For the objectives of TIBER-FI, it is essential that the test results lead to security improvement measures. The following phases describe the procedures for improving cyber resilience with TIBER-FI.
Preparing the Red Team test report
The Red Team prepare a test report following the testing. To ensure the quality of the report, it is recommended that it is finalized soon after the tests have been conducted. The report will contain a description of the testing activities, findings from the testing and recommendations for improving security. The testing activities outlined in the report will be detailed in a fashion that allows the Blue Team to analyze and reference them.
|Creating the Red Team test report||Red Team|
Preparing the Blue Team report
The Blue Team are informed of the tests conducted and they are supplied with the Red Team test report. In this context, the Blue Team consists of the operational security and information security personnel that should have detected and responded to the attacks that the Red Team conducted during testing.
After receiving the report, the Blue Team investigate whether the testing activities were detected and what responses were initiated. The Blue Team create their own summary connecting their detection and response activities to the Red Team’s testing activities.
|Informing the Blue Team||White Team|
|Creating the Blue Team report||Blue Team|
The White Team organize a walkthrough workshop for the Red Team and the Blue Team. In the workshop, the Red Team present their activities, procedures and results from testing. At the same time, the Blue Team’s observations and responses as well as opportunities to improve activities are discussed.
The Test Manager is invited to participate in the walkthrough to assess that TIBER-FI procedures have been followed during testing.
|Organizing the walkthrough||White Team|
Recording improvement opportunities
The White Team compile a record of improvement opportunities for the purpose of internal development based on the Red Team and Blue Team reports. Typical improvement opportunities contain recommendations for improving detection capabilities and internal processes as well as clarifying responsibilities.
Improvement opportunities are recorded for internal use by the financial entity.
|Recording improvement opportunities||White Team|
The White Team compile a final report describing at a high level how the testing was prepared and implemented, observations on improving activities, recommendations for improving the entity’s own testing process the next time, and observations and feedback on the generic threat landscape report, the legal framework and TIBER-FI procedures. The White Team must attest in the report that the testing phases were conducted in accordance with TIBER-FI procedures.
The final report is delivered to the Test Manager for the purpose of compiling a summary across the financial sector.
|Compiling a final report||White Team|
|Delivering final report to Test Manager||White Team|
The Test Manager organizes a feedback session after each TIBER-FI test and invites the White Team and service providers to participate. From each team, at least the lead must participate in the session, and some of the other members as required.
The purpose of the feedback session is to discuss observations on the effectiveness of the TIBER-FI procedures during the testing. The participants will use the observations and feedback obtained to improve their own activities and the TIBER-FI procedures.
|Organizing a feedback session||TIBER-FI Test Manager|
Financial sector summary and information exchange
The TIBER-FI Cyber Team (TCT) compile a financial sector summary of the TIBER-FI tests conducted and their high-level results. The purpose of the summary is to form a common understanding of what types of TIBER-FI tests have been conducted and what kinds of improvement measures will be initiated on the basis of the results. The summary does not reveal specifics about testing or results that could be tied to any individual financial entity.
The TCT organize an end-of-season information exchange seminar for the participating TIBER-FI financial entities and, where applicable, for targeted threat intelligence and Red Team service providers and other stakeholders. The purpose of the seminar is to share observations and lessons learned from applying TIBER-FI in practice.
|Creating a financial sector summary||TIBER-FI Cyber Team|
|Organizing an information sharing seminar||TIBER-FI Cyber Team|