In the dawn of 2021, the world keeps fighting COVID-19, a pandemic that led to the emersion of resilience as a focal term in the public dialogue. In terms of resilience, 2020 has also been a year of greater adoption of TIBER-EU, a framework developed to test and eventually improve the resilience of the European financial sector against cyber attacks.

What is TIBER-EU

TIBER-EU is the European framework for threat intelligence-based ethical red-teaming. It is an EU-wide guide on how authorities, entities, threat intelligence and red-team providers should cooperate on a controlled cyber test that will eventually allow the tested organization to develop a stronger security posture.

TIBER-EU tests mimic the modus operandi of real threat actors, based on tailored-made threat intelligence. The attack simulation aims at testing the critical functions of an organization and its underlying systems, including its people, processes and technologies.

With the goal of reaching a higher level of cyber maturity, a TIBER-EU test intends to uncover the strength and weaknesses of the Critical Financial Institution (CFI) being in scope of the test.

The TIBER-EU framework is currently being implemented in several EU countries such as Belgium, Denmark, Italy and Netherlands, to name a few, while others are expected to follow.

The TIBER-EU Framework Process

There are 3 major phases in the TIBER framework process. In the preparation phase, the White Team (WT) initiates the scoping activities, the vendor procurement, the risk management activities and develops the test project plan. In the test phase, the Threat Intelligence provider (TI) procures a targeted threat intelligence report and the suggested test scenarios. In its turn, the Red Team (RT) develops and executes an attack plan. The TIBER process ends with the post-test activities which include reports deliveries, a test replay between the Blue Team (BT) and the RT, as well as the identification of remediation actions.

TIBER is nothing like the last Red team exercise you run. It requires lots of planning, communication, alignment, milestones and deliverables.

The White Team

The White Team (WT) has a key role as the facilitator of the test. The team is responsible for the planning and management of the test. According to TIBER-EU, the composition of the team comes at the very first steps of the TIBER process. Nevertheless, you might find yourself making amendments to the WT till right before the test execution. Reason is there are many unknowns by the time you are asked to put the team together.

The Scoping phase comes after the WT has been established. It is unrealistic to allocate/onboard Subject Matter Experts (SME) that early. Wait until the scope of your TIBER exercise is set. Remember both a business SME and technical SME is of great value to your project.

While putting together your WT, you need to abide by the confidentiality requirements of the project. The question that arises here is how to communicate your need for resources allocation without telling too much? You may use a short cover story through which you justify the resource allocation request without sharing too much as to what the real intention is. Before you do that, make sure that this approach does not collide with your organization’s culture. In addition, make sure you align with senior management on this approach.

The WT is a cell of trusted employees tasked to carry out the test in an timely and orderly manner. The number of the WT members needs to be as small as possible. Here is some advice as to what to consider:

  • You want to have a profile that understands and can manage risks
  • You want to have a profile that likely has tested the systems in scope and is aware of security control deficiencies
  • You want SME to support with critical information collection and critical decision making. Both business SME and technical SME is of value
  • You want to have members who can act as the WT proxies within the organization for critical information gathering, protecting at the same time the project confidentiality
  • Last but not least you likely want to have members in the WT that will assist with the leg up implementation before or during  the execution of the TIBER test.

The next post will focus on lessons-learned and advice to the White Teams, relating to the Procurement, Risk Management and Scoping activities of a TIBER-EU test.