TIBER-EU Framework
One-liner: The European framework for conducting controlled, intelligence-led adversary emulation tests on critical live production systems.
What Is It?
TIBER-EU (Threat Intelligence-based Ethical Red Teaming) is a standardized framework developed by the European Central Bank to test and improve the cyber resilience of financial institutions and critical infrastructure. It combines threat intelligence with Red Teaming to simulate realistic attacks on live systems.
Key Distinction: Unlike traditional pentests, TIBER-EU tests are:
- Run on live production systems (not test environments)
- Driven by bespoke threat intelligence for the specific entity
- Designed to test people, processes, and technology together
Why It Matters
- Provides a standardized approach across the EU financial sector
- Tests real resilience, not just theoretical vulnerabilities
- Regulatory recognition in multiple EU jurisdictions
- Forces collaboration between threat intel, red team, and blue team
How It Works
The Three Phases
TIBER-EU PROCESS

| PREPARATION | TESTING | CLOSURE |
|---|---|---|
| Scope Define | Threat Intel Report | Red Team Report |
| Team Setup | Red Team Execution | Blue Team Report |
| Procurement | Blue Team Detection | Replay Workshop |
| Approval | | Remediation Plan |
| | | Test Summary |
Phase 1: Preparation
| Activity | Description |
|---|---|
| Scope Definition | Define critical functions to test |
| Team Establishment | Set up white team (internal oversight) |
| Procurement | Engage threat intel and red team providers |
| Launch Approval | Management sign-off on test parameters |
Phase 2: Testing
| Activity | Description |
|---|---|
| Targeted Threat Intelligence | Custom report on threats to the specific entity |
| Attack Scenarios | Red team develops plans based on TI report |
| Red Team Execution | Live attack simulation using real TTPs |
| Blue Team Response | Defensive team attempts to detect and respond |
Phase 3: Closure
| Activity | Description |
|---|---|
| Red Team Report | Detailed findings, techniques used, access achieved |
| Blue Team Report | What was detected, what was missed, timeline |
| Replay Workshop | Red + Blue teams walk through attack together |
| Remediation Plan | Prioritized fixes for identified gaps |
| Test Summary | Executive summary for leadership/regulators |
Governance Structure
| Role | Responsibility |
|---|---|
| White Team | Internal oversight, knows test is occurring |
| Blue Team | Defensive team, NOT informed (realistic response) |
| Red Team | External provider executing attack scenarios |
| Threat Intel Provider | Creates bespoke intelligence report |
| Authority | Regulatory body overseeing the test |
Adoption
TIBER-EU has been adopted (with local variations) across:
- TIBER-NL (Netherlands)
- TIBER-BE (Belgium)
- TIBER-DK (Denmark)
- TIBER-DE (Germany)
- CBEST (UK - similar framework)
- iCAST (Hong Kong)
Interview Angles
Common Questions
- "What is TIBER-EU and why was it created?"
- "How does TIBER-EU differ from traditional penetration testing?"
- "What are the three phases of TIBER-EU?"
STAR Story
Situation: Financial institution needed to meet regulatory expectations for resilience testing but had never done intelligence-led testing.
Task: Coordinate TIBER-aligned assessment as white team lead.
Action: Engaged external threat intel provider for bespoke report, procured red team, established communication protocols, maintained operational secrecy from blue team. Facilitated replay workshop post-test.
Result: Red team achieved domain admin without detection. Replay identified 6 critical detection gaps. Remediation reduced detection time from 72 hours to 4 hours in follow-up test.
Best Practices
- Ensure strong white team governance (prevent leaks to blue team)
- Use threat intelligence specific to YOUR entity, not generic intelligence
- Test on production systems for realistic results
- Conduct thorough replay workshops; this is where learning happens
- Track remediation progress and retest
Common Misconceptions
- "It's just a fancy pentest" → TIBER requires bespoke threat intel and tests live production
- "Only for banks" → Applicable to any critical infrastructure
- "Red team wins = failure" → Success is measured by learning and improvement
- "One-time exercise" → Should be cyclical (every 2-3 years)
Related Concepts
- Threat Emulation
- Red Teaming
- Purple Teaming
- Cyber Threat Intelligence (CTI)
- MITRE ATT&CK
- TTPs (Tactics, Techniques, Procedures)
References
- TIBER-EU Framework: https://www.ecb.europa.eu/paym/cyber-resilience/tiber-eu/
- ECB TIBER-EU Implementation Guide
- Bank of England CBEST Framework