The following actors are part of the TIBER-FI framework.
TIBER-FI Cyber Team (TCT)
The Bank of Finland has created the TIBER-FI framework and is responsible for providing guidance on its application. For this task, the central bank has appointed an internal TIBER-FI Cyber Team (TCT).
The responsibilities of the TIBER-FI Cyber Team are to promote voluntary adoption of the TIBER-FI procedures, to coordinate the creation of the financial sector general threat landscape report and to provide support and guidance for financial entities in the application of the procedures. The TCT is in contact with the European Central Bank’s TIBER-EU Knowledge Center coordination group and the TCTs of other central banks.
Test Manager (TIBER-FI Test Manager, TTM)
The Test Manager, i.e. the TIBER-FI Test Manager (TTM), is a person working under the Bank of Finland’s mandate and is part of the TCT. It is the responsibility of the Test Manager to coordinate and support TIBER-FI practicalities. The TTM is the contact person for financial entities and service providers in all matters pertaining to TIBER-FI, the practical application of the generic threat landscape report, testing preparation and scoping, and managing the risks of testing.
Financial entities evaluate the suitability of the TIBER-FI procedures to their cyber security testing activities. It is voluntary for an entity to join TIBER-FI and no fee is collected. The decision on the adoption of the TIBER procedures will be made by the executive board of the financial entity. (Decision to participate)
An entity that has decided to adopt TIBER-FI must organize an internal coordination group for the testing activities (White Team), procure the services needed for the testing activities, as well as plan, undertake and report on the testing.
Each financial entity covers the expenses from testing-related internal work, as well as the expenses of subcontractors, testing service providers and other similar parties. Entities have wide discretion in determining the extent of the testing. The Bank of Finland will assist entities with Test Manager support.
The Bank of Finland classifies participation in TIBER-FI activities as confidential information.
White Team (WT)
Each financial entity participating in TIBER-FI must appoint a team to coordinate testing activities. This team is referred to as the White Team (WT). The team is responsible for
- organizing and steering testing activities
- communicating with the TCT
- scoping the testing activities
- procuring threat intelligence and Red Team services
- managing the risks related to testing
- collecting observations for improvement and reporting.
Additionally, when the TIBER-FI framework is applied in testing, the White Team is responsible for making sure that testing activities are aligned with the procedural requirements of TIBER-FI.
The White Team consists of
- the White Team Lead, who has overall responsibility for coordination of testing activities and communicating with the TCT
- an executive board member, for example the COO or CIO
- the CISO
- experts on the tested functions.
The White Team Lead may be a consultant or other person who is not part of the financial entity’s own personnel. The White Team may also consist of service providers, such as IT and information security service partners.
The overall size of the team should be kept small in order to ensure that the scope and schedule of testing remain confidential. It is essential to ensure that the information that the White Team has about upcoming testing will not affect the activities of the Blue Team. This should be taken into account in communications between the White Team and its stakeholders.
When organizing a White Team, it is recommended to follow the TIBER-EU White Team Guidance document (pdf).
Blue Team (BT)
The personnel and service providers of the financial entity who are not participating in the White Team have no knowledge of the scope and schedule of testing. This group will continue to work according to normal policies and procedures. In the TIBER-FI procedure and Red Team testing it is essential that only the White Team is aware in advance of the scope, methods and timing of testing.
After testing is completed, a dedicated Blue Team is formed to report on the testing and the lessons learned. This group consists, where applicable, of key cyber security and IT personnel in those functions that were tested at the time in question. Service provider personnel may join the Blue Team. The Blue Team will take part in test summaries, walkthroughs and reporting.
Threat intelligence provider
The threat intelligence provider is the entity that prepares the targeted cyber security threat intelligence report pertaining to the financial entity. This report contains intelligence about the cyber security and attack surface of the financial entity. The report contains the same information that an advanced cyber security threat actor would gather when preparing an attack on a target organization and its functions. Red Team testing performed according to TIBER-FI is based on well-formed threat intelligence on those functions identified for testing.
The threat intelligence provider has the capability to gather and combine information from publicly available sources and otherwise, for example by obtaining information through deception from the financial entity’s personnel.
Red Team (RT)
The team performing the operational aspects of the testing is referred to as the Red Team. The Red Team is typically a commercial service provider. When a financial entity has its own internal Red Team, there must be credible controls in place to ensure that the Red Team is independent from the design, implementation and operations of tested information systems. It is essential that the Red Team adopts the perspective of an external advanced attacker when planning and executing testing.
A good Red Team is composed of professionals with varied sets of cyber security skills, including risk management, penetration testing, targeted attacks, open source intelligence and social engineering. The size of the team varies, based on the specifics of the tested functions and the scope of testing.
Every team has a Red Team Test Manager, who acts as contact person for the team and is responsible for test planning, coordinating the team activities and reporting.
One of the key risk treatment decisions is to select a competent and experienced Red Team for the testing assignment. There is a TIBER-EU guideline about the procurement practicalities (pdf).
Nordic Financial CERT
Nordic Financial CERT (NFCERT) is a non-profit CERT organization for distributing threat information to its members. NFCERT specializes in serving financial entities.
The Bank of Finland acquires from NFCERT the financial sector general cyber security threat landscape report for TIBER-FI. The report is confidential and available to enrolled entities for the purposes of TIBER-FI testing.