Test execution and Leg-Ups
In the Test Phase, the execution of the RT Plan occurs. The plan itself should accommodate situations where certain planned actions cannot be performed, or in other words, where these actions need to be assisted by the WT. In the TIBER-EU context, such an assisted action to the RT is referred to as a leg-up.
Leg-ups need to be associated with each of the RT Plan scenarios. Leg-ups need to be thought through, specific and agreed upon with the WT. In turn, the WT should plan carefully for leg-up execution so that the test is neither delayed nor disclosed to the organization.
As unforeseen events, such as service or security incidents, may be inevitable during test execution, the WT should plan for these unforeseen events in the overall project plan and more specifically in the RT Test Plan. Failing to do so might incur delays and subsequently increase the project cost. Giving a reasonable buffer time, whenever possible, for each scenario execution will prove a wise decision when unexpected events force the WT to pause the test temporarily.
The WT Success Criteria
To identify meaningful success criteria, you may revisit the WT’s mission statement. The TIBER WT is responsible for the overall planning and management of the test, in accordance with the TIBER-EU Framework. The White Team must ensure that the TIBER-EU test is conducted in a controlled manner, with appropriate risk management controls in place, while maximizing the learning experience for the entity.
The White Team's set of responsibilities also indicates what constitutes success.
- First, you want all activities the WT undertakes or oversees to bear the appropriate level of risk
- Then, you want to facilitate the simulation of the identified threat actors as realistically as possible
- Last, you want to do that in an orderly and timely manner
In short, minimize risk, maximize learnings.
The appropriate level of risk is very dependent on the CFI to be tested. It has to do with the organization's risk appetite. Being overly risk-averse might deprive you of important lessons. Conversely, not being risk-aware can create unpleasant incidents that will affect the orderly test execution. The level of ambition a WT has depends on the profile of the entity to be tested but also its cyber maturity. Be realistic with the goals you set.
The final notes
Ensure a resilient setup whenever possible. A TIBER project will run for about a year during which changes to the WT, TI and RT might happen. Introduce deputy lead roles for a smooth test execution.
Keep notes! It will prove the right decision when you reach the Closure phase and need to deliver the WT Report, the Remediation Plan and other important deliverables.
Moreover, have a communications plan ready. Remember you want to facilitate the test without creating confusion, while protecting its confidentiality at the same time.
Being the WT, you will need to be in control of escalations. Ensure the WT has a way to monitor critical processes, such as the Incident Management, Security Incident Management or Crisis Management processes, that are likely to be triggered because of the test.
In addition, make space for the unexpected. In a tight RT Test Plan, a slight delay may jeopardize the timely execution of the test and incur financial impact.
Last but not least, aim at being in control of the test while it is executed, by holding regular briefing calls with the RT Lead, establishing a secure chat channel and having a good grasp of the imminent test activities. Access to an up-to-date Inventory of Assets / CMDB is strongly encouraged.