The Challenge
The CEO and board of directors were fully aware of the damage a cyberattack could inflict on the organization's operations and reputation. Like most senior executives in their position, however, they felt that, although significant cyber security investments had been made, they still had no real visibility of the effectiveness of these defences and how their organization would respond to a real-world attack.
Legislation from the Financial Conduct Authority (FCA) makes senior managers personally accountable for ensuring that regulatory requirements pertaining to IT security are met in full. With this also in mind, the CEO and board of directors decided to engage Kroll to test the effectiveness of the company’s cyber security controls and its ability to both detect and respond to malicious behaviour.
Kroll's Solution
For this engagement, Kroll’s experts used modern adversarial tactics to emulate advanced threat actor activities within the organization's network environment. The project involved testing all facets of the financial company’s IT defences.
To ensure the engagement was conducted as realistically as possible, Kroll received no internal information or access to the client’s business. All knowledge was obtained by leveraging open-source threat intelligence gathering techniques to identify valuable information that was available within the public domain. The engagement was also carried out over a period of three months to ensure it replicated the stealthy approach adopted by real-world attackers.
The Impact
Comprehensive Reporting
At the end of the agreed simulated attack period, Kroll’s experts delivered a comprehensive report for the CEO and board of directors, highlighting the information security issues detected and ranking them according to the level of risk to the business.
Remediation Guidance
In each case, the Kroll team provided clear guidance on how to mitigate the risk, recommending specific solutions, policies or training courses as appropriate. Consequently, the business is now putting in place new measures to better protect its data, employees and customers.
Identified: Phishing Exposure
Kroll’s experts identified a particular exposure to phishing attacks, which could be used to acquire remote login credentials for IT systems and access to client transactional data.
Identified: Access Permission Failures
Kroll identified failures in the company’s access permissions, which could be exploited to disrupt multi-million-dollar trading transactions.
Identified: IDS Configuration Issues
Configuration issues in intrusion detection systems and a large number of false alerts meant that the company was unable to detect Kroll’s deliberately “noisy” attempts to break in.
Identified: Training Failures
Many employees were using weak passwords, demonstrating gaps in user education and training.
Identified: Lack of Monitoring
With no active monitoring of the internal network, there was no likelihood of discovery once Kroll had successfully infiltrated it.
Identified: Inadequate Incident Response
Kroll found that the company’s responses to suspicious incidents were inadequate and engaged the firm’s information security and executive leadership in an incident response tabletop exercise to fine-tune their incident response plan.
High-value Service
In reviewing Kroll’s findings, the company was quick to recognize the high value delivered by the engagement. It is less likely to face the potentially huge cost of remedying a major security breach and can also avoid fines and penalties from the FCA.
Improved Awareness
The CEO and board members now have a far more enlightened view of cyber security weaknesses across the business and can better meet their information security obligations. They can provide documentary evidence that information security is of high priority, that they are aware of the risks, and that they are taking the appropriate action to mitigate them.