The UK regulator has recently introduced the STAR-FS intelligence-led penetration testing scheme. While the STAR scheme has existed for some time, only recently have firms been accredited for its extension to financial services. As a CBEST accredited company with extensive experience in threat intelligence for these schemes, Orpheus was well placed to gain accreditation for STAR-FS.
STAR-FS is designed as an intelligence-led penetration test that is not led by the regulator. As a result, it is quicker and less costly than the CBEST scheme, which is required for the financial services companies most critical to UK infrastructure. Less involvement does not, however, indicate less interest: when the test is conducted by accredited suppliers, the findings can be presented back to the regulator if required. Undertaking a STAR-FS, either voluntarily or by request, is an indication of maturity in a company's cyber resilience and can provide several useful benefits.
One of the first steps in a STAR-FS is to identify the Critical Business Services (the things that the firm does) and the Key Systems (the technologies that enable them). Sometimes referred to as the "crown jewels", identifying these is an important step in any intelligence-led security testing exercise.
The accredited threat intelligence provider will then conduct a Threat Assessment to identify which threat actors may be interested in the in-scope Critical Business Services and Key Systems. They will combine this with research into the firm's potential attack surface, producing a targeting report. Starting any cyber security programme with threat intelligence is a sensible way to allocate resources and set priorities, and these reports benefit the organisation beyond the STAR-FS assessment itself.
These two deliverables and an assessment of likely threat actor goals are then combined to produce the scenarios, which detail feasible and testable attack paths that the penetration testing team uses as its plan in the next phase of the STAR-FS engagement. The group will agree compromise actions that would demonstrate that a threat actor could compromise the Critical Business Services, while stopping short of actually compromising the live systems.
Understanding which threat actors are relevant also brings knowledge of their goals. Linking this with the attack surface exposed around the Critical Business Services, the threat intelligence provider and the penetration test provider can decide what will count as compromise actions. These compromise actions, or flags to be captured, are the success indicators for the penetration test, and they are built into the scenarios the penetration testing company will work against.
An intelligence-led penetration test has significant advantages over a standard penetration test, which is why the regulators have developed these schemes. The intelligence provided and the scenarios developed from it make the testing more realistic than a generic penetration test, and more likely to uncover issues that are critical to improving a firm's cyber resilience than narrower compliance-based or application-focused tests.
Outside of regulatory compliance, these steps provide useful input to the organisation's cyber security strategy. Understanding who might attack you, how, and for what purpose has many benefits when allocating resources and developing mitigation strategies. Discovering whether these attacks would succeed allows organisations to close any vulnerabilities that have been uncovered or address any control gaps.
The regulatory benefits cannot be overstated. While the scheme is still in its early stages, the regulator is clear in its expectation that financial services companies take cyber resilience seriously. In developing the scheme it has also been clear on what it considers best practice and a requirement for firms in this industry. An appropriately developed test can be used to report back to the regulator if required.
To find out more about STAR-FS and Orpheus as an accredited supplier, please get in touch.