Over 2022, Luxemburg's financial sector supervisory authority (CSSF, Commission de Surveillance du Secteur Financier) and the Luxemburg Central Bank (BCL) oversaw a first cyberattack exercise against one of the country's financial institutions. The exercise, which continues in 2023, aims to test the resilience of the entity. Fifteen or so banks and institutions deemed critical will be subject to these full-scale, threat-led penetration tests.
The approach follows the European ethical hacking framework TIBER-EU (Threat Intelligence-based Ethical Red Teaming), published in May 2018 by the European Central Bank. It is based on similar initiatives in the United Kingdom (CBEST) and the Netherlands (TIBER-NL). The framework was adopted jointly by the BCL and the CSSF in Luxemburg (TIBER-LU) in November 2021.
Banking cyber vulnerabilities
This European program for testing resilience against sophisticated attacks unfolds against a backdrop of systemic risk in the financial ecosystem, which is undergoing significant digital transformation and a growth in remote working, both of which enlarge banks' attack surface.
All service providers deemed critical to financial sector operations are therefore urged to draw inspiration from TIBER-EU to test their protection, detection, reaction and defense capabilities against cyberattacks. “These critical entities must indeed be able to adequately withstand cyberattacks in order to ensure their own resilience and contribute to the resilience of the financial sector as a whole,” explains Jean de Chillou (TIBER Test Manager, IT Inspector and Supervisor with the CSSF).
In concrete terms, TIBER-EU defines a standardized European approach to threat-intelligence-based red team testing. Testers replicate the tactics, techniques and procedures (TTPs) of real attackers to simulate a cyberattack against an entity's critical functions and the systems underpinning them.
“The approach rests on a voluntary basis, and each State can implement it in a way that suits its specificities. But one of TIBER’s main objectives is mutual recognition between various EU countries of testing carried out within the framework,” points out Simon Riffault, TIBER Test Manager for the Infrastructure and Oversight team at the BCL.
Five teams, three phases
The framework prescribes an end-to-end testing process structured in three phases: preparation; testing, in which the scenarios are designed and the attack is executed; and closure, with a debrief and sharing of lessons learned. The exercise involves five teams. The white team is made up of the tested entity's senior management and is in charge of organizing the test on the entity's side, defining the scope, and managing risk and escalation during the test.
In each State, the regulator and/or the central bank form the TIBER Cyber Team (TCT). In Luxemburg, the CSSF and the BCL jointly make up the TCT. “As umpires, we supervise the tests to make sure they’re in line with the TIBER-LU/EU framework. At the end, we issue a certificate to the entity that took the test, proving the test was carried out in accordance with the framework, and in compliance with confidentiality requirements,” explains Jean de Chillou.
The Threat Intelligence (TI) team is made up of outside providers in charge of identifying the threats facing the entity. Together with the white team, it defines the attack scenarios and the scope of the attack. “It will search the internet and the dark web for data that was potentially leaked from the tested entity. It will also look at the entity’s various business areas, which are more or less attractive to some hackers,” explains Simon Riffault.
The red team, also external to the tested entity, carries out the attack over a period of around 12 weeks. The operation makes it possible to assess the entity's protection, detection and response capabilities in the face of an attack.
“These TIBER-EU tests use the same tactics and procedures as hackers. They take into account actionable risk intelligence gathered by the TI team. Their techniques strike at a target’s critical functions and underlying systems (staff, processes and technology),” describes Jean de Chillou.
The blue team is made up of the rest of the tested entity, which, in accordance with the confidentiality requirements, is unaware of the ethical hack and defends against the attack as it would against a real one.
The preparation phase lasts several weeks: the white team is selected, and the TI and red team providers are recruited. The testing perimeter is established and approved by the entity's management.
The testing phase involves all teams that are in the know. It identifies the entity's critical services and systems. The TI provider prepares a targeted threat intelligence report detailing the threats against the financial institution. Based on the attack scenarios drawn from that report, the red team prepares its attack plan and, after white team approval, carries it out.
The closure phase is an assessment of the attack: the red team submits a report on the approach used and on the findings and observations drawn from the test. Where appropriate, the report includes recommendations and measures to implement in terms of technical controls, procedures, training and awareness.
Following the test's conclusions, the entity draws up a remediation plan in consultation with the CSSF and the BCL. “This is a very important challenge for the financial establishment,” summarizes Jean de Chillou. “The goal of the process is to maximize learning, in particular by pinpointing weaknesses that will allow top management to ascertain if the entity’s defense mechanisms are established and effective,” Simon Riffault adds.
Luxemburg is only in the early stages of the program. The Netherlands and the Nordic countries got there earlier and have already tested several of their critical entities. From 2025, under DORA (the Digital Operational Resilience Act), the exercise will cease to be voluntary and become mandatory for certain entities, selected and supervised by the relevant authorities.
All of the businesses involved will need to demonstrate that they can withstand all types of disruption and significant ICT threats, and respond to and recover from them. These requirements are the same across the EU.
Will the BCL and CSSF be able to test all of the country's supervised financial entities? “Impossible, and this is not the goal. They will be selected according to their size and degree of criticality, in accordance with the regulatory technical standards (RTS) that are currently being outlined,” answers Simon Riffault.