On 10 Nov 2020
On July 22, 2020 the German Central Bank published its information on the implementation of TIBER-DE. The TIBER-DE framework defines how threat-intelligence-based red teaming tests must be carried out. The framework is aimed at large banks and insurers active in Germany, financial market infrastructures active in Germany, and IT service providers that are critical for the financial sector.
The Red Team members: what counts is experience and attack know-how
As a neutral cybersecurity consultancy with an international team of experts in the field, all of whom can draw on years of experience in Red Teaming, the SEC Consult Red Team meets all the TIBER-DE requirements and is available to the financial services sector as a competent partner. The highly qualified team has proven expertise in attacks and covers a wide range of skills in various areas – from penetration testing to threat intelligence, risk management, exploit design, physical penetration and social engineering – and is therefore able to implement all defined attack scenarios in a thorough, structured, secure and intelligent manner. The activities are led and supervised by a Red Team Manager, who is responsible for the end-to-end management of the security audit and has at least five years of experience in a leading role in Red Team testing (including three years in the financial services sector).
What requirements does a Red Team provider have to meet to perform TIBER-DE tests?
To ensure that the Red Team test delivers the promised results and is ultimately recognized by the relevant authorities, the TIBER-DE framework places high demands on Red Team providers. In addition to an impeccable reputation and specific experience requirements, the Red Team provider must master the following topics:
1. Excellent risk management
The Red Team provider must be able to ensure that its activities do not endanger or create risks for the test subject. This applies just as much to processes as it does to data protection. In the course of its work, the Red Team is likely to come across sensitive, confidential and business-critical data, which may concern the company being audited, its customers or third parties. Not only must the team be fully aware of this, but it must also implement appropriate security measures and guidelines to cope with such situations. Therefore, SEC Consult has in place a robust Information Security Management System (ISMS) with a customized security control framework and appropriate certifications based on recognized international standards. It defines clear processes that are effectively implemented and continuously monitored.
2. Innovative methods
To provide a detailed and sound threat assessment, robust and innovative methods are key. This is why the Red Team at SEC Consult offers the best in security testing: the tests are based on the most advanced techniques, so they can imitate sophisticated cyber-attacks (up to nation-state level) and therefore thoroughly challenge the defense level of the unit being tested.
3. Collaboration with the other teams
In addition, a Red Team provider must be able, and must proactively demonstrate its willingness, to cooperate with all the other teams involved in the security audit. Besides the company being tested and the Blue Team, this particularly includes the Threat Intelligence (TI) provider. To transform the threat scenarios drawn up by the TI team into a coherent and comprehensible test plan, it is necessary to review and comment on the TI results. Therefore, the specialists at SEC Consult consider close and transparent cooperation with the partner preparing the Targeted Threat Intelligence (TTI) report a top priority.
4. Absolute confidentiality
When choosing a Red Team provider, confidentiality is an absolute knockout criterion. This is particularly true for security audits in the context of TIBER-DE tests. The Red Team provider must, for instance, be able to guarantee that it will not re-use confidential information acquired during its activities for services provided to other parties. The team at SEC Consult can prove at any time how an unintentional disclosure of data will be prevented. Even before the tests are carried out, the team at SEC Consult will, together with the client, document procedures for how and when the sensitive information will be destroyed, in accordance with the law, after completion of the project.
Threat intelligence-based security testing offers great opportunities
There are great opportunities throughout the German financial landscape for widespread implementation of threat-intelligence-based security testing in accordance with the TIBER-DE framework, as it ensures unparalleled transparency regarding the cyber security of financial market players. Security gaps and points of attack become visible thanks to realistic attacker scenarios, and this makes it possible to expand defense strategies effectively. The result is that banks are able not only to prevent cyber-attacks more effectively and fend them off more quickly, but also to align processes and systems more efficiently from the outset.
For the time being, the decision as to whether a security check on the basis of the TIBER-DE guidelines is carried out is still up to companies and organizations themselves. The German Central Bank is currently considering making these tests mandatory for financial market players. The United Kingdom is the pioneer and model for mandatory security tests in the financial sector: CBEST, a framework for intelligence-led penetration testing, was introduced there as early as 2014. It requires UK-based businesses of a certain size in the financial sector to carry out a CBEST security test once a year in cooperation with a certified provider.