What are Red-Team exercises under the CBK Guidance notes on Cybersecurity?


Kenya’s cyberspace is under constant attack. During the period April – June 2021, the Kenya Computer Incident Response Team – Coordination Centre (KE-CIRT/CC) detected 38,776,699 cyber threat events. This was a 37.27% increase from the 28,247,819 threat events detected in the previous period, January – March 2021.[1] Cyber threat actors continued to target banking and financial services using malicious software that spread spam emails embedded with malicious links and attachments. These were used to infect users’ systems and install keyloggers that enabled the threat actors to steal banking credentials.[2] The escalation in cyber threats against financial institutions can be proactively combated and mitigated through regular red-team activities.

The Central Bank of Kenya (CBK) has been cognizant of the increasingly precarious cyber environment. It issued a Guidance Note on Cybersecurity for the Kenyan banking sector in August 2017. The Guidance Note sets the minimum standards that banking institutions should adopt to develop effective cybersecurity governance and risk management frameworks.[3] It outlines 4 thematic areas of cybersecurity management critical to ensuring the safety and stability of the Kenyan banking sector:

  1. Governance involvement in cybersecurity – Generally outlines the responsibilities of the Board of Directors, Strategic Senior management and Chief Information Security Officer (CISO) in relation to cyber risks.

  2. Outsourcing considerations – Banks should ensure, prior to outsourcing tasks, that third-parties comply with legal and regulatory frameworks as well as the international best practices on cyber security.

  3. Training and awareness programs and activities – Financial institutions should provide IT security awareness training programmes to all employees. This includes technical training for cybersecurity specialists within the institution as well as cybersecurity awareness and information for the institution’s customers, clients, suppliers, partners, outsourced service providers and other third parties who have links to the bank’s IT infrastructure.

  4. Regular Independent Assessment and Testing – Defines the roles and responsibilities of the internal audit and risk management functions of banking institutions. Banking institutions should engage external consultants with sufficient cybersecurity expertise to assist in understanding their cyber threat landscape. The institutions should carry out an independent cyber threat test at least once a year.[4] Specified among the tasks of the risk management function is the need to conduct red team exercises.

What is a Red Team Exercise?

The Guidance Note defines a red team exercise as an all-out attempt to gain access to a system by any means necessary. It usually includes cyber penetration testing, physical breach, testing all phone lines for modem access, testing all wireless systems present for potential wireless access, and testing employees through several scripted social engineering and phishing tests. These are real-life exercises carried out by a team of external professionals hired to test the physical, cyber security and social defences of particular systems.[5]

An intelligence-led red team test involves the use of a variety of techniques to simulate an attack on an entity’s critical functions and underlying systems (i.e. its people, processes and technologies). It helps an entity to assess its protection, detection and response capabilities.[6] Aspects of red team tests include:

  • Application penetration testing — aiming to identify application layer flaws such as Cross-Site Request Forgery, Injection Flaws, Weak Session Management, and many more.

  • Network penetration testing — aiming to identify the network and system-level flaws including misconfigurations, wireless network vulnerabilities, rogue services, and more.

  • Physical penetration testing — understanding the strength and effectiveness of physical security controls through real-life exploitation.

  • Social engineering — aiming to exploit weaknesses in people and human nature, testing human susceptibility to deceitful persuasion and manipulation through email phishing, phone and text message, and physical and onsite pretexting.

  • All of the above — Red teaming is a full-scope, multi-layered attack simulation designed to measure how well your people, networks, applications, and physical security controls can withstand an attack from a real-life adversary.

All Red team activities are defined by the scope agreed between the red team and the bank, and a contract has to be in place between the parties. The scope may specify that only certain attack methodologies are to be used during the assessment, or may limit attacks to specified bank systems and infrastructure. The Guidance Note seemingly excludes unsolicited ethical hacking because of its potential to overwhelm a bank’s computer systems, which would unnecessarily divert the bank’s resources to mitigating cyber threats emanating from ethical and malicious hackers alike.

Red Team – Blue Team approach

Red teams simulate attacks against Blue teams to test the effectiveness of the network’s security. These Red and Blue team exercises provide a holistic security solution, ensuring strong defences while keeping evolving threats in view.[7]

A Blue team is defined as the group responsible for defending an enterprise’s use of information systems by maintaining its security posture against a group of mock attackers (i.e., the Red Team). Typically the Blue Team and its supporters must defend against real or simulated attacks:

  1. over a significant period of time;

  2. in a representative operational context (e.g., as part of an operational exercise); or

  3. according to rules established and monitored with the help of a neutral group refereeing the simulation or exercise (i.e., the White Team).[8]

The Guidance Note does not explicitly require institutions to adopt a complementary Red team – Blue team approach. However, Red team assessments provide a more objective reflection of a banking institution’s security posture when accompanied by the activities of a Blue team. The Blue team optimises the institution’s defence mechanisms in anticipation of a simulated attack from the Red team, consequently giving the institution an impartial reflection of its ability to manage and mitigate an all-out cyber offensive on its physical and virtual assets.

Common Blue team activities:[9]

  • Performing DNS (Domain Name System) research;

  • Conducting digital analysis to create a baseline of network activity and more easily spot unusual or suspicious activity;

  • Reviewing, configuring and monitoring security software throughout the environment;

  • Ensuring perimeter security methods, such as firewalls, antivirus and anti-malware software, are properly configured and up-to-date;

  • Employing least-privilege access, which means that the organization grants the lowest level of access possible to each user or device to help limit lateral movement across the network in the event of a breach; and

  • Leveraging microsegmentation, a security technique that involves dividing perimeters into small zones to maintain separate access to every part of the network.

Conclusion

Increased use of red team exercises, as envisioned under the CBK Guidance Note on Cybersecurity, will reduce the number and severity of cyber attacks experienced by institutions operating within the Kenyan banking sector. The multi-faceted nature of red-team assessments will better equip institutions to protect against, detect and respond effectively to the increasingly menacing and tumultuous financial cyber environment.

[1] National KE-CIRT/CC Cybersecurity Report April to June 2021, Page 4 – <https://ke-cirt.go.ke/wp-content/uploads/2021/08/Quarter-4-FY-2020_21-National-KE-CIRT_CC-Cybersecurity-Report-Public-Version.pdf> – Accessed on 13 August 2021.

[2] Ibid, Page 15.

[3] CBK Guidance Note on Cybersecurity, August 2017, Page 4 – <https://www.centralbank.go.ke/wp-content/uploads/2017/09/GUIDANCE-NOTE-ON-CYBERSECURITY-FOR-THE-BANKING-SECTOR.pdf> – Accessed on 12 August 2021.

[4] CBK Guidance Note on Cybersecurity, August 2017, Page 8 – <https://www.centralbank.go.ke/wp-content/uploads/2017/09/GUIDANCE-NOTE-ON-CYBERSECURITY-FOR-THE-BANKING-SECTOR.pdf> – Accessed on 12 August 2021.

[5] Ibid, Page 4.

[6] TIBER-EU Framework, May 2018, Page 2 – <https://www.ecb.europa.eu/pub/pdf/other/ecb.tiber_eu_framework.en.pdf> – Accessed on 13 August 2021.

[8] CNSSI 4009, Committee on National Security Systems (CNSS) Glossary, April 6 2015, Page 13 – <https://www.serdp-estcp.org/content/download/47576/453617/file/CNSSI%204009%20Glossary%202015.pdf> – Accessed on 13 August 2021.
