Red team providers
An intelligence-led red team test mimics the TTPs of real attackers on the basis of bespoke threat intelligence. In doing so, it looks to target the people, processes and technologies underpinning the CFs of an entity in order to test its protection, detection and response capabilities with no foreknowledge.
It allows the entity to understand its real-world resilience by stressing all elements of its business against the TTPs of the threat actors that are specific to its organisation. The intelligence-led red team test provides a comprehensive end-to-end understanding of weaknesses present in people, business processing, technology, and their associated intersection points, and provides a detailed threat assessment which can be used to further enhance the entity’s situational awareness.
Intelligence-led red team tests differ from conventional penetration tests, which provide a detailed and useful assessment of technical and configuration vulnerabilities, often of a single system or environment in isolation. However, they do not assess the full scenario of a targeted attack against an entire entity (including the complete scope of its people, processes and technologies).
During the procurement process, entities must ensure that RT providers with the requisite skills are hired to perform intelligence-led red team tests, and these should not be confused with penetration testing services.
The role of RT provider
The RT provider plans and executes a TIBER-EU test of the target systems and services, which are agreed in the scope. This is followed by a review of the test and issues arising, culminating in a Red Team Test Report drafted by the RT provider.
The RT provider should expand on and execute the established threat scenarios identified by the TI provider and approved by the entity. The threat scenarios are developed from an attacker’s point of view. The RT provider should indicate various creative options in each of the attack phases based on the various TTPs used by advanced attackers, in order to anticipate changing circumstances or to have alternatives ready in case other attack methods do not succeed during the test. The scenario development is a creative process, and TTPs should not simply mimic scenarios seen in the past but should look to combine the TTPs of various relevant threat actors. The RT provider should aim to assess the cyber resilience posture of the entity in the light of the threat it faces.
The RT provider should follow a rigorous and ethical red team testing methodology, and should meet the minimum requirements defined in the TIBER-EU Framework, as set out below. The rules of engagement and specific testing requirements should be established by the RT provider and the entity.
The RT provider must demonstrate a willingness to work closely with the TI provider, which includes reviewing and commenting on the intelligence deliverables as well as transforming the threat scenarios into a cohesive and tractable Red Team Test Plan. Furthermore, the RT provider is expected to liaise and work with the TI provider throughout the testing in order to update the threat intelligence assessment and attack scenarios with relevant and up-to-date intelligence. Lastly, the RT provider is expected to work with the TI provider in order to design and deliver the final report issued to the entity.
RT provider requirements
To ensure that the RT provider is able to furnish the deliverables cited above in an effective and safe manner, it must display the highest standards. Consequently, the TIBER-EU Framework requires RT providers to meet specific requirements to also ensure that the test is recognised by the relevant authorities. The core requirements below are set to ensure that only the highest-quality providers, with sufficient experience and capabilities, can contribute to red team tests on the most critical functions of entities.
All TIBER-EU tests will require a red team, composed of a Red Team Test Manager and red team testers. A red team should comprise a mix of staff with a broad set of skills and experience, in areas such as red team testing, penetration testing, reconnaissance, threat intelligence, risk management, exploit development, physical penetration, social engineering and vulnerability analysis. The size of the red team will depend on the entity being tested, the scope of the test, and the specific skills and expertise required to deliver the test.
