
NCC Group welcomes expansion of Australia’s Cyber Operational Resilience Intelligence-led Exercises (CORIE) framework

Following a successful pilot in 2021, Australia’s Council of Financial Regulators (CFR) has announced the expansion of its Cyber Operational Resilience Intelligence-led Exercises (CORIE) framework.

Having supported the creation of the original CORIE framework and pilot launch in 2021, Tim Dillon, our Director of Professional Services in the Asia Pacific region, has been acknowledged for his contribution and shares his reaction to the updated framework.

We congratulate the CFR and team on their hard work to complete a successful pilot and improve the framework in 2022.

The Australian framework is increasingly important to Australia in this period of increased geopolitical tension and persistent risk from transnational organised crime.

The framework has been developed to analyse aggregated cyber resilience to advanced and persistent threats and determine the risk related to the Australian Financial Market infrastructure, which is directly linked to economic stability.

CORIE provides a framework for financial institutions (FIs) to best assess their cyber resilience level where it matters most. Based on the targeting of an FI’s most critical business functions, Threat Intelligence is used to understand the adversaries with the greatest capability, motivation, and intent to target a particular FI. The tactics and techniques used by these adversaries are then emulated, enabling the FI to understand where their weaknesses are, based on current, real-world threats.

We have consistently advocated for the incorporation of intelligence-led attack simulations within testing frameworks and welcome this robust approach to operational resilience which is important for any sector vulnerable to cyber threats, especially critical infrastructure.

Having the privilege to consult on the framework since its infancy in 2020, I am honoured by the CFR acknowledging our contribution to CORIE in its most recent program guide.

A uniquely Australian approach to operational resilience

CORIE has been three years in the making, and in that time, we’ve witnessed a greater global move towards cyber resilience frameworks.

With cyber risk repeatedly topping the list of top risks within the Australian financial system, the CFR devised the cyber security working group that would eventually be responsible for CORIE in 2019.

Given the catastrophic consequences targeted attacks on financial institutions could have on wider society, we are witnessing regulators across the globe push for greater operational resilience at this level; from the Bank of England’s CBEST scheme to the EU-wide TIBER framework, there is increasing long-term integration of cyber resilience within financial infrastructures worldwide.

True cyber resilience requires organisations, and their people, to adapt to the ever-evolving threat landscape in a proactive rather than reactive manner. The use of threat intelligence and attack simulation exercises does exactly this. CORIE will enable FIs to test the full extent of their defence and response abilities, in a manner that closely mimics what a real-life attack would look and feel like. The three exercises in CORIE complement more traditional security testing methods, such as vulnerability assessments and penetration tests, to provide a more holistic security testing regime.

Further, as CORIE will provide reliable information to relevant Australian regulators that can be used to determine the risks to areas supported by FMIs, such as transactions, the framework will safeguard the country’s economic stability. By mandating operational resilience on the part of FIs, Australian authorities are helping to keep wider society safe from malicious attacks that might impact their personal information.

So, I welcome the expansion of CORIE and recommend other sectors consider aligning to the guide and exercises within to ensure operational resilience.

How will CORIE be used in practice?

As per the CFR’s most recent program guide, CORIE’s objectives are as follows:

  • Provide data and information to inform relevant Australian regulators of systemic weaknesses that may present a risk to the integrity of the Australian financial markets and financial system
  • Assess financial institutions’ resilience to known adversaries
  • Provide the relevant regulator and financial institution with a plan of remediation to address any identified weaknesses

The core elements of the framework will require FIs to:

  • Identify critical business services
  • Collect, analyse and use threat intelligence specific to these services to build a test plan
  • Share intelligence with relevant parties to enrich assurance activity
  • Use adversarial simulations to examine the capability to prevent, detect and respond to threats

We also advocate CORIE’s tabletop crisis simulations, alongside attack simulations, to prepare executive teams for time-critical decisions they may face, and committees for the requirements and expectations for timely and effective external communications.

For a more detailed breakdown of the framework, you can read the CFR’s program guide here.

As a trusted provider of the framework, NCC Group will continue to deliver all of the mandated exercises within, including: Adversary Attack Simulation (Red Teaming), Replay (Purple Teaming) and Tabletop Crisis Simulation (Gold Teaming).

Contacts

NCC Group Press Office

Press contact: all media enquiries relating to NCC Group plc, +44 7721577574
