
Information Security: Tiber-EU and Tiber-DE


We take a peek at two more recent publications in the field of Information Security: regulations from lawmakers designed to support the implementation of guidelines and processes, aiming to fulfil data protection requirements and to achieve a high level of security for especially vulnerable points in a modern society (e.g. institutions like banks).

TIBER EU / DE - RedTeam Frameworks

https://www2.deloitte.com/ro/en/pages/risk/solutions/tiber-ro-framework.html

Templates and guidelines for all the different phases of a test

  • TIBER-EU White Team Guidance - The TIBER-EU White Team Guidance describes details on the roles and responsibilities of a White Team for a TIBER test, which manages the test from inside the tested entity as an overseeing, neutral party in the setup.
  • TIBER-EU Scoping Specification Template - The TIBER-EU Scoping Specification Template can be used during any TIBER test by the tested entity to present the detailed scope of its respective test.
  • TIBER-EU Guidance for Target Threat Intelligence (TTI) Report - The TIBER-EU Guidance for Target Threat Intelligence Report aims to provide the Threat Intelligence Provider with a standardized approach to develop the TTI Report for the tested entity.
  • TIBER-EU Guidance for the Red Team Test Plan - The TIBER-EU Guidance for the Red Team Test Plan aims to provide the Red Team Provider with a standardized approach and structure for producing the Red Team Test Plan, focusing on how to: organize the testing phase; plan the organization and management of the test; and develop the attack scenarios, which build on the threat scenarios from the TTI Report.
  • TIBER-EU Guidance for the Red Team Test Report - The TIBER-EU Guidance for the Red Team Test Report aims to provide the Red Team Provider with a standardized approach and structure for producing the Red Team Test Report, focusing on: setting out the summary of the test with accompanying evidence; detailing the findings and root cause analyses; determining the key discussion points for the replay with all the relevant stakeholders; and finalizing the remediation plan.
  • TIBER-EU Guidance for the Test Summary Report - The Guidance for the TIBER-EU Test Summary Report aims to provide entities undertaking a TIBER test with a standardized approach and structure for producing the Test Summary Report.

EU vs DE

Comparing Tiber-EU and Tiber-DE frameworks.

| Aspect | EU Framework | Germany |
| --- | --- | --- |
| Legal and Compliance | GDPR and NIS Directive set the baseline for security assessments, including red teaming. Cross-border operations must consider each member state's interpretation. | Must comply with GDPR, BDSG (Federal Data Protection Act), and the IT Security Act. Specific legal frameworks may apply for critical infrastructure sectors. |
| Certification and Standards | ENISA provides guidelines for cybersecurity exercises and red teaming. TIBER-EU framework for threat intelligence-based ethical red teaming. | BSI (Federal Office for Information Security) standards and guidelines for red teaming exercises. TIBER-DE as the German adaptation of TIBER-EU for the financial sector. |
| Technical Scope | Emphasis on realistic cyber threat simulation across the EU, with sectors like finance, energy, and transport being focal points. | Similar technical scope with specific attention to critical infrastructures (KRITIS) and sectors deemed vital for national security. |
| Organizational Engagement | TIBER-EU recommends involving top management to ensure strategic alignment and learning. | TIBER-DE and BSI guidance also stress the importance of C-level engagement for effective red teaming. |
| Methodology | TIBER-EU provides a phased approach: Preparation, Testing, and Reporting phases with clear guidelines for each step. | TIBER-DE follows a similar phased approach but may include additional requirements or steps specific to German regulatory or threat landscapes. |
| Tools and Techniques | Encourages the use of up-to-date and sophisticated tools and techniques to simulate advanced persistent threats (APTs). | Adherence to BSI recommendations for tools and techniques, with a strong focus on simulating realistic threat actors that could target German entities. |
| Data Protection | Strict adherence to GDPR during red team exercises, especially with cross-border data flows. | In addition to GDPR, compliance with BDSG is crucial, particularly in handling personal data during simulations. |
| Reporting and Follow-up | Detailed reporting and actionable recommendations are crucial. EU guidelines emphasize the need for clear communication with stakeholders. | German regulations also demand thorough reporting, with an emphasis on remediation planning and follow-up assessments to ensure vulnerabilities are addressed. |

Risk

TIBER-EU places a strong emphasis on risk during assessments. In Red Team operations, the primary focus is to avoid risking interruption, damage or a real data leak. In all Red Team operations, discovering real attacks takes precedence over the Red Team exercise.

| Risk Category | Potential Risks | Mitigation Strategies |
| --- | --- | --- |
| Technical | Unintended system disruptions, data loss, or degradation of service. | Conduct thorough scoping and planning sessions. Use controlled and vetted tools. Implement safe handling practices for sensitive data. |
| Legal/Compliance | Breaching privacy laws (e.g., GDPR), unauthorized access, or non-compliance with regulatory requirements. | Ensure all activities are covered by legal agreements. Obtain necessary permissions and ensure compliance with relevant laws and standards. |
| Organizational | Misalignment with business objectives, insufficient engagement from key stakeholders, or inadequate follow-up on findings. | Engage with senior management and key stakeholders early and throughout the process. Clearly define objectives and ensure findings lead to actionable insights. |
| Reputational | Negative perception by stakeholders or the public if activities are misunderstood or if there is unintended leakage of the exercise's existence or details. | Maintain strict confidentiality about the assessment details. Prepare communication plans to manage any potential leaks or misunderstandings. |
| Operational | Interruption to business operations, critical services, or emergency response systems. | Schedule testing for low-impact times. Establish clear stop or pause criteria. Maintain constant communication with a designated point of contact. |

Best Practices

Planning and Authorization

Ensure comprehensive planning, including legal and regulatory considerations. All activities should be authorized at the appropriate level within the organization and, when necessary, by external entities.

Scope Control

Keep the assessment within the agreed scope to avoid overstepping bounds, which could lead to legal issues or unintended disruptions.

Communication

Maintain open lines of communication with all stakeholders. This includes pre-assessment briefings, real-time incident reporting, and post-assessment debriefs.

Incident Response Plan

Have an incident response plan in place specifically for the assessment to quickly address any unintended consequences.

Data Protection

Implement strict data handling and protection measures to ensure that sensitive or personal data is not improperly accessed, handled, or disclosed.

Tools and Techniques

Use only approved and tested tools and techniques to minimize the risk of unintended system impacts.

Documentation and Reporting

Keep detailed records of all actions taken during the assessment. This documentation can be crucial for legal protection, analysis, and learning.

Conclusion

Hopefully this document gave you a quick overview of one of the major legal pillars on which Red Teaming is (supposed to be) built.

Have a great day!