TIBER-DE: attack simulations to ensure greater resilience against cyber-attacks in the financial sector
- On 14. Oct 2020
The financial sector – one of the most attractive targets for cybercriminals – is now being attacked more frequently by hackers than any other.
While this is partly due to banks and their service providers being part of the critical infrastructure and attackers expecting maximum profits, it is also due to cumbersome, fragmented and outdated IT infrastructures – that are unfortunately not uncommon in the banking system and offer many points of attack.
To strengthen the German financial market’s resilience against cyber-attacks, the Federal Ministry of Finance and the German Central Bank adopted TIBER-DE in the summer of 2019: a framework for Threat Intelligence-based ethical Red Teaming and the German edition of the TIBER-EU framework published by the ECB in May 2018. TIBER-DE allows financial market players to put their own cyber security to the test. The security experts at SEC Consult provide banks, insurance companies, financial technology providers and their service partners with professional support in executing independent and comprehensive attack simulations. By assuming the role of cybercriminals and following a strictly defined procedure to check for weaknesses and security holes in critical systems, they help financial actors check their systems for weaknesses and effectively increase their resilience to cyber-attacks.
The three phases set out by TIBER-DE
Any TIBER-DE test aims to provide a comprehensive picture of a company or organization’s security situation, providing essential insights into its strengths and weaknesses. The TIBER-DE process is divided into three successive phases that must be adhered to:
Phase 1: Preparation
Before providers such as SEC Consult begin their actual security audit, those responsible for the entire process define the upcoming audit’s objectives, as well as any challenges they may face, and discuss these with the responsible authority. This is followed by the external threat intelligence and Red Team providers being selected according to strict criteria (see below). Since the application of the framework and the implementation of the processes described therein go hand in hand with tough regulations that must be strictly adhered to, it is essential to bring certified, experienced providers, such as SEC Consult and its partners, on board.
Phase 2 Testing
In the second phase, the Threat Intelligence Provider produces the Targeted Threat Intelligence Report (TTI), that defines specific threat scenarios on the basis of which the Red Team (this is where the specialists at SEC Consult come in) develops and executes its individual test scenarios.
Phase 3 Reporting
The Red Team prepares a detailed report that documents both the procedures during the security audit in detail and provides all the test results. In addition, it gives recommendations of actions that the tested organization can take, to optimize its systems or security policies (both from a technical and human point of view).
Red Teaming: at the heart of TIBER-DE
At the heart of the TIBER-DE process is the security audit carried out by an external team of specialists, the “Red Team”. As an independent, external cyber security consultancy, SEC Consult is a competent Red Team partner for the financial services sector when executing TIBER-DE tests and identifying and evaluating weaknesses in its clients’ cyber defense strategy. Red Team activities are centered around scenario-driven missions based on a targeted Threat Intelligence Report, developed specifically for the organization being audited. The goal is to determine how efficiently the organization identifies and defends itself against these targeted sophisticated threats. Based on threat scenarios created by the Threat Intelligence Teams, the experts at SEC Consult imitate the actions of real cyber criminals and use a variety of different attack patterns and vectors – from collecting open source intelligence (OSINT) to social engineering with custom-made malware to physical infiltration of the company. Ultimately, it is not only the company-wide technical defense measures that are put to the test, but also the effectiveness of the organization’s own IT security experts, also known as the Blue Teams.
Though the use of Red Team specialists is often equated with penetration testing, it must be understood that it goes far beyond this traditional security test. A major difference is that Red Teaming considers not only technical, but also human and physical security factors that are not part of conventional penetration tests.