Danmarks Nationalbank and entities in the financial sector have in close cooperation established a red team test programme, TIBER-DK. The individual tests generate concrete learning on countering advanced cyber threats. The purpose is to strengthen cyber resilience in order to promote financial stability in Denmark.
TIBER stands for Threat Intelligence-Based Ethical Red-teaming in a framework developed by the European Central Bank, ECB. TIBER-EU is the term for the pan-European framework, while TIBER-DK refers to the Danish national implementation. TIBER-DK was introduced in December 2018 with tests from January 2019. Danmarks Nationalbank was among the first central banks in Europe to establish a TIBER-programme and perform tests.
The Digital Operational Resilience Act, DORA, establishes threat-led testing, TLPT, as mandatory for significant financial entities in the EU. Danmarks Nationalbank is the authority for TLPT in Denmark and identifies the entities required to perform tests. Danmarks Nationalbank is responsible for the TIBER-DK programme and facilitates the performance of tests in the entities.
In the TIBER-DK implementation, requirements on TLPT under DORA are incorporated. Therefore, performing a TIBER-DK test will in effect apply as performing a DORA TLPT.
How a TIBER test works
In a TIBER test, the entity is to identify, prevent and respond to advanced cyber attacks to thereby learn more regarding how the entity can protect societally critical activities against cyber attacks and prevent the cyber attacks from causing damage.
The cyber attacks are based on concrete threats identified by a Threat Intelligence Provider, meaning that the tests simulate actual tactics, techniques and procedures from active cyber groups.
Taking point of departure in tailored scenarios, ethical hackers (also called Red Team Testers) mimic active cyber groups and try to attack societally critical functions and systems in the entity.
In the test, a so-called Control Team constitutes the small group of people within the entity who are aware of the test and responsible for its planning and coordination. The so-called Blue Team consists of those of the entity’s employees who are to stop the cyber attacks and prevent damage. The Blue Team is unaware that the test is taking place.
The tests take place in the actual live production environments, i.e. in the critical systems that are used to support the activity in the financial sector on a day-to-day basis. Both in the preparation and performance of the test, focus is placed on identifying and managing risks, so the societally critical systems are not affected during the test.
The realism of the tests makes the results tangible and effectful. The tests show concrete, advanced cyber attacks unfolding from start to finish. In addition, the learning is unique, since the tests provide an opportunity to broadly explore the critical systems, the underlying infrastructure, and the supporting processes.
The learning is anchored in the entity, for instance via Replay and Purple Teaming activities, where the Blue Team and Red Team Testers play through the attacks along with alternative methodologies.
TIBER-DK Implementation
The documents used in the TIBER-DK implementation are available below. The key documents consist of the ’TIBER-DK Implementation Document’, which describes the TIBER-DK programme and details the test process in-depth, and the ‘TIBER-DK Test Process Overview’, which provides a visual overview of the test process. In addition, a series of guidance documents and templates are used in the TIBER-DK test process. TIBER-EU documentation is used in TIBER-DK, and is available on the ECB website.