This opportunity is closed for applications

The deadline was Wednesday 29 July 2020
Richmond upon Thames College

red team assessment

14 incomplete applications (9 SME, 5 large)

17 completed applications (13 SME, 4 large)

Important dates

Published
Wednesday 15 July 2020
Deadline for asking questions
Wednesday 22 July 2020 at 11:59pm GMT
Closing date for applications
Wednesday 29 July 2020 at 11:59pm GMT

Overview

Summary of the work
RuTC requires a “Red team” exercise using appropriate tactics, techniques and procedures to emulate a real-world threat with the goal of training our (Blue) team and measuring the effectiveness of the people, processes, and technology used to defend our IT environment.
Latest start date
Thursday 1 October 2020
Expected contract length
Maximum 3 months
Location
London
Organisation the work is for
Richmond upon Thames College
Budget range
Maximum £30,000 GBP inc VAT

About the work

Why the work is being done
RuTC requires a “Red team” exercise using appropriate tactics, techniques and procedures to emulate a real-world threat with the goal of training our (Blue) team and measuring the effectiveness of the people, processes, and technology used to defend our IT environment.

This work should be completed before the end of October 2020 - and sooner if possible.
Problem to be solved
We anticipate the use of the latest tactics employed by real-world threat actors to aid the successful delivery of the services, which we have split into a three-stage scenario approach to help us gain clarity on the current security risks associated with the areas reviewed.

Bidders are required to detail their approach, tools, tactics and procedures regarding the execution of the three scenarios below:
• Scenario 1: Assumed compromise
• Scenario 2: Virtual Desktop Infrastructure (VDI) breakout
• Scenario 3: Ransomware

Bidders should advise the steps that they intend to take for each scenario. For example:
• Testing
• Execution
• Assessment
• Reporting

Deliverables
1) Report to include sufficient technical detail to enable defence against the threat types addressed, and an assessment of the effectiveness of existing measures against penetration.
2) Workshop at the end of the assessment to achieve effective knowledge transfer.

Response Format:

Scenario 1: Assumed compromise..........Days
Scenario 2: Virtual Desktop Infrastructure (VDI) breakout..........Days
Scenario 3: Ransomware..........Days
Detection and response workshop..........Days
Reporting..........Days
Total Days................
Total fees inc VAT £......................

Bidders are welcome to submit further information to supplement the above table, particularly explaining how the services will be provided and any options available to RuTC.
Who the users are and what they need to do
As a Further Education College IT Department, we need to ensure that all networks and systems are secure from attack in order to protect data and ultimately the data subjects.

We can provide a standard-build computer and dedicated user account to assist with the 'assumed compromise' scenario.
Early market engagement
Any work that’s already been done
Existing team
The College has a small dedicated IT team with a mixture of skills and abilities.
Current phase
Not started

Work setup

Address where the work will take place
Twickenham, Middlesex, for the workshop element
Remote working is envisaged for the most part
Working arrangements
We are open to suggestions on appropriate methods of working to complete this work.
Security clearance
Bidders should provide details of their security credentials and the standards to be employed in this work.

Additional information

Additional terms and conditions
The basis of the price shall be fixed and inclusive of all costs for the contract term. Proposed prices should remain valid for 90 days from the date of the submission.

Skills and experience

Buyers will use the essential and nice-to-have skills and experience to help them evaluate suppliers’ technical competence.

Essential skills and experience
  • Demonstrate considerable recent experience in delivering the defined requirements
  • Demonstrate ability to deliver within the timescales
  • Produce a report which is useful to management and engineers alike
  • Keep all data 100% safe
  • Maintain confidentiality throughout so as not to compromise outcomes
  • Provide two relevant references to confirm the above
Nice-to-have skills and experience
Demonstrate experience with Further Education Colleges or similar

How suppliers will be evaluated

All suppliers will be asked to provide a written proposal.

How many suppliers to evaluate
3
Proposal criteria
  • Approach and methodology
  • How the proposed solution meets the goal as described
  • Risk Management approach
  • Value for Money
Cultural fit criteria
  • Place a strong value on learning
  • Demonstrate Integrity
  • Work with us as a team
  • Aspire to excellence
  • Demonstrate respect for others
Payment approach
Capped time and materials
Additional assessment methods
  • Case study
  • Work history
  • Reference
Evaluation weighting
  • Technical competence: 30%
  • Cultural fit: 10%
  • Price: 60%

