A dedicated Government Security Red Team is to assess departmental defences with exercises in which experts conduct digital and in-person reconnaissance and attempt to exploit vulnerabilities found.
Common in the worlds of cybersecurity and defence, the role of red teams is to better understand the effectiveness of an organisation’s defences by mimicking attackers or other hostile actors. Red-teaming exercises can often involve not just cyber penetration testing to analyse the security of IT systems – but also social engineering and in-person spying to ascertain possible means of gaining access, as well as the testing of physical security measures, such as locks and gates.
The Cabinet Office-based Government Security Red Team – known as GSRT or OPEN WATER – has just signed a six-month £150,000 deal with specialist supplier Cerastes, which will support the provision of “physical penetration exercises” targeted at three Whitehall departments.
These exercises will involve a process of collecting open-source intelligence (OSINT) and conducting in-person reconnaissance on each of the trio of target organisations – the identity of which has not been specified.
The aims of this information-gathering include “identifying vulnerabilities and exploitable information and/or pattern of life” details.
This intelligence will then be used in “attempting to gain access based on the findings of OSINT and reconnaissance”.
“If access is successfully gained, then [the supplier will be] executing the scenarios as agreed between GSRT and target department and, in addition, looking for other opportunities for compromise which may not have been previously identified and to be agreed between the supplier, the GSRT and the department as the testing progresses,” according to commercial documents.
Cerastes will be expected to provide Cabinet Office security officials with a “detailed report including and consolidating all findings from the OSINT, reconnaissance and penetration phases as well as including recommendations for remedial actions to be considered for implementation by the department”.
The findings of these reports will also be presented to range of senior managers and security professionals at the departments targeted by the exercises. The security-testing initiative is intended to support the work of the ongoing National Cyber Security Programme, which is charged with overseeing the delivery of the UK-wide cyber strategy published by the government in early 2022.
It is not known which departments may be targeted by the hostile reconnaissance, how they might be chosen, or the extent to which they may be forewarned about what is to happen – although the text of the contract suggests that the GSRT will reach some kind of agreement with the agencies in question concerning the proposed testing “scenario”.
In response to a request from CSW's sister title PublicTechnology for these details and any other available information on this initiative, the Cabinet Office indicated that it did not comment on security matters.
'Influenced and disrupted'
After its initial six-month term, “approval is being awaited” for a potential six-month extension to the department’s contract with Cerastes. This would be worth a further £150,000 to the central London-based outfit.
Staff provided by the company to fulfil the Cabinet Office engagement will earn £940 for a day for team-leader duties, £740 for work as an reconnaissance or testing operative, and £475 for researchers. All prices exclude VAT.
The deal, which covers the provision of the covers the provision of Cerastes’ "Hostile Perspective Security – Red Teaming and physical penetration testing" service offering, was awarded via the now-defunct G-Cloud 12 framework.
According its listing on the government’s online Digital Marketplace, the service purchased by the Cabinet Office provides customers with the ability to “accurately replicate any chosen threat's planning and reconnaissance process, allowing the vulnerabilities seen from this hostile perspective to be identified, and where along their attack planning pathway your threats can be influenced and disrupted”.
Threat scenarios can be created to a bespoke script to best suit the buyer’s needs, following which Cerastes can offer vulnerability assessment of the online and physical world, and “intelligence-led testing” of security measures and processes, the firm’s listing added. The security company can also provide organisations with training to boost awareness of hostile actors and their methods.
Procurement records indicate that that company has won one previous public-sector deal: a £600,000 contract awarded in 2020 to provide the Home Office with support for its red-teaming activities over a period of almost three years.
Sam Trendall is editor of CSW's sister title PublicTechnology, where this story first appeared