The Association of Banks in Singapore (ABS) has developed a set of cyber security assessment guidelines for the financial sector in Singapore, with the support of MAS.
The ‘Adversarial Attack Simulation Exercises (AASE) Guidelines’, or ‘Red Teaming’ guidelines, provide financial institutions (FIs) with best practices and guidance on planning and conducting Red Teaming exercises to enhance their security testing.
Red Teaming, in cyber-speak, refers to hiring a team of ethical hackers who take an adversarial approach, simulating cyber attacks as a real-world attacker would, in order to challenge an organisation’s systems and improve their effectiveness.
The AASE is designed to test the robustness of FIs’ cyber defences through a simulated cyber-attack using tactics, techniques and procedures that are commonly employed by threat actors. The exercise is conducted in the FI’s actual operating environment, allowing FIs to identify gaps in their people, processes and technologies in a safe and controlled manner.
One significant feature of AASE is the use of cyber threat intelligence to design realistic exercise scenarios that mirror actual threat actors and their actions to uncover vulnerabilities that may impact the FIs’ critical functions.
By simulating realistic attacks during the exercise and taking into consideration the relevant threat landscape and potential adversaries, defensive teams (ie the ‘Blue’ team) are also able to gain experience and hone their skills and confidence.
ABS director Mrs Ong–Ang Ai Boon said, “Cyber security attacks against financial institutions are evolving in scope, complexity and sophistication. FIs are already deploying layers of defensive measures, solutions and controls to reduce their exposure to attacks and improve their response readiness.
“We hope that the AASE guidelines will complement the FIs’ existing cybersecurity testing programmes and further strengthen their ability to assess the effectiveness of their cybersecurity measures to detect and respond to very sophisticated incidents.”
MAS chief cyber security officer Tan Yeow Seng said, “The AASE closely mimic the modus operandi of cyber criminals in targeting the actual operating environments of financial institutions. This makes it an effective way of assessing the cyber resilience of financial institutions. MAS welcomes the close partnership with the industry to co-create these guidelines to enhance the robustness of cybersecurity standards in the financial sector.”