Questions asked by suppliers

1. Digital Marketplace limits responses to 100 words for each question and does not allow attachments.
Is there a way to submit additional detail to this tender?
If further information is required, this can be submitted in an email to ian.rule@rutc.ac.uk, to be sent at the time of bid submission. Emailed submissions should not exceed 4 pages of 11-point type, and must adhere to the spirit of good procurement practice. This email address is not to be used for any other purpose.
2. Is it intended that the requirements be met by an individual, or a team?
We are open to approaches from individuals or teams, but suspect that the requirements around security credentials, track record and the nature of the work itself would tend to indicate a team/corporate approach.
3. Can you confirm the VDI version in use?
We use VMware - further details can be provided at a later stage if required.
4. Do you require actual attacks or is it a 100% desktop exercise?
We anticipate this being a simulated attack with activity being triggered such that the 'blue' team can have the opportunity to respond and that response be assessed as part of the exercise. Of course, any activity needs to be carefully managed and fully restored afterwards.
5. Do you require a phishing attack and for an empty payload to be launched?
Scenario 1 commences from the presumption that a user has succumbed to a phishing attack and the account/machine is therefore compromised already. We will provide a staff machine and dummy staff account for you to use for this purpose.
6. a. Is the priority on simulating TTPs of current threat actors or is there an end goal in place such as sensitive financial data, research material?
b. If the latter, could you please provide further information on the end goals and size of estate.
It is the former - we want to test the resilience of our systems and preparedness of our team. Clearly some data will be more sensitive than others but we are not targeting any particular material.
7. Scenario 3 – Ransomware: Please can you provide more information on the end goal of this scenario and the risk appetite, as there are different ways this can be completed depending on the end goal.
The end goal is to establish whether a threat actor could effectively launch a ransomware attack. This must be done safely and any actual damage must be capable of swift rectification.
8. Post-test training:
a. Would you like dedicated practical technical training on the TTPs or a wash up meeting and higher level overview of successful techniques?
We anticipate an element of training for the team, as part of a workshop which could be over a number of days, to establish improvements in team processes and procedures, and detection capability. Assuming compromise was achieved, this would include showing the Blue team how that was done and how it can be prevented in future.
9. Is the penetration test / exercise to take place on the customers network or a separate test LAN?
This will be on the live network.
10. The requirements outlined in "Problem to be solved" suggest, "Bidders are welcome to submit further information to supplement the above table" outlining our approach to the required scenarios, timescales and pricing.
This information is usually provided during the Phase 2 stage of a DOS bid.
Can you please confirm if you require additional/supplementary information to be provided to address our approach, tools, tactics and procedures (inc. timescales and pricing) for the 3 scenarios; in addition to the 7 specific "essential skills/nice to have" questions?
We are not seeking any particular detail at this stage - this can be picked up following shortlisting if necessary. All we require at this stage is sufficient context for the quotation being provided, to establish some comparability on likely effectiveness and value for money.
11. Security Clearances: You have stated that "Bidders should provide details of their security credentials and the standards to be employed in this work"
Would you like this information provided within our "Essential/nice to have" answers, or should we provide details of this within a supplementary document?
Please provide this within the bid answers if possible. If further detail is required, this can be submitted as indicated in the answers above.
12. Are suppliers required to emulate a specific threat actor?
Do RuTC believe/know they are being targeted by a specific region of the world?
Will there be a white team to assist with the facilitation of activities? (Eg: Internal set-up for initial access)
Confirm the VDI breakout is simulated? Will a test environment be provided for the VDI breakout?
Are there any devices out of scope?
What defines an 'end game' for each scenario?
Are Social Engineering techniques within scope?
Will there be interaction with the Blue team or an RuTC administrative arm prior to the commencement of key phases?
I am not an expert and do not necessarily understand all of your questions. This is a general test, there are no specific threats in mind. We will provide some assistance with setup. All will be on the live environment - see questions above. Social Engineering techniques would be within scope. Happy to discuss interaction with Blue team, that may be helpful.
13. Is this a notation attack or record of activity surrounding an installed-to-device simulated attack?
Will e-mails be provided or is this a Black Hat assessment?
Once a server is compromised, can the supplier adjust security configuration to enable more efficient, further access for simulated malware?
Will this be a notation attack or record of activity surrounding an installed-to-device simulated attack?
Can suppliers install software on to compromised devices?
Are there any sensitive or proprietary devices/systems that may fall over if attacked?
Are there any key devices that we need to inform prior to the commencement of an attack?
I am not an expert and do not necessarily understand all of your questions. Please make assumptions where necessary and we can discuss after shortlisting if need be. We will provide you with a user account and email address. Settings can be altered and software installed but all activity must be recorded and operated safely, and rectified quickly afterwards. We will advise if some devices need to be protected.