Red Team Exercise Helps International Trade Organization Comply with FCA Cyber Security Mandates

Aware of his responsibility under the Financial Conduct Authority’s Senior Managers and Certification Regime to protect against data security breaches, the CEO of an international trading organization commissioned Kroll’s CREST-certified penetration testers to perform a real-world attack simulation.

The three-month-long, covert and exhaustive exercise revealed significant and fundamental information security risks. With this insight, the organization was able to prioritize security projects and improve board-level confidence in its ability to avert and detect breaches.

Overview

Industry
  • Finance

Challenges
  • At high risk of cyberattacks
  • Poor visibility of security effectiveness
  • Director liability for security breaches

Kroll Services
  • Penetration testing and red teaming

Impact
  • Comprehensive insight
  • Clear remediation guidance
  • Key risk areas identified

The Challenge

The CEO and board of directors were fully aware of the damage a cyberattack could inflict on the organization's operations and reputation. Like most senior executives in their position, however, they felt that, although significant cyber security investments had been made, they still had no real visibility of the effectiveness of these defences and how their organization would respond to a real-world attack.

Legislation from the Financial Conduct Authority (FCA) makes senior managers personally accountable for ensuring that regulatory requirements pertaining to IT security are met in full. With this also in mind, the CEO and board of directors decided to engage Kroll to test the effectiveness of the company’s cyber security controls and its ability to both detect and respond to malicious behaviour.

Kroll's Solution

For this engagement, Kroll’s experts used modern adversarial tactics to emulate advanced threat actor activities within the organization's network environment. The project involved testing all facets of the financial company’s IT defences.

To ensure the engagement was conducted as realistically as possible, Kroll received no internal information about, or access to, the client’s business. All knowledge was obtained using open-source intelligence (OSINT) gathering techniques to identify valuable information that was available in the public domain. The engagement was also carried out over a period of three months to ensure it replicated the stealthy approach adopted by real-world attackers.

The Impact

Comprehensive Reporting

At the end of the agreed simulated attack period, Kroll’s experts delivered a comprehensive report for the CEO and board of directors, highlighting the information security issues detected and ranking them according to the level of risk to the business.

Remediation Guidance

In each case, the Kroll team provided clear guidance on how to mitigate the risk, recommending specific solutions, policies or training courses as appropriate. Consequently, the business is now putting in place new measures to better protect its data, employees and customers.

Identified: Phishing Exposure

Kroll’s experts identified a particular exposure to phishing attacks, which could be used to acquire remote login credentials for IT systems and access to client transactional data.

Identified: Access Permission Failures

Kroll identified failures in the company’s access permissions, which could be exploited to disrupt multi-million-dollar trading transactions.

Identified: IDS Configuration Issues

Configuration issues in intrusion detection systems and a large number of false alerts meant that the company was unable to detect Kroll’s deliberately “noisy” attempts to break in.

Identified: Training Failures

Many employees were using weak passwords, demonstrating gaps in user education and training.

Identified: Lack of Monitoring

With no active monitoring of the internal network, once Kroll had successfully infiltrated the network there was no likelihood of discovery.

Identified: Inadequate Incident Response

Kroll found that the company’s responses to suspicious incidents were inadequate and engaged the firm’s information security and executive leadership in an incident response tabletop exercise to fine-tune their incident response plan.

High-value Service

In reviewing Kroll’s findings, the company was quick to recognize the high value delivered by the engagement. It is less likely to face the potentially huge cost of remedying a major security breach and can also avoid fines and penalties from the FCA.

Improved Awareness

The CEO and board members now have a far more enlightened view of cyber security weaknesses across the business and can better meet their information security obligations. They can provide documentary evidence that information security is of high priority, that they are aware of the risks, and that they are taking the appropriate action to mitigate them.
