Financial regulators will soon be hiring white-hat hackers to pressure-test the cybersecurity defences of banks and other financial services institutions by mimicking the tactics, techniques and procedures (TTPs) used by real-world adversaries.

The newly released Cyber Operational Resilience Intelligence-led Exercises (CORIE) framework has been created in hopes of helping financial-services firms identify potential weaknesses before they are affected by malicious attacks that could destabilise Australia’s financial system.

It has been prepared by the Council of Financial Regulators (CFR) – an umbrella group whose membership includes APRA, ASIC, the Treasury, and the Reserve Bank of Australia – and draws on real-world TTPs to evaluate how well organisations might withstand a flurry of targeted cyber attacks over a long period of time.

“Real-life adversaries such as state-sponsored attackers are neither constrained by scope nor time,” the report’s authors note, adding that the CORIE exercises “mimic adversaries through fewer traditional testing restrictions and longer time duration to fully exploit opportunities”.

The exercises – which are designed to run across three phases lasting up to six months – simulate the advanced persistent threat (APT) techniques that many attackers use to quietly prod company defences until something gives.

Once successful, attackers often slip, unseen, onto the victim network to collect data and compromise systems for what is often months.

Highly targeted

Financial-services firms are consistently among the most attacked targets in Australian business, with recent Office of the Australian Information Commissioner (OAIC) figures finding that finance companies accounted for 14 per cent of all reported data breaches in the first half of this year.

Aiming to proactively identify “systemic weaknesses” amongst financial-services firms, the cyber exercises will leverage a number of penetration-testing styles including Red Team (where white-hat hackers attack a target to expose its weaknesses); Purple Exercise, where attackers and defenders work together to expose weaknesses; and Gold Team table-top exercises, which evaluate company executives’ incident response management processes.

The guidelines lean heavily on threat intelligence and expect that red-teaming exercises will be conducted by outside contractors – who will be managed by CORIE Team Coordinators described only as “a small number of trusted personnel within the cyber security teams of the CFR members”.

Data from CORIE exercises will be aggregated, analysed, and used to better understand the exposure of key financial-services organisations.

Protecting critical financial infrastructure

The CORIE guidelines emerge as the federal government ramps up its attention to the financial-services industry as an element of Australia’s critical infrastructure, which has been supported by a new 2020 Cyber Security Strategy and $1.35b in cybersecurity investments this year.

The Department of Home Affairs-led Critical Infrastructure Centre recently concluded a consultation process around an exposure draft of the Security Legislation Amendment (Critical Infrastructure) Bill.

As initially proposed, the legislation would mandate protective and reporting activities forcing critical infrastructure operators to meet sector-specific requirements, maintain extensive risk-management programs, and report cyber incidents to ensure transparency.

“The increasingly interconnected nature of critical infrastructure exposes vulnerabilities that could result in significant consequences to our economy, security and sovereignty,” Minister for Home Affairs Peter Dutton said last month in releasing an exposure draft that drew more than 125 submissions from a range of industries.

“Industry will be important to the success of these reforms.”

The reform process should include rationalisation and clarification of responsibilities to avoid increasing compliance costs on businesses, Australian Financial Markets Association (AFMA) senior director of policy Damian Jeffree warned in a submission that called out the current “jumble of regulators using widely variant regulatory approaches”.