Preparation phase

Overview

During the TIBER-EU preparation phase, the engagement for the TIBER-EU test is formally launched, and the TTM starts liaising with the participating entity. The scope is established and the entity procures the TI and RT providers. This phase lasts approximately four to six weeks, not including the duration of the entity’s procurement process. An overview of the key activities involved in this phase is shown in Figure 4.

Pre-launch

Following the adoption of the TIBER-EU framework at national or European level, each lead authority should decide which entities should be invited to undertake a TIBER-EU test. Once the lead authority and entity agree to undertake this test, the relevant authorities should be identified, the authority responsible for leading the test should inform its TCT – and the TCTs of all other relevant authorities, if this is deemed appropriate – and the parties involved in the TIBER-EU test should be briefed on the TIBER-EU process, documentation, roles and responsibilities.

The pre-launch meeting marks the start of the planned and agreed TIBER-EU test process for each individual entity. The TTM asks the entity to establish a WT. This comprises a select number of individuals who are experts (e.g. cyber, operational and risk specialists, experts from the business areas that support the CFs, etc.) and are positioned at the top of the security incident escalation chain. The composition of the WT can be flexible, depending on the specific structure and organisational set-up of the entity. The WTL makes sure that the WT is aware of the TIBER-EU red team test, the need for secrecy and the process the team should go through in case the BT detects and escalates a TIBER-EU related incident. The WTL holds the pre-launch session with the TTM and any additional WT members that the lead wishes to involve. Further guidance on the WT can be found in the TIBER-EU White Team Guidance.

During the pre-launch session, the TTM should brief the entity on the requirements for:

  • the TIBER-EU process as reflected in the TIBER-XX Implementation Guide;
  • the stakeholder roles and responsibilities;
  • the security protocols (including the set-up of secure document transfer);
  • contractual considerations (including sharing of documentation from TI/RT providers);
  • project planning.

With regard to contractual considerations, the smooth delivery of a TIBER-EU test requires a transparent process with the appropriate information and documentation flowing freely, safely and securely between the relevant parties. To facilitate the free, safe and secure flow of information, participating parties can sign an NDA.

Procurement

After the pre-launch meeting, the entity should start its procurement process. Owing to the sensitive nature of the red team test, and the fact that it is carried out on the live production systems, it is critical that the external TI and RT providers possess the highest levels of skills, capabilities and qualifications. The entity must therefore select external TI and RT providers with the requisite skills and experience to perform the test.

To ensure that the TI/RT providers meet the appropriate standards for conducting such a test, the entity should procure the services of TI/RT providers that have undergone a formal TIBER-EU certification and accreditation process carried out by an organisation or authority that specialises in this task.

In the absence of such an organisation or authority, the entity should conduct its own due diligence as part of its procurement process and existing risk management practices to ensure that each TI/RT provider meets all the requirements set out in the TIBER-EU Services Procurement Guidelines. However, once EU certification and accreditation capabilities are in place, all entities should rely on these for TIBER-EU tests. Responsibility for ensuring that the appropriate TI/RT providers are selected lies solely with the entity.

The TIBER-EU Services Procurement Guidelines set out in detail the minimum requirements for TI/RT providers. These are deliberately stringent requirements intended to mitigate the risk of tests being conducted by inexperienced personnel, which could have an adverse impact on the entity.

During procurement, the entity should carry out the following activities:

  • draw on best practice procurement guidelines to identify potential TI/RT providers capable of meeting the objectives of the test;
  • issue an invitation to tender in compliance with the TIBER-EU framework and any relevant procurement legislation;
  • assess tender responses, and then interview and select appropriate providers;
  • establish conditions governing the sharing, confidentiality and retention of intellectual property rights.

Once the procurement process has been completed and all relevant contractual arrangements are in place, the entity should complete the TIBER-EU Test Project Plan, including the final schedule of meetings to be held between the entity, TI/RT providers and TCT, and share this with all the relevant stakeholders.

