ActiveBreach

Introducing STAR-FS

March, 2024

Last week, the Bank of England announced the introduction of a new regulatory framework, STAR-FS, to support the financial sector in its cyber resilience operations.

Over 4 years ago, I talked about why I think well-defined frameworks are a benefit for our industry, as they provide clear and structured guidance to both buyers and practitioners. This is particularly applicable to the subject of red teaming, where the question of “what is a red team?” remains stubbornly nuanced to this day. As such, it is important that there are clear guidelines about what is expected when we’re red teaming infrastructure that ultimately underpins the financial markets.

STAR-FS builds on the success of the Bank of England’s well-established CBEST framework by widening the scope of cyber resilience exercises to incorporate other institutions such as banks, building societies, insurers and other FCA regulated organisations.

Approach

The published implementation guide documents four key phases to a STAR-FS exercise:

  • The Initiation: the scoping process defined by the financial institution’s control group;
  • The Threat Intelligence Phase: the development of realistic threat scenarios to inform the penetration testing phase;
  • The Penetration Testing Phase: simulation of each of the threat scenarios through the execution of a red team operation;
  • Closure: SOC accreditation aligned to CREST’s SOC maturity models, and reflection on the exercise to assess the Detection and Response capabilities of the firm.

As an established and long-standing CBEST and STAR-FS provider that also performed the pilot for the scheme, MDSec is well-positioned to support firms looking to perform cyber resilience exercises such as STAR-FS.

"MDSec provided ClearBank a consistent, pragmatic and threat intelligence led approach while we piloted the STAR-FS Assessment. The findings provided by MDSec enabled us to fine tune our defences and drive security change within the organisation. MDSec provided support throughout the engagement, from the organisation of the test to the board/regulator closure meetings."

– Tom Knowles, Head of Security Operations, ClearBank

The Benefits

With the vast selection of vendors on offer in the offensive security space, it can be challenging for any organisation to procure a security assessment, particularly in an area such as red teaming where the nomenclature is so loosely defined.

Some of the key benefits of engaging with organisations accredited against known and documented frameworks include:

  • A consistent methodology and approach is used to deliver the engagement, and this methodology is typically also publicly published. This level of transparency provides buyers with confidence in what they are purchasing and ultimately avoids the need to second guess whether they are purchasing the red team they were looking for.
  • The use of consistent deliverables ensures that formal reports, which often have visibility at the highest levels of management, have the required content and meet the minimum standards of the framework.
  • In order to be accredited to provide services under the framework, vendors will typically need to provide certified staff with a minimum amount of experience, ensuring that buyers can be confident in the resources used to deliver their projects; this is of particular importance when considering the systemic criticality of the financial markets. In the case of STAR-FS, resources required to deliver engagements must hold the CREST Simulated Attack Manager and Specialist certifications, in addition to holding a minimum of 2250 hours financial services testing experience, corroborated with three references from the financial services sector.

To find out more about the STAR-FS framework, the implementation guide is available for review at the Bank of England’s website.

written by

MDSec Research
