Where CBEST Engagements Often Fall Short

November 11, 2025 admin No comments yet

CBEST is intended to provide financial organisations with a realistic understanding of how a capable adversary might attempt to compromise critical functions. When executed well, it supports meaningful conversations about operational resilience, defensive prioritisation, and real-world exposure, not hypothetical attack paths.

In practice, the value of a CBEST engagement is heavily influenced by how accurately the threat model aligns to the organisation’s real-world exposure. When this alignment is weak, the exercise may be technically thorough but less effective in shaping defensive priorities.

The issue rarely lies in the technical execution of the red team (although it sometimes can). It tends to begin earlier, in the threat intelligence and scoping phase.

This phase determines:

  • Which adversaries are relevant
  • What those adversaries typically seek to achieve
  • How they are likely to approach intrusion
  • Which parts of the organisation represent meaningful value

If this alignment is weak, the engagement may be technically sound but strategically directionless. The result is a test that appears thorough on paper but does not reflect how risk actually materialises in that organisation.

Where Misalignment Begins

In practice, threat modelling is often influenced by the following factors:

  • Preconceptions about “high sophistication” attackers
  • Pressure to demonstrate rigour to regulators or boards
  • Availability of widely documented threat actor profiles
  • Limited organisational clarity about core business value

These factors can lead to adversary selection that is thematically impressive but operationally unrealistic, and that’s definitely not the end goal here!

For example, selecting a state-linked threat actor because they are well-known does not guarantee that the scenario reflects the organisation’s actual threat exposure. Many state-aligned actors pursue objectives that have little strategic relevance to certain financial entities, while financially motivated groups with well-defined intrusion patterns may represent a far more realistic threat. The consequence is an engagement optimised for narrative rather than realism. In other words, the organisation really doesn’t benefit.

Realistic threat modelling begins with business value. A credible CBEST starts not with the threat actor but with the following:

  1. What the organisation does
  2. How it creates, stores, or moves value
  3. Which systems and processes underpin that value
  4. Where trust boundaries and dependencies sit

Once these are understood, the threat landscape becomes structured rather than assumed.

This shifts the question from:

“Who are the most advanced attackers?”

to

“Which adversaries have the intent, access opportunities, and operational style relevant to how this organisation operates and where it is exposed?”

This is where scenario realism is determined.

Common Patterns in Misaligned CBEST Scenarios

Pattern | Result
Adversary selected for brand recognition rather than relevance | Scenario demonstrates capability, but not likely exposure
Scope influenced by internal expectation rather than risk reality | Findings feel disconnected from operational priorities
Intelligence summarised rather than analysed | Engagement lacks strategic context
Actor tradecraft mapped mechanically to MITRE ATT&CK | Scenario becomes procedural rather than behavioural

The impact is subtle but significant:

  • The red team may execute effectively
  • The report may be detailed
  • Controls may be improved

Yet the organisation may not come away with a clearer view of how it is actually targeted in the real world, and that’s the whole point.

Let me try and generalise. During one engagement the initial scoping centred on a well-known state-linked actor. The rationale for this was based on perceived sector strategic importance. However, when business value and operational dependencies were further analysed, it became clear that the organisation’s most critical exposure was through third-party operational IT services, and that the most active (and, more importantly, relevant) adversaries in that access layer were financially motivated intrusion groups. It was very clear that their intrusion patterns did not match the tactics of the originally selected state actor.

The scenario shifted to reflect likely access, likely motivation, and likely progression, which resulted in findings that were sharper, more practical and more aligned to real defensive decision making. This is how it should have been from the start.

So How Can We Strengthen the Intelligence Phase?

The intelligence phase benefits from a structured approach; I think we can all agree on that.

Step | Description | Purpose
Define Priority Intelligence Requirements | Clarify what the organisation needs to understand about itself and its exposure. | Prevents assumptions from shaping the scenario.
Assess sector-specific intrusion patterns | Review how adversaries have actually targeted similar organisations. | Grounds adversary choice in reality.
Map adversary motivation to business value | Evaluate why an attacker would care and what they would seek (often overlooked). | Ensures the scenario aligns with plausible objectives.
Analyse feasible access paths | Understand realistic initial intrusion options. | Avoids overly theatrical scenario entry points.
Validate the model with internal stakeholders without diluting it | Ensure a shared understanding of realism. | Secures buy-in without reducing integrity.

This does not expand the engagement scope at all; it does, however, focus it on the right things.
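One way to make the middle three steps of that table concrete is a small scoring model that ranks candidate adversaries by observed sector activity, motivation-to-business-value fit and access-path feasibility, so that a well-known actor with no realistic objective or route scores below a less glamorous group that has both. This is an added illustration, not code from the original post or from ThreatInsights; the asset weights, adversary profiles, objective labels and access-path names are all constructed for the example.

```python
"""Adversary relevance scoring for CBEST scoping (added illustration, constructed data)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Asset:
    name: str
    value_weight: float          # share of business value depending on it; weights sum to 1
    objectives: frozenset        # what an attacker could gain from compromising it
    access_paths: frozenset      # realistic initial-access routes into it


@dataclass(frozen=True)
class Adversary:
    name: str
    sector_activity: float       # 0..1, observed targeting of similar organisations
    objectives: frozenset        # what the group typically seeks
    access_paths: frozenset      # initial-access routes seen in its observed tradecraft


def validate_assets(assets):
    """Business-value weights must be a complete split (sum to 1) or the scoring is skewed."""
    total = sum(a.value_weight for a in assets)
    if abs(total - 1.0) > 1e-9:
        raise ValueError(f"asset value weights sum to {total}, expected 1.0")
    return True


def motivation_fit(adv, assets):
    """Value-weighted share of assets whose objectives overlap the adversary's."""
    return sum(a.value_weight for a in assets if adv.objectives & a.objectives)


def access_fit(adv, assets):
    """Value-weighted share of assets the adversary has a realistic route into."""
    return sum(a.value_weight for a in assets if adv.access_paths & a.access_paths)


def relevance(adv, assets):
    """Multiplicative score: any factor at zero rules the adversary out, whatever its reputation."""
    m, x = motivation_fit(adv, assets), access_fit(adv, assets)
    return {
        "adversary": adv.name,
        "sector_activity": adv.sector_activity,
        "motivation_fit": round(m, 2),
        "access_fit": round(x, 2),
        "score": round(adv.sector_activity * m * x, 3),
    }


def rank_adversaries(candidates, assets):
    validate_assets(assets)
    return sorted((relevance(a, assets) for a in candidates),
                  key=lambda r: r["score"], reverse=True)


def likely_entry(adv, assets):
    """Highest-value asset the adversary can plausibly reach, and the overlapping routes."""
    reachable = [a for a in assets if adv.access_paths & a.access_paths]
    if not reachable:
        return None
    target = max(reachable, key=lambda a: a.value_weight)
    return target.name, sorted(adv.access_paths & target.access_paths)


# Constructed example: a payments firm's value map (hypothetical assets and routes).
ASSETS = [
    Asset("payment_switch", 0.5, frozenset({"fraudulent_transfers", "extortion"}),
          frozenset({"third_party_it_services", "vpn_credentials"})),
    Asset("customer_data_platform", 0.3, frozenset({"data_theft", "extortion"}),
          frozenset({"phishing", "third_party_it_services"})),
    Asset("research_and_strategy", 0.2, frozenset({"strategic_intelligence"}),
          frozenset({"phishing"})),
]

# Constructed candidate profiles (hypothetical; not real threat actor data).
CANDIDATES = [
    Adversary("Well-known state-linked actor", 0.2,
              frozenset({"strategic_intelligence"}),
              frozenset({"phishing", "zero_day"})),
    Adversary("Financially motivated intrusion group", 0.8,
              frozenset({"extortion", "fraudulent_transfers"}),
              frozenset({"third_party_it_services", "vpn_credentials"})),
]


if __name__ == "__main__":
    for row in rank_adversaries(CANDIDATES, ASSETS):
        print(row)
    print(likely_entry(CANDIDATES[1], ASSETS))
```

The ranking flips the "brand recognition" choice: the state-linked actor scores low because its objectives only touch a fifth of business value and its routes do not reach the payment switch, while the financially motivated group scores high on all three factors. `likely_entry` then answers the working question of where that group would most plausibly start, which is the scenario entry point the scoping should test.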

A Practical Lens for Scenario Realism

A useful working question is:

“If this adversary were targeting this organisation today, what is the simplest, lowest-risk path they would take?”

This anchors threat intelligence in operational behaviour, not theoretical capability!

Most real-world adversaries are lazy and human:

  • They prefer reuse over custom tooling
  • They leverage trusted access and supplier ecosystems
  • They move gradually to maintain operational security
  • They pursue objectives that align with resource efficiency

When these factors are reflected in the threat model, the scenario becomes:

  • Less dramatic
  • More grounded
  • More useful

Because it mirrors how compromise typically unfolds in practice, not some theoretical, mystical, magical, made-up nonsense.

Here are some Key Takeaways

  • The value of a CBEST engagement is determined primarily in the intelligence and scoping phase
  • Selecting adversaries based on relevance, not reputation, is critical
  • Realistic modelling begins with business value and sector exposure, not ATT&CK tables
  • Precision in scenario alignment leads to findings that can influence defensive strategy
  • Red team execution is only as meaningful as the threat model it is based on

ThreatInsights focuses on improving the relevance and realism of the threat intelligence that informs security testing and defensive planning.

© 2025 SMARTSEC Information Security Ltd.
ThreatInsights is a trading name of SMARTSEC Information Security Ltd.
Company No. 11886578 | Registered in England & Wales.

  • Privacy Policy

Powered by
...
►
Necessary cookies enable essential site features like secure log-ins and consent preference adjustments. They do not store personal data.
None
►
Functional cookies support features like content sharing on social media, collecting feedback, and enabling third-party tools.
None
►
Analytical cookies track visitor interactions, providing insights on metrics like visitor count, bounce rate, and traffic sources.
None
►
Advertisement cookies deliver personalized ads based on your previous visits and analyze the effectiveness of ad campaigns.
None
►
Unclassified cookies are cookies that we are in the process of classifying, together with the providers of individual cookies.
None
Powered by