Annex
TIBER-EU requirements
Table 1 - Adoption and implementation
| Requirements | Mandatory | Optional |
|---|---|---|
| The TIBER-EU framework is adopted and implemented by each jurisdiction in the EU. | ||
| If a jurisdiction decides to implement a TIBER-XX framework, then the framework is formally adopted by an authority, and the TIBER-EU Knowledge Centre is informed. | ||
| The jurisdiction adopts the TIBER-XX framework as a supervisory or oversight tool, as a catalyst, or for the purposes of financial stability. | ||
| On adoption, the core documentation of the national TIBER-XX framework is published, and the sector is informed. | ||
| The jurisdiction determines which entities should undertake a test – either on a voluntary or mandatory basis. | ||
| The jurisdiction conducts a legal analysis of its TIBER-XX framework to ensure it complies with national laws and regulations. | ||
| The jurisdiction puts in place appropriate governance structures and allocates adequate resources to implement the TIBER-XX framework. | ||
| The jurisdiction has a centralised TIBER Cyber Team (TCT) to manage the programme, oversee the tests and liaise with the TIBER-EU Knowledge Centre. | ||
| In case of cross-border entities, the test is initiated and driven by the lead authority. If another relevant authority seeks to initiate and lead the test, the lead authority must agree to it. | ||
| In case of cross-border entities, the test is conducted jointly between the lead authority and other relevant authorities. | ||
| The TIBER-EU test is conducted by independent third-party providers, i.e. external threat intelligence (TI) and red team (RT) providers. | ||
Table 2 - Preparation phase
| Requirements | Mandatory | Optional |
|---|---|---|
| For each test, there is a White Team (WT), independent TCT (and Test Manager), and external TI/RT providers. | ||
| The national intelligence agency/national cyber security centre/high-tech crime unit is involved in each test. | ||
| Once the procurement process has been completed, there are appropriate contracts in place between the different stakeholders, with relevant controls embedded into the contracts, to facilitate a controlled test (in a discreet manner). | ||
| Prior to conducting the test, the WT conducts a risk assessment and then puts in place all the necessary risk management controls, processes and procedures to facilitate a controlled test. | ||
| Throughout the end-to-end test process, in all documentation and communication between stakeholders a code name is used to conceal the identity of the entity being tested. | ||
| At the outset of the test process, there is a launch meeting which includes the WT and TCT. | ||
| The launch meeting also includes other relevant authorities and the TI/RT providers. | ||
| The scope of the test includes critical functions (CFs), as well as the people, processes, and technology and databases that support the delivery of CFs. This is documented in the TIBER-EU Scope Specification document and signed off in the attestation by the board. | ||
| The entity expands the scope of the test beyond the CFs and includes other functions and processes. | ||
| During the scoping phase, the WT (with agreement from the TCT) sets “flags”, i.e. targets or objectives, that the RT provider aims to meet during the test. | ||
| The test is conducted on live production systems. | ||
| Only the WT and TCT are informed about the test, its details and the timings – all other staff members (i.e. Blue Team, BT) remain unaware of the test. | ||
| Only TI/RT providers that meet the minimum requirements set out in the TIBER-EU Services Procurement Guidelines can undertake the TIBER-EU test. The TI/RT providers will be TIBER-EU-certified and accredited once the EU has these capabilities in place. | ||
Table 3 - Threat intelligence and red team testing phase
| Requirements | Mandatory | Optional |
|---|---|---|
| For each test, an external TI provider produces a dedicated Targeted Threat Intelligence Report (TTI Report) on the entity being tested. Where infrastructure has been outsourced and a third party is included in the scope of the test, the TTI Report also includes information about that third party. | ||
| For each national implementation, a Generic Threat Landscape Report (GTL Report) for the country’s financial sector is produced and maintained, and is used to help inform the TTI Report. | ||
| For each threat intelligence report (TTI and GTL), the national intelligence agency/national cyber security centre/high-tech crime unit is involved to provide feedback. | ||
| For each TTI Report on the entity, the TI provider sets out multiple threat scenarios which can be used by the RT provider. | ||
| The TI provider holds a handover session with the RT provider, providing the basis for the threat scenarios. | ||
