What is TIBER-EU?
TIBER-EU is a European framework for threat intelligence-based ethical red-teaming. It provides comprehensive guidance on how authorities, entities, and threat intelligence and red-team providers should work together to test and improve the cyber resilience of entities by carrying out controlled cyberattacks.
TIBER-EU framework
How does it work?
TIBER-EU tests mimic the tactics, techniques and procedures of real-life attackers, based on bespoke threat intelligence. They are tailor-made to simulate an attack on the critical functions of an entity and its underlying systems, i.e. its people, processes and technologies. The outcome is not a pass or fail; instead the test is intended to reveal the strengths and weaknesses of the tested entity, enabling it to reach a higher level of cyber maturity.
Who is involved in a TIBER-EU test?
The main participants in a TIBER-EU test belong to one of five different teams, depending on their roles and responsibilities under the TIBER-EU framework:
- blue team – the people in the entity that is the subject of the test whose prevention, detection and response capabilities are being tested without their foreknowledge
- threat intelligence provider – the company that looks at the range of possible threats and carries out reconnaissance on the entity
- red-team provider – the company that carries out the simulated attack by attempting to compromise the critical functions of the entity, mimicking a cyberattacker
- white team – a small team within the target entity who are the only ones there who know a test is happening and lead and manage the test in collaboration with the TIBER cyber team
- TIBER cyber team – the team within the authority that is responsible for overseeing the test and making sure it meets the requirements of the TIBER-EU framework, thus enabling mutual recognition of the test by relevant authorities
The TIBER-EU Framework Services Procurement Guidelines provide more information on the process of selecting and procuring the services of threat intelligence and red-team providers. The TIBER-EU White Team Guidance explains how to set up the team which manages the TIBER test from inside the target entity.
The TIBER-EU Purple-Teaming Best Practices provide guidance on how purple-teaming may be introduced and managed in the TIBER testing phase and/or closure phase as outlined in the TIBER-EU framework.
The TIBER-EU framework aims to harmonise and standardise the approach to threat intelligence-based ethical red-teaming across Europe. To achieve this aim, the main participants listed above should use the following templates and guidance to conduct an end-to-end test. The templates are to be used in different phases of the test – such as scoping, threat intelligence, and red-team testing (planning and reporting) – and should be formalised via a final test summary report and an attestation to facilitate mutual recognition.
Who is the TIBER-EU framework for?
The TIBER-EU framework is designed for entities that provide core financial infrastructure (including those whose cross-border activities fall within the regulatory remits of several different authorities) and for national/supranational authorities. It can be used for entities in all critical sectors, not just the financial sector. In addition to a number of mandatory requirements, the framework also includes optional requirements that can be adapted to the specificities of individual jurisdictions. The TIBER-EU framework harmonises threat intelligence-based ethical red-teaming and facilitates mutual recognition, reducing the burden on entities and authorities alike.
The TIBER-EU framework can also assist competent authorities and financial entities in meeting the requirements for threat-led penetration tests under the Digital Operational Resilience Act (DORA). See this publication for further information on how adopting the TIBER-EU framework can help fulfil these DORA requirements.
Building on joint expertise and experience
TIBER-EU was developed jointly by the ECB and the EU’s national central banks, approved by the Governing Council of the ECB and published in May 2018. It was inspired by and takes account of the lessons learned from similar initiatives in the United Kingdom (CBEST) and the Netherlands (TIBER-NL).
The TIBER-EU framework has been adopted in Austria, Belgium, Denmark, Finland, France, Germany, Iceland, Ireland, Italy, Luxembourg, the Netherlands, Norway, Portugal, Romania, Spain and Sweden, as well as being applied by the ECB. Other jurisdictions are expected to follow suit in due course.
National TIBER cyber teams conduct TIBER tests with entities in their respective jurisdictions, while entities that are active in multiple jurisdictions may participate in joint tests with multiple TIBER cyber teams. By January 2023, more than 100 TIBER tests had been conducted under the TIBER-EU framework.
Hiring threat intelligence and red-team specialists
To ensure that providers of threat intelligence and red-team services meet the appropriate standards for conducting a TIBER-EU test, the entity being tested should carry out due diligence to make sure its chosen provider meets all the requirements set out in the TIBER-EU Framework Services Procurement Guidelines.
The TIBER community can provide support
The TIBER-EU Knowledge Centre (TKC) is a forum hosted by the ECB in which national and European TIBER cyber teams coordinate and discuss initiatives and share details of their experiences. This helps to ensure consistent implementation of the TIBER-EU framework in the adopting jurisdictions.
If new jurisdictions want to adopt the TIBER-EU framework and join the TIBER community, they can send an email to TIBER-EU@ecb.europa.eu.