Threat Intelligence-Based Ethical Red-teaming (TIBER)

Threat intelligence-based ethical red-teaming (TIBER) is a testing framework created by the European Central Bank in 2018, which provides guidance on conducting realistic simulated cyberattacks to test the cyber resilience of critical infrastructure. The framework was primarily created with the financial sector in mind, but is also appropriate for other critical sectors. It describes how authorities, organisations, threat intelligence providers, and red-team providers can work together to run an assessment, and obtain actionable information about the strengths and weaknesses of the target organisation.

The TIBER framework is provided both as a general European standard (TIBER-EU) and as national implementations (e.g. TIBER-DK, TIBER-NO). It is also closely related to the CBEST framework in the UK.

TIBER versus Red Team exercise

Although a TIBER test contains elements of a Red Team assessment, it differs by having a separate phase in which a dedicated threat intelligence provider assesses the target organisation in order to create customised, realistic attack scenarios for the Red Team to carry out. These attack scenarios may require the Red Team to simulate known threat actors and adopt all their known tactics, techniques, and procedures (TTPs).

The three phases of a TIBER test are similar to those of a standard Red Team assessment, but are further split into six sub-parts. These sub-parts provide standardised and measurable approaches that can be audited by a governing organisation.

For more information about TIBER-EU, we refer to the European Central Bank's official documentation.

How mnemonic can assist your TIBER test

mnemonic has the capability to deliver both the threat intelligence and Red Team services required for a TIBER assessment. These services are delivered by different departments internally, which can cooperate or work independently without communicating with each other, depending on the needs of the assessment.

The detailed approach will depend on the specific TIBER framework applicable. For example, the Norwegian Financial Supervisory Authority, together with the Norwegian Central Bank, is currently in the process of establishing a TIBER-NO framework, but this is not yet in place. Conversely, TIBER-DK is in place and initial assessments are being carried out within this framework.

mnemonic as Red Team provider

As mnemonic has conducted security and penetration tests ever since the company was founded in 2000, we have some of the most experienced and knowledgeable consultants in the Nordics in this area. Several of the consultants have experience from TIBER or similar threat intelligence-based red-teaming engagements for large multinational enterprises. Throughout a TIBER test, mnemonic will draw on a diverse team with broad technical expertise in order to provide realistic adversary simulation of the capabilities of known threat actors and APT groups.

mnemonic as Threat Intelligence provider

mnemonic has a mature Threat Intelligence practice, which is organised as a separate department of more than 15 FTEs and has experience providing threat intelligence to multiple customers. As part of a TIBER test, its role is to prepare a Targeted Threat Intelligence Report which details attack scenarios and other inputs to the Red Team. The Targeted Threat Intelligence Report will be based on the generic threat landscape as well as multiple additional information sources. A typical Threat Intelligence team will consist of 3 consultants, an engagement lead, an OSINT specialist, and a technical specialist.

Need more information?

Contact Andreas Furuseth, Manager Risk Services, for more information.