| Following the handover, the TI provider continues to be engaged during the testing phase and provides additional up-to-date, credible threat intelligence to the RT provider, where needed. | ||
| The RT provider develops multiple attack scenarios, based on the TTI Report. This is documented in the Red Team Test Plan and shared with the WT and TCT. | ||
| The jurisdiction, in its implementation of the TIBER framework, allows physical red teaming in the scope of the methodology for the TIBER test (e.g. planting a device at the entity), provided all necessary precautions are taken. | ||
| The RT provider executes the attack based on the scenarios (with some flexibility) in the Red Team Test Plan and goes through each of the phases of the kill chain methodology. Where needed, a “leg-up” will be provided by the entity. | ||
| During the test, the RT provider keeps the WT and TCT informed about progress, “capture the flag” moments, the possible need for leg-ups, etc. The RT provider takes a stage-by-stage approach and consults the WT and TCT at all critical points to ensure a controlled test. | ||
| The duration of the red team test is proportionate to the scope, size of the entity, complexity of threat scenarios, etc. Sufficient time is allocated to testing to guarantee that a comprehensive test has been conducted across the enterprise. Experience suggests that a period of at least 10–12 weeks is required. | ||
Table 4 - Closure phase
| Requirements | Mandatory | Optional |
|---|---|---|
| At the end of the test, the RT provider produces a Red Team Test Report, outlining the findings from the test. | ||
| The entity’s BT is informed of the test and uses the Red Team Test Report to deliver its own Blue Team Report. In the Blue Team Report, the BT maps its actions alongside the RT provider’s team actions. | ||
| At the end of the test, the RT provider, the BT and the WT conduct an interactive replay of the test, where possible using live production systems, to review the impact of the actions of the RT provider. | ||
| The TCT, supervisors/overseers and TI provider are also present during these replay workshops. | ||
| A purple teaming element is added in which the BT and the RT provider can work together to see which other steps could have been taken by the RT provider and how the BT could have responded to those steps. | ||
| At the end of the test, there is a 360-degree feedback meeting which includes the entity, TI/RT providers and TCT. In this meeting, the parties review the TIBER-EU test process and give feedback. | ||
| After the BT and RT provider replay and 360-degree feedback workshop, the entity produces a Remediation Plan to address the findings. The Remediation Plan is agreed with the supervisor and/or overseer as part of their planning and control cycle. | ||
| The entity produces a Test Summary Report, which it shares with the lead authority. | ||
| The entity’s board and the TI/RT providers sign an attestation to validate the true and fair conduct of the TIBER-EU test (to enable recognition by other relevant authorities). | ||
| If mutually agreed, the lead authority and/or the entity share the Test Summary Report and attestation with other relevant authorities (where applicable). | ||
| The TCT in each jurisdiction analyses the results of all the TIBER tests and the lessons learned from the 360-degree feedback meetings to produce high-level, aggregated findings. This information is used to enhance sector resilience and improve the TIBER-XX framework. | ||
Responsibility Assignment Matrix for a TIBER-EU test
Table 5 - RACI Matrix
Adoption and implementation
| Requirement | Responsible | Accountable | Consulted | Informed | Documents |
|---|---|---|---|---|---|
| The TIBER-EU framework is adopted and implemented | Authorities | Authorities | Financial and cyber security sector | Financial and cyber security sector | Notice to TIBER-EU Knowledge Centre and TIBER-XX Guide |
Preparation phase
| Requirement | Responsible | Accountable | Consulted | Informed | Documents |
|---|---|---|---|---|---|
| Pre-launch meeting | TTM | TTM | WT | n/a | TIBER-XX Guide, TIBER-EU Services Procurement Guidelines, TIBER-EU White Team Guidance |
| Launch meeting | WT | Board of entity | TTM | n/a | n/a |
| Procurement process and formal contracts between the different stakeholders | WT | Board of entity | TTM | TI/RT providers | TIBER-EU Services Procurement Guidelines, contracts |
| Pre-test risk assessment | WT | Board of entity | TTM | TI/RT providers | Risk assessment |
| Scoping meeting | WT | Board of entity | TTM | TI/RT providers, if available | TIBER-EU Scope Specification document |
Testing phase: threat intelligence
| Requirement | Responsible | Accountable | Consulted | Informed | Documents |
|---|---|---|---|---|---|
