TIBER-FI – Red teaming tailored for the financial sector

TIBER-FI is a Red Teaming cybersecurity testing model designed for financial sector entities. TIBER-FI is a Finnish application of the TIBER-EU framework developed within the European Union, aiming to standardize cybersecurity testing for financial sector entities across the Union. The name comes from the words Threat Intelligence Based Red Teaming.

European Union regulations defining the level of cybersecurity in the financial sector, such as the DORA regulation, require recurring technical threat-based testing, and the TIBER-FI framework is currently the recommended model for conducting such testing.

The TIBER-FI framework defines the structure of a Red Teaming exercise and the techniques and tactics of the threat actors that the service provider executing the attack will apply during the assignment. The framework also sets requirements for the parties involved in the exercise. For example, the Red Team conducting the simulated attack must be an independent, external, and neutral party with no direct connections to the target organization’s cyber defense planning and monitoring.

The key is the first two letters of the framework’s name, T and I (Threat Intelligence). The methods used by the Red Team simulating the attack are based on genuine threat intelligence produced by authorities about the types of cyber threats currently targeting various financial sector entities. In Finland, the basis is the Nordic Financial CERT (NFCERT) joint Nordic threat intelligence report commissioned by the Bank of Finland.

Threat intelligence as the basis for the TIBER-FI exercise

The threat intelligence produced by authorities is supplemented with open-source intelligence (OSINT) and other preparatory work and reconnaissance about the organization being tested. The threat intelligence is also related to the types of assets and critical functions that the target organization has.

Using threat intelligence, threat scenarios targeting the company being tested are mapped out, and the attack scenarios executed in the testing are planned based on these. The goal of the attack simulation is to model the tactics, techniques, and procedures (TTPs) of potential attackers.

In the planning of the TIBER project, the parties involved are the entity responsible for intelligence, the Red Team organization simulating the attack, and the White Team representing the commissioning organization, which approves the course of the exercise and the threat scenarios to be simulated in the implementation. The testing framework requires that the Blue Team, which represents the defense of the target organization, not be aware of the attack simulations in advance, so that the tested response is as realistic as possible.

The TIBER framework requires the most realistic testing possible, so the testing is conducted in the commissioning organization’s production environment. Therefore, the attack scenarios for the Red Teaming phase are carefully planned to limit the potential risks from the testing. The planning of the project is also supported by a special expert provided by the Bank of Finland.

After the planning phase, the TIBER-FI project proceeds to the actual attack simulation, the results of which the Red Team reports to the target organization. Based on the reporting results, the target organization receives valuable and comparable information within the TIBER framework about the state of cybersecurity of its critical assets.

2NS, or Second Nature Security, is an experienced provider of Red Teaming cybersecurity tests. We have also tested our clients’ cybersecurity in TIBER-FI assignments.