Skip to main content
Custom print
Download Original PDF

Appendix A – Requirements for Red Teaming Provider

No: 56224/67 Date(g): 13/5/2019 | Date(h): 9/9/1440 Status: In-Force

Effective from 2019-05-13 - May 12 2019
To view other versions open the versions tab on the right

The following requirements should be considered when selecting and procuring a Red Teaming Provider. 
 
Proven Red Teaming Experience and References
1.The Red Teaming Provider should be able to show evidence of a solid reputation, history and business / professional ethics (e.g. a good business history, good feedback from both clients and providers, a reliable financial record and a strong history of performance);
 
2.The number of credentials and references (i.e. large organizations) of successfully executed red teaming tests;
 
3.The Red Teaming Provider should be able to show independent feedback on the quality of work performed and conduct of staff involved (internal accreditation);
 
4.The Red Teaming Provider should be able to provide (anonymized) reports of earlier tests, preferably in the same or similar field of work and similar tests;
 
5.The Red Teaming Provider should be able to demonstrate exploits or vulnerabilities found in other similar environments;
 
6.The Red Teaming Provider should demonstrate and proof the certification and experience of the staff involved in the red teaming test(s) - see table below for more details;
 
7.The Red Teaming Provider should have taken part in specialized industry events (such as those run by BlackHat or RSA Conference etc.) - this is optional but should be considered as an additional reference and experience.
 
Clearly defined and proven Red Teaming approach and methodology, process, governance, quality assurance and risk management
1.The Red Teaming Provider should have a clearly defined process in place for red teaming tests and the related operations; these should describe the activities regarding: the preparation, scenario development, execution and lessons learned phases activities and requirements;
 
2.Key element in Red Teaming Provider's approach should be the learning experience for the Blue Team and feedback session to improve the knowledge of the involved staff and departments and to mature the cyber security detection, response and recover processes and control measures and where required the prevention measures (e.g. security hardening);
 
3.The Red Teaming Provider should be able to assist in creating and maintaining a knowledge base so that known weaknesses and lessons learned can be shared and improved within the Financial Sector;
 
4.The Red Teaming Provider should have a verifiable quality assurance and escalation structure in place for their red teaming operations;
 
5.All activities from the Red Teaming Provider should be reproducible (e.g. logging all activities);
 
6.The Red Teaming Provider should adhere to a formal code of conduct overseen by an internal/external party;
 
7.The Red Teaming Provider should be able to proof that it provides high quality services, including the methodologies, tools, techniques and sources of information that will be used as part of the red teaming and testing process;
 
8.The Red Teaming Provider should be able to proof that results of tests are generated, reported, stored, communicated and destroyed in a way that does not put a Member Organization at risk;
 
9.The Red Teaming Provider should ensure that no data leakage occurs from the testers laptops and systems and that all data obtained is securely stored during and securely destroyed after the engagement;
 
10.Any (agreed) data exfiltration by the Red Teaming provider should be restricted to the extent just required to prove the attack scenario. This data should only be stored in encrypted format and locally (not at cloud providers).
 
11.The Red Teaming Provider should assure the privacy of the staff within the Member Organization;
 
12.The Red Teaming Provider should be able to provide a written assurance that the activities and risks associated with the red teaming test and that confidential information will be adequately addressed and performed in line with the security and compliance requirements of the Member Organization;
 
13.A Letter of Authorization including non-disclosure terms should be mutually agreed between the Red Teaming Provider and the White Team to ensure that potential liability or legal issues are covered.

The Red Teaming Provider should consider the one or more of the following suggested certifications for its managers and testers, which will participate in the red teaming exercise. Verification of the certification of the staff and level of practical experience is key when selecting or procuring the Red Teaming Provider.
 
Recommended Certification(s) for the Red Teaming Provider’s Staff
RoleInstituteCertification
ManagersISACA
  • Certified Information Systems Auditor (CISA)
  • Certified Information Security Manager (CISM)
  • Cybersecurity Nexus (CSX)
(ISC)2
  • Certified Information Systems Security Professional (CISSP)
  • Systems Security Certified Practitioner (SSCP)
CREST
  • CREST Certified Simulated Attack Manager (CCSAM)
  • CREST Certified Threat Intelligence Manager (CC TIM) – Optional
TestersSAN Institute – GIAC
  • GIAC Penetration Tester (GPEN)
  • GIAC Web Application Penetration Tester (GWART)
  • GIAC Exploit Researcher and Advanced Penetration Tester (GXPN)
Offensive Security
  • Offensive Security Certified Professional (OSCP)
  • Offensive Security Wireless Professional (OSWP)
  • Offensive Security Certified Expert (OSCE)
  • Offensive Security Exploitation Expert (OSEE)
  • Offensive Security Web Expert (OSWE)
CREST
  • CREST Certified Simulated Attack Specialist (CCSAS)
  • CREST Registered Threat Intelligence Analyst (CRTIA) - Optional