TIBER-EU, time to close the cybersecurity overdraft

The ECB has decided to strengthen the cybersecurity of banks through the TIBER-EU project in view of the growing number of cyberattacks on financial institutions

The world’s major institutions have been on edge for years. The unstoppable growth of cyber-attacks on banks and financial institutions has become much more than an isolated threat. The fear that the incident could take on a global dimension and destabilize the system has become a reality. So much so that in Europe, for example, the European Central Bank has launched the TIBER-EU project.

The European Framework for Threat Intelligence-based Ethical Red Teaming (or TIBER-EU) is probably the most ambitious cybersecurity initiative ever launched by the regulator.

HSBC, JPMorgan, Equifax, the Russian and Bangladeshi Central Banks, Tien Phon Bank, Austro Bank, the Polish Financial Authority, the Mexican Banking, and Securities Commission… The list of banks and financial institutions attacked by hostile actors in recent years is endless. The phenomenon is clearly choral. And it is growing.

It is logical. Where there is money, there will always be the bad guys.

Fear of systemic crisis

The current president of the ECB, Christine Lagarde, warned some time ago that a cyber-attack could trigger a serious financial crisis. A thesis endorsed by the IMF’s Financial Stability Board, whose diagnosis leaves little room for doubt:

«A major cyber incident, if not adequately contained, could seriously disrupt financial systems. Including critical financial infrastructures, which would have wider implications for financial stability».

And since fear has been, since time immemorial, a trigger for change, Europe has decided to step up to the plate. How? By inviting all entities in its financial system to undergo TIBER-EU testing.

Basically, this is a harmonized approach that combines cyber-intelligence techniques with Red Team services. In short? It proposes the need to design attack scenarios independently, without being directed by the entity undergoing the exercise, which is then used to simulate sophisticated cyber-attacks on banks, stock exchanges, and financial institutions, taking advantage of the knowledge of independent external providers to expose the vulnerabilities that their systems may have.

We are talking about advanced cyber-attacks. Highly sophisticated tests driven by teams with extensive knowledge in the field of cyber-intelligence and Red Team services. In short, an efficient and truthful tool to measure the cyber resilience of any entity.

This is why the ECB has published a supplier procurement guide (TIBER-EU Services Procurement Guidelines) that establishes a framework of requirements to define which companies will be able to carry out these tests. Experience, technical solvency…

A framework that a priori will be subscribed to by the monetary authorities of the respective member states. Just a few days ago, the Bank of Spain approved the TIBER-ES Implementation Guide, which subscribes one by one to the fundamentals established by Brussels.

Endorsement from Brussels

In the specific case of suppliers, the monetary authorities are not going to prescribe companies, but they will finally endorse them informally when certifying the quality of TIBER-EU. A company like Tarlogic Security, for example, with a huge experience in both Red Team and Cyber Intelligence services, will certainly have the endorsement to perform these advanced tests.

«We, in fact, already work with a TIBER scheme in projects we carry out for financial institutions», says José Lancharro, the director of BlackArrow, Tarlogic’s offensive and defensive services division.

It will even be an added value for financial institutions, given their expertise in the two disciplines that will be involved in these tests. «In many cases -says Jessica Cohen, head of Tarlogic’s Cyber Intelligence division– banks will need two different providers: one for Cyber Intelligence and one for Red Team. We have a lot of experience in these two services and, that is an asset».

In this first phase, TIBER-EU testing will be voluntary, not mandatory. But everything indicates that, in the future, they may end up as an essential certification to maintain the banking folio.

The hidden competition between financial institutions could end up playing a key role in this process. «When one has an approved TIBER-EU, the rest of the entities will follow suit», Lancharro predicts.

In the same vein, Cohen points out that the member states could end up triggering the change. From voluntary to mandatory. Because of the transnational nature of banking, but also because of the security of financial systems. «As soon as there is a country whose banks comply, it is very likely that they will push for the rest to do so as well», She points out.

TIBER like rather than TIBER cool

What they do agree on is that most banks are going to do several tests before going to the approved TIBER-EU. The fear that the test will not yield optimal results from the outset will lead them to carry out several pre-tests to certify the strength of their systems.

In essence, this is what the European Central Bank wants.

An institution is hardly going to risk a reputational crisis resulting from a TIBER-EU that gives poor results for its cybersecurity structures. Hence, there is a consensus on the roadmap to be followed by banks now that the Brussels-driven project is starting to gather speed.

How will these tests be?

As in 2009, when the stress testing framework for banks was created, the starting point is technically ambitious. Brussels wants the tests to be sophisticated and simulate real scenarios and threats. To this end, it wants independent, solvent providers to certify the resilience of its systems.

TIBER-EU will divide into two phases. In the first phase, Cyber Intelligence services will comprehensively analyze all the information and threats surrounding a specific financial institution after gaining in-depth knowledge of its critical functions.

What is the purpose? To understand and assess each of these threats and identify the potential malicious actors behind them. And all with a clear objective:

• Identify these actors: Who.
• Uncover their intentions: Why.
• Discover their modus operandi: How.

It will be from the recapitulation of all this information that the most plausible critical risk scenarios will be designed and then attacked by Red Team’s services.

The second phase of the TIBER-EU test has thus arrived. Red Team’s teams will have the task of carrying out these cyber-attacks and measuring their effectiveness. That is, the bank’s ability to contain the threat.

They will do so by simulating the procedures of real attackers. Following the phases that usually occur in this type of incursion: reconnaissance, intrusion, lateral displacement, exfiltration…

In short, to determine whether it is possible to breach the organization’s systems.

With all this information under the arm, a very precise report will be drawn up which will draw relevant conclusions on the threats and the systems solvency in terms of cybersecurity.

A detailed diagnosis will be submitted to the judgment of the technical teams of the monetary authority. Those who, ultimately, will be responsible for attesting to the institution’s ability to face the multiple and countless threats of this era.

The banking sector has an arduous task ahead of it…

Discover our work and cybersecurity services at www.tarlogic.com