The Bank of England has formally launched CBEST, a new framework designed to help identify areas where the financial sector could be more vulnerable to sophisticated cyberattacks.
CBEST is part of the Bank of England's response to government recommendations to improve cyberattack response and prevention, the bank's executive director of resolution, Andrew Gracie, said in speech at the British Bankers' Association. "The idea of CBEST is to bring together the best available threat intelligence from government and accredited commercial data providers," tailor data to the business model and operations of individual firms, and deliver it in live tests within a controlled testing environment, Gracie explained.
CBEST uses the collective intelligence acquired from various databases to identify potential attackers to a particular financial institution; then replicates their techniques in order to test the extent to which they may be successful in penetrating existing defense systems. Upon completion of the test the financial institution's staff attend a workshop to discuss the findings. "The results should provide a direct readout on a firm's capability to withstand cyberattacks," Gracie said.
In addition it has developed new accreditation standards, the bank said, working with the Council for Registered Ethical Security Testers, a nonprofit that represents the technical information security industry, and Digital Shadows, a cyberintelligence company. The collaboration is the first to provide commercial cyber intelligence accreditation standards and enforceable codes of conduct.
CBEST documents support these standards. The framework offers financial institutions access to: Cyberthreat intelligence data that comply with certain ethical and legal standards; feedback from analysts who have a detailed understanding of the financial services sector; sophisticated tests that are based on current cyberthreat intelligence; performance indicators that assess a firm's ability to detect and respond to cyberattacks; and benchmark financial services industry information.
These features are designed to measure a firm's vulnerability using "real threat intelligence," the company said in a press release. In time CBEST is expected to help the industry at large broaden its understanding of cyberattacks, learn what sectors are more vulnerable and how effectively detect threats and recover.