REGTECH Know your enemy: The TIBER-EU framework uses ethical teams of hackers to run threat scenarios
The military strategist Sun Tzu famously said ‘if you know the enemy and know yourself, you need not fear the result of 100 battles’. It’s the premise on which the TIBER-EU framework for dealing with cyberthreats might be said to be based, as AIB’s Howard Shortt and Nettitude’s Anthony Long explain.

Avoiding cyberattacks is always a game of cat-and-mouse, as financial organisations strive to outrun increasingly sophisticated online criminals. However, like many things, the issue has been thrown into sharp relief by the COVID-19 pandemic, with hacking attacks rising alongside an explosion of ecommerce and a switch to homeworking.

The UK Government’s Cybersecurity Breaches Survey 2020 found that 46 per cent of businesses experienced cybersecurity breaches or attacks during the year. IBM’s X-Force Threat Intelligence Index 2020 observed that, in the previous year, more than 8.5 billion records were compromised worldwide, a 200 per cent annual rise in reported data exposures. So, there is little doubt that a new approach is needed to help firms cope with this threat to their reputations and bottom lines.

Howard Shortt, who is responsible for threat and vulnerability management at Allied Irish Bank (AIB), says that while new personal and work
habits have impacted cybersecurity defence dynamics, in truth, financial organisations’ perimeter defences were already wearing thin. “There is an expectation that financial services defence is strong, but traditionally that relies on perimeter controls and we’ve seen that dissolve in favour of mobile devices. Your perimeter is now everywhere you have an employee, and protecting it is much harder,” he says.

Enter the new TIBER-EU (Threat Intelligence-based Ethical Red Teaming) framework, jointly developed by the European Central Bank and EU national central banks, and launched in May 2018, which offers extra protection against not just the risk of cyberfraud itself, but also the impact of attacks that do get through.

TIBER mimics real-world threats and measures organisations’ resilience to them, as well as improving defences. Recognising that the skills of today’s cybercriminals mean attacks will inevitably happen, its focus is on making sure firms’ tactics, procedures and
standards are in place to enable them to react quickly and minimise the impact. Shortt, who gained direct experience from the implementation of Ireland’s own version of TIBER – TIBER-IE – in December 2019, adds: “Organisations and regulators needed to know how resilient they would be to these kinds of attacks.”

TIBER testing sees multiple teams work through attack cycles. Red team testers are hired from outside for independence. Blue teams are, as Shortt explains, ‘all your responders inside the network, who can defend you’. Blue teams need to be surprised by what occurs, and take effective actions’. The white teams, meanwhile, are everyone who’s aware that an attack simulation is occurring.

The fact that organisations’ attack surfaces are continually growing, due to increasing demand for online services and mobile applications and shifts towards remote working, makes TIBER even more vital as new complexities and challenges are introduced, says Shortt. “The last place any bank wants to be is