The following activities are part of the preparations phase.
Initiating and organizing the testing activities
The financial entity must decide on initiating and resourcing the testing activities. A key decision is setting up the White Team, which in practice launches the preparations for testing.
The White Team must familiarize themselves with the TIBER-FI guidelines, the generic threat landscape report and the legal framework. Based on these documents and the entity’s own objectives for testing, the White Team makes high-level decisions about which functions will be tested and to what extent. This decision has a substantial impact on the cost of testing and on the selection of service providers.
| Activity | Responsible |
|---|---|
| Nominating the White Team | Financial entity’s executive board |
| Familiarization with the TIBER-FI guidelines | White Team |
| Familiarization with the generic threat landscape report | White Team |
| Familiarization with the legal framework | White Team |
| Deciding on the functions to be tested | White Team |
Procuring the testing services
The White Team is accountable for sourcing the testing services. Services are needed both for producing targeted threat intelligence and for the testing itself. They may be procured from the same provider, or the entity may source them partially or fully internally. The role definitions give more specifics on this.
When procuring the testing services, it is important to pay attention to the competence of the providers, so that the testing itself does not cause a major business interruption and does achieve the objectives set for it. It is recommended to follow the TIBER-EU guidelines for procuring these services.
The Test Manager will provide consultation as required on procurement matters.
| Activity | Responsible |
|---|---|
| Procuring targeted threat intelligence services | White Team |
| Procuring Red Team testing services | White Team |
After the testing services have been sourced, a kick-off meeting is organized for the stakeholders. The purpose of the meeting is to agree on responsibilities and schedules for planning and executing the testing. The agenda for the meeting will cover:
- the testing organization
- the objectives for the test in relation to the generic threat landscape report
- the schedule for preparations and testing
- risk management
- other practicalities about the testing.
The following will participate in the kick-off meeting:
- the White Team, at minimum the White Team Lead
- representatives from the testing services providers
- the Test Manager.
| Activity | Responsible |
|---|---|
| Organizing the kick-off meeting | White Team |
Managing risks from testing
It is a core concept of TIBER-FI that testing is conducted in production systems. This way, the results of testing accurately reflect how cyber criminals see the attack surface and the weaknesses of entities. Testing in production, however, carries a number of risks, and special attention must be paid to managing them. Risk management activities must be applied to ensure that the testing activities do not cause disruptions. The functions and information systems targeted in testing contain information protected by law, such as confidential banking information, electronic communications and personal data. During testing, every effort must be made, through risk management, to maintain the integrity of this information.
In the planning and execution of tests, stakeholders should at a minimum ensure the following:
- Targets and objectives for testing have been clearly documented, and stakeholders made aware of them.
- Limitations on testing, such as excluded functions, systems and information, have been documented, and stakeholders made aware of them.
- The times of testing are known to the White Team.
- The communication methods used during testing have been agreed, and the White Team is able to terminate testing at any time.
- The financial entity has agreed with the targeted threat intelligence provider and the Red Team about the protection of the entity’s information.
The White Team will prepare a risk management plan for the testing. The plan will detail the following:
- What kind of tactics, techniques, and procedures are not allowed to be used.
- What functions, systems, and other potential targets are outside the scope of testing.
- What contingency preparations have been made for potential disruptions caused by the testing.
The White Team is accountable for ensuring that the Red Team prepares its testing plan within the boundaries of the risk assessment.
It is recommended that the threat intelligence provider, the Red Team, and the White Team agree on a project codename to be used in all documentation. The intention with the codename is to conceal the identity of the financial entity and the nature of the assignment.
The threat intelligence provider and the Red Team must be particularly careful in handling all information pertaining to testing assignments. They must as required show to the White Team their internal procedures for handling and protecting information during the assignment and for deleting information after the assignment.
The TIBER-FI Cyber Team and the Test Manager are obliged by Finnish law on the openness of information to keep information pertaining to TIBER-FI testing confidential.
| Activity | Responsible |
|---|---|
| Creating and executing a risk management plan | White Team |
| Security controls and procedures | Service providers |
Preparing a test plan
Test plan preparation is a joint effort between the White Team and the testing services providers. The White Team is accountable for scoping, setting the specific objectives (flags), risk management and setting the boundaries. Boundaries or limitations on testing arise, for example, from the legal framework and from risk management.
The test plan covers:
- testing schedule
- tested functions
- specific objectives
- risk management
- testing organizations
- communications during testing.
The following aspects should be borne in mind when creating a test plan:
- The selected functions and systems and the way they are going to be tested are linked to the generic threat landscape report and critical financial sector functions.
- The planned test scenarios cover some of the most critical threats from the generic and targeted reports.
- The testing procedures and tools planned for the test cases resemble those used by real cyber criminals and include the Red Team provider’s tradecraft views on tactics, techniques and procedures that are realistic and expected, even though not yet witnessed in attacks.
- The test plan must include scenarios that the Blue Team is expected to detect, so that response capabilities are tested.
- The Red Team provider will describe those situations where leg-up assistance is warranted to optimize use of time. For example, a phishing-based scenario can be executed in a fashion where a possibility of phishing is demonstrated and the rest of the scenario executed using a separate foothold not actually gained through phishing.
- The planned scenarios should not aim to fully replicate known attacks. Nor is it appropriate to design scenarios that require skills, tools or technology that the Red Team provider has but real attackers are not using. The scenarios should represent creative use of the tactics, techniques and procedures presented in the generic threat landscape report, emulating realistic threat actors.
A TIBER-FI testing assignment will typically last for several weeks to a few months on the calendar. It is recommended that the White Team and the service providers agree on a regular way of monitoring the progress, for example through weekly status updates.
| Activity | Responsible |
|---|---|
| Documenting a test plan | White Team, Service providers |