The European Central Bank yesterday launched its TIBER-EU (Threat Intelligence-Based Ethical Red Teaming for the European Union) framework for financial institutions regulated within the EU. In short, there is a new voluntary framework for threat intelligence-led red-teaming exercises that has been published by the European Central Bank (the Central Bank for eurozone economies). The framework does the following:
- It specifies that if national authorities adopt it (most are expected to), the financial entities they supervise must undergo a red-team test guided by a threat intelligence assessment of the tactics, techniques, and procedures (TTPs) that would be used to attack specific systems of interest. The aim is to mimic the reconnaissance phase of a targeted attack against a financial entity.
- The red-team test is performed on live production systems with very little warning. (Only a very small number of people within the entity will know about the test in advance.)
- The test is performed to test out how effective, in a real-life scenario, the financial entities’ detection and response capabilities are. There is then the usual wrap-up and reporting of areas of strengths and weaknesses, with remediation agreed upon with the entity.
- A test, once conducted in one country, is then valid for all the countries in which the financial entity operates; this is intended to prevent duplicate testing being demanded by multiple financial services supervisory authorities in different countries.
- Red-team and threat intelligence providers must be external.
The basic premise of the framework is to conduct red-teaming based on a scope of work developed using threat intelligence to understand the target organization's threat model. The exciting thing about this approach is that the red-team simulations are driven by the intelligence indicators actually observed during the threat assessment, rather than by a generic test plan.
I see the following challenges with the adoption of this framework:
- Unclear requirements for the TTI report. One of the key issues in TIBER-EU is that the precise requirements of the Targeted Threat Intelligence (TTI) report are not well specified. This leaves quite a lot of ambiguity as to what is really expected by authorities from the TTI report. Giving threat intelligence very specific requirements will increase the value of the testing process. Getting this right is crucial to the success or failure of the framework. Poor-quality TTI reports will impact the effectiveness of the testing as well as the value that the financial entity gets from the process.
- The requirement to operate within the law limits the red-team tests. The adversary we are all defending against is not bound by legal rules and regulations; anything goes in their world. Red-team and threat intelligence providers, by contrast, are specifically required by the framework to stay within the limits of what local laws and regulations permit. This means that in some jurisdictions (e.g., Germany, where Section 202c of the Criminal Code imposes very stringent constraints on conduct in this area), the tests will be limited to very specific scopes that are predefined and agreed upon in advance by the white team within the financial services organization and by the regulator before the test happens. It is important to recognize that the point of the framework is to improve cyber resilience, not to cause impact to consumers and businesses.
- The framework is voluntary, so widespread adoption is critical to its success. Because the framework is not compulsory, coverage could be inconsistent if some EU member states decide not to adopt it. The key point is that it is left to national financial services regulators to determine whether to adopt the testing regime, so it is important for the longevity of the framework that as many EU financial services regulators accept it as possible. If uptake is not strong, the framework could see the same uptake and longevity issues as the CBEST framework in the UK, which has not been expanded to other sectors as was initially expected.
If these challenges can be overcome in the implementation of the framework by the financial services industry, regulators, and the security services market, then this approach is a welcome step to improving cyber resilience across the eurozone financial sector. I, for one, hope to see it succeed.