We’ve officially made it past the halfway point of our CISO’s guide to red teaming series! So far, we’ve explored the role of red teaming in cybersecurity strategies, using red team outcomes for executive decision making, and how red teaming engagements go beyond technical vulnerabilities.

Tailoring red teaming by industry

For the second half of the series, we’re looking at red teaming specifically in three different industries. This is because no two organizations are identical in their risk profiles. An effective red team engagement must be contextualized to the industry and threat landscape of the target organization. A bank, a hospital network, and a cloud software company each have different crown jewels and face adversaries with different motives. Having a tailored threat-informed approach ensures red team exercises simulate the attacks that matter most for that business. By understanding these sector-specific scenarios, a CISO can set red team goals that meaningfully challenge an organization’s defenses and validate its readiness against the threats it is most likely to face in reality.

Finance and insurance threat landscape

Banks, financial institutions, and insurers operate in a high-stakes threat environment. They are targeted by the full spectrum of adversaries, from nation-state APT groups to organized crime, due to the direct monetization potential and geopolitical impact of disrupting finance. Nation-state actors target banks to spy on or manipulate financial systems. (For example, groups like the North Korea-linked Lazarus Group or Russia’s APT29 have been known to target the SWIFT network, banking infrastructure, and cryptocurrency platforms.) Their goals might include economic espionage, sanctions evasion, or destabilization of a country’s financial sector. Meanwhile, cybercrime syndicates and ransomware gangs view financial institutions as jackpot targets: they carry out ATM “jackpotting” heists, fraudulent wire transfers, or ransomware attacks to extort multimillion-dollar ransoms. Groups like FIN7 and Clop are examples of financially motivated actors that have breached banks and payment processors. There’s also the persistent threat of insider collusion and fraud. Organized criminal rings have at times planted insiders or bribed staff to assist in account takeovers, the misuse of privileged access, or the siphoning of sensitive data. Hacktivists are less common in this space but might still target financial firms over political or social issues (for instance, attacking an investment bank for its role in funding controversial projects). In summary, the financial sector faces well-resourced adversaries who are after money, sensitive financial data, or even systemic disruption, making it one of the most heavily targeted and regulated sectors.

Key red team objectives

Given this threat landscape, a CISO in finance will direct red team exercises toward the scenarios that pose existential or significant business risk. Typical objectives include simulating attacks on high-value payment systems and transactions, such as trying to gain access to SWIFT terminals, core banking applications, trading systems, or internal fund transfer APIs. A red team might simulate an advanced attacker (e.g., an APT or well-funded criminal gang) whose goal is to fraudulently transfer funds or manipulate financial data. This tests whether the bank’s segmentation, privileged access controls, and monitoring around those crown jewels are effective. Another key objective is simulating a ransomware attack to test both preventive controls and crisis response. For example, can a red team infiltrate the network, escalate privileges, and trigger a (simulated) ransomware deployment, and if so, does the institution’s incident response team activate disaster recovery (DR) plans effectively? This kind of scenario validates whether backup systems are protected (e.g., can attackers reach backup repositories?) and whether an organization has “kill-switch” procedures to isolate systems at the first sign of widespread encryption.
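The “kill-switch” trigger mentioned above needs a concrete signal to fire on. The following is an added example, not code from the original post, of the kind of detection a blue team would run over file-server audit logs during a simulated ransomware deployment: it flags any host/user that renames a burst of files to unfamiliar extensions inside a short window. The log format, the known-extension list, the window and the threshold are all assumptions for illustration, and the log lines are constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample audit lines: "<timestamp> <host> <user> <action> <path>[ -> <new path>]"
SAMPLE_LOG = """\
2024-05-01T09:00:01 fs01 alice WRITE /share/reports/q1.xlsx
2024-05-01T09:00:09 fs01 alice RENAME /share/reports/draft.docx -> /share/reports/final.docx
2024-05-01T09:01:00 ws17 svc_scan RENAME /share/ledger/a.db -> /share/ledger/a.db.locked
2024-05-01T09:01:01 ws17 svc_scan RENAME /share/ledger/b.db -> /share/ledger/b.db.locked
2024-05-01T09:01:01 ws17 svc_scan RENAME /share/ledger/c.db -> /share/ledger/c.db.locked
2024-05-01T09:01:02 ws17 svc_scan RENAME /share/ledger/d.db -> /share/ledger/d.db.locked
2024-05-01T09:01:03 ws17 svc_scan RENAME /share/ledger/e.db -> /share/ledger/e.db.locked
2024-05-01T09:01:04 ws17 svc_scan WRITE /share/ledger/README_RESTORE.txt
"""

KNOWN_EXTENSIONS = {"xlsx", "docx", "db", "txt", "pdf"}  # assumption: the org's normal file types
WINDOW = timedelta(seconds=60)   # assumption: sliding window length
THRESHOLD = 5                    # assumption: unfamiliar-extension renames per window, per host/user

def parse_renames(log):
    """Yield (timestamp, host, user, new_extension) for each RENAME event."""
    for line in log.splitlines():
        parts = line.split(maxsplit=4)
        if len(parts) < 5 or parts[3] != "RENAME":
            continue
        ts, host, user = datetime.fromisoformat(parts[0]), parts[1], parts[2]
        new_path = parts[4].split(" -> ", 1)[1]
        ext = new_path.rsplit(".", 1)[-1].lower() if "." in new_path else ""
        yield ts, host, user, ext

def find_encryption_bursts(log, window=WINDOW, threshold=THRESHOLD):
    """Return {(host, user): peak_count} for principals that renamed at least
    `threshold` files to unfamiliar extensions within any sliding `window`."""
    events = defaultdict(list)
    for ts, host, user, ext in parse_renames(log):
        if ext not in KNOWN_EXTENSIONS:
            events[(host, user)].append(ts)
    flagged = {}
    for key, times in events.items():
        times.sort()
        start = 0
        for end, ts in enumerate(times):
            while ts - times[start] > window:   # slide the window's left edge forward
                start += 1
            count = end - start + 1
            if count >= threshold:
                flagged[key] = max(count, flagged.get(key, 0))
    return flagged

def hosts_to_isolate(log):
    """Hosts a kill-switch playbook would isolate on this evidence."""
    return sorted({host for host, _ in find_encryption_bursts(log)})
```

Tuning matters: the legitimate rename on fs01 is ignored because its new extension is a known one, while the burst on ws17 crosses the threshold within four seconds and yields an isolation candidate.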

Insider threat and physical security

Financial sector red teams also often test insider threat scenarios and physical security. For instance, one exercise might involve a red team member with covert physical access (maybe by tailgating into a data center or trading floor) to see if they can plug in a rogue device or access an unattended workstation, reflecting the risk of a malicious insider or intruder. This checks physical defenses and staff vigilance.

Regulatory detection and response benchmarks

The testing of a blue team’s effectiveness is frequently built into finance-sector engagements due to regulatory frameworks; under CBEST/TIBER-EU, a red team assessment explicitly evaluates how well an institution’s detection and response (often the SOC) performs under a nation-state-grade attack simulation. Thus, a red team might operate quietly for weeks to see if a bank’s threat hunting or SOC analysts catch on to their presence, as required by these standards.

Supply-chain compromise simulations

Other objectives could include supply chain compromise simulations (e.g., attempts to breach a financial organization via a simulated third party like an investment law firm or an HR outsourcing provider), since threat intel suggests attackers often target less secure partners to ultimately get to a bank. In summary, the red team’s role in finance is to continually probe institutions’ most critical systems and processes (payments, trading, customer data, etc.) against the tactics of top adversaries. These exercises help validate stringent controls and often provide assurance to regulators and boards that firms can withstand the kind of advanced attacks seen in headlines. It’s worth noting that financial services remain among the most targeted sectors globally. Mandiant’s threat report noted that 17% of its incident response investigations in 2023 involved financial services (the highest of any sector). This reality is why finance CISOs leave little to chance: red teaming is embraced as an essential practice, not just for compliance but for survival in a hostile threat landscape.

Tune in next week, where we’ll break down red teaming for healthcare and pharmaceuticals.