the findings of the Red Team, the company was quick to recognise the high-value delivered by the engagement. It is less likely to face the potentially huge cost of remedying a major security breach and can also avoid fines and penalties from the FCA.
What our customers say
“Redscan has given us a third party stamp of approval for our IT security and the reassurance to know we are as secure as possible.”
IT Manager, WMBA
"Redscan gave us the professional service and quick turnaround that we needed to meet our tight deadlines."
IT Manager, WMBA
"Our partnership with Redscan has been one of the most successful that we have ever undertaken"
IT Director, ICG
"Should I need any security testing again in the future, Redscan would be my first port of call!"
Project Analyst/Developer, STM Life
“We’ve established a successful partnership with Redscan – their market leading cyber security offering is strong and we’ve won some exciting projects together”