For the objectives of TIBER-FI, it is essential to ensure that the results from testing result in security improvement measures. The following phases describe the procedures for improving cyber resilience with TIBER-FI.
Preparing the Red Team test report
The Red Team prepare a test report following the testing. To ensure the quality of the report it is recommended that it is finalized soon after the tests have been conducted. The report will contain a description of the testing activities, findings from the testing and recommendations for improving security. The testing activities outlined in the report will be detailed in a fashion that allows the Blue Team to analyze and reference them.
|Creating the Red Team test report||Red Team|
Preparing the Blue Team report
After Red Team testing is completed and the White Team has been informed of the results, the White Team assesses what type of Blue Team will be compiled for analysing the test results. The Team should consist of persons responsible for the operational monitoring of cyber security and the investigation of incidents, and within whose area of responsibility the testing and detection activities lay.
The White Team informs the Blue Team of the tests conducted and supplies them with the Red Team test report. After receiving the report, the Blue Team investigates if the testing activities were detected and what response was initiated. The Blue Team prepares a summary connecting their monitoring, investigation and other response activities to the Red Team’s testing activities. The summary is referred to as the Blue Team report.
|Informing the Blue Team||White Team|
|Creating the Blue Team report||Blue Team|
The White Team organize a walkthrough workshop for the Red Team and the Blue Team. In the workshop, the Red Team present their activities, procedures and results from testing. At the same time, the Blue Team’s observations and responses as well as opportunities to improve activities are discussed.
The Test Manager is invited to participate in the walkthrough to assess that TIBER-FI procedures have been followed during testing.
|Organizing the walkthrough||White Team|
Recording improvement opportunities
White Team compiles a record of improvement opportunities for the purpose of internal development based on the Red Team and Blue Team reports. Typical improvement opportunities contain recommendations for improving detection capabilities and internal processes as well as clarifying responsibilities.
Improvement opportunities are recorded for internal use by the financial entity.
|Recording improvement opportunities||White Team|
preparing the Final report
The White Team compile a final report, describing at a high-level how the testing was prepared and implemented, observations on improving activities, recommendations for improving the entity’s own testing process the next time, and observations and feedback on the generic threat landscape report, the legal framework and TIBER-FI procedures. The White Team must attest in the report that the testing phases were conducted in accordance with TIBER-FI procedures. In addition, the management of the testing organisation, together with the service providers, sign an attestation confirming that the test was conducted in accordance with the mandatory requirements of the TIBER-EU framework. The attestation is based on the TIBER-EU attestation template.
The final report is delivered to the Test Manager for the purpose of compiling a summary across the financial sector.
|Compiling a final report||White Team|
|Preparing an attestation||Management of testing organisation and service providers|
|Delivering final report and attestation to Test Manager||White Team|
The Test Manager organizes a feedback session after each TIBER-FI testing and invites the White Team and service providers to participate. From each team, at least the lead must participate in the session, and some of the other members as required.
The purpose of the feedback session is to discuss observations on the effectiveness of the TIBER-FI procedures during the testing. The participants will use the observations and feedback obtained to improve their own activities and the TIBER-FI procedures.
|Organizing a feedback session||TIBER-FI Test Manager|
Financial sector summary and information exchange
TIBER-FI Cyber Team compiles a financial sector summary of TIBER-FI testing conducted and their high-level results. The purpose of the summary is to form a common understanding about what type of TIBER-FI test have been conducted and what kind of improvement measures will be initiated on the basis of the results. The summary does not reveal specifics about testing or results that could be tied to any individual financial entity. The summary will be presented for the TIBER-FI cooperation network.
The TIBER-FI Cyber Team has established a cooperation network to discuss TIBER-FI related topics. The cooperation network shares information on developments of TIBER-EU and TIBER-FI frameworks as well as on experiences and lessons learned from practice. Financial entities are invited to participate in the cooperation network. The network meets a few times a year.
|Creating a financial sector summary||TIBER-FI Cyber Team|
|Organizing the TIBER-FI cooperation network||TIBER-FI Cyber Team|
|Sharing experiences and lessons learned from TIBER-FI||Financial entities on their own discretion|