Cookie Notice

We use cookies to analyse site traffic and optimise your browsing experience. Accepting necessary cookies is required to provide you with a minimum level of service. Read Cookie Statement

Get In Touch
Contact Us

Contact Us

Please get in touch using the form below

1000 characters left
View our privacy policy
Experiencing a breach? Get emergency incident response assistance.

Overview

Testing the effectiveness of defences with a real-world attack simulation

Aware of his responsibility under the Financial Conduct Authority’s Senior Managers and Certification Regime (SM&CR) to protect against data security breaches, the CEO of an international trading organisation commissioned Redscan’s Red Team ethical hackers to perform a real-world attack simulation.

The three-month long, covert and exhaustive exercise revealed significant and fundamental information security risks. With this insight, the organisation was able to subsequently prioritise security projects and improve board-level confidence in its ability to avert and detect breaches.

Case Study
Industry
Finance
HQ
UK

The Challenge

Summary

  • High risk of cyber-attacks
  • Poor visibility of security effectiveness
  • Director liability for security breaches

The CEO and board of directors were fully aware of the damage a cyber-attack could inflict on both the organisation’s operations and reputation. Like most senior executives in their position, however, they felt that, although significant cyber security investments had been made, they still had no real visibility of the effectiveness of these defences and how their organisation would respond to a real-world attack.

Legislation from the Financial Conduct Authority (FCA) makes senior managers personally accountable for ensuring that regulatory requirements pertaining to IT security are met in full. With this also in mind, the CEO and board of directors decided to engage Redscan’s Red Team to test the effectiveness of the company’s cyber security controls and its ability to both detect and respond to malicious behaviour.

The Solution

Summary

  • Modern adversarial tactics
  • All IT defences tested
  • Real-world conditions

For this engagement, Redscan’s Red Team utilised modern adversarial tactics to emulate advanced threat actor activities within the organisation’s network environment. The project involved testing all facets of the financial company’s IT defences.

To ensure the engagement was conducted as realistically as possible, Redscan received no internal information or access to the client’s business. All knowledge was obtained leveraging open source threat intelligence gathering techniques to identify valuable information that was available within the public domain. The engagement was also carried out over a period of three months to ensure it replicated the stealthy approach adopted by real-world attackers.

The Benefits

Comprehensive reporting
At the end of the agreed simulated attack period, Redscan’s Red Team delivered a comprehensive report for the CEO and board of directors, highlighting all of the information security issues detected and ranking them according to the level of risk to the business.
Remediation guidance
In each case, the Red Team provided clear guidance on how to mitigate the risk, recommending specific solutions, policies or training courses as appropriate. Consequently, the business is now putting in place new measures to better protect its data, employees and customers.
Identified: phishing exposure
Our Red Team identified a particular exposure to phishing attacks, which could be used to acquire remote log-in credentials for IT systems and access to client transactional data.
Identified: access permission failures
Failures in the company’s access permissions were identified, which could be exploited to disrupt multi-million dollar trading transactions.
Identified: IDS configuration issues
Configuration issues in intrusion detection systems and a large number of false alerts meant that the company was unable to detect Redscan’s deliberately “noisy” attempts to break in.
Identified: training failures
Weak passwords were being used by many employees, demonstrating gaps in user education and training.
High value service
In reviewing the findings of the Red Team, the company was quick to recognise the high value delivered by the engagement. It is less likely to face the potentially huge cost of remedying a major security breach and can also avoid fines and penalties from the FCA.
Identified: lack of monitoring
With no active monitoring of the internal network, once the Red Team had successfully infiltrated there was no likelihood of discovery.
Improved awareness
The CEO and board members now have a far more enlightened view of cyber security weaknesses across the business and can better meet their information security obligations. They can provide documentary evidence that information security is of high priority; that they are aware of the risks; and that they are taking the appropriate action to mitigate them.
Identified: inadequate incident response
Inadequate responses to suspicious incidents.