On 21 January 2025, the Bank of England published a web page on the latest annual CBEST thematic publication, which presents insights derived from recent CBEST assessments conducted across firms and financial market infrastructures (FMIs).
Overview
CBEST is a threat-led penetration testing assessment framework that mirrors real-world attacks to enable firms and FMIs to identify, understand and remediate vulnerabilities in their cyber resilience. The publication does not introduce any new or additional regulatory expectations but rather articulates gaps observed in firms’ and FMIs’ cyber defences to ensure they have adequate resilience capabilities to prepare for, and respond to, cyber incidents that could cause operational disruption and impact financial stability.
Overall, the thematic publication states that firms and FMIs should take a structured and proactive approach to addressing identified vulnerabilities, prioritise actions based on risk, and assign clear responsibilities and timelines. The CBEST Implementation Guide provides guidance on remediation planning to mitigate risks. For the first time, the thematic publication also lists the commonly used tactics, techniques and procedures (TTPs) observed, mapped to MITRE ATT&CK techniques, together with a non-exhaustive list of non-linear or unpredictable techniques.
Technical observations of firms’ and FMIs’ weaknesses
The thematic publication aggregates its technical observations into five cyber security areas which identify the following firm or FMI weaknesses:
- Infrastructure and security: Firms or FMIs that did not maintain strong configuration practices or cryptographic protection for data at rest were exploited during CBESTs.
- Identity management and access control: Weaknesses in the secure management and control of identities, authentication and access that were exploited during CBESTs included weak passwords, credentials and overly permissive access controls such as the lack of role-based access controls or inadequate restrictions on administrator and service accounts.
- Detection and response: Firms or FMIs with insufficient detection capabilities, such as poorly tuned monitoring or alerting for adverse incidents and ineffective network monitoring, were more vulnerable to attackers and less able to detect early-stage simulated cyber-attacks.
- Network security: Weaknesses in security architecture, such as firms or FMIs not maintaining effective network segmentation (for example, segmentation around critical assets), increased the risk of unauthorised access to sensitive information and systems, and these weaknesses were exploited during CBESTs.
- Staff culture, awareness and training: Cultural weaknesses in cyber resilience that were exploited during CBESTs included staff who were susceptible to social engineering (such as phishing, or indirectly through the exposure of sensitive information), staff routinely storing credentials in unprotected locations, and insecure helpdesk procedures such as limited or no authentication of users during interactions with the simulated attackers.
TIMA
Findings from the Threat Intelligence Maturity Assessment (TIMA), part of CBEST, showed that firms and FMIs demonstrated a range of maturities across the cyber threat intelligence management domains. TIMA also noted a disconnect between the intelligence firms and FMIs produced and their actual business or operational needs, which could make it difficult to scale or evolve their threat intelligence programmes. Enhancing maturity in this area, or assessing it by benchmarking against industry peers, can help strengthen a firm’s overall resilience.
In addition, the most common threat actors and scenarios identified in CBEST threat intelligence included highly capable attackers and advanced persistent threats (APTs), third-party and supply chain attacks, social engineering attacks and malicious insiders. Collectively, the thematic publication highlights that these factors underline the importance of firms and FMIs reinforcing their controls, enhancing visibility and maintaining rigorous oversight to manage these high-impact risks effectively.