Table 3 - RT Provider requirements to deliver TIBER-EU tests
| Who | Requirements |
|---|---|
| RT provider (at company level) | At least five references from previous assignments related to intelligence-led red team tests<br>Adequate indemnity insurance in place to cover activities which were not agreed upon in the contract and/or which stem from misconduct, negligence, etc. |
| Red Team Test Manager – responsible for the end-to-end management of the TIBER-EU red team test | Lead and oversight of the RT provider’s activities for delivering a TIBER-EU test are ensured by a Red Team Test Manager<br>Sufficient experience of the Red Team Test Manager in red team testing. Expectation: at least five years of experience in red team testing, including three years managing intelligence-led red team tests in the financial services industry<br>Up-to-date CV and at least three references of the Red Team Test Manager from previous assignments to be provided to the entity, specifically in red team testing activities<br>Background checks on the Red Team Test Manager by the RT provider (as a minimum). Enhanced background checks are conducted as required by the national authorities<br>The Red Team Test Manager must have appropriate recognised qualifications and certifications (as set out in Annex 1) |
| Red team (all members of the team, except for the Red Team Test Manager) – responsible for conducting the TIBER-EU red team test | Sufficient experience of the red team members. Expectation for each member: at least two years of experience in red team testing<br>Up-to-date CV for each member of the team to be provided to the entity<br>Multi-disciplinary composition of the red team, with a broad range of knowledge and skills, such as: business knowledge, red team testing, penetration testing, reconnaissance, threat intelligence, risk management, exploit development, physical penetration, social engineering, vulnerability analysis and combinations thereof<br>Background checks on each member of the red team are conducted by the RT provider (as a minimum). Enhanced background checks are conducted as required by the national authorities<br>The red team members should have appropriate recognised qualifications and certifications (as set out in Annex 1) |
It is the responsibility of the entity to ensure that the RT providers meet these requirements prior to formalising any test, and therefore it should undertake thorough due diligence during its procurement process.
However, it is recommended that the entity delegate this responsibility to accreditation and certification bodies in the EU. As soon as there is sufficient capability in the EU to conduct TIBER-EU accreditation and certification of RT providers and their staff, respectively, the entity should opt for only TIBER-EU accredited and certified RT providers[^1]. The Services Procurement Guidelines will be updated by the TIBER-EU Knowledge Centre when such capability is deemed to be in place.
Guiding principles and criteria for selecting RT providers
When an entity decides to undertake a TIBER-EU test, one of the most significant decisions will be its selection of the RT provider. Given the sensitivity of the test, it is critical that the entity makes an informed decision about its procurement, ensuring that the highest-quality RT provider, which possesses the requisite skills, resources and capabilities to deliver a red team test, is chosen.
This section sets out the guiding principles and criteria for the entity to consider during its procurement process and when evaluating the capabilities of an RT provider. These principles are of a more qualitative nature than the requirements set out in Section 4.2, and thus entities should look to integrate these principles and criteria in their request for proposals and bilateral discussions with prospective providers, aided by the questions in Annex 3.
RT provider’s reputation, history and ethics
Three of the most important criteria for a buyer of red team testing services are the reputation and history of the RT provider and the ethical conduct it both adopts and enforces.
A suitable and reputable RT provider should be able to clearly demonstrate its knowledge and expertise in red team testing. This should be focused on highlighting areas where risk to the entity can be minimised – such as understanding the legal and ethical challenges, and how their processes and methodologies will deliver results, whilst taking a risk-based approach.
Mature and capable RT providers are generally those that have conducted multiple assignments already for a broad range of entities in different jurisdictions; have first-hand experience of the issues and complexities involved; have a good depth and breadth of experience and knowledge of the financial services industry; and have appropriate processes and capabilities to conduct tests on a variety of critical functions and information systems.
Governance, security and risk management
It is important that the RT provider gives a high priority to governance, security and risk management. A competent RT provider should be able to provide assurances that the security of and risks associated with the entity’s critical systems and confidential information (together with any other business risks) will be adequately addressed. The RT provider should be able to ensure that the results of its tests are generated, reported, stored, communicated, redacted (if necessary) and destroyed in a manner that does not put entities at risk.
During any red team test, it is likely that the red team will encounter sensitive or business-critical data related to the entity or its third party suppliers. The entity should ensure that the RT provider fully understands the sensitivity of this, and should put in place all the appropriate security objectives, policies and procedures to address these possible situations, including for data of the entities’ third party suppliers which are in the scope of a TIBER-EU test. Overall, the entity will need to be comfortable that it can trust the RT provider and its individual testers.
Suitable and mature RT providers should have a robust ISMS with a bespoke security control framework and appropriate certification, based on recognised international standards. Examples of such certifications are included in Annex 1. The ISMS should define a clear governance structure and processes, which are effectively established, implemented, operated, continuously monitored, tested, reviewed, maintained and improved.
