Awarded to Nettitude Limited

Start date: Wednesday 15 April 2020
Value: £150,000
Company size: SME
Cabinet Office

Provide a red team for an exercise

24 Incomplete applications

24 SME, 0 large

21 Completed applications

12 SME, 9 large

Important dates

Published
Friday 26 February 2021
Deadline for asking questions
Friday 5 March 2021 at 11:59pm GMT
Closing date for applications
Friday 12 March 2021 at 11:59pm GMT

Overview

Off-payroll (IR35) determination
Summary of the work
We are building a mock sensitive workload in a real public cloud environment to better understand securing such systems. We require a strong 'red team' to simulate an advanced and motivated adversary attempting to compromise the confidentiality, availability and integrity of the environment.
Latest start date
Thursday 15 April 2021
Expected contract length
3 months
Location
No specific location, for example they can work remotely
Organisation the work is for
Cabinet Office
Budget range
Our budget range is £100k - £150k. We expect to pay for a bundle of professional services on a "not to exceed" basis. This could be based on monthly timesheet reporting or a blended team rate.

About the work

Why the work is being done
Government has a strong interest in using hyper-scale cloud environments effectively to operate its digital services. In this exercise, the Government Security Group within the Cabinet Office is running a hypothesis-driven simulation to learn more about how to operate public cloud environments with sensitive workloads.

You will work with a 'build' team who will create an AWS environment against which security hypotheses can be designed and tested. You will form the 'break' team of the exercise, to create a credible threat tree and to test those assumptions and controls. We would like your activities to commence by 1 April and take roughly three months to complete the exercise.

The approach of the assessment will be highly collaborative, with co-created learning outcomes forming the primary engagement deliverables. The engagement will demonstrate preference for actionable recommendations over formal artefacts or documentation, and be flexibly informed by findings and discussions during the course of the engagement.
Problem to be solved
Public cloud environments are necessarily internet-connected and also vulnerable to compromise of administrator and developer credentials and end user devices. As far as possible, we would like to prototype and demonstrate tactics and controls to prevent, mitigate or discover attacks to the confidentiality, integrity and availability of a system in a public cloud, including via admins, developers and development pipelines.

Because we are interested in the characteristics of sensitive government workloads, we are assuming (and wish you to simulate) competent, motivated and patient adversaries.
Who the users are and what they need to do
As a technical architect, I need to safely define and configure cloud-based IaaS and SaaS services so that I can deliver digital service capability safely and efficiently.

As a service owner in government, I need to understand the security characteristics of my system so that I can understand how to operate and protect it.

As a security monitoring team, I need access to logs and events so that I can protectively monitor a digital application.

As a DevOps team, I need scripts that can completely define a cloud-based service so that I can statically inspect, deploy and monitor my system.

As a software developer, I need a development environment and pipeline which allows me to do my job and protects a sensitive workload.

As a system administrator, I need to operate public services cost-effectively, taking advantage of commercial IaaS, PaaS and SaaS offerings so that I can deliver defensible services to my users with good value for money.
Early market engagement
We have discussed this exercise informally with a number of stakeholders in and out of government. The main theme to emerge is the need for close collaboration between the 'build' and 'break' teams of the exercise to jointly define and scope the security controls being tested. We have also heard a strong preference to engage with other stakeholders in government who have indicated a willingness to observe and contribute to the exercise.
Any work that’s already been done
We have not carried out a formal Discovery, but have engaged widely with stakeholders in the Ministry of Defence, the National Cyber Security Centre and other units of the Cabinet Office to define and scope this exercise.

Of course, we assume that you are aware of NCSC Cloud Security Principles and other standards for operating safely in the public cloud.
Existing team
You will work with two teams:

- The Government Security Group Capabilities Team, a group of six people who will control the project and observe the results;

- A build team of three people who will develop the cloud environment and implement the security controls that you and others recommend.

We would like you to sign a letter of cooperation with the supplier of the build team.
Current phase
Discovery

Work setup

Address where the work will take place
We expect you to work remotely for this engagement. The Cabinet Office is located in London.
Working arrangements
We would like you to participate in initial scoping workshops. Following this, the 'build' team will build out more of the public cloud environment. You will then undertake a red team engagement attempting to exploit vulnerabilities in the public cloud-based system. We anticipate several rounds of this engagement, alternating red team and build team activities as we make changes based on your recommendations.

We expect you to be working remotely and to engage with our team regularly via videoconference, text-based chat and email.
Security clearance
Team members should have SC clearances or higher.

