OPINIONS

TIBER: How do you go About it?

12th of August 2019

Opinion, by Philippe Roy, TIBER expert & Information Security Consultant @ FortConsult

Financial institutions in Denmark are regulated by TIBER-DK, which is a Red Team test framework, established with the aim of strengthening cyber security in the sector.

Whether you have been selected to run TIBER as early as 2019, or will be in a few years, one thing is certain: TIBER is here to stay. All financial organisations should conduct a TIBER test at some point in the future.

For Danish organisations, the central bank has shared clear guidelines for conducting a TIBER test, which you can read here, and other countries are expected to follow suit. A TIBER test is a long and resource-consuming process that requires months of preparation and planning for even the most security-conscious organisations. Therefore, it is important to see TIBER as a journey, which I propose to be divided into three phases: preparation, execution and follow-up.

Preparation

TIBER is not a test that you just throw yourself into. It requires a certain amount of security maturity, which is why it is important that there is also a preparation phase. At this point, you have to ask yourself: is it realistic to run a TIBER test?

A TIBER test is carried out in production, i.e. the live environment. That in itself is a risk factor for any business, and in particular, if the organisation is not prepared to handle this type of test. If you have never done a red team test before, you are not ready. It might be better to start with a tabletop exercise, bringing together the key stakeholders. Get an overview of the security maturity and set an action plan to prepare your organisation for the actual execution. We must all be able to crawl before we can walk.

Execution

In the execution phase, there are two main deliverables: Threat Intelligence (TI) and Red Team (RT). You can consciously choose one supplier to perform both of these deliverables or choose one for each part. There are clear synergies to be gained if you choose to stick to one supplier.

If a generic Threat Intelligence report is provided by your central bank, as is the case in Denmark, you can choose whether to use this version or a create your own, tailored report. There are, however, clear advantages to getting your own targeted Threat intelligence report.

Follow-up

The test will illuminate the things that have gone well and areas, where there is room for improvement - which are gathered in a report. In a traditional project, there is a risk that the journey will end here: all of the boxes on the checklist are crossed off and new projects await. Time to move on.

But, in order to get value for money from TIBER, it is necessary to act on the report.

First of all, you must learn from the findings highlighted in the report - and act on the knowledge that you have acquired from it. An action plan must be drawn up with a prioritised order of tasks that must be solved, so that your maturity is higher after the test than it was before. After all, the goal of TIBER is to become more resilient to potential cyber attacks.

Of course, after these improvements have been implemented, they need to be tested again. It is important to make sure that the techniques and processes work as expected and that cyber awareness has improved, ensuring that the people in your organisation act appropriaetely when under duress.

You can read more about the main deliverables and the rest of the TIBER framework here.