What is TIBER-EU?
TIBER-EU is the European framework for threat intelligence-based ethical red-teaming. It is the first EU-wide guide on how authorities, entities and threat intelligence and red-team providers should work together to test and improve the cyber resilience of entities by carrying out a controlled cyberattack.
How does it work?
TIBER-EU tests mimic the tactics, techniques and procedures of real-life attackers, based on bespoke threat intelligence. They are tailor-made to simulate an attack on the critical functions of an entity and its underlying systems, i.e. its people, processes and technologies. The outcome is not a pass or fail; instead the test is intended to reveal the strengths and weaknesses of the tested entity, enabling it to reach a higher level of cyber maturity.
Who is involved in a TIBER-EU test?
The main participants in a TIBER-EU test are assigned to one of five different teams depending on their role and responsibilities:
- blue team – the people in the entity that is the subject of the test and whose prevention, detection and response capabilities are being tested without their foreknowledge
- threat intelligence provider – the company that looks at the range of possible threats and carries out reconnaissance on the entity
- red team provider – the company that carries out the simulated attack by attempting to compromise the critical functions of the entity by mimicking a cyber attacker
- white team – a small team within the target entity; its members are the only people in the entity who know that a test is taking place, and it leads and manages the test in collaboration with the TIBER cyber team
- TIBER cyber team – the team within the authority that is responsible for overseeing the test and making sure it meets the requirements of the TIBER-EU framework, thus enabling mutual recognition of the test by relevant authorities
The TIBER-EU Services Procurement Guidelines provide more details on how to select and procure the services of threat intelligence and red-team providers. The TIBER-EU White Team Guidance explains how to set up the team which manages the TIBER test from inside the target entity.
The TIBER-EU Purple Teaming Best Practices provide guidance on how purple teaming may be introduced and managed in the TIBER testing phase and/or closure phase as outlined in the TIBER-EU Framework.
The TIBER-EU Framework aims to harmonise and standardise the approach to threat intelligence-based ethical red-teaming across the EU. To achieve this aim, the main participants listed above should use the following templates and guidance to conduct an end-to-end test. The templates are to be used in different phases of the test – such as scoping, threat intelligence, red team testing (planning and reporting) – and should be formalised via a final test summary report and an attestation to facilitate mutual recognition.
Who is the TIBER-EU framework for?
The TIBER-EU framework is designed for (supra)national authorities and entities that form the core financial infrastructure, including those whose cross-border activities fall within the regulatory remit of several authorities. It is applicable to entities not only in the financial sector but also in any other critical sector. In addition to a number of mandatory requirements, the framework also includes options that can be adapted to the specificities of different jurisdictions. This facilitates mutual recognition and lowers the burden on both authorities and entities.
Building on our joint expertise and experience
TIBER-EU was jointly developed by the ECB and the EU national central banks, approved by the Governing Council of the ECB and published in May 2018. It was inspired by and takes into account the lessons learned from similar initiatives in the United Kingdom (CBEST) and the Netherlands (TIBER-NL).
The TIBER-EU framework is currently (being) implemented in Belgium, Denmark, Finland, Germany, Ireland, Italy, Norway, Portugal, Romania, Spain, Luxembourg, Sweden and the Netherlands, as well as by the ECB in its oversight capacity. Other jurisdictions are expected to follow in due course.
Hiring threat intelligence and red-team specialists
To ensure that the providers of threat intelligence and red-team services meet the appropriate standards for conducting a TIBER-EU test, the entity being tested should carry out due diligence to make sure its selected provider meets all the requirements set out in the TIBER-EU Services Procurement Guidelines.
In the future, entities should procure only those providers who have achieved formal TIBER-EU certification and accreditation. There is currently no suitable certification and accreditation agency in Europe for this purpose. Once EU certification and accreditation capabilities are in place, all companies should rely on them when hiring providers for the TIBER-EU test.
Organisations interested in providing certification and accreditation for TIBER-EU can contact the TIBER-EU Knowledge Centre at TIBER-EU@ecb.europa.eu.