Have you heard about the TIBER-EU? This question is the title we gave to a blog post last week, introducing that initiative led by the European Central Bank primarily to assess and protect the euro area's financial systems. In this new blog post, we explicitly focus on TIBER-EU requirements for threat intelligence (TI) and red teaming (RT) providers. These companies are in charge of analyzing the potential threats and performing ethical hacking against European financial entities to test their cybersecurity and cyber resilience. Stakeholders must not make an off-the-cuff choice of providers. This is why the TIBER-EU Services Procurement Guidelines exist, which we take as a reference for this second post in the series. We invite you to review the entire document for more details on what we present here.
What do we find in the Services Procurement Guidelines?
As put in the Services Procurement Guidelines, "Due to the sensitive nature of TIBER-EU tests, entities need to carefully select TI and RT providers which can provide an appropriate level of professional expertise and support for conducting the test." These guidelines make available the requirements and standards that TI and RT providers must meet in order to perform TIBER-EU tests. They furnish guidance and selection criteria for entities seeking to contract providers. And they also offer questions and agreement checklists that help formalize the procurement process. The TIBER-EU Knowledge Centre is in charge of tracking the TI and RT market and making changes to the Guidelines requirements whenever necessary.
Guidelines related to threat intelligence providers
The TI provider has the mission to provide a clear picture of the attack surface of the entity under assessment and to generate threat scenarios that mimic reality. These serve as the foundation for the attack scenarios to be used by the RT provider. The supplier must be aware of the threat actors, their capabilities, motives and methodologies, especially those relevant to the type of entity involved. Regarding this testing target, the TI provider must get to know its operations, critical functions, staff and weaknesses.
Among the requirements for the TI provider is to have "at least three references from previous assignments related to threat intelligence-led red team tests." Next, TIBER-EU mentions appropriate indemnity insurance with which the supplier can respond to compromising situations, such as those that could result from negligence. There must be a TI Manager to lead and supervise the activities. They should have at least five years of experience in the area, at least three of which should be in financial sector projects. Moreover, they should hold certifications such as the CREST Certified Threat Intelligence Manager (CCTIM) and the Offensive Security Certified Expert (OSCE).
On the TI team members' side, each should possess at least two years of threat intelligence experience. A multidisciplinary team "with a broad range of skills including OSINT, HUMINT and geopolitical knowledge" is required. Among the wide range of certifications they could have earned are the CREST Certified Simulated Attack Specialist (CCSAS), the Cybersecurity Nexus (CSX), the Certified Information Systems Security Professional (CISSP) and the Systems Security Certified Practitioner (SSCP). The team is expected to have delivered threat intelligence for red team tests in the past.
The entity receiving the TIBER-EU test is in charge of verifying that the TI provider meets these and other standards set out in the Guidelines. However, it can entrust this responsibility to accreditation and certification bodies in the European Union. The entity should look for a TI provider with technical experts who can articulate its methodology and with support staff. It should be a firm with a mature grasp of ethical standards and attached to a recognized code of conduct. It should be a supplier that guarantees it will adequately manage the entity's systems and information risks. In addition, the entity should request evidence from the prospective supplier about its information security policies.
Guidelines related to red teaming providers
According to the TIBER-EU Framework, the entity must ensure that the RT provider will conduct an intelligence-led red team test and not just penetration testing. The main distinction between these two testing methods is the following: The former includes a whole scenario with people, processes and technologies in the assessment. The latter usually focuses on systems and their technical and configuration vulnerabilities. Following the efforts of the TI provider, this other supplier takes threat scenarios and turns them into attacks. "The RT provider should aim to assess the cyber resilience posture of the entity in the light of the threat it faces." There should always be a close liaison between the providers to structure and update test plans and generate and deliver the final report.
As in the case of the TI provider, the RT provider must have several years of experience, indemnity insurance and a proficient and qualified manager. Apart from the aforementioned OSCE, the Red Team Test Manager should also hold a certificate such as the CREST Certified Simulated Attack Manager (CCSAM). Team members should possess at least two years of experience in red team testing. Among the knowledge and skills that the red team must have, TIBER-EU suggests the following: "business knowledge, red team testing, penetration testing, reconnaissance, threat intelligence, risk management, exploit development, physical penetration, social engineering [and] vulnerability analysis."
The certifications a member of a red team can get are manifold. TIBER-EU suggests some of them that could be among those that certify the RT provider's team. Of course, the more they have, the better. Apart from highlighting several certifications from GIAC and Offensive Security, they mention the eLearnSecurity Certified Professional Penetration Tester (eCPPT) and the Certified Ethical Hacker (CEH), among others. At Fluid Attacks, we have some of these and more. We recently included in our list of certifications several from Mile2. Closely associated with red teaming, we have, for instance: the Certified Red Team Operator, the Certified Red Teaming Expert, and the Certified Red Team Professional.
Again, the supplier's compliance with the requirements is something that the entity or the accreditation and certification bodies must verify before commencing the TIBER-EU test. "Three of the most important criteria for a buyer of red team testing services are the reputation and history of the RT provider and the ethical conduct it both adopts and enforces." The entity needs to find an adequate plan for risk management and confidentiality in the provider, and the provider should offer advanced, innovative and high-quality methodologies. All of this is expected to result in a proper simulation of real-world attacks against the entity as a whole target.
Red teaming assesses organizations and their strategies for risk mitigation, threat detection and response, and resilience. It also identifies their weaknesses and vulnerabilities so that they can fix them and improve their preventive measures. Although TIBER-EU is an initiative for projects with European entities, it can serve as a reference for many worldwide, both for those of us who offer services such as those mentioned above and for those who require them. Fluid Attacks, for instance, is a highly experienced and qualified red team that can act in favor of your organization's cybersecurity. We invite you to discover it. Contact us!