TIBER Advice on Choosing Providers
Have you heard about the TIBER-EU?
This question is the title
we gave to a blog post last week,
introducing that framework
(Threat Intelligence-based Ethical Red Teaming),
developed by the European Central Bank
primarily to test and strengthen the cyber resilience of the euro area's financial entities.
In this new blog post,
we explicitly focus on TIBER-EU requirements
for threat intelligence (TI)
and red teaming (RT) providers.
The former analyze the threats that a given entity actually faces;
the latter perform ethical hacking against European financial entities
to test their cybersecurity and cyber resilience.
Stakeholders must not choose these providers off the cuff.
That is why the TIBER-EU Services Procurement Guidelines exist,
and they are the reference
for this second post in the series.
We invite you to review the entire document
for details beyond what we summarize here.
What do we find in the Services Procurement Guidelines?
As put in the Services Procurement Guidelines,
“Due to the sensitive nature of TIBER-EU tests,
entities need to carefully select TI and RT providers
which can provide an appropriate level of professional expertise
and support for conducting the test.”
These guidelines make available the requirements and standards
that TI and RT providers must meet
in order to perform TIBER-EU tests.
They furnish guidance and selection criteria
for entities seeking to contract providers,
and they also offer question sets and agreement checklists
that help formalize the procurement process.
The TIBER-EU Knowledge Centre is in charge of tracking the TI and RT market
and making changes to the Guidelines requirements whenever necessary.
Guidelines related to threat intelligence providers
The TI provider's mission
is to build a clear picture of the attack surface of the entity under assessment
and to generate realistic threat scenarios.
These serve as the foundation for the attack scenarios
that the RT provider will execute.
The supplier must know the relevant threat actors,
their capabilities, motives and methodologies,
especially as they apply to the type of entity involved.
As for the target itself,
the TI provider must get to know its operations,
critical functions, staff
and weaknesses.
Among the requirements for the TI provider is to have
“at least three references from previous assignments
related to threat intelligence-led red team tests.”
Next,
TIBER-EU requires appropriate professional indemnity insurance,
so that the supplier can cover liabilities
arising, for example, from negligence during the test.
There must be a TI Manager to lead and supervise the activities.
They should have at least five years of experience in the area,
at least three of which should be in financial sector projects.
Moreover,
they should hold certifications
such as the CREST Certified Threat Intelligence Manager (CCTIM)
and the Offensive Security Certified Expert (OSCE).
On the TI team members’ side,
each should possess at least two years of threat intelligence experience.
A multidisciplinary team
“with a broad range of skills including OSINT,
HUMINT and geopolitical knowledge” is required.
Among the wide range of certifications
they could have earned
are the CREST Certified Simulated Attack Specialist (CCSAS),
the Cybersecurity Nexus (CSX),
the Certified Information Systems Security Professional (CISSP)
and the Systems Security Certified Practitioner (SSCP).
The team is expected to have delivered threat intelligence
for red team tests in the past.
The entity receiving the TIBER-EU test is in charge of verifying that
the TI provider meets these and other standards
set out in the Guidelines.
However,
it can entrust this responsibility to accreditation and certification bodies
in the European Union.
The entity should look for a TI provider with technical experts
who can clearly articulate its methodology,
backed by adequate support staff.
It should be a firm with a mature grasp of ethical standards,
bound by a recognized code of conduct,
and one that guarantees
it will adequately manage the risks to the entity's systems and information.
In addition,
the entity should request evidence from the prospective supplier
about its information security policies,
since the provider will be handling highly sensitive data about the entity's weaknesses.
Guidelines related to red teaming providers
According to the TIBER-EU Framework,
the entity must ensure that
the RT provider will conduct an intelligence-led red team test
and not just a penetration test.
The main distinction between the two is the following:
the former emulates a specific threat actor's tactics and objectives
end to end,
targeting the entity's people, processes and technologies
and measuring how well the entity detects and responds;
the latter usually focuses on a defined set of systems
and enumerates their technical and configuration vulnerabilities.
Following the efforts of the TI provider,
this other supplier takes threat scenarios
and turns them into attacks.
“The RT provider should aim to assess
the cyber resilience posture of the entity
in the light of the threat it faces.”
There should always be a close liaison between the providers
to structure and update test plans
and generate and deliver the final report.
As in the case of the TI provider,
the RT provider must have several years of experience,
indemnity insurance
and a proficient and qualified manager.
Apart from the aforementioned OSCE,
the Red Team Test Manager should also hold a certificate
such as the CREST Certified Simulated Attack Manager (CCSAM).
Team members should possess at least two years of experience
in red team testing.
Among the knowledge and skills that the red team must have,
TIBER-EU suggests the following:
“business knowledge, red team testing, penetration testing,
reconnaissance, threat intelligence, risk management,
exploit development, physical penetration,
social engineering [and] vulnerability analysis.”
A member of a red team can earn many different certifications,
and TIBER-EU lists some
that could attest to the skills of the RT provider's team.
Of course,
the more relevant ones they hold,
the better,
although the experience requirements above remain the baseline.
Apart from highlighting several certifications from GIAC
and Offensive Security,
they mention the eLearnSecurity Certified Professional Penetration Tester
(eCPPT) and the Certified Ethical Hacker (CEH),
among others.
At Fluid Attacks,
we have some of these and more.
We recently included in our list of certifications
several from Mile2.
Closely associated with red teaming,
we have,
for instance:
the Certified Red Team Operator,
the Certified Red Teaming Expert,
and the Certified Red Team Professional.
Again,
the supplier’s compliance with the requirements is something
that the entity
or the accreditation and certification bodies
must verify before commencing the TIBER-EU test.
“Three of the most important criteria
for a buyer of red team testing services
are the reputation and history of the RT provider
and the ethical conduct it both adopts and enforces.”
The entity needs to find, in the provider,
an adequate plan for risk management and confidentiality.
The provider should offer advanced,
innovative and high-quality methodologies.
All of this is expected to produce a proper simulation of real-world attacks
against the entity as a whole,
not only against isolated systems.
Red teaming assesses organizations
and their strategies for risk mitigation,
threat detection and response,
and resilience.
It also identifies their weaknesses and vulnerabilities
so that they can fix them and improve their preventive measures.
Although TIBER-EU is an initiative for projects with European entities,
it can serve as a reference worldwide,
both for those of us who offer services
such as those described above
and for those who require them.
Fluid Attacks,
for instance,
is a highly experienced and qualified red team
that can act in favor of your organization’s cybersecurity.
We invite you to discover it.
Contact us!
*** This is a Security Bloggers Network syndicated blog from Fluid Attacks RSS Feed authored by Felipe Ruiz. Read the original post at: https://fluidattacks.com/blog/tiber-eu-providers/

