Closed

Provide a red team for an exercise

Published

Value

125,000 GBP

Description

Summary of the work

We are building a mock sensitive workload in a real public cloud environment to better understand securing such systems. We require a strong 'red team' to simulate an advanced and motivated adversary attempting to compromise the confidentiality, availability and integrity of the environment.

Expected Contract Length

3 months

Latest start date

Thursday 15 April 2021

Budget Range

Our budget range is £100k - £150k. We expect to pay for a bundle of professional services on a "not to exceed" basis. This could be based on monthly timesheet reporting or a blended team rate.

Why the Work is Being Done

Government has a strong interest in using hyper-scale cloud environments effectively to operate its digital services. In this exercise, the Government Security Group within the Cabinet Office is running a hypothesis-driven simulation to learn more about how to operate public cloud environments with sensitive workloads. You will work with a 'build' team who will create an AWS environment against which security hypotheses can be designed and tested. You will form the 'break' team of the exercise, to create a credible threat tree and to test those assumptions and controls. We would like your activities to commence by 1 April and take roughly three months to complete the exercise.

The approach of the assessment will be highly collaborative, with co-created learning outcomes forming the primary engagement deliverables. The engagement will demonstrate preference for actionable recommendations over formal artefacts or documentation, and be flexibly informed by findings and discussions during the course of the engagement.

Problem to Be Solved

Public cloud environments are necessarily internet-connected and also vulnerable to compromise of administrator and developer credentials and end user devices. As far as possible, we would like to prototype and demonstrate tactics and controls to prevent, mitigate or discover attacks on the confidentiality, integrity and availability of a system in a public cloud, including via admins, developers and development pipelines. Because we are interested in the characteristics of sensitive government workloads, we are assuming (and wish you to simulate) competent, motivated and patient adversaries.

Who Are the Users

• As a technical architect, I need to safely define and configure cloud-based IaaS and SaaS services so that I can deliver digital service capability safely and efficiently.
• As a service owner in government, I need to understand the security characteristics of my system so that I can understand how to operate and protect it.
• As a security monitoring team, I need access to logs and events so that I can protectively monitor a digital application.
• As a DevOps team, I need scripts that can completely define a cloud-based service so that I can statically inspect, deploy and monitor my system.
• As a software developer, I need a development environment and pipeline which allows me to do my job and protects a sensitive workload.
• As a system administrator, I need to operate public services cost-effectively, taking advantage of commercial IaaS, PaaS and SaaS offerings so that I can deliver defensible services to my users with good value for money.

Early Market Engagement

We have discussed this exercise informally with a number of stakeholders in and out of government. The main theme to emerge is the need for close collaboration between the 'build' and 'break' teams of the exercise to jointly define and scope the security controls being tested. We have also heard a strong preference to engage with other stakeholders in government who have indicated a willingness to observe and contribute to the exercise.

Work Already Done

We have not carried out a formal Discovery, but have engaged widely with stakeholders in the Ministry of Defence, the National Cyber Security Centre and other units of the Cabinet Office to define and scope this exercise. Of course, we assume that you are aware of the NCSC Cloud Security Principles and other standards for operating safely in the public cloud.

Existing Team

You will work with two teams:
- The Government Security Group Capabilities Team, a group of six people who will control the project and observe the results;
- A build team of three people who will develop the cloud environment and implement the security controls that you and others recommend.

We would like you to sign a letter of cooperation with the supplier of the build team.

Current Phase

Discovery

Skills & Experience

• Provide a cyber "red team" capable of simulating an advanced persistent threat
• Have experience evaluating the security characteristics of public cloud environments, including administration and code development pipelines and endpoints
• Provide clear, actionable recommendations for remediation of identified vulnerabilities

Nice to Haves

• Have the ability to simulate nation-state level advanced persistent threats

Work Location

We expect you to work remotely for this engagement. The Cabinet Office is located in London.

Working Arrangements

We would like you to participate in initial scoping workshops. Following this, the 'build' team will build out more of the public cloud environment. You will then undertake a red team engagement attempting to exploit vulnerabilities in the public cloud-based system. We anticipate several rounds of this engagement, alternating red team and build team activities as we make changes based on your recommendations. We expect you to be working remotely and to engage with our team regularly via videoconference, text-based chat and email.

