Threat intelligence providers

Threat intelligence-based scenarios mimicking real-life cyber adversaries are essential to the success of TIBER-EU testing activities. Threat intelligence provides a detailed view of the specific entity’s attack surface and helps produce actionable and realistic testing scenarios. Such test scenarios look to emulate the tactics, techniques and procedures (TTPs) of real-life threat actors within a threat landscape and will be used to deliver a realistic simulation. Threat intelligence will be used by the RT provider to develop attack scenarios and execute an intelligence-led red team test of specified critical live production systems, people and processes that underpin the entity’s critical functions (CFs). These scenarios will be integrated into the RT provider’s Red Team Test Plan and help the RT provider to deliver a practical assessment of the entity’s protection, detection and response capabilities.

This section provides an overview of the role of threat intelligence and TI providers in the TIBER-EU context; sets out the core requirements of a TI provider delivering services for a recognised TIBER-EU test; and describes the guiding principles and criteria for the entity to consider when procuring a TI provider.

Threat intelligence for TIBER-EU

TIBER-EU defines a threat as:

  • an expression of intent to do harm, deprive, weaken, damage or destroy;
  • an indication of imminent harm;
  • an agent that is regarded as harmful; and
  • a harmful agent’s actions comprising TTPs.

TIBER-EU defines threat intelligence as “information that provides relevant and sufficient understanding for mitigating the impact of a potentially harmful event”. Threat intelligence encompasses: (1) the technical details of the attack (indicators of compromise, or the what, when and where); (2) the TTPs behind the attack (the modus operandi or how); and (3) the details of the attackers themselves and their motivations (the who and why).

Within this context, threat intelligence-based scenarios mimicking real-life cyber adversaries are essential to the success of testing activities. There are two complementary tools to develop these threat intelligence-based scenarios: the Generic Threat Landscape (GTL)¹ Report and the Targeted Threat Intelligence (TTI) Report. The GTL Report should reflect the most significant threats faced by the financial sector, whether at a national or European level. The GTL Report can be used to develop the TTI Report, which gives a more detailed view of the specific entity’s current defences and attack surface and helps produce actionable and realistic attack scenarios. Such attack scenarios look to emulate the TTPs of real-life threat actors within a threat landscape and will be used to deliver a realistic simulation.

The role of the TI provider

The TI provider has a crucial role in the TIBER-EU process. It should provide the RT provider with a TTI Report that formulates threat scenarios aimed at mimicking potential threat actors’ attacks against the live systems that underpin the critical functions of an entity. These threat scenarios form the basis of the attack scenarios the RT provider will deliver.

Creating accurate and realistic threat intelligence is a complex activity. This means that the TI provider must have adequate knowledge of the threat actors, their motives and their skills and TTPs, as well as an understanding of how the core elements of the financial system interact and operate. In addition, the TI provider must have a good insight into the targeted entity. It needs to know, for example: what the target’s critical functions are; how the target operates; who the crucial employees are and whether they are “usable” for the attack; and what the target’s vulnerabilities are.

All this will provide the RT provider with the information needed to simulate a real-life and realistic attack on the entity’s live systems underpinning its critical functions.

Collecting and analysing all this information and converting it into threat intelligence require specialised skills and expertise. The TI provider must also have robust risk management and security controls in place, as such threat information about an entity is highly sensitive and may pose a threat to the entity, if the information falls into the wrong hands.

TI provider requirements

To ensure that the TI provider is able to furnish the deliverables cited above in an effective and safe manner, it must display the highest standards. Consequently, the TIBER-EU Framework requires TI providers to meet specific requirements to also ensure that the test is recognised by the relevant authorities. The core requirements below are set to ensure that only the highest-quality providers, with sufficient experience and capabilities, can contribute to red team tests on the most critical functions of entities. These requirements are without prejudice to the application of all relevant EU and national data protection regulations and other rules.

All TIBER-EU tests will require a Threat Intelligence Team, composed of a Threat Intelligence Manager and other Threat Intelligence Team members, with a broad set of skills and experience. The size of the Threat Intelligence Team will depend on the entity being tested, the scope of the test, and the specific skills and expertise required to deliver the test.

Table 1 - TI Provider requirements to deliver TIBER-EU tests

Who: TI provider (at company level)
Requirements:
  • At least three references from previous assignments related to threat intelligence-led red team tests
  • Adequate indemnity insurance in place to cover activities which were not agreed upon in the contract and/or which stem from misconduct, negligence, etc.

Who: Threat Intelligence Manager – responsible for the end-to-end management of the threat intelligence for a TIBER-EU test
Requirements:
  • Lead and oversight of the TI provider’s activities for delivering a TIBER-EU test are ensured by a Threat Intelligence Manager
  • Sufficient experience of the Threat Intelligence Manager in threat intelligence. Expectation: at least five years of experience in threat intelligence, including three years of producing threat intelligence in the financial services industry
  • Up-to-date CV and at least three references from previous assignments of the Threat Intelligence Manager to be provided to the entity, specifically in delivering threat intelligence for red team testing activities
  • Background checks on the Threat Intelligence Manager are conducted by the TI provider (as a minimum). Enhanced background checks are conducted as required by the national authorities
  • Ideally, the Threat Intelligence Manager should have appropriate recognised qualifications and certifications for threat intelligence (as set out in Annex 1)

Who: Threat Intelligence Team (all members of the team, except for the Threat Intelligence Manager) – responsible for delivering the threat intelligence for a TIBER-EU test
Requirements:
  • Sufficient experience of the Threat Intelligence Team members. Expectation for each member: at least two years of experience in threat intelligence
  • Up-to-date CV for each member of the team to be provided to the entity
  • Multi-disciplinary composition of the Threat Intelligence Team, with a broad range of skills including OSINT, HUMINT and geopolitical knowledge
  • Background checks on each member of the Threat Intelligence Team are conducted by the TI provider (as a minimum). Enhanced background checks are conducted as required by the national authorities
  • Ideally, the Threat Intelligence Team members should have appropriate recognised qualifications and certifications for threat intelligence (as set out in Annex 1)
  • Ideally, the Threat Intelligence Team should have experience in delivering threat intelligence for red team tests

It is the responsibility of the entity to ensure that the TI providers meet these requirements prior to formalising any test, and therefore it should undertake thorough due diligence during its procurement process.

However, it is recommended that the entity delegate this responsibility to accreditation and certification bodies in the EU. As soon as there is sufficient capability in the EU to conduct TIBER-EU accreditation and certification of TI providers and their staff, respectively, the entity should opt for only TIBER-EU accredited and certified TI providers². The Services Procurement Guidelines will be updated by the TIBER-EU Knowledge Centre when such capability is deemed to be in place.

Guiding principles and criteria for selecting TI providers

This section sets out the guiding principles and criteria for the entity to consider during its procurement process and when evaluating the capabilities of a TI provider. These principles are of a more qualitative nature than the requirements set out in Section 3.3, and thus entities should look to integrate these principles and criteria in their request for proposals and bilateral discussions with prospective providers, aided by the questions in Annex 2.

TI provider’s reputation, history and ethics

Three of the most important criteria for a buyer of threat intelligence services are the reputation and history of the TI provider and the ethical conduct it both adopts and enforces.

A suitable and reputable TI provider should be able to clearly demonstrate its knowledge and expertise in threat intelligence and in the financial services industry more generally. This should be focused on highlighting areas where risk to the entity can be minimised – such as understanding the legal and ethical challenges.

Mature and capable TI providers are generally those that have conducted multiple assignments already for a broad range of entities in different jurisdictions; have first-hand experience of the issues and complexities involved; have a good depth and breadth of experience and knowledge of the financial services industry; and have appropriate processes and capabilities to gather, analyse and produce threat intelligence on a variety of entities.

Successful TIBER-EU tests are underpinned by a collaborative, transparent and flexible working approach observed by all TIBER-EU stakeholders. TI providers must demonstrate an ability and willingness to work in this way. This entails requirements regarding the roles present in the TI provider’s organisational set-up. The TI provider, as a minimum, should have:

  • Threat Intelligence Managers and TI experts;
  • thematic and functional analysts; and
  • technical experts and support staff.

The entity should engage with potential TI providers and understand their history, organisational set-up, range of expertise and body of previous work, particularly within the financial services industry.

TI providers should be committed to ensuring that they act in a professional and ethical manner. For example, the TI provider:

  • should adhere to a professional Code of Conduct, e.g. the Code of Conduct for Ethical Security Testers or the OSIRA Code of Conduct³; and
  • should have a mature understanding of ethical standards in gathering and processing human and technical intelligence.

Information must be gathered using approaches that respect the relevant legislative framework. In particular, the law of the relevant EU Member State in which the TIBER-EU test is executed must be adhered to.

Governance, security and risk management

It is important that the TI provider gives a high priority to governance, security and risk management. A competent TI provider should be able to provide assurances that the security of and risks associated with the entity’s critical systems and confidential information (together with any other business risks) will be adequately addressed. The TI provider should be able to ensure that the results of its tests are generated, reported, stored, communicated, redacted (if necessary) and destroyed in a manner that does not put entities at risk.

During any TIBER-EU test, it is likely that the TI provider will encounter sensitive or business-critical data related to the entity or its third party suppliers. The entity should ensure that the TI provider fully understands the sensitivity of this, and puts in place all the appropriate security objectives, policies and procedures to address these possible situations, including for data of the entities’ third party suppliers which are in the scope of a TIBER-EU test. Overall, the entity will need to be comfortable that it can trust the TI provider.

Suitable and mature TI providers should have a robust Information Security Management System (ISMS) with a bespoke security control framework and appropriate certification, based on recognised international standards. Examples of such certifications are included in Annex 1. The ISMS should define a clear governance structure and processes, which are effectively established, implemented, operated, continuously monitored, tested, reviewed, maintained and improved.

The entity should request the TI provider to furnish evidence of its relevant internal information security policies that ensure the security and resilience of its services and methods. The entity should analyse these pieces of evidence, ensuring that they are aligned with the TI provider’s high-level security objectives.

Methodology

TI providers should have robust methodologies in place to develop their threat intelligence and reconnaissance. The TI provider should be able to clearly explain its methodologies, how they evolve and how they result in effective and high-quality outputs for red team tests.

The methodologies should demonstrate how the TI provider:

  • is able to obtain a useful context for conducting the threat analysis;
  • sources information about the current state of the entity;
  • gathers evidence;
  • engages with entities and other key stakeholders;
  • has a comprehensive view of the financial sector and the current geopolitical context that entities operate in;
  • conducts risk assessments and analysis; and
  • can operationalise its methodologies in a clear, transparent and flexible manner.

The TI provider must be able to demonstrate a comprehensive threat intelligence collection process and function, which provides the raw materials for conducting threat intelligence analysis. In collecting threat intelligence, the TI provider must be able to demonstrate its ability to harvest information from a variety of source types, as these will directly influence the quality of the output.

Most collection processes and functions acquire data from a wide variety of data sources. The extent of this variety is a useful indicator of the range of intelligence that a procuring entity should expect from a TI provider. These sources include internet services, a mixture of public and private forums, and a range of media types such as IRC chats, email and video. The key characteristics of such threat intelligence collection are set out below:

Table 2 - Characteristics of TI collection

Breadth of sources
The number of information items in any given source type is a useful means of measuring the likely catchment capability of any collection function. A TI provider that collects across 100,000 unique information items will be expected to generate fewer results overall compared with one that collects across 30 million. That said, the classic “garbage in, garbage out” rule applies and this must, of course, be balanced against the ability of the TI provider to select information items that are likely to contain content of interest and the likely rate of false positives emanating from that source.

Depth of sources
TI providers collecting intelligence may only touch the surface content of a given source, but it is also important to know that all the content of a given source can be incorporated when there is an appropriate, and lawful, opportunity to do so. It is therefore important to assess whether a TI provider can provide the option of acquiring data at scale. By acquiring data at scale in this manner, it is possible to query the data after retrieval from its original source. This can be useful when the hypothesis, or question, is sensitive in nature.

Language support
Languages play an important role in selecting an effective TI provider. For local TIBER-EU implementations, the TI provider must have staff with proficiency in the language needed for the test (e.g. Dutch in the case of TIBER-NL, German in the case of TIBER-DE). In the case of entities that operate across multiple jurisdictions, TI providers may need to demonstrate proficiency in multiple languages, or at least be able to obtain information in any language on threat actors and convert this into actionable intelligence in the local language. Cyber threats are a global phenomenon and a TI provider that offers no coverage of major global languages will miss a significant proportion of relevant information. Therefore, TI providers with staff who can demonstrate fluency in key languages will offer a considerable advantage. This includes ensuring that the TI provider’s technology and people can ingest, process and manage content in multiple languages.

Timeliness of collection
The timeliness of collection will vary from source to source. A TI provider must demonstrate its ability to absorb information from high-volume and dynamic data sources (such as Twitter) at a rate at which the intelligence is relevant at the moment it is processed and analysed. It is also useful to understand the TI provider’s retention period for such information, to gauge how long the TI provider can store and interrogate this information. For example, having the ability to spot malicious tweets over a previous two-year period is more valuable than over a six-month period.

Types of intelligence
The threat intelligence market contains TI providers which employ a variety of intelligence-gathering disciplines. TI providers that use both OSINT (open source intelligence derived overtly from publicly available sources) and HUMINT (intelligence derived overtly or covertly from human sources/social engineering) are better able to gather intelligence relating to covert groups such as organised criminals compared with those that use OSINT only. TI providers that use SIGINT (signals intelligence derived, for example, from signals generated routinely by hardware devices or software applications) are more likely to gather intelligence suitable for system monitoring purposes.

Intelligence-gathering process
The TI provider’s intelligence-gathering process life cycle must include review, operations management and quality management. The TI provider must provide transparency in the way intelligence is collected and ensure that it does not participate in or enable criminal activities.

Threat intelligence analysis
It is important to ensure that a TI provider employs a range of techniques to ensure the consistency, accuracy and relevance of the information resulting from this phase of the process. For example, the TI provider should be able to:
  • demonstrate that it has systems and processes to remove confirmation bias and other cognitive errors where results are curated by an analyst;
  • cross-check facts by de-duplicating and collating content into a consistent format;
  • employ data-driven and hypothesis-driven assessment strategies, i.e. the TI provider is capable of uncovering new intelligence by identifying patterns in the collected data and by validating hypotheses;
  • proactively anticipate client needs;
  • work productively together with the RT provider in order to develop the best possible scenarios, based on robust TI analysis;
  • deliver near-real-time alerts and warnings when analysis shows emerging and/or immediate threats; and
  • deliver specific analysis upon client request in a timely manner.

Dissemination
The final threat intelligence product disseminated to the entity should:
  • provide state of the art intelligence: this is information that provides relevant and sufficient understanding for mitigating the impact of a potentially harmful event, plus relevant guidance, so that an RT provider can use it to construct realistic attack scenarios;
  • be in an appropriate format: intelligence should be concise, clear and consistent, written in the language preferred by the procuring entity and – in the case of cross-jurisdictional entities – in English too. Outputs should avoid the use of jargon wherever possible;
  • offer a mechanism for prioritising and comparing results: intelligence should be graded according to the severity of the threat and the veracity and urgency of intelligence that has been found;
  • provide both granularity and situational awareness; and
  • be in line with the General Data Protection Regulation (GDPR).
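The collation steps listed under “Threat intelligence analysis” and “Dissemination” above (de-duplicating and collating items into a consistent format, applying a retention window, and grading results by severity, veracity and urgency), carried through on records that hold the three components of threat intelligence defined earlier in this section (the indicator, the TTP and the actor). This is an added Python example and not tooling from the TIBER-EU Framework or any TI provider; the two feed layouts, the feed names, the indicators (RFC 5737 and RFC 2606 documentation addresses and names), the actor labels, the retention window and the scoring weights are all constructed for illustration.

```python
"""Added example: normalise, de-duplicate, retain and grade threat
intelligence items. Feed layouts, names, indicators, actors and the
scoring scheme are constructed for illustration, not taken from TIBER-EU."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

# Constructed sample items as two hypothetical feeds might deliver them.
# The two feeds use different field names and vocabularies, and the same
# indicator appears in both, so there is something to collate.
RAW_ITEMS = [
    {"feed": "feed-a", "ioc": "198.51.100.23", "kind": "ip",
     "seen": "2024-05-02T10:00:00Z", "ttp": "web protocol C2",
     "actor": "ACTOR-ALPHA", "severity": "high"},
    {"feed": "feed-b", "indicator": {"value": "198.51.100.23", "type": "ipv4"},
     "timestamp": "2024-05-03T08:30:00Z", "technique": "web protocol C2",
     "group": "ACTOR-ALPHA", "impact": 3},
    {"feed": "feed-b", "indicator": {"value": "login-bank.example", "type": "domain"},
     "timestamp": "2024-04-20T00:00:00Z", "technique": "credential phishing page",
     "group": "ACTOR-BETA", "impact": 5},
    {"feed": "feed-a", "ioc": "203.0.113.9", "kind": "ip",
     "seen": "2021-11-01T00:00:00Z", "ttp": "vulnerability scanning",
     "actor": "unknown", "severity": "low"},
]

NOW = datetime(2024, 5, 5, tzinfo=timezone.utc)   # fixed clock so results are reproducible

# Per-feed vocabularies reconciled into one scale / one type name.
SEVERITY_WORDS = {"low": 1, "medium": 2, "high": 4, "critical": 5}
TYPE_ALIASES = {"ipv4": "ip", "ip": "ip", "domain": "domain"}


@dataclass
class TIRecord:
    """Consistent record: the what/when (indicator, first_seen), the how
    (ttps) and the who (actor). sources grows during de-duplication."""
    indicator: str
    indicator_type: str
    first_seen: datetime
    ttps: set[str]
    actor: str
    severity: int                      # 1 (low) .. 5 (critical)
    sources: set[str] = field(default_factory=set)


def parse_ts(value: str) -> datetime:
    """Both constructed feeds use ISO 8601 with a trailing Z."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def normalise(item: dict) -> TIRecord:
    """Map each feed's own layout onto the consistent record."""
    if "ioc" in item:                                    # feed-a layout
        return TIRecord(item["ioc"], TYPE_ALIASES[item["kind"]], parse_ts(item["seen"]),
                        {item["ttp"]}, item["actor"],
                        SEVERITY_WORDS[item["severity"]], {item["feed"]})
    if "indicator" in item:                              # feed-b layout
        ind = item["indicator"]
        return TIRecord(ind["value"], TYPE_ALIASES[ind["type"]], parse_ts(item["timestamp"]),
                        {item["technique"]}, item["group"],
                        int(item["impact"]), {item["feed"]})
    raise ValueError(f"unrecognised feed layout: {sorted(item)}")


def deduplicate(records: list[TIRecord]) -> list[TIRecord]:
    """Collate items about the same indicator: union sources and TTPs, keep
    the earliest sighting and the highest severity. A second independent
    source is what later raises the record's veracity grade."""
    merged: dict[tuple[str, str], TIRecord] = {}
    for rec in records:
        key = (rec.indicator_type, rec.indicator)
        if key not in merged:
            merged[key] = rec
            continue
        kept = merged[key]
        kept.sources |= rec.sources
        kept.ttps |= rec.ttps
        kept.first_seen = min(kept.first_seen, rec.first_seen)
        kept.severity = max(kept.severity, rec.severity)
        if kept.actor == "unknown":
            kept.actor = rec.actor
    return list(merged.values())


def grade(rec: TIRecord, now: datetime) -> dict:
    """Grade by severity, veracity (corroboration) and urgency (recency) and
    fold them into one ranking score. Weights are an illustrative choice."""
    age = now - rec.first_seen
    veracity = "corroborated" if len(rec.sources) >= 2 else "single-source"
    if age <= timedelta(days=7):
        urgency, bonus = "immediate", 2
    elif age <= timedelta(days=90):
        urgency, bonus = "current", 1
    else:
        urgency, bonus = "historical", 0
    score = rec.severity * (2 if veracity == "corroborated" else 1) + bonus
    return {"indicator": rec.indicator, "type": rec.indicator_type, "actor": rec.actor,
            "ttps": sorted(rec.ttps), "severity": rec.severity, "veracity": veracity,
            "urgency": urgency, "sources": sorted(rec.sources), "score": score}


def disseminate(raw_items: list[dict], now: datetime = NOW,
                retention_days: int = 730) -> list[dict]:
    """Normalise -> de-duplicate -> drop sightings outside the retention
    window -> grade, returning the product from highest to lowest priority."""
    retention = timedelta(days=retention_days)
    records = deduplicate([normalise(item) for item in raw_items])
    kept = [r for r in records if now - r.first_seen <= retention]
    return sorted((grade(r, now) for r in kept), key=lambda g: g["score"], reverse=True)


if __name__ == "__main__":
    for product in disseminate(RAW_ITEMS):
        print(product)
```

With the constructed input, the corroborated, recently sighted address ranks first, the single-source phishing domain second, and the 2021 scanning address is dropped by the two-year retention window; widening the window brings it back at the bottom of the list.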

Staff competence

The level of threat intelligence provided depends heavily on the staff of the TI provider. Therefore:

  • staff employed by the TI provider should be of irreproachable behaviour, as demonstrated by screening of criminal antecedents;
  • staff employed by the TI provider should be from a range of backgrounds and possess sufficient experience, e.g. backgrounds in governmental intelligence, law enforcement and financial services;
  • the TI provider should be able to show that its recruitment process involves selection based on: analytical capabilities, technical skills, social skills, creativity and relevant financial sector experience; and
  • the TI provider should promote and have mechanisms to ensure continuous professional development and an R&D culture.

Collaborative working

Successful TIBER-EU tests are underpinned by a collaborative, transparent and flexible working approach observed by both TI and RT providers. A TI provider must demonstrate a willingness to work in this way, sharing its deliverables with its RT testing counterpart for review and comment. The TI provider should also demonstrate a willingness to work with the RT provider throughout the test to ensure that the threat scenarios are transformed into a cohesive and tractable Red Team Test Plan.

Language support

Given the multinational nature of entities and the possible implementation of TIBER-EU across different jurisdictions in the EU, the TI provider should have the capability to deliver threat intelligence, perform reconnaissance and produce reports in different languages. The entity should discuss the TI provider’s capabilities and resources in this regard.

In national implementations of the TIBER-EU Framework, the entity may ask the TI provider for a test report written in the local language. However, in the case of cross-border entities where mutual recognition is being sought amongst various authorities, the TI provider should be able to deliver the report written in English.

Confidentiality

The TI provider should not use information acquired in the context of TIBER-EU for services provided to other parties. Therefore, TIBER-EU information can only be used for the purpose for which it was provided. Furthermore, due to the confidential nature of TIBER-EU tests, information must be protected against unintentional disclosure. The TI provider needs to be able to provide assurances that the security and risks associated with the confidential nature of TIBER-EU tests are being adequately addressed, in accordance with jurisdictional regulations.

The TI provider should agree with the procuring entity the protocols to destroy all sensitive information related to the entity and the outputs from the TIBER-EU test, once the test has been completed.


  1. The GTL Report is not necessarily to be procured by the tested entity; it could be a joint procurement by a subset of national financial sectors or by the European financial sector. Alternatively, the lead authority could take responsibility for delivering the GTL Report.

  2. The accreditation and certification provider validates the baseline level of proficiency of the TI provider and its staff to provide threat intelligence services.

  3. Open Source Intelligence and Research Association.