The European Central Bank (ECB) has published the European Framework for Threat Intelligence-based Ethical Red Teaming (TIBER-EU). The ECB describes it as the first Europe-wide framework for controlled and bespoke tests against cyber attacks in the financial market. It’s for national banking authorities and banks to determine if and when TIBER-EU based tests are performed.
As the central bank says, banks should reduce their vulnerabilities at every point and strengthen their overall resilience. “This requires diverse, layered approaches, solutions and tools,” and intelligence-led red team testing is one such tool.
The TIBER-EU framework facilitates a harmonised European approach towards intelligence-led tests which mimic the tactics, techniques and procedures of hackers. TIBER-EU based tests simulate a cyber attack on an entity’s critical functions and underlying systems, such as its people, processes and technologies. This helps to assess protection, detection and response against cyber attacks.
Comments
Pete Banham of cyber product company Mimecast, said: “Red teaming is vital for robust security so it’s great to see European coordination on this issue for financial services. However stress testing needs to involve all employees simulating how they could keep operating even if an attack does get through. It only takes one employee to open a malicious email attachment and the attacker is in. There is also a major supply chain risk, as attackers could use an employee as a stepping stone to launch impersonation attacks against a bank’s suppliers and corporate customers.
“More needs to be done ensure organisations, not just those in the financial sector, remain cyber resilient. This needs to span beyond security and look at continuity, remediation and recovery to ensure businesses can get back on their feet if something does get through. Accountability also shouldn’t be limited to the IT team. As every employee is a potential route into the business, ongoing education for all is critical.”
And Mark Weir, Cisco UK and Ireland director of cybersecurity, said: “More organisations need to implement the same mind-set as the European Central Bank and have a cyber-drill in place to prepare for cyber-attacks. Rehearsals and drills are part of life, however a government survey of large companies found only 54% of boards view cyber risks as a top business concern, 68% of boards have not received any training in how to respond to a cyber incident, and 10% have no plan whatsoever.
“The devastation caused, financially and reputationally, around the world by cyberattacks shouldn’t be escalated because companies are unprepared. As cyber incidents aren’t as easy to detect as disasters such as fires – where the flames, smoke and heat are giveaways – walking through a case study allows an organisation to reflect on whether they would detect such an incident, and how the alert would be raised.
“Cisco is working extensively with a lot of its customers to build a plan to mitigate this risk through its Incident Response service – to help businesses prepare for, manage and recover from breaches. It is no longer a luxury, but a necessity that organisations of all sizes consider cyber risk to be a key part of a business continuity plan and even insure against this risk.
With the arrival of GDPR just around the corner, it is more vital than ever that organisations do everything they can to prepare for the cyber-attacks of tomorrow, or face the consequences. It’s not a case of if you will fall victim to cybercrime, it’s when. And we need to ensure we remain one step ahead – whatever it takes.”