Security Clearance

Team members should have SC clearances or higher.

Additional T&Cs

We will be asking you to sign a non-disclosure agreement if you undertake this work.

No. of Suppliers to Evaluate

5

Proposal Criteria

• Cybersecurity capability of the team
• Methodology for evaluating security vulnerabilities of public cloud environments
• Agility of the team and approach
• Relevant cyber certifications of the supplier and team

Cultural Fit Criteria

• Work as a team with our organisation and the 'build' partner on the engagement
• Be transparent and collaborative when making decisions
• Share knowledge and experience with other team members, including the 'build' partner
• Have a no-blame culture and encourage people to learn from their mistakes
• Value actionable learning as an end in itself

Payment Approach

Capped time and materials

Evaluation Weighting

Technical competence 60%
Cultural fit 20%
Price 20%

Questions from Suppliers

1. Questions about security clearance levels:

Q: We have the capabilities, certification and experience to do this but will have trouble in putting together a full SC cleared red team. We will sign the NDA. Would that suffice?
Q: We currently don't have SC clearance. Will the SC clearance application be expedited by the CCS if we provide a winning bid?
Q: In terms of clearances, will you accept SC equivalent from a FVEYs (Five Eyes: UK/US/CAN/AUS/NZ) partner?

A: SC level will not be required in advance of commencing the exercise. Cabinet Office is willing to sponsor any needed clearances once the supplier is under contract.

2. Question about the build team:

Q: The 'build' team: will there be three people on the Cabinet Office side?

A: The build team will consist of approximately three people fielded by the Cabinet Office, yes. You are not asked to bid on this.

3. Questions about the target environment:

Q: Could you advise the types of applications within the target infrastructure?
Q: Would it be correct to assume the emphasis is at the application layer as opposed to network?

A: We will simulate components found in typical workflows. There will be a case management component, web form-based interfaces, an administrator web-based application, repositories for holding data and files, etc. We will use commodity IaaS services running our own code and also use some SaaS components for common applications like mail, casework and directory services. We will simulate publishing and consuming APIs. It is fair to say that we are putting emphasis on the application and management layers, but network vulnerabilities, especially in the configuration of the virtual private networks and the connections between components, are definitely fair game.

4. Questions about the public cloud:

Q: What is the cloud environment?
Q: Will this be a mixed environment or single OS environment? If so, what will be the deployed OS?

A: The cloud environment will be AWS. We would expect to deploy a mix of operating systems: most likely Linux and possibly Windows servers, and probably Windows and MacOS developer and administrator workstations. Depending on how we set up the simulation, we might model the developer and administration workstations using virtual desktops.

5. Question about the team:

Q: How many person hours will be needed for this exercise? How many red team members do you think will be needed?

A: It is up to the supplier to put in a fair bid for red team members. We were assuming a small team of around three people would be sufficient, but we will consider reasonable propositions from you.

6. Questions about code and deployment:

Q: For the code development pipelines, will there be a full CD/CI pipeline?
Q: Will it be an automated build and test pipeline?
Q: What source code will be stored in the version control system?

A: In line with good industry practice, we would expect to deploy a complete continuous development and integration pipeline, as automated as possible. We are quite interested in the supply chain attacks possible on this pipeline. We would store all code needed to build the infrastructure itself, as well as the application code that will run in the environment for all IaaS and PaaS components that we use. Configuration for SaaS components should also be stored where possible.

7. Question about simulated users:

Q: Will there be simulated or actual users of this cloud infrastructure and code development pipeline?

A: We will have actual users of the code development pipeline; the "blue team" will be using this to make changes to the applications and infrastructure in the environment. We will be weaker on simulation of actual end users of the environment; we may try to script some typical user interactions, but this can be difficult and time consuming, and we're not sure yet on the level of fidelity that we will reach.

8. Question about specific attacks:

Q: Are there any specific attacks and/or nation state APTs you would like simulated?

A: There are not specific attacks that we are expecting you to carry out; we are assuming motivated attackers interested in compromising our environment for reasons of either espionage or disruption. Given the nature of the exercise, we are particularly interested in developing reusable patterns for the secure administration of and deployment to public cloud infrastructures.

Timeline

Publish date

3 years ago

Close date

3 years ago

Buyer information

Cabinet Office