The TIBER-EU Framework: What is it and why is it important?

At CovertSwarm, we’re a proud part of the cyber security sector and nothing slips under our radar. In fact, from the latest technology to best-practice testing methods, our Swarm rallies to keep our knowledge base growing, our clients better protected and our teams out-pacing cyber criminals. Today, we’re sharing some key intel on TIBER-EU, a framework for intelligence-led penetration testing and ethical hacking that’s gaining traction across Europe. Here’s what it is, how it works, and why it’s important for the cyber security of your business, data and customers.

What is TIBER-EU?

It’s the European framework for threat intelligence-based ethical red teaming. In other words? It’s a way to simulate cyber attacks across your estate and ensure your security is as effective as possible. But, here’s the main point of difference: as a framework across countries, borders and jurisdictions in Europe, it aims to be something of an industry standard for critical sectors like finance and infrastructure. It’s TIBER-EU’s goal to unite these authorities and entities and work together on improving their cyber hygiene and real-world resilience. You can read more about the TIBER-EU framework here.

Why was the TIBER-EU framework developed?

As each country’s authority works to develop national, intelligence-led red teaming frameworks, it made sense to combine efforts and offer greater protection and consistency, while minimising the risk of exposing potentially sensitive information. The framework also means there’s less burden on authorities’ resources, as they can share (and rely on) each other’s intel and analysis. True to form, TIBER-EU was jointly developed by the ECB and EU national central banks through insights and learnings from initiatives in both the UK (CBEST) and the Netherlands (TIBER-NL). Since being approved in May 2018 by the Governing Council of the ECB, it has become widely used across more than 13 European countries (including the UK), with more to follow.

How does TIBER-EU testing work?

As it sounds, it provides a framework for a controlled cyber attack, mimicking the tactics, techniques and procedures (TTPs) of real-life threat actors. It essentially outlines modes of attack to leverage in your penetration testing – though we’d caution that for a business to keep up with the bad actors of today, you’ll need to be just as ruthless and relentless.

The TIBER-EU framework is an attack guide which can target an organisation’s critical functions (CFs) and underlying systems (i.e. its people, processes and technologies). It helps blue and red teams detect threats, assess damage and adapt that entity’s protection for the future. It’s a modern way to highlight strengths and weaknesses in your defences and leaves you with a detailed, actionable report that helps safeguard your systems.

What happens during a test?

There are three phases in a test:

1. Preparation. This involves setting out the scope needed for the test and establishing the teams who will carry it out.

2. Testing. Possible attack scenarios are posited, which are used by the intelligence-led red team to test the systems, people and processes that underpin the organisation’s CF.

3. Closure. The last phase reports on the test’s findings and observations, as well as areas for improvement (including technical elements and educational aspects) to develop a remediation plan.

What’s involved in the testing phase?

At this stage, a number of steps are taken to gather information, use it against the target, and fulfil the objective set out in the initial preparation stage. More specifically, this includes:

  • Reconnaissance – Teams collect as much information as possible about the target, including its people, technology, surroundings and environment.

  • Weaponisation – This information is used to build a picture of the target and its primary operations.

  • Delivery – The launch stage of the test. This could involve attacks such as social engineering, analysing vulnerabilities, or planting malware.

  • Exploitation – The red team attempts to compromise areas like servers, apps or networks, and exploit staff through tactics like phishing.

  • Control and movement – If gains have been made, the red team will next attempt to ‘hop’ between systems to increase access and find more targets.

  • Actions on target – The final stage of the test involves completing the objectives outlined in the first stages.

Why is the TIBER-EU framework important?

  1. It considers every angle. Traditional penetration tests focus on a single system (or ‘environment’), rather than the entire scope of an organisation (which covers its people, processes and technologies). The framework has been developed to take all of these into account, as most bad actors won’t just stop at an initial target, but will attempt to ‘sidestep’ across connected systems to see if these are also viable targets (lateral and vertical movement).

  2. It uses the TTPs of advanced threat actors. Hackers – and their methods – only increase in sophistication as time goes on, so your threat intelligence needs to keep up. The only way to do that is to mimic their tactics, tools and behaviours.

  3. It’s widely used across Europe. TIBER-EU helps bring together governmental and commercial threat intelligence, adapted to your business type and systems. It protects entities across various countries, particularly in critical sectors, but can still be adjusted to the needs (and laws) of different jurisdictions.

What’s the future of TIBER-EU and intelligence-based ethical red teaming?

TIBER-EU aims to grow knowledge and collaboration across European entities and its own teams. The framework is the structure it needs to do this. But, there’s more work to come – TIBER-EU wants to involve more countries, develop its framework (and training) further, and create a central bank of resources and materials for its members. Regardless of whether the TIBER-EU framework is used for intelligence-based ethical red teaming, many of the actions carried out in its testing phase play a part in how cyber attacks can be staged, and the cyber security industry will continue to work together through sharing information, feedback and lessons learnt.

Why choose CovertSwarm?

We meet all the requirements set out in the TIBER-EU Services Procurement Guidelines. Our ethical hackers also already use the approach that’s outlined in the framework, and we share the same goal as TIBER-EU – to improve the cyber security of businesses, their data and their people through improved cyber hygiene and real-world resilience.

To learn more about how we can help make your organisation more secure, contact the CovertSwarm team today.