TIBER-EU: A Framework for Red Team Penetration Tests to strengthen cyber resilience

With TIBER-EU, the European Central Bank has published a framework with which companies of the financial sector can better protect themselves against cyber attacks in order to avoid economic damage. An organisation's own cyber security can be checked by so-called "Red Team" penetration tests. Compared to a simple security analysis, this has the benefit that external attackers work under real conditions with professional attack methods. This reveals how far they can penetrate the existing infrastructure and to what extent the organisation could be damaged. Our SRC experts prepare your company optimally and individually for the execution of a TIBER-EU test.

In detail: What is TIBER-EU?

TIBER-EU serves to enable organisations to perform so-called threat or intelligence led penetration tests. This type of penetration test is intended to imitate the highly agile attack methods of actual attackers. This enables organisations to develop better prevention, security and control measures and to respond more quickly to threats. This strengthens their own cyber resilience. The TIBER-EU test resembles a military exercise. Attackers (Red Teams) and the defending organisation (Blue Teams) fight each other within the framework of a previously defined test scope. The Red Team attempts to attack an organisation's critical business functions and processes, steal data and disrupt the live operation of that organisation's production systems. This includes attacks against information technology systems as well as targeted attacks against employees and process structures.

What is not allowed in a TIBER-EU test?

Within the framework of the TIBER-EU tests, realistic methods are to be used. However, despite its realistic nature, such a test must not go beyond limits. It is not yet completely clear which attack methods are explicitly prohibited or permitted by the TIBER-DE Guide, which is still in development. Taking the Dutch TIBER-NL or Belgian TIBER-BE Guide as a basis for a first impression, they prohibit, e.g.:

  • the destruction of equipment,
  • uncontrolled modification of data and programmes,
  • endangering the continuity of critical business functions,
  • blackmail attempts against employees,
  • threats against employees,
  • bribery of employees of the organisation and
  • the publication of (partial) results of a TIBER-EU test.

What will finally be found in the TIBER-DE Guide remains to be seen. In principle, however, it can be assumed that there will be parallels to the guides listed above.

To whom is TIBER-EU addressed?

TIBER-EU is primarily addressed to financial market infrastructures and to organisations and institutions operating within financial market infrastructures. These include banks, insurance companies, payment service providers, clearing houses, central securities depositories, credit rating agencies, stock exchanges and payment institutions. If these organisations outsource critical business functions to IT service providers, TIBER-EU also addresses them. As a secondary effect, harmonisation measures could also oblige other sectors, such as electricity network operators or telecommunications providers, to carry out TIBER-EU tests.

Ready for a TIBER test?

To successfully perform a TIBER test, organisations must properly observe, implement and master the necessary technical, organisational and data protection measures.

Drawing on their extensive financial market, IT security and compliance expertise, our SRC experts offer you optimal and individual consulting services. With the experience gained from countless penetration tests, bank compliance and information security management projects, we are happy to accompany you through the entire process flow of a TIBER test. Further information can be found here.