Tried, Tested and Proven

CBESTcrest star

Portcullis is able to undertake CBEST tests for the financial service industry

Portcullis is proud to have worked with CREST, the Bank of England, Her Majesty’s Treasury and the Financial Conduct Authority to develop the new CBEST penetration testing standard. This standard has been formed to address the needs of major financial institutions that require more stringent security testing than can be delivered through traditional assurance services. As such, CBEST currently represents the top tier of services within the penetration testing industry, sitting above the normal CHECK and CREST IT Health Check Services.

The key benefits of CBEST are:

  • An agreed approach to testing high value systems. Historically the fear of system downtime made it challenging to test critical systems, which is counter productive because these systems are considered to be essential for a reason and, as such, are likely to be targeted. Under the scheme there are provisions to better balance operational and security risks in order to facilitate testing.
  • A move to break the constraints of typical assurance projects, which are often focused around particular systems rather than specific threats. By taking a more scenario based approach to testing, the aim is to replicate real-world attacks in order to better understand the current security posture relative to sophisticated, persistent threats.
  • To ensure that the right types of scenarios are reviewed. Membership of this standard provides access to current intelligence regarding the latest attacks, to ensure that testing matches the current threat landscape.


Real World Attacks, with focused outcomes…

The world of security assessments has changed. Portcullis’ penetration testing services are primarily adaptations of real-world attack techniques. When these were originally introduced in the 1990s, they focused on flaws in designs, poor practice and technical vulnerabilities. Today the threat landscape looks very different and attacks have evolved as attackers have increasingly recognised that people are often the weakest links in an organisation’s security. This shift means that, rather than probe the perimeters and systems, initial efforts are focused on the users in order to gain a foothold.

As these threats to organisations grow, become more prevalent and more sophisticated, it has become imperative that organisations have a sound understanding of how effective their defences truly are.

Portcullis offers a red-team testing service called RedIntel which provides cyber-attack scenarios using real-world tactics, techniques and procedures. RedIntel utilises threat intelligence to gain an understanding of the actual threats, techniques and campaigns used against specific organisations or business sectors to create a bespoke, targeted attack scenario. This scenario is then executed in order to test the effectiveness of technical defences, response procedures and staff awareness.

The Portcullis RedIntel Team has developed an extensive arsenal of attack tools for use in red team attacks. These are designed to both mimic real-world cyber-attackers and to ensure extensive testing of organisations response capabilities and standards of preparation.

Portcullis’ RedIntel Service has also achieved CREST Simulated Target Attack & Response (STAR) certification in order to deliver testing services to the CBEST standard.