What is CORIE v2.0?

An explainer on the Australian Council of Financial Regulators’ Cyber Operational Resilience Intelligence-led Exercises

30 May 2023

By NCC Group

After a successful pilot in 2020, the Australian Council of Financial Regulators (CFR) released Cyber Operational Resilience Intelligence-led Exercises (CORIE) 2.0 in July 2022.

There are four member agencies of the Council of Financial Regulators (CFR). Each has different responsibilities in the Australian financial system.

  1. Australian Prudential Regulation Authority
  2. Australian Securities and Investments Commission
  3. Reserve Bank of Australia
  4. The Treasury

Why was the framework developed and who must participate?

CORIE was developed to analyse aggregated cyber resilience to advanced and persistent threats and determine the risk related to the Australian Financial Market infrastructure, which is directly linked to economic stability.

The CFR invites financial institutions (FIs) in rounds to participate in the exercises detailed in the framework, working closely with the CFR’s appointed coordinators.

However, CORIE also provides a framework for FIs to best assess their cyber resilience level where it matters most. This is accomplished by targeting the organisation's most critical business services.

As such, FIs commonly use it to align their own exercises with those detailed within CORIE, often as a financial regulator requirement. For example, APRA CPG 234 refers to more advanced techniques commonly referred to as "red team" tests.

How do these exercises differ from our current penetration testing and red teaming programmes?

The primary difference with CORIE is that threat intelligence is employed to understand the adversarial landscape, and more specifically adversaries with the greatest capability, motivation, and intent to target an FI’s most critical business services.

Those threats are further researched by cyber security experts like NCC Group's Attack Simulation team before emulating their modus operandi to exercise and assess the FI.

The expectation is that the threat intelligence is applied across the cyber resilience exercises detailed within the framework. Each of the three exercises is focused on assessing cyber resilience in a different way:

Exercise 1 - Adversary Attack Simulation (Red Teaming)

This exercise will simulate the threat actor as identified in the threat intelligence. The exercise is conducted in secrecy without informing the FI’s defensive team.

Like most red team exercises, it will assess relevant attacks across the FI’s technology, but also people and processes. The other key difference is that the framework uses “Concessions” to ensure the overall attack scenario is simulated, rather than just trying to gain a foothold on the network.

Concessions allow the Red Team to move on to the next flag after a period if the current one has not been achieved. It works the other way as well, allowing the FI a Concession to de-risk a dangerous action, like simulating a fraudulent transaction on a non-production system.

The primary value of this exercise is assessing and improving the organisation’s prevention, detection, and response capability against its greatest threats.

Exercise 2 - Replay Attack Simulation (Purple Teaming)

The Replay Attack Simulation systematically steps through a simulated adversary’s tactics, techniques, and procedures whilst working closely with the FI’s defensive team.

This exercise is typically shorter than an Adversary Attack Simulation, but Concessions are used in a similar fashion.

The primary value comes from the Red Team working closely with the defensive team to identify vulnerabilities and improve the time and quality of detection. The exchange of knowledge between the two teams is highly beneficial but means that response actions cannot be truly assessed.

Exercise 3 - Table Top Crisis Simulation (Gold Teaming)

The Table Top Crisis Simulation will again use threat intelligence to define the greatest threat scenario to simulate. However, this time the FI’s different teams (i.e., responders, crisis management, and C-Suite / Board) will participate in an interactive tabletop attack to experience and improve how they would respond to the threat.

The primary value of this exercise includes:

  • Gaining crucial experience by working through the mock incident.
  • Identifying gaps in the incident response plan and playbooks.
  • Understanding the dynamics of roles and responsibilities allocated within the teams.

With these three exercises, CORIE is a uniquely Australian approach to operational resilience compared to similar frameworks abroad.

NCC Group is a trusted provider for CORIE compliance and has supported the framework's creation.

NCC Group has unique experience delivering all the CORIE exercises, both regulator-invited and for those financial institutions aligning to the framework. Reach out now to get more insight into the framework or our expertise in delivering these exercises.