Do You Know What TIBER Is?
Have you read the public TIBER framework documents and felt overwhelmed? Then read on as I explain how to prepare for and implement the TIBER framework.
Let’s get started with some background information about the origins of the TIBER framework. TIBER is an acronym for Threat Intelligence-based Ethical Red Teaming. TIBER was constructed by ECB to, in a structured way, strengthen cybersecurity in the financial sector across the European Union. Sweden has decided to participate and has designed an adaptation called TIBER-SE.
A TIBER test is a long and frankly time-consuming process as it requires an extensive amount of preparation and planning, even for organizations currently following security best practices. There is a dedicated team at Riksbanken, the TIBER Cyber Team, responsible for the framework. They are required to be involved in every TIBER-SE test performed.
With this in mind, we strongly suggest you view TIBER as a journey. Your TIBER security journey contains three phases: preparation, implementation, and follow-up.
Preparation
When preparing a plan for a TIBER test, you must ask yourselves the following questions: Is it realistic for us to go through with a TIBER test right now? Do we have a sufficient amount of economic resources to justify the test? Finally, and the question Truesec most often asks, can you afford to not go through with this?
The main part of a TIBER test is a blind Red Team attack against your production environment. Your staff will be unaware of how or when the simulated attack will happen. Planning a full red team engagement is complicated and expensive. To obtain better value from a full red team engagement, we recommend you start small and complete a Security Health Check or a Threat Check first. These focused checks will ensure you have a safe and solid foundation before the full red team engagement TIBER requires. Completing health checks allows the TIBER test to focus on less apparent threats and risks.
The most critical activity during the preparation phase is choosing the right security partner for the red team engagement and for the threat intelligence report. The ECB has, in the Services Procurement Guidelines, clear explanations of the requirements your security partner should be able to meet. Finally, ensure you keep a dialogue open with the cyber team in Riksbanken. They will help you through the process and are essential during this journey.
Implementation
During the implementation stage, there are two teams: Threat Intelligence (TI) and Red Team (RT). The mission of the TI team is to analyze relevant threats to your organization and identify a few possible attack scenarios. These scenarios will be presented in a report called Targeted Threat Report (TTR). We strongly encourage you to take a look at our similar report – Swedish Cyber Threat Landscape – as it provides a general idea of current relevant threats in Sweden. The Truesec report works well as a foundation you can analyze to achieve a broader understanding of threats that apply to your organization.
The mission of the Red Team is to perform attacks against your environment based on the scenarios presented in the TTR. Both teams (TI and RT) can be composed of one partner or two separate ones. The TIBER framework has no guidelines or recommendations on if you should use the same vendor for both teams. If the security partner you have chosen can provide both the TI team and the RT, we believe there are numerous advantages to selecting only one partner.
Follow-up
A TIBER project always closes with follow-up actions and reports. You will receive a write-up containing a variety of different weaknesses and vulnerabilities in your environment. The vulnerability list can include anything from physical protection to improved policies during attacks and even some purely technical solutions. Your part begins here as you now need to plan how to prioritize the recommendations and enhance your security.
Remember, the goal of TIBER is not the test, but to ensure constant security improvements occur. We believe that TIBER is an excellent way to improve security in your environment. With TIBER as a standard, it creates an efficient way of identifying what internal projects will be necessary for your organization and Sweden’s financial stability.
If you are still wondering how to get started or would like to discuss what a TIBER project might look like for your organization? Truesec is only a phone call away.
You don’t need the best cybersecurity partner #UntilYouDo
Read more about the implementation of TIBER-SE at Riksbanken.