Additional information

Additional terms and conditions
We will be asking you to sign a non disclosure agreement if you undertake this work.

Skills and experience

Buyers will use the essential and nice-to-have skills and experience to help them evaluate suppliers’ technical competence.

Essential skills and experience
  • Provide a cyber "red team" capable of simulating an advanced persistent threat
  • Have experience evaluating the security characteristics of public cloud environments, including administration and code development pipelines and endpoints
  • Provide clear, actionable recommendations for remediation of identified vulnerabilities
Nice-to-have skills and experience
  • Have the ability to simulate nation-state level advanced persistent threats

How suppliers will be evaluated

All suppliers will be asked to provide a written proposal.

How many suppliers to evaluate
5
Proposal criteria
  • Cybersecurity capability of the team
  • Methodology for evaluating security vulnerabilities of public cloud environments
  • Agility of the team and approach
  • Relevant cyber certifications of the supplier and team
Cultural fit criteria
  • Work as a team with our organisation and the 'build' partner on the engagement
  • Be transparent and collaborative when making decisions
  • Share knowledge and experience with other team members, including the 'build' partner
  • Have a no-blame culture and encourage people to learn from their mistakes
  • Value actionable learning as an end in itself
Payment approach
Capped time and materials
Additional assessment methods
Evaluation weighting

Technical competence

60%

Cultural fit

20%

Price

20%

Questions asked by suppliers

1. Questions about security clearance levels:

We have the capabilities, certification and experience to do this but will have trouble in putting together a full SC cleared red team. We will sign the NDA. Would that suffice?

We currently don’t have SC clearance. Will the SC clearance application be expedited by the CCS if we provide a winning bid?

In terms of clearances, will you accept SC equivalent from a FVEYs (Five Eyes: UK/US/CAN/AUS/NZ) partner?

SC level will not be required in advance of commencing the exercise. Cabinet Office is willing to sponsor any needed clearances once the supplier is under contract.
2. Question about the build team:

The 'build' team: Will there be three people on the Cabinet Office side?

The build team will consist of approximately three people fielded by the Cabinet Office, yes. You are not asked to bid on this.
3. Questions about the target environment:

Could you advise the types of applications within the target infrastructure?

Would it be correct to assume the emphasis is at the application layer as opposed to network?

We will simulate components found in typical workflows. There will be a case management component, web form-based interfaces, an administrator web-based application, repositories for holding data and files, etc. We will use commodity IaaS services running our own code and also use some SaaS components for common applications like mail, casework and directory services. We will simulate publishing and consuming APIs.

It is fair to say that we are putting emphasis on the application and management layers, but network vulnerabilities, especially in the configuration of the virtual private networks and the connections between components, are definitely fair game.
4. Questions about the public cloud:

What is the cloud environment?

Will this be a mixed environment or single OS environment? If so, what will be the deployed OS?

The cloud environment will be AWS.

We would expect to deploy a mix of operating systems; most likely Linux and possibly Windows servers, and probably Windows and macOS developer and administrator workstations. Depending on how we set up the simulation, we might model the developer and administration workstations using virtual desktops.
5. Question about the team:

How many person hours will be needed for this exercise? How many red team members do you think will be needed?

It is up to the supplier to put in a fair bid for red team members. We were assuming a small team of around three people would be sufficient, but we will consider reasonable propositions from you.
6. Questions about code and deployment:

For the code development pipelines, will there be a full CD/CI pipeline?

Will it be an automated build and test pipeline?

What source code will be stored in the version control system?

In line with good industry practice, we would expect to deploy a complete continuous development and integration pipeline, as automated as possible. We are quite interested in the supply chain attacks possible on this pipeline.

We would store all code needed to build the infrastructure itself, as well as the application code that will run in the environment for all IaaS and PaaS components that we use. Configuration for SaaS components should also be stored where possible.
7. Question about simulated users:

Will there be simulated or actual users of this cloud infrastructure and code development pipeline?

We will have actual users of the code development pipeline; the "blue team" will be using this to make changes to the applications and infrastructure in the environment. We will be weaker on simulation of actual end users of the environment; we may try to script some typical user interactions, but this can be difficult and time consuming, and we're not sure yet on the level of fidelity that we will reach.
8. Question about specific attacks:

Are there any specific attacks and/or nation state APTs you would like simulated?

There are not specific attacks that we are expecting you to carry out; we are assuming motivated attackers interested in compromising our environment for reasons of either espionage or disruption. Given the nature of the exercise, we are particularly interested in developing reusable patterns for the secure administration of, and deployment to, public cloud infrastructures.