Cyberis Blog

Reassuringly clear thinking.

  • Penetration testing
  • Red teaming

Using penetration testing to achieve different assurance outcomes

Penetration testing can be used in many different ways to meet different goals, and there are several different types of penetration test. We're always trying to understand our customers' goals so that we can make sure we're applying the right methodology to your penetration test to achieve the outcomes you want.

  • Detect and respond
  • Red teaming

Using Red Teaming to validate the performance of an outsourced managed service provider

Red teaming can provide assurance within a wide range of business scenarios. One interesting scenario we explored recently with a customer, a firm within the education sector, involved a situation where they had outsourced detection of security incidents to an external MSSP. As a result of a governance audit, our customer needed to determine whether the detective and corrective capabilities of the managed security service and the associated internal technical controls functioned as expected across several less commonly seen compromise scenarios.

  • Attack surface discovery
  • Red teaming

Shadow IT and Technical Debt: The Adversary's Allies

Shadow IT increases your business' security risks and is invisible to you. It might not be covered on your asset lists, because your asset management lists are incomplete. It might have no assigned owner, either because it doesn't fit neatly into any business unit, or isn't related to any current operational priorities but hasn't been fully decommissioned yet. It might have been installed outside of usual processes, either without authorisation or because usual processes were overridden.

  • News
  • Red teaming

Cyberis Becomes CBEST Approved

Cyberis has announced that it is now an approved Penetration Testing provider under the Bank of England's (BoE) CBEST scheme. CBEST is a framework run by the Bank of England through the industry body CREST that delivers controlled, bespoke, intelligence-led cyber security tests to increase the resilience of financial services organisations against cyber attacks. Regulators such as the Prudential Regulation Authority (PRA) and the Financial Conduct Authority (FCA) have integrated the CBEST security assessment framework into their supervisory strategies.

  • Red teaming

The human cost of social engineering

In the security industry, we will often talk about people being the weak link. We spend our time outlining the ways that people will fail, or be fooled, or will be tricked. Of course it’s important that we, and our customers, understand the fallibility of people in any security assumptions we make. On the other hand, we also have a moral and ethical obligation to look after the very people we are targeting, and to avoid causing undue distress. “Social engineering” is a bloodless, sterile term. We call it “social engineering” because it covers a lot of different bases, and it sounds more professional than the alternative – “lying to people”, “abusing trust”, “betraying relationships”. These are tactics that adversaries use mercilessly and without consideration for the impact on the victims. If we are to accurately simulate the attack chain and the activities of adversaries, then we need to adopt these tactics as well.

  • News
  • Red teaming

Cyberis Achieves CREST STAR-FS Accreditation

Cyberis has become one of the first cyber security companies to receive accreditation under the CREST STAR-FS framework to deliver intelligence-led penetration testing for the financial sector. The Simulated Target Attack and Response (STAR) scheme has been developed by CREST to meet the needs of regulators to better understand the current cyber security posture of regulated financial services companies and to identify where improvements in security arrangements need to be applied.

  • Red teaming
  • Tools and techniques

Attacking Big Business

Reputational filtering typically blocks websites known to be malicious, performs antivirus scanning of all traffic and, crucially for us when performing a simulated attack, warns end users when they visit "non-categorised" sites. Any URLs and domains used as part of an attack now require user interaction in a web browser. This effectively rules out using newly stood-up infrastructure at both the delivery and exfiltration stages of an attack, as these activities are performed without the victim's knowledge. The only options left to the attacker are to "build" reputation over time or, alternatively, to cheat the system.