Entities may apply a degree of flexibility on the timing of the procurement, as the process may differ across jurisdictions. Hence, the lead authority’s TCT should exercise a degree of judgement over whether to allow the entity to start the procurement process in parallel with the pre-launch, or whether to allow it to do so only once the pre-launch and scoping have been completed. The entity should, as early as possible, develop a draft TIBER-EU Test Project Plan taking into consideration timelines, procurement, etc. to ensure that there are no bottlenecks or delays in the overall testing process.

Launch

Since cooperation is key for a successful TIBER-EU test, the launch meeting is a physical meeting that should involve all the relevant stakeholders (including the TTM, WT and TI/RT providers). During this meeting, all stakeholders discuss the test process and their expectations, as well as the draft TIBER-EU Project Plan, which should be prepared by the WT.

Scoping

The key objective of scoping is for the entity and the relevant authorities to agree the scope of the red team test. The scope must include the entity’s CFs. The entity may decide at its discretion to include additional non-critical functions (i.e. people, processes and technologies) within the scope of the test, provided these do not negatively affect the testing of the CFs.

Within the TIBER-EU framework CFs are defined as:

the people, processes and technologies required by the entity to deliver a core service which, if disrupted, could have a detrimental impact on financial stability, the entity’s safety and soundness, the entity’s customer base or the entity’s market conduct.

Note that a CF is not a system. It is a function which could be considered critical or essential to the financial services sector and/or a financial services sector organisation. Entities across the sector support and deliver these functions in different ways via their own internal processes, which are in turn underpinned by critical technological systems. It is these critical technological systems, processes, and the people surrounding them that are the focus of TIBER-EU threat intelligence and red team testing. In most cases, this will also include the systems, people and business processes underpinning the entity’s CFs that are outsourced to third-party service providers.

For the purposes of a TIBER-EU test, testing must be performed on the live production systems of the entity. However, the entity may also include other types of infrastructure, including pre-production, testing, backup and recovery systems, within the scope of the red team test.

The purpose of scoping is for all relevant parties, i.e. the TCT and entity, to agree on the scope of the test and the identification of the CFs. Both the TCT and entity should have extensive knowledge of the entity’s business model, functions and services.

Entities may conduct a business impact analysis defining the CFs as part of their standard operational risk management practices. In defining the CFs and consequently the scope of the test, the entity may also refer to the Generic Threat Landscape Report (GTL Report) to further contextualise its business and the threats it faces, and to map the possible threat scenarios to its CFs. The GTL Report is discussed in more detail in Chapter 8.

Setting and capturing the flags

During the scoping process, the entity must complete a TIBER-EU Scope Specification document. The TIBER-EU Scope Specification sets out the scope of the TIBER-EU test, and lists the key systems and services that underpin each CF. This information helps the WT set the “flags” to be captured, which are essentially the targets and objectives that the RT providers must strive to achieve during the test, using a variety of techniques.

The WT should discuss the flags with the TTM, who must approve them. Although the flags are set during the scoping process, they can be changed on an iterative basis following the threat intelligence gathering and as the red team test evolves.

Scoping meeting

The final TIBER-EU Scope Specification document should be agreed by the TTM during a workshop organised by the entity for all relevant stakeholders (i.e. WT, TTM and possibly the TI/RT providers). Importantly, the scope will need to be agreed at the board level of the entity.

If the procurement has been completed, the scoping process and meeting may include the TI/RT providers. Alternatively, the entity may opt to exclude the TI/RT providers at this stage. In any case, it is recommended that the WT and TTM discuss this in advance of the scoping meeting.

Explanation of the scope to the TI/RT providers

For the test to be successful it is important that the TI/RT providers understand the business of the entity. Therefore, if the TI/RT providers are not already involved during the scoping process, a meeting should be planned with the providers after the scoping process to explain the CFs and systems underpinning them. If the entity feels that further dialogue on the functioning of its business is necessary to arrive at realistic scenarios, the TIBER-EU framework encourages this. The sharing of knowledge between the entity and TI/RT providers will facilitate a smooth transition to the next phase of target intelligence gathering.

Overview of the TIBER-EU preparation phase