The entity should request the RT provider to furnish evidence of its relevant internal information security policies that ensure the security and resilience of its services and methods. The entity should analyse these pieces of evidence, ensuring that they are aligned with the RT provider’s high-level security objectives.
Methodology
RT providers should have robust methodologies in place to conduct the most advanced and innovative forms of red team testing. The RT provider should aspire to conduct the highest-level tests, such that they can mimic a nation state actor and demonstrate sophistication, agility, use of advanced techniques and perseverance to match the level of defence of an entity. The RT provider should have processes in place to be able to clearly explain its methodologies, how they evolve and how they result in effective and high-quality red team tests.
Staff competence
Staff employed by an RT provider should have deep technical capabilities in the specific areas that are relevant to the entity’s target environment (e.g. web applications, infrastructure, mainframe, mobile or vendor-specific), as well as a contextual understanding of the business processes delivered by the entity. Given the unique nature of entities in the financial sector, the RT provider should have staff that possess the requisite experience and knowledge of conducting red team tests on such entities.
The RT provider should have staff members that are appropriately qualified and certified; such qualifications and certifications should not be confined to commonly accepted IT security certifications, but should include a combination of various types of qualifications and certifications, which enables the RT provider to conduct red team tests of the highest standard, using several methodologies and different TTPs. To obtain assurance that the red team has the requisite skills, there are a number of professional qualifications and certifications on the market, some of which have been set out in Annex 1. The RT provider should be able to demonstrate that its staff possess a blend of different skill-sets and specialisms. However, the entity should not rely on qualifications and certifications alone; rather, the entity should try to actively engage with the RT provider during the procurement process to gain an insight into the actual knowledge and experience of its staff.
R&D capability
Good indicators of RT providers’ technology competency are the quality and depth of their technical R&D capability. Some RT providers will constantly develop specific methodologies to address different environments, such as infrastructure, mainframe, web applications, wireless, mobile, etc.
Collaborative working
The end-to-end TIBER-EU test requires a collaborative, transparent and flexible working approach, observed by both TI and RT providers. An RT provider must demonstrate a willingness to work in this way. This might include reviewing and commenting on the TI provider’s deliverables, or working with the TI provider to transform threat scenarios into a cohesive and tractable Red Team Test Plan. Entities may choose to procure from one provider that is capable of providing both TI and RT services; however, in such circumstances, the TI and RT services should be provided by separate teams within the organisation. The entity should explore with the prospective RT providers how they can demonstrate experience of working in a collaborative spirit with TI providers – whether within their own organisation or with another, external TI provider.
Language support
Given the multinational nature of entities and the possible implementation of TIBER-EU across different jurisdictions in the EU, the RT provider should have the capability to deliver tests, perform reconnaissance and produce reports in different languages. For example, a commonly used tactic is “spear phishing”, which would require the use of the local language to be plausible. The entity should discuss the RT provider’s capabilities and resources in this regard.
When the RT provider also offers TI services, the entity should ensure that the provider can cover a broad range of key languages used by most common threat actors, to avoid missing a significant proportion of key relevant information.
In national implementations of the TIBER-EU Framework, the entity may ask the RT provider for a test report written in the local language. However, in the case of cross-border entities where mutual recognition is being sought amongst various authorities, the RT provider should be able to deliver the report written in English.
Confidentiality
The RT provider should not use information acquired in the context of TIBER-EU for services provided to other parties. Therefore, TIBER-EU information can only be used for the purpose for which it was provided. Furthermore, due to the confidential nature of TIBER-EU tests, information must be protected against unintentional disclosure. The RT provider needs to be able to provide assurances that the security and risks associated with the confidential nature of TIBER-EU tests are being adequately addressed, in accordance with jurisdictional regulations.
The RT provider should agree with the procuring entity the protocols to destroy all sensitive information related to the entity and the outputs from the TIBER-EU test, once the test has been completed.
[^1]: The accreditation and certification provider validates the baseline level of proficiency of the RT provider and its staff to provide red team testing services.