Standardizing Red Teaming for the Financial Sector with the TIBER EU Framework
Cyber attacks may not have been around when Ben Franklin said, “By failing to prepare, you are preparing to fail,” but the saying has nonetheless become an apt cybersecurity principle. So what does preparation involve, and how are organizations ensuring that it is integrated into their security strategy?
One example is the TIBER-EU Framework, a set of standardized red teaming procedures designed for the financial community in Europe. By implementing its principles, financial services entities gain a standardized, repeatable way of preparing their architecture, people, and processes for a cyberattack before it happens.
Here’s what you need to know.
Why Attackers Target the Financial Sector
Put simply, targeting financial institutions just makes sense: they possess a great number of valuable assets. Whether it’s money, sensitive customer data, or the interconnectivity with other institutions, it’s too tempting for cyber attackers to resist.
Due to the value of these assets, financial institutions are also more likely to pay. According to the Financial Crimes Enforcement Network, U.S. banks alone paid $1.2 billion in ransomware payments in 2021.
Additionally, the financial sector on the whole faces a great deal of cybersecurity challenges. An International Monetary Fund (IMF) survey of 51 countries revealed that, among emerging market and developing countries:
- Over half (56%) of the central banks lack a national cyber strategy for finance.
- 64% do not mandate testing and exercising cybersecurity measures.
- Nearly half (48%) do not have any regulations on cybercrime.
Threat actors are preying on these weaknesses, but financial firms can fight back by beating them at their own game. And that’s where offensive security measures come in.
The Importance of Offensive Security in the Financial Sector
Any cyber attack is a setback, but the consequences of attacks on the financial sector can be particularly damaging: as hubs of financial commerce, what happens to these institutions has far-reaching social and economic consequences. As digital transformation expands the attack surface, companies struggle to keep up, both in time and resources. To make matters worse, the resources it takes to defend digital assets need to be not only immediately effective but also continuous if they are to scale with the changes. A proactive security approach is needed to limit damage and reduce risk, and often that proactivity means taking the fight to the attackers.
Offensive security techniques such as vulnerability management, pen testing, and red team engagements are particularly useful for identifying and prioritizing vulnerabilities, as well as stress-testing how environments will hold up under a real attack.
What is TIBER-EU?
Developed jointly by the European Central Bank (ECB) and the European Union’s national central banks, TIBER-EU was approved by the Governing Council of the ECB and published in May 2018.
The framework draws on the “tactics, techniques and procedures of real-life attackers, based on bespoke threat intelligence” and is designed to simulate an attack on a financial entity’s critical functions, “i.e. its people, processes and technologies.”
Its main objective is not to deliver a pass/fail verdict. Rather, the point is to show the financial services organization where it stands in terms of cyber maturity so that it can choose the best next steps going forward.
While vulnerability management identifies technical weak points and pen testing exploits vulnerabilities, red team exercises run a true end-to-end simulation to test defenses. A TIBER engagement is organized around five roles, and participants fall into one of the following categories:
- Blue Team – The security team charged with defending the enterprise. They are the ones being tested and have no knowledge of the simulated attacks.
- Threat Intelligence Provider – The company that investigates possible causes of the attack.
- Red Team Provider – The team (often an outside entity) doing the dirty work; the ones simulating adversarial tactics to “take down” the organization in question.
- White Team – The security personnel who have arranged for the red team engagement in the first place.
- TIBER Cyber Team – The TIBER team that oversees the engagement and ensures the TIBER-EU framework is being met.
While created by and for the financial community, these principles – and TIBER in general – can be applied to other sectors as well. The principles of preparedness still apply.
Performing TIBER-EU Engagements
An effective team is key to getting everything you need out of these engagements. When selecting your TIBER-EU red team (the team in charge of simulating the cyberattack), look for experience and a mindset geared towards training blue teams, not just defeating them. This is, after all, the real point.
A highly skilled red team composed of experienced professionals, Outflank specializes in not only “attacking an enterprise” but in assessing resilience and providing the feedback that leads to improved outcomes. Fortra’s Outflank team has worked on developing and improving TIBER from its inception, creating testing guidelines and sharing their expert opinion during various meetings with central banks throughout Europe.
To this end, Outflank has also created a toolset that is ideal for TIBER engagements. A “powerful toolbox made by red teamers for red teamers,” Outflank Security Tooling (OST) is a sophisticated set of solutions that level up the red teaming game, covering every significant step in the attacker kill chain. OST tools are explicitly developed to bypass defensive measures and detection tools, creating authentic scenarios that simulate a real-world attack from an advanced threat actor or cybercrime group. In this manner, a team can be tested against the same kind of tactics employed by organized crime groups and nation-state actors.
The best preparation yields the best results. That’s why financial services firms require the best red team tools and services to ensure that they can successfully follow the TIBER-EU framework, readying themselves so they can respond better when real-world attacks do come, be they basic phishing attempts from inexperienced threat actors or campaigns from the most capable APT-level cybercriminals.
Learn more about running effective red team engagements
Watch Prioritizing Blue Team Success Over Red Team Wins to ensure blue teams are fully prepared for when a real-world attack hits.