Cybersecurity must be a top priority for companies in the financial sector, due to its criticality and the potential impact of security incidents, both for customers and the industry as a whole.

European organisations that fit those criteria can’t go without knowing the Threat Intelligence-based Ethical Red Teaming (TIBER-EU) framework, created by the European Central Bank (ECB), which defines how Red Team testing should be conducted.

Let’s go through the main aspects of this framework.

What is TIBER-EU?

Simply put, TIBER-EU provides guidelines on how to mimic real attackers’ techniques and procedures, on the basis of threat intelligence, in order to test and improve organisations’ cyber resilience. A well-performed Red Teaming test should reveal the strengths and weaknesses of an entity, leading to targeted and effective corrective measures.

TIBER-EU may be adopted at a national level, or by EU institutions and authorities. The participation of entities in the TIBER-EU testing process may be either voluntary or mandatory, depending on their size, complexity, and reach. Although it was developed with the financial sector in mind, this framework can also be applied to other sectors (e.g. telecommunications), which makes it entity-agnostic and sector-agnostic.

Who is involved?

Implementing TIBER-EU is a multi-stakeholder process directly involving:

  • Entities required to undertake TIBER-EU tests
    Banks, credit rating agencies, stock exchanges, insurance companies, or any other critical financial service provider. 

  • Authorities responsible for overseeing the tests
    Central banks, supervisory authorities, intelligence agencies, relevant ministries, among others.

  • Threat Intelligence and Red Team services providers
    Independent third-party providers who actually conduct the tests.


6 core objectives

According to the ECB, TIBER-EU attempts to accomplish the following goals:

  1. Enhance the cyber resilience of entities, and of the financial sector as a whole.
  2. Standardise the way entities perform intelligence-led Red Teaming across the European Union (EU).
  3. Guide authorities on how they might establish, implement and manage Red Team testing at a national or European level.
  4. Support cross-border intelligence-led Red Team testing for multinational entities.
  5. Enable supervisory discussions where authorities seek to rely on each other’s assessments carried out using TIBER-EU.
  6. Create the protocol for cross-border collaboration, result sharing and analysis.

The TIBER-EU test process

The TIBER-EU framework includes three mandatory phases:

  1. Preparation
    It involves determining the teams and experts responsible for managing the test, defining the scope of the test, and choosing the Threat Intelligence and Red Team providers to perform the test.

  2. Testing
    It includes the threat intelligence analysis, subsequent Targeted Threat Intelligence Report (TTI Report) and the actual Red Team test.

  3. Closure
    It’s when the Red Team provider delivers a report containing all the findings and results, as well as recommendations for improvement. Then, it is the entity’s responsibility to work on a remediation plan.

Figure: European Central Bank’s representation of the TIBER-EU process

Risks of the TIBER-EU test

Given the criticality of the target systems and processes, there are certain risks involved in performing a TIBER-EU test, namely:

  • Denial of Service (DoS) incident
  • System crash or damage
  • Data loss or leak

That is why the TIBER-EU framework emphasises the need for a risk assessment prior to the test, accompanied by a strong risk management strategy throughout the whole process.

Which services does it apply to?

The TIBER-EU framework guides two of the most important cybersecurity services available for critical institutions, especially those in the financial sector:

  • Red Teaming
    A cybersecurity assessment in which an ethical hacking team simulates a complete attack against a company, by exploiting technical or human vulnerabilities that may grant access to specific assets or information. It aims to expose flaws in an organisation’s security strategy and to provide recommendations to improve it.

  • Threat-Led Penetration Testing (TLPT)
    A large-scale Red Team exercise, specifically designed for the financial sector, that simulates a comprehensive attack on an organisation’s assets, systems and processes, in order to identify and help fix security vulnerabilities. The goal is to improve the cyber resilience of critical financial entities, whose disruption might cause global systemic failure.

Conclusion

Guided by the ambitious goal of enhancing the cyber resilience of financial institutions across Europe, the TIBER-EU framework is built on three main pillars:

  1. Threat intelligence.
  2. Ethical Red Teaming.
  3. Collaboration between different financial stakeholders.

It is a comprehensive approach that serves as a baseline for critical services like Red Teaming and Threat-Led Penetration Testing. Organisations that undergo TIBER-EU testing are better equipped to face cyber threats and to protect their business operations and customer data.
