Threat Intelligence-Based Ethical Red Teaming
The Digital Operational Resilience Act (DORA) and the TIBER-EU (Threat Intelligence-Based Ethical Red Teaming for the European Union) framework are complementary initiatives designed to enhance the cybersecurity and operational resilience of the European financial sector. While DORA provides overarching regulatory guidelines, TIBER-EU offers a specific methodology for conducting rigorous security assessments.
TIBER-EU Framework:
- Threat Intelligence: TIBER-EU emphasises leveraging current and relevant threat intelligence to simulate realistic attack scenarios, ensuring assessments align with the evolving threat landscape facing financial institutions.
- Red Teaming Exercises: The framework employs ethical hacking techniques and tactics, mimicking sophisticated cyberattacks, to comprehensively evaluate an institution’s defences. This includes exploiting vulnerabilities, attempting unauthorised access, and assessing the effectiveness of security controls.
- Scenario-Based Assessments: TIBER-EU employs a scenario-based approach, tailoring simulations to reflect plausible cyber threats and attack vectors that are relevant to each institution’s specific operational environment, systems, and assets.
- Collaborative Approach: TIBER-EU encourages collaboration among financial institutions, regulatory authorities, and national competent authorities. This facilitates information sharing, best practices, and collective defence strategies, enhancing sector-wide resilience.
- Detailed Reporting & Recommendations: Following assessments, TIBER-EU mandates comprehensive reporting, detailing findings, vulnerabilities exploited, and recommendations for improving cybersecurity defences. This enables institutions to prioritise remediation efforts and effectively enhance their security posture.
- Continuous Improvement: Recognising the dynamic nature of cyber threats, TIBER-EU promotes a culture of constant improvement. Financial institutions are encouraged to conduct regular assessments, adapt to emerging threats, and refine their cybersecurity strategies to maintain resilience effectively.
TIBER-EU Test Process:
- Preparation Phase:
  - Scope Definition: Identify and define the objectives, scope, and boundaries of the red team exercise based on organisational requirements, systems, networks, and assets.
  - Rules of Engagement (RoE): Establish a clear RoE outlining permissible actions, targets, techniques, and constraints for the red team.
- Threat Intelligence Integration:
  - Incorporate relevant and current threat intelligence to inform and guide the development of realistic and plausible attack scenarios, tactics, techniques, and procedures (TTPs).
- Red Team Execution:
  - Conduct simulated cyber-attack scenarios using advanced techniques, tools, and methodologies to exploit vulnerabilities, bypass security controls, and assess detection and response capabilities.
  - Collaborate with stakeholders, regulatory authorities, and national competent authorities throughout the testing process to facilitate information sharing, coordination, and approval.
- Assessment & Analysis:
  - Evaluate the organisation’s detection, response, and recovery capabilities based on red team findings, insights, and observations.
  - Analyse exploited vulnerabilities and identify weaknesses and areas for improvement within the cybersecurity infrastructure and processes.
- Reporting & Recommendations:
  - Generate comprehensive reports detailing findings, exploited vulnerabilities, recommendations, and actionable insights.
  - Prioritise remediation efforts, develop mitigation strategies, and enhance cybersecurity defences based on red team findings and recommendations.