Article written by Vito Rallo
TIBER, intelligence led red teaming that works
Back in 2018, the European Central Bank published the TIBER (Threat Intelligence-based Ethical Red teaming) framework. Inspired by the UK's CBEST and adapted to each European member state, TIBER governs cybersecurity assessments that aim to improve financial institutions’ resilience by mimicking real-life attacks. To do so, TIBER prescribes a red team exercise strictly led by threat intelligence-inspired scenarios.
If you’re reading this article, you probably already know about TIBER. Good - let’s skip the typical overview of TIBER and red teaming expertise claims, and get straight to the point. For those looking for more details, the official ECB paper is a good place to start.
This article focuses on the viewpoint of the red team provider (RTP) and discusses success factors identified on the basis of experience. It’s important to appreciate that the TIBER framework has evolved over the years, overcoming pitfalls, to finally focus on the essential aspect: reciprocal value creation. If you’re leading an ethical hacking team, there are insights to be had here that may spare you some unnecessary frustration. If you’re leading the security team of a financial institution, then this is a chance to discover together how to spend money wisely and make the TIBER exercise a success.
When winning isn’t about winning
A service provider should focus primarily on three aspects aligned with the essence of the framework: cyber resilience, quality and value. Quality comes with experience, skills and certifications, but it is also about the approach (in red teaming vocabulary, ‘tactical exploitation’): the provider must adapt every aspect of its work to the constraints of a regulated test.
The value aspect is trickier: the goal is a real-life inspired experience, in a challenging game where three players - the regulator, the institution and the provider - are trying to win. Paradoxically, this makes it easy to end up ‘losing’ and missing the opportunity to create value for everyone involved.
For ethical hackers, success is often defined in terms of ‘capture the flag hacking’. For the bank, success means making sure that the red team provider doesn't win while avoiding criticism from the regulator. The regulator meanwhile is auditing the cybersecurity controls in place at the financial institution. In brief: a recipe for disaster.
Nothing could be further from the spirit of TIBER. It's a framework designed around feedback and collaboration where ideas, opinions, results and comments are part of a constructive process that starts from the modus operandi of a possible attacker (the threat intelligence), and which provides insight into the many aspects of a bank's security operations (secops).
A key ingredient in the recipe for success is setting the right mindset across the entire exercise, aligning the red team’s understanding and goals, setting proper and realistic expectations, and always highlighting the reciprocal benefits of fruitful and positive cooperation. Call it the W3 if you will, not referring to the web but rather a three-way win-win-win for all parties involved.