The OSFI’s Intelligence-Led Cyber Resilience Testing (I-CRT) Framework – What You Need to Know

What is an ICR-T Assessment?

In April 2023, the Office of the Superintendent of Financial Institutions (OSFI), Canada’s agency responsible for regulating financial institutions, released their Intelligence-led Cyber Resilience Testing Framework (I-CRT)¹. Canada’s I-CRT framework is based on similar intelligence-led frameworks which have been used in other countries, such as the Bank of England’s CBEST framework² and the European Union’s TIBER-EU³. At its core, an I-CRT assessment is composed of four phases: an initiation phase, a threat intelligence phase, execution of the red team and a final closure and remediation phase.

Figure 1: Stages of an I-CRT Assessment

Who Needs to Perform an I-CRT Assessment?

The I-CRT framework defines that Canadian Systemically Important Banks (SIBs) and Internationally Active Insurance Groups (IAIGs) must conduct I-CRT assessment on a three-year cycle, but may also be required to perform them in response to major cyber incidents or threats. Other federally regulated financial institutions may request an I-CRT assessment through OSFI.

How is it Different Than a Penetration Test or Traditional Red Team?

Traditional penetration testing usually focuses on discovering as many vulnerabilities and misconfigurations as possible. To make it easier to get complete coverage, this is normally done overtly with cooperation from the system’s owners and with security controls disabled while executing the test cases. This methodology leads to the best coverage of the technical vulnerabilities, but leaves a gap in assessing the people, processes and security controls that form part of the bigger picture of a holistic cybersecurity program.

Red teaming aims to fill this gap by opting for an objective-based approach instead of focusing specifically on technical vulnerabilities. A red team is typically done covertly, to better assess the detection and response processes of the defenders, and focuses on emulating real attacker’s tactics, techniques and procedures (TTPs). These TTPs are organized according to a standard framework, most commonly MITRE ATT&CK⁴ , to evaluate the effectiveness of technical controls, people, processes and procedures in response to a realistic cyberattack.

An intelligence-led red team, such as I-CRT, takes a red team engagement to the next level by adding an intelligence-driven phase that feeds the red team with the most up-to-date TTPs used by threat actors who are targeting your company or industry. This assures that the red team performs an accurate emulation of these specific adversaries and the precise TTPs that they are most likely to use against you, instead of relying on a more generic adversary model which may have gaps in coverage of techniques used by a more focused attacker.

How to Plan for an I-CRT Assessment

When planning for an I-CRT assessment, you’ll need to select third-party providers for both the threat intelligence team and red team. These teams are required to have independence from each other. While I-CRT doesn’t mandate that these two components are provided by different vendors, if they are provided by the same vendor, then compensating controls must be in place to ensure their independence (i.e., no information shared between the teams other than what is strictly required).

When selecting a threat intelligence provider, it is important that the selected provider has the capabilities required to provide up-to-date research on the most recent activities of threat actors who have been targeting Canadian financial institutions. Being able to provide up to date, accurate and complete intelligence for the threat report is a key differentiator. This implies that the threat intelligence provider not only has access to a wide variety of sources (and are not just restricted to open-source collections), but also has access to certain closed sources (which could vary from criminal forums to industry intelligence sharing groups). This information should also be supplemented with active intelligence gathering capabilities, which could include activities such as regular forensic analysis of captured threat actor tools as well as tracking and correlating attacker’s infrastructure.

The red team, on the other hand, will be required to execute the engagement based on the intelligence report produced by the threat intelligence provider. Because they will be required to emulate an advanced threat actor using the most up-to-date TTPs, the red team may be required to modify or adapt their tools and procedures to match what was discovered by the intelligence team and shouldn’t just use their standard red team tools. Therefore, it is important that the red team has some level of organic R&D capabilities and a high degree of adaptability to ensure that they can emulate the threat intelligence plan to the required fidelity.

How Kroll Can Help

Although the I-CRT assessment model is new to Canada, Kroll’s global red team has years of experience in performing intelligence-led red team assessments using CBEST and TIBER-EU frameworks. Our red team is driven by a dedicated R&D team, which ensures our TTPs can be customized to fully emulate advanced threat actors. Additionally, Kroll’s Cyber Threat Intelligence team draws on the thousands of incident response actions that Kroll conducts annually, ensuring a near real-time view of threat actors’ latest campaigns. In either role, Kroll is ready to help with performing an I-CRT or other intelligence-led assessment.

Sources
¹OSFI I-CRT Framework [https://www.osfi-bsif.gc.ca/en/guidance/guidance-library/osfis-intelligence-led-cyber-resilience-testing-crt-framework]
²CBEST framework [https://www.bankofengland.co.uk/-/media/boe/files/financial-stability/financial-sector-continuity/cbest-implementation-guide]
³TIBER-EU framework [https://www.ecb.europa.eu/pub/pdf/other/ecb.tiber_eu_framework.en.pdf]
⁴MITRE ATT&CK Framework [https://attack.mitre.org/]