| Produce GTL Report for financial sector | Authorities and/or sector and/or TI providers | Authorities and/or sector and/or TI providers | Possibly national intelligence agency/national cyber security centre/high-tech crime unit | Authorities and/or sector | GTL Report |
| Produce a dedicated TTI Report on the entity, setting out threat scenarios which can be used by the RT provider | TI provider | WT | TTM, RT provider, possibly national intelligence agency/national cyber security centre/high-tech crime unit | n/a | TTI Report |
Testing phase: red team test
| Requirement | Responsible | Accountable | Consulted | Informed | Documents |
|---|---|---|---|---|---|
| Handover session between TI and RT providers, providing the basis for the threat scenarios | TI provider | WT | RT provider, TTM | n/a | TTI Report |
| Scenario development for TIBER-EU red team test | RT provider | WT | WT, TTM, TI provider | n/a | Red Team Test Plan |
| Weekly test meetings or updates | WT | Board of the entity | RT provider, TTM | n/a | n/a |
| Discussion as flags are captured or when leg-ups are required | RT provider | WT | TTM | n/a | n/a |
Closure phase
| Requirement | Responsible | Accountable | Consulted | Informed | Documents |
|---|---|---|---|---|---|
| Red Team Test Report, outlining the findings from the test | RT provider | WT | Senior executive responsible for cyber resilience at entity | TTM | Red Team Test Report |
| Blue Team Report, which maps the BT’s actions alongside the RT provider’s team actions | BT | WT | RT provider | TTM | Blue Team Report |
| Conduct an interactive replay of the test | WT | Board of entity | RT provider, TI provider, BT | TTM | n/a |
| 360-degree feedback meeting | TTM | TTM | WT, BT, TI/RT providers | n/a | 360-degree Feedback Report |
| Remediation Plan to address the findings | WT | Board of entity | TI/RT providers, TTM | Supervisor and/or overseer, if not involved during the test | Remediation Plan |
| Produce Test Summary Report | WT | Board of entity | TI/RT providers, TTM | Other relevant authorities | Test Summary Report |
| Signed attestation to validate the true and fair conduct of the TIBER-EU test | Board of entity | Board of entity | WT, TI/RT providers, TTM | TTM and other relevant authorities | Attestation |
TIBER-EU documentation
This document, “TIBER-EU FRAMEWORK: How to implement the TIBER-EU framework”, sets out the core foundational elements of the TIBER-EU framework for all EU authorities, entities, TI and RT providers, and all other relevant stakeholders.
This document should be used as a basis for each jurisdiction to determine how it will adopt the TIBER-EU framework for its own purpose.
For the implementation of the TIBER-EU framework, there are a number of accompanying documents which provide additional and more specific guidance, or serve as templates for use during the testing process. There are also certain documents to be produced by the entity, authority and/or TI/RT providers to facilitate the overall test process.
These documents are listed below and can be requested from: TIBER-EU@ecb.europa.eu.
Table 6 - TIBER-EU documentation
| List of TIBER-EU framework documents | Responsible party |
|---|---|
| TIBER-EU FRAMEWORK: How to implement the TIBER-EU framework | Governing Council of the ECB |
| TIBER-EU Services Procurement Guidelines | Governing Council of the ECB |
| TIBER-EU White Team Guidance | Governing Council of the ECB |
| TIBER-XX Implementation Guide | (National) authorities |
| TIBER-EU Test Project Plan | Entity |
| TIBER-EU Scope Specification document (template available) | Entity |
| Generic Threat Landscape Report | (National) authorities or market |
| Targeted Threat Intelligence Report | Threat intelligence provider |
| Input for the Targeted Threat Intelligence (template available) | Entity |
| Red Team Test Plan | Red team provider |
| Red Team Test Report | Red team provider |
| Blue Team Report | Entity |
| 360-degree Feedback Report | Entity |
| Test Summary Report (template available) | Entity and (National) authorities |
| Remediation Plan | Entity |
| TIBER-EU Attestation (template available) | Entity |
Abbreviations
| Term | Explanation |
|---|---|
| BT | Blue Team |
| CF | critical function |
| GTL | generic threat landscape |
| HUMINT | human intelligence |
| NDA | non-disclosure agreement |
| OSINT | open-source intelligence |
| RACI | Responsibility Assignment Matrix (RACI stands for Responsible, Accountable, Consulted, Informed) |
| RT provider | red team provider |
| TCT | TIBER Cyber Team |
| TIBER | threat intelligence-based ethical red teaming |
| TI provider | threat intelligence provider |
| TKC | TIBER-EU Knowledge Centre |
| TTI | targeted threat intelligence |
| TTM | Team Test Manager |
| TTP | tactics, techniques and procedures |
| WT | White Team |
| WTL | White Team Lead |