High-level overview of the TIBER-EU process
Intelligence-led red teaming
There is a range of different types of tests in the market today which help entities to improve their basic “cyber hygiene”. Among them, intelligence-led red teaming is one of the most comprehensive and insightful ways of testing the capabilities of an entity.
An intelligence-led red team test mimics the TTPs of real attackers on the basis of bespoke threat intelligence. In doing so, it looks to target the people, processes and technologies underpinning the CFs of an entity in order to test its protection, detection and response capabilities without their prior knowledge.
It allows the entity to understand its real-world resilience by stressing all elements of its business against the TTPs of the threat actors that are specific to that organisation. The intelligence-led red team test provides a comprehensive end-to-end understanding of weaknesses present in people, business processing, technology, and their associated intersection points, and provides a detailed threat assessment which can be used to further enhance the entity’s situational awareness.
All relevant stakeholders should adhere to the following process for each test, to ensure standardisation and harmonisation across all jurisdictions and implementations:
TIBER-EU process
Process overview
The TIBER-EU test process consists of three mandatory phases and one optional phase. Please note that some phases can and should overlap, as this helps to ensure the best possible test. The four phases are:
- The generic threat landscape (GTL) phase – The GTL phase involves a generic assessment of the national financial sector threat landscape, outlining the specific roles of the entities (e.g. investment banks, commercial banks, payment systems, central counterparties, exchanges, etc.), identifying the relevant high-end threat actors for the sector and the TTPs targeting these entities. The GTL will link these threat actors and the TTPs to the specific entities within the sector, and can be used as a basis for later attack scenario development. The GTL may be validated and reviewed by the relevant national intelligence agency if possible, and updated on an ongoing basis as new threat actors and TTPs emerge and pose a risk to the entity. The GTL phase is optional.
- The preparation phase (which includes engagement & scoping and procurement) – During this phase, the following takes place: the engagement for the TIBER-EU test is formally launched; the teams responsible for managing the test are established; the scope of the test is determined, approved and attested to by the entity’s board, and validated by the relevant authorities; and the TI and RT providers are procured to carry out the test. The preparation phase is mandatory for each implementation of the TIBER-EU framework.
- The testing phase (which includes threat intelligence and red teaming) – During this phase, the procured TI provider prepares a Targeted Threat Intelligence Report (TTI Report) on the entity, setting out threat scenarios for the test and useful information on the entity. Here the TI provider works closely with the RT provider, and the targeted threat intelligence and reconnaissance phases overlap, with the GTL being used as the basis, if available. The TTI Report will be used by the RT provider to develop attack scenarios and execute an intelligence-led red team test of specified critical live production systems, people and processes that underpin the entity’s CFs. The testing phase is a mandatory phase for each implementation of the TIBER-EU framework.
- The closure phase (which includes remediation planning and result sharing) – During this phase, the RT provider drafts a Red Team Test Report, which will include details of the approach taken to the testing and the findings and observations from the test. Where necessary, the report will include advice on areas for improvement in terms of technical controls, policies and procedures, and education and awareness. The main stakeholders will now be aware of the test, and should replay the executed scenarios and discuss the issues uncovered during the test. The entity will take on board the findings, and will agree and finalise a Remediation Plan in close consultation with the supervisor and/or overseer; the process of the test will be reviewed and discussed; and the key findings from the test will be shared with other relevant authorities. Approval to close the test should be obtained from the relevant authorities once a Remediation Plan has been agreed. The closure phase is mandatory for each implementation of the TIBER-EU framework.
