For the objectives of TIBER-FI, it is essential to ensure that the results from testing result in security improvement measures. The following phases describe the procedures for improving cyber resilience with TIBER-FI.

Preparing the Red Team test report

The Red Team prepare a test report following the testing. To ensure the quality of the report it is recommended that it is finalized soon after the tests have been conducted. The report will contain a description of the testing activities, findings from the testing and recommendations for improving security. The testing activities outlined in the report will be detailed in a fashion that allows the Blue Team to analyze and reference them.

Task Responsibility
Creating the Red Team test report Red Team

Preparing the Blue Team report

The Blue Team are informed of the tests conducted and they are supplied with the Red Team test report. In this context, the Blue Team consists of the operational security and information security personnel that should have detected and responded to the attacks that the Red Team conducted during testing.

After receiving the report, the Blue Team investigate if the testing activities were detected and what response where initiated. The Blue Team create their own summary connecting their detection and response activities to the Red Team’s testing activities.

Task Responsibility
Informing the Blue Team White Team
Creating the Blue Team report Blue Team

Walkthrough

The White Team organize a walkthrough workshop for the Red Team and the Blue Team. In the workshop, the Red Team present their activities, procedures and results from testing. At the same time, the Blue Team’s observations and responses as well as opportunities to improve activities are discussed.

The Test Manager is invited to participate in the walkthrough to assess that TIBER-FI procedures have been followed during testing.

Task Responsibility
Organizing the walkthrough White Team

Recording improvement opportunities

White Team compiles a record of improvement opportunities for the purpose of internal development based on the Red Team and Blue Team reports. Typical improvement opportunities contain recommendations for improving detection capabilities and internal processes as well as clarifying responsibilities.

Improvement opportunities are recorded for internal use by the financial entity.

Task Responsibility
Recording improvement opportunities White Team

Final report

The White Team compile a final report, describing at a high-level how the testing was prepared and implemented, observations on improving activities, recommendations for improving the entity’s own testing process the next time, and observations and feedback on the generic threat landscape report, the legal framework and TIBER-FI procedures. The White Team must attest in the report that the testing phases were conducted in accordance with TIBER-FI procedures.

The final report is delivered to the Test Manager for the purpose of compiling a summary across the financial sector.

Task Responsibility
Compiling a final report White Team
Delivering final report to Test Manager White Team

Feedback session

The Test Manager organizes a feedback session after each TIBER-FI testing and invites the White Team and service providers to participate. From each team, at least the lead must participate in the session, and some of the other members as required.

The purpose of the feedback session is to discuss observations on the effectiveness of the TIBER-FI procedures during the testing. The participants will use the observations and feedback obtained to improve their own activities and the TIBER-FI procedures.

Task Responsibility
Organizing a feedback session TIBER-FI Test Manager 

Financial sector summary and information exchange

TIBER-FI Cyber Team compile a financial sector summary of TIBER-FI testing conducted and their high-level results. The purpose of the summary is to form a common understanding about what type of TIBER-FI test have been conducted and what kind of improvement measures will be initiated on the basis of the results. The summary does reveal specifics about testing or results that could be tied to any individual financial entity.

The TCT organize an end-of-season information exchange seminar for the participating TIBER-FI financial entities and, where applicable, for targeted threat intelligence and Red Team service providers and other stakeholders. The purpose of the seminar is to share observations and lessons learned from applying TIBER-FI in practice.

Task Responsibility
Creating a financial sector summary TIBER-FI Cyber Team
Organizing an information sharing seminar TIBER-FI Cyber Team