Testing is performed in the following phases.
Gathering targeted threat intelligence
Gathering of targeted threat intelligence is conducted by combining information from multiple public and other sources into a consistent report. Targeted threat intelligence describes the organization's cyber security attack surface and, in particular, the weaknesses that could be exploited.
Cyber criminals spend a lot of time gathering information about and analyzing the attack surface of their chosen target. To make good use of the time available for this phase in a TIBER-FI test, it is recommended that the White Team present or deliver some of the organization's existing cyber risk reports for inclusion in the analysis. These reports may concern, for example, IT infrastructure, technologies in use, or other elements where weaknesses have been identified that an attacker might exploit.
The threat intelligence service provider is forbidden from using any of this threat or risk information in any context outside the testing assignment, either as is or in aggregated form.
The targeted threat intelligence provider aggregates its analysis into threat scenarios. These scenarios add detail and context to the generic threat landscape report. The threat scenarios form the basis for Red Team testing.
| Activity | Responsible party |
|---|---|
| Presenting cyber risks for the threat analysis | White Team |
| Gathering targeted threat intelligence | Targeted threat intelligence provider |
| Creating the threat scenarios | Targeted threat intelligence provider |
Red Team testing
Preparations for Red Team testing begin with the preparation of attack scenarios. Attack scenarios describe the practical execution of an attack, such as the selection of tools, techniques and procedures, and are derived from the threat scenarios. The White Team organizes a workshop for the targeted threat intelligence provider and the Red Team to discuss the threat scenarios and how to implement them.
In addition to the prepared threat scenarios, the Red Team may, as agreed, include one additional scenario based on its own knowledge and experience.
The Red Team plans and executes the tests based on the attack scenarios. The Red Team must act responsibly and monitor the results of its own activities at all times. The Red Team's actions must follow the instructions written in the risk management plan and any other instructions given, particularly where an action may adversely affect production systems or risk breaching the confidentiality of information protected by law.
The Red Team keeps the White Team updated on the progress of the tests at least weekly. Potentially critical vulnerabilities and other security problems must be reported without delay. Good communication between the White Team and the Red Team is critical to successful testing.
The Red Team may ask the White Team for help or guidance as needed in order to make progress and good use of the time allotted for testing. All advice, help and guidance given must be clearly documented in the testing report.
The White Team may suspend testing at any time, in which case the Red Team must stop all testing activities.
Red Team testing is conducted without the knowledge of the security staff (the Blue Team) of the tested entities. If Red Team testing is not possible for compelling reasons, the Purple Team testing method can be used, and some parts of the tests can be conducted together with the Blue Team, e.g. through workshops, tabletop exercises or reviews. This may be necessary when the Blue Team detects the testing activities too early, or when the White Team assesses that the tests may jeopardise the business continuity of the organization.
Purple Team testing must be agreed in advance with the TIBER-FI testing manager and the TIBER-EU Purple Teaming Best Practices must be followed.
The Red Team must keep a record of all activities during testing and maintain a timeline of how each scenario is progressing. The record is needed at least for cleaning up the target environment, producing the testing report, the walkthrough with the Blue Team, test replays, and analyzing possible incidents. It is also possible that a real intrusion is detected during testing, in which case it is essential to be able to distinguish the activities of the Red Team from those of a real attacker.
The Red Team service provider is forbidden from using any of this threat or risk information or the test results in any context outside the testing assignment, either as is or in aggregated form.
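Distinguishing Red Team activity from a real attacker in practice means correlating each Blue Team alert against the Red Team's timestamped activity log. The following is an added illustration, not part of the TIBER-FI guidance or any TIBER-EU tooling: it assumes the Red Team keeps its log as JSON Lines with the hypothetical fields `ts` (ISO 8601, UTC), `operator`, `scenario`, `technique`, `src`, `target` and `note`, and that Blue Team alerts carry `id`, `ts`, `src` and `target`. The log entries and alerts below are constructed sample data; the 15-minute matching window is an assumed default that a White Team would agree in the risk management plan.

```python
"""Deconfliction of Blue Team alerts against the Red Team activity log.

Added example (not from the TIBER-FI text). Log format, field names,
addresses and the matching window are assumptions for illustration.
"""
from __future__ import annotations

import json
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Constructed sample Red Team log, one JSON object per line (JSON Lines).
RED_TEAM_LOG = """\
{"ts": "2024-03-04T09:12:00Z", "operator": "rt-1", "scenario": "S1", "technique": "T1110", "src": "203.0.113.10", "target": "vpn.example.test", "note": "password spray, 3 attempts per account"}
{"ts": "2024-03-04T10:40:00Z", "operator": "rt-2", "scenario": "S1", "technique": "T1021", "src": "10.20.0.15", "target": "fs01", "note": "SMB lateral movement from workstation"}
"""

# Constructed sample Blue Team alerts as they might arrive from a SIEM.
BLUE_ALERTS = [
    {"id": "A1", "ts": "2024-03-04T09:20:00Z", "src": "203.0.113.10", "target": "vpn.example.test", "rule": "multiple failed logins"},
    {"id": "A2", "ts": "2024-03-04T10:45:00Z", "src": "10.20.0.15", "target": "fs01", "rule": "admin share access"},
    {"id": "A3", "ts": "2024-03-04T13:02:00Z", "src": "198.51.100.77", "target": "mail.example.test", "rule": "suspicious OAuth consent"},
    {"id": "A4", "ts": "2024-03-04T12:30:00Z", "src": "203.0.113.10", "target": "vpn.example.test", "rule": "multiple failed logins"},
]


@dataclass(frozen=True)
class Activity:
    ts: datetime
    operator: str
    scenario: str
    technique: str
    src: str
    target: str
    note: str


def parse_ts(value: str) -> datetime:
    """Parse an ISO 8601 timestamp; a naive value is assumed to be UTC."""
    dt = datetime.fromisoformat(value.replace("Z", "+00:00"))
    if dt.tzinfo is None:
        dt = dt.replace(tzinfo=timezone.utc)
    return dt.astimezone(timezone.utc)


def load_log(text: str) -> list[Activity]:
    """Load the JSON Lines activity log, sorted by time; blank lines are skipped."""
    entries = []
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        entries.append(Activity(parse_ts(rec["ts"]), rec["operator"], rec["scenario"],
                                rec["technique"], rec["src"], rec["target"], rec.get("note", "")))
    return sorted(entries, key=lambda a: a.ts)


def indicator_match(activity: Activity, alert: dict) -> bool:
    """An alert shares an indicator with a log entry if source or target agree."""
    return activity.src == alert.get("src") or activity.target == alert.get("target")


def attribute(alert: dict, log: list[Activity], window: timedelta = timedelta(minutes=15)) -> dict:
    """Classify one alert: red_team (indicator and time agree), check_with_red_team
    (indicator agrees but outside the window), or unattributed (nothing matches)."""
    ts = parse_ts(alert["ts"])
    candidates = [a for a in log if indicator_match(a, alert)]
    in_window = [a for a in candidates if abs(a.ts - ts) <= window]
    if in_window:
        best = min(in_window, key=lambda a: abs(a.ts - ts))
        return {"alert_id": alert["id"], "verdict": "red_team", "scenario": best.scenario,
                "operator": best.operator, "delta_s": int(abs(best.ts - ts).total_seconds())}
    if candidates:
        # Same indicator but outside the agreed window: the log may be incomplete,
        # so ask the Red Team before treating the alert as a real intrusion.
        return {"alert_id": alert["id"], "verdict": "check_with_red_team"}
    return {"alert_id": alert["id"], "verdict": "unattributed",
            "action": "treat as a possible real intrusion; notify the White Team"}


def deconflict(alerts: list[dict], log: list[Activity], window: timedelta = timedelta(minutes=15)) -> list[dict]:
    """Attribute every alert, preserving the order in which the alerts arrived."""
    return [attribute(a, log, window) for a in alerts]


if __name__ == "__main__":
    for result in deconflict(BLUE_ALERTS, load_log(RED_TEAM_LOG)):
        print(result)
```

A real deployment would read the log from the Red Team's write-once store and the alerts from the SIEM; the point the example makes is that attribution is only as good as the timestamps and indicators the Red Team records, which is why the record must be kept during testing rather than reconstructed afterwards.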
| Activity | Responsible party |
|---|---|
| Creating the attack scenarios | Targeted threat intelligence provider, Red Team |
| Executing the attack scenarios | Red Team |