Press release: With TIBER-DE, the Federal Ministry of Finance (BMF) and the Deutsche Bundesbank have been implementing the ESCB-developed framework for threat-led penetration tests (TIBER-EU) in Germany since summer 2019.
SEC Consult is supporting the German financial market players by carrying out independent, comprehensive attack simulations. With specialized Red Teaming projects, the experts help banks, insurance companies, fintechs and their service providers to reveal the weaknesses of their systems and to reach a higher level of cyber maturity.
Banks In The Focus Of Cyber Attacks
As a critical infrastructure, the financial services sector is an attractive target for cybercriminals. The increasing digitization as well as highly developed attack techniques and malware are increasingly pushing the sector’s cyber resilience to the limit. For this reason, the Federal Ministry of Finance (BMF) and the Deutsche Bundesbank have adopted TIBER-DE, a framework designed to strengthen the resistance to cyberattacks the entire German financial system.
Comprehensive attack simulation
TIBER-DE is a German spin-off of the European Framework for Threat Intelligence-based Ethical Red Teaming (TIBER-EU) adopted by the European System of Central Banks in May 2018. The framework is based on full-scale attack simulations with the aim of revealing critical vulnerabilities of the tested entity according to a strictly defined procedure. All cyber security measures as well as the effectiveness of the internal IT security experts, the so-called blue teams, are on trial.
The independent cybersecurity consultant SEC Consult supports the financial services sector as a competent Red Teaming partner for the implementation of TIBER-DE tests and identifies and evaluates weaknesses in the cyber defense strategy within extensive Red Teaming projects.
SEC Consult’s experts mimic the behavior of real cybercriminals and use a variety of possible attack patterns and attack vectors – from collecting open source intelligence (OSINT) to social engineering, (spear-)phishing with customized malware, to physical infiltration and compromise of the organization. All missions are derived from risk analysis and threat intelligence and are therefore specifically tailored to the tested entity.
“The Red Teaming approach as described by the TIBER-DE framework goes beyond classical penetration testing. Red Teaming not only looks at technical but also human security factors, which are not included in conventional penetration tests,” says Markus Robin, General Manager of SEC Consult. “The tester not only reviews the systems within an environment, but also the people and processes of the company. This provides a comprehensive picture of the current state of security, which enables companies to prepare themselves optimally against attacks. The SEC Consult Red Team has the full clout of an international team of experts at their disposal and structurally simulates realistic scenarios within the framework defined by TIBER-DE.”
Security checks mandatory for critical infrastructure
So far, financial market players can still decide for themselves whether to participate in TIBER-DE tests or not, but an obligation in the foreseeable future is already being considered. “Regardless of whether vulnerability testing according TIBER-DE will be mandatory, banks should regularly carry out TIBER tests simply in their own interest in order to strengthen their cyber resilience and sustainably and make the German financial system nationwide more secure,” adds Robin.