Overview
Testing the effectiveness of defences with a real-world attack simulation
Aware of his responsibility under the Financial Conduct Authority’s Senior Managers and Certification Regime (SM&CR) to protect against data security breaches, the CEO of an international trading organisation commissioned Redscan’s Red Team ethical hackers to perform a real-world attack simulation.
The three-month-long, covert and exhaustive exercise revealed significant and fundamental information security risks. With this insight, the organisation was subsequently able to prioritise security projects and improve board-level confidence in its ability to avert and detect breaches.
The Challenge
Summary
- High risk of cyber-attacks
- Poor visibility of security effectiveness
- Director liability for security breaches
The CEO and board of directors were fully aware of the damage a cyber-attack could inflict on both the organisation’s operations and its reputation. Like most senior executives in their position, however, they felt that, although significant cyber security investments had been made, they still had no real visibility of how effective these defences were or of how their organisation would respond to a real-world attack.
Legislation from the Financial Conduct Authority (FCA) makes senior managers personally accountable for ensuring that regulatory requirements pertaining to IT security are met in full. With this also in mind, the CEO and board of directors decided to engage Redscan’s Red Team to test the effectiveness of the company’s cyber security controls and its ability to both detect and respond to malicious behaviour.
The Solution
Summary
- Modern adversarial tactics
- All IT defences tested
- Real-world conditions
For this engagement, Redscan’s Red Team utilised modern adversarial tactics to emulate advanced threat actor activities within the organisation’s network environment. The project involved testing all facets of the financial company’s IT defences.
To ensure the engagement was conducted as realistically as possible, Redscan received no internal information about, or access to, the client’s business. All knowledge was obtained by using open source threat intelligence gathering techniques to identify valuable information that was available within the public domain. The engagement was also carried out over a period of three months to ensure it replicated the stealthy approach adopted by real-world attackers.