The European Central Bank has recently published a framework (TIBER-EU) intended to improve and standardise the practice of testing the security of financial institutions through the application of intelligence-led red teaming.
“The intelligence-led red team test provides a comprehensive end-to-end understanding of weaknesses present in people, business processing, technology, and their associated intersection points, and provides a detailed threat assessment which can be used to further enhance the entity’s situational awareness.”
The framework is a very good resource on the subject and should definitely be used as a reference guide. Below are some of the insights from the report.
Primacy of intelligence-led approach
TIBER’s philosophy is very much driven by intelligence gathering as a central factor in planning, executing and concluding the red teaming exercise. Although this may seem an obvious and common-sense approach, it’s worth noting that the authors nevertheless decided to feature this aspect very prominently, perhaps to drive the point home even more strongly.
The key rationale of the intelligence-led approach is to tailor the exercise to match the actual threat environment of the target, the TTPs of the likely threat actors and the specifics of the target’s business model.
Separation of threat intelligence and red teaming services
TIBER clearly distinguishes and separates the roles of Threat Intelligence (TI) and Red Teaming (RT). This is worth noting, as the two are often bundled together in the context of offensive security testing. At the same time the report stresses the need for the TI services provider and the RT services provider to cooperate closely throughout the exercise.
Central role of the threat intelligence services provider
The TI services provider plays a central role in the testing process. Its key responsibility is to produce a Targeted Threat Intelligence Report, which provides detailed information on the target and outlines relevant threat scenarios. The report then serves as the key input for the RT services provider in developing and conducting the actual attack scenarios. It’s worth noting that TIBER underlines the importance of an ongoing and interactive, rather than sequential, cooperation between the TI and RT services providers.
Recommended sources for intelligence gathering
TIBER does not propose anything truly revolutionary in terms of where to seek the intelligence required for conducting the red teaming exercise. The report outlines several sources as a starting point for the intelligence gathering process:
– open-source intelligence on the target entity
– open-source intelligence on the entity’s suppliers, employees, customers
– gathering data on the targeted entity from third parties
– gathering data from the dark web
– deployment of people into the entity under various guises to gather intelligence
Generic threat landscape vs. target-specific threat landscape
In terms of levels of threat intelligence awareness, TIBER distinguishes between the Generic Threat Landscape (GTL) and the Targeted Threat Intelligence (TTI). The former is a macro-level overview of the threat environment common to financial institutions operating in a specific jurisdiction and/or geographic area. It is expected to be produced by the authorities and/or financial industry organisations, not by the TI services provider. The TTI describes the micro-level threat environment specific to the entity conducting the red teaming exercise.
The TI services provider may then convert the findings of the GTL report (if available) into target-specific insights. TIBER strongly recommends using the GTL report as a best practice but doesn’t make it an obligatory element of the framework.
“Grey-box” rather than “black-box” approach
TIBER recognises that both the TI and RT processes will be limited by ethical, regulatory and legal constraints. Unlike malicious actors, the testers will be subject to a variety of limitations which may reduce the effectiveness of the exercise.
For instance, the testers may not be in a position to intimidate or bribe an executive of the targeted company into providing access to a critical element of the network. Also, some sophisticated malicious actors may spend much more time (i.e. months rather than weeks) planning and preparing the attack than the TI and RT service providers can afford to.
To compensate for these shortcomings, TIBER recommends that the targeted entity provides some internal information to the TI and RT providers so they can better emulate a sophisticated attacker.
Language skills of the threat intelligence provider
The report rightly stresses the importance of TI providers having sufficient relevant linguistic capabilities to properly contextualise the intelligence analysis and to acquire information directly from primary sources.
There are many other interesting insights in the report. The TIBER framework is certainly great reference material for any professional practising offensive security.