TBEST takes the CBEST testing methodology, which we cover in another blog post, and brings it to the telecommunications industry.
TBEST is overseen by the communications services regulator OFCOM.
TBEST is a modern cyber resilience testing methodology and framework designed for telecommunications companies. It is a development of Critical National Infrastructure Banking Supervision and Evaluation Testing (CBEST), a framework for cybersecurity testing developed for the financial industry by the Council of Registered Ethical Security Testers (CREST) and adopted by the Bank of England in 2014.
TBEST sits alongside CBEST (financial industry) and GBEST (government) in CREST’s BEST testing framework series.
In practice, a TBEST test is a controlled process in which telecom companies evaluate their defences against a number of prescribed scenarios, i.e., attacks. These scenarios are based on real-world threat intelligence.
Here’s a high-level overview of TBEST testing.
TBEST Testing Is (Mostly) Voluntary
While public telecom providers in the UK must undergo security testing, telecom operators are not required to undergo TBEST testing specifically.
However, TBEST may still be mandatory in certain circumstances. On its website, OFCOM states that:
“where appropriate, we may exercise our statutory powers to require a provider to undergo testing, either like TBEST or some other type of testing.”
By this, they mean that a telecoms operator could be required by OFCOM to undergo a TBEST test if OFCOM decided that doing so was in the best interest of the telecoms industry. This typically occurs when a firm’s critical business systems, networks, and functions are so interconnected that they can impact the resilience of the entire industry.
We predict that this arrangement is likely to change in the future. As OFCOM looks to tighten telecoms cybersecurity, TBEST may become less optional. It may be worthwhile for telecom providers to undertake voluntary TBEST testing as soon as possible.
TBEST Testing Is Threat-Led
A TBEST test will have two core operational components: threat intelligence and penetration testing.
TBEST threat intelligence
Threat intelligence provides an understanding of a telecom firm’s threat landscape, identifying likely threat actors and the tactics, techniques, and procedures they may use.
The role of threat intelligence is to make sure that TBEST testing is a realistic and up-to-date reproduction of the types of threat that stakeholders in the telecom industry face. Threats could come from well-resourced nation-states, profit-driven threat groups, and individual actors.
Because telecom providers are targets for some of the world's most dangerous threat groups, TBEST testing needs to be able to perform highly advanced attacks against critically important systems.
Threat intelligence typically encompasses MITRE ATT&CK tactics, techniques, and procedures (TTPs) employed by threat actors, as well as threat actor profiles and potential threat level scoring. It will also include a realistic reconnaissance of the firm being tested to determine potential external vulnerabilities or exploitation pathways.
The result of the threat intelligence work phase will be threat scenarios (i.e., potential attacks and their outcomes), which will be used to develop a TBEST penetration test plan. This plan will explain how the scenarios can be executed in the company being tested.
TBEST penetration testing
TBEST penetration testing, like CBEST, is in practice closer to broad-scope red teaming than to conventional penetration testing (which is typically narrower in scope and shorter in duration).
During the testing phase of a TBEST engagement, a testing provider (a company like SECFORCE) will replicate the scenarios outlined during the threat intelligence phase. This means attacking the firm being tested using the same or similar TTPs they would face from a real threat actor.
The testing provider will conduct a realistic test while minimising the potential risk to the company being tested.
Therefore, it is essential that the chosen penetration testing provider has in-depth technical expertise in telecom networks, core systems, and operational technology, with the ability to simulate advanced threat actor techniques that could target network functions and critical services in a controlled and safe manner.
A red team with deep knowledge of a telecom firm’s network protocols, monitoring tools, and administration technologies ensures that risks are properly understood and operational integrity is maintained throughout testing.
Within a company being tested, most employees will not be aware that testing is taking place; only some senior management stakeholders are informed. To reduce the risk of services being impacted during a test, guardrails will be agreed upon beforehand, defining the points at which attacks must stop.
After testing, the output will be a penetration test report that will be shared with the firm being tested and OFCOM.
TBEST Outcomes
The eventual outcome of a TBEST test is that, after an organisation has been tested, a remediation plan for any identified weaknesses will be created and shared with OFCOM.
Then, a supervised implementation of that plan will take place.
SECFORCE Is a TBEST Partner
SECFORCE is a CREST-approved provider of TBEST threat intelligence and testing services. Our team has hundreds of years of combined experience performing advanced testing in regulated industries, including telecoms.
Contact us to learn more.