The TIBER-EU community project will test the cybersecurity structures of stock exchanges, banks, and community institutions. Cyber intelligence services will design attack scenarios to be executed by Red Team providers.
Clifford Stoll, the astronomer and author of that incunabulum on the world of cybersecurity, The Cuckoo’s Egg, maintains that data, by itself, is not knowledge. Not even information. There is no written record that those in charge of the European Central Bank have read the professor, but they have listened to him. The TIBER-EU project, for example, has called in cyber intelligence professionals to convert data into knowledge.
In short, to bring structured and valuable information to the table to arm European banks, stock exchanges, and monetary institutions against the growing cyber threats looming around them.
Cyber intelligence services will be one of the two strategic pillars (the other being Red Team services) of the European Framework for Threat Intelligence-based Ethical Red Teaming (or TIBER-EU), the most important cybersecurity program linked to financial institutions ever promoted by Brussels.
An initiative designed to protect the sector from the multiple threats that, in extreme cases, could trigger a crisis in the system with unforeseeable consequences.
To prevent it, TIBER-EU is presented as a harmonized framework for all member states, combining cyber intelligence and red team techniques to test the resilience of the cybersecurity structures of banks and financial institutions.
Identifying and exploiting threats
Thus, those banks that wish to do so will be able to contract suppliers to undergo these tests, which will be divided into two phases. The first phase will involve the identification of threats and vulnerabilities and the design of attack scenarios by cyber intelligence professionals. In the second, Red Team providers will carry out these attacks by simulating the techniques and modus operandi of hostile actors.
This article focuses on the first phase: the role that cyber intelligence services will ultimately have to play in drawing up the critical scenarios faced by banks in a global and delocalized context.
Although their work is extremely complex, the mission of these professionals within the framework of the TIBER-EU tests can be summed up in a few words: collecting useful information on the financial institution to be analyzed, defining the threats it faces, and determining the attack scenarios to be executed by the Red Team providers. Ultimately, designing the real situations that could be used by malicious actors to attack a financial institution.
Within these guidelines, the good work of the cyber intelligence team in charge of this phase can go further, accompanying this analysis with higher quality information that allows refining the certainty, or in this case the suitability, of the scenarios to be developed.
In this sense, Tarlogic’s Cyber Intelligence and Global Risks department chooses to expand the minimum lines established in the TIBER-EU framework, including in its analysis information on threats that can potentially affect the sector, even if they are not originally directed to it.
Special attention is also paid to the causal course that may give rise to the attack in the most classic criminological terms, i.e., answering questions such as: who (which actors may be behind it); how (analyzing not only the TTPs that may be implemented but also the attack vectors to be used); why (since motivation is always a variable that favors understanding the type of attack, and intensity, that may be suffered); and where (there are geographical areas, sectors, companies and even systems that are more exposed than others).
Special emphasis is also placed on the risk rating associated with each of the threats, as a criterion before establishing the most suitable scenarios for subsequent use as a roadmap by the Red Team. One of the most relevant variables that the TIBER-EU framework confers on the Red Team exercises developed under its coordinates is precisely the independence of both the Red Team services provider and the tested entity in the choice, design, and prioritization of scenarios to be exploited.
This working approach is embodied even in the initial stages of the threat intelligence service. The first information inputs are included in the so-called Generic Landscape Report if requested.
This document is not initially contemplated as a deliverable within this service, but at Tarlogic we understand that preparing it or, at least, updating it will provide the Targeted Threat Intelligence Report with a higher quality of information. This approach permeates all levels of threat intelligence that can be delivered under the TIBER perspective.
As the main delivery of the service, the Targeted Threat Intelligence Report (TTI Report), i.e. the analysis that fully documents the scenarios to be followed, is delivered to the tested entity. Various methodologies are used for this analysis, the use of which will depend on the different information inputs available.
It’s worth opening a parenthesis here to refer to the Generic Threat Report (GTR Report). This is a step before the TTI Report which, a priori, is understood to be part of the knowledge managed by the financial organization in question. However, even if it is available, the intelligence service in charge must evaluate the relevance of carrying out this analysis in person or updating it if necessary. The ingredients must be fresh to be manipulated.
Access to critical information
To be able to carry out this work, the cyber intelligence teams must have access to critical information of the entity under study. Information that will be key in the correct choice and orientation of each of the scenarios that have to be designed with the care of a tailor-made suit.
At this point, Jessica Cohen, director of the Cyber Intelligence Department at Tarlogic Security, points out the uniqueness of the banking sector: its transnational and highly regulated nature.
Cohen believes that for TIBER-EU testing to be truly effective, it is imperative to raise awareness of the need for it and to work together to include this framework in the day-to-day work of institutions. She is also committed to the involvement of the intelligence services of the member states, bringing the orchestration of these exercises to the level of prevention that globalization and digital challenges demand.
In this regard, she gives the example of France, surely the member state that leads the field of economic intelligence. «The exchange of information there is continuous so that banks have very accurate information on threats and critical scenarios, input of extraordinary value if it is integrated into the analysis process that requires threat intelligence at this level», she specifies.
The director of Cyber Intelligence at Tarlogic intuits that, although submitting to these exercises is at the discretion of each organization, as their understanding and adherence spread and the good pace of their use in surrounding countries is maintained, their implementation will become a kind of train of no return.
This cybersecurity effort will rely on the expertise and density of knowledge and research of cyber intelligence professionals, and on their ability to gather valuable information, transform it and translate it into real scenarios that the Red Team providers will then try to replicate.
In short, TIBER-EU tests are undoubtedly an excellent tool to mitigate the uncertainty and potential damage that cyber threats have on the continuity, credibility, and viability of the organization.
This article is part of a series of articles about TIBER-EU
- TIBER-EU, time to close the cybersecurity overdraft
- TIBER-EU calls on cyber intelligence to arm banks
- Red Team, the soldiers of the TIBER-EU program