
Enhancing Cyber Resilience Through Attack Simulations According to DORA and TIBER
Renato Venzin
25.04.2025
(updated on: 25.04.2025)

The Digital Operational Resilience Act (DORA) and the TIBER-EU framework work hand in hand to strengthen the cybersecurity and resilience of financial institutions in the EU: DORA sets the regulatory foundation, while TIBER-EU enables realistic, threat-led testing. Together, they promote a proactive approach to identifying and mitigating cyber risks. We spoke with two of our TIBER-experienced experts to explore what makes these tests unique, the challenges they pose, and why elements such as social engineering and physical security are more important than one might think.

DORA and TIBER – an Introduction

The Digital Operational Resilience Act (DORA) sets out requirements for risk management, IT system monitoring, and cyber incident reporting to strengthen the security of financial institutions across the EU, and in turn, the stability of the local financial system.

To support financial institutions in effectively testing and improving their cybersecurity measures, the European Central Bank (ECB) developed the TIBER-EU framework (Threat Intelligence-Based Ethical Red Teaming). The framework provides for tests based on realistic and current threat scenarios in order to identify vulnerabilities in the systems of financial institutions. The aim is to strengthen resilience against cyberattacks and to refine security precautions accordingly.

Both DORA and TIBER-EU promote a proactive approach to cyber risks. While DORA establishes the regulatory framework, TIBER-EU provides the practical testing framework to verify and strengthen the digital operational resilience of financial institutions in the EU.

The complex regulatory requirements present completely new challenges for the companies concerned when it comes to cybersecurity tests and attack simulations. We interviewed two of our TIBER-experienced experts to find out what makes DORA and TIBER-EU Threat-Led Penetration Tests (TLPT) special, what challenges such tests entail, and why social engineering and physical security play a central role:

Answering The Basics

What distinguishes a TIBER-EU project from classic security tests?

Renato Venzin: The main difference lies in the scope and completeness of the attack simulation.

While conventional red teaming projects only simulate certain attack phases on selected systems, TIBER-EU projects cover the full spectrum of realistic attack scenarios. Even if individual attacks are detected by the target institute, the test is not terminated, but the complete reaction of the defense team is played through, and further attacks are continued in the same way.

TIBER-EU projects are very similar to an actual attack and are therefore much more extensive than classic red teaming projects. Well over 200 man-days are often required to implement a complete TIBER-EU project.

For which companies and institutions are TIBER and DORA relevant?

Renato Venzin: TIBER primarily concerns the financial sector and the insurance industry, although the tests are not mandatory.

DORA is aimed even more strongly at the financial sector and obliges the relevant companies to carry out tests in accordance with DORA. This primarily addresses financial service providers in the EU, but also IT service providers that serve such institutions as customers. Corresponding Swiss companies operating in the EU market also fall under the scope of DORA and must comply with certain guidelines.

However, there are also requirements for scenario-based exercises on cyber risks in Switzerland and Liechtenstein.

Which actors are involved in TIBER/DORA projects and what roles do they play?

Renato Venzin: These frameworks are characterized in particular by a clear separation of roles:

  • The Control Team or white team is provided by the institute or company to be tested. It is informed about the test and serves as the customer’s coordination point. As the central point of contact, it closely accompanies the test activities, monitors them and is responsible for risk management.
  • The Blue Team is the defense team of the institute or company being tested. This team has no knowledge of the test activities and is only informed about them afterwards.
  • The Threat Intelligence Provider collects and analyzes information about the cyber threats relevant to the institution or company in question, its vulnerabilities, current attacker tactics and techniques and trends. It also evaluates the realistic attack scenarios.
  • The Red Team Provider plans security checks based on the conducted threat intelligence and carries them out as part of realistic attack simulations to identify vulnerabilities and assess the security situation of the institution or company in question. This also includes evaluating the Blue Team’s response.
  • The TIBER Cyber Team (TCT) monitors the rule-compliant execution of tests and ensures technical and process-related support, in particular for the Control Team. It is provided by the TIBER/DORA authority of the respective country. For TIBER-DE tests, for example, it is the Deutsche Bundesbank.

How long does a project like this usually take?

Renato Venzin: These so-called Threat-Led Penetration Tests (TLPT) essentially comprise a Threat Intelligence Phase lasting around 4 weeks and a Red Teaming Phase lasting at least 12 weeks. In addition, there is scoping, documentation time, purple teaming and feedback rounds.

The ECB document provides guidance on the (internal) effort required on the customer side.

Are red teaming projects also possible on a smaller scale?

Renato Venzin: Of course, red teaming projects can generally be scaled to (almost) any size. TLPT projects in accordance with TIBER and DORA are very extensive and are particularly exciting for companies that already have a high level of security maturity. Projects that are based on these regulations but are not carried out entirely according to the corresponding framework are considerably less complex. In addition, ordinary red teaming projects already offer great added value. A significant efficiency advantage can be achieved here, for example, if the stealth requirement, i.e. the “non-occurrence” during the test activities, is eliminated. In this case, the focus is no longer on the Blue Team’s reaction, but on identifying the technical vulnerabilities and analyzing the attack paths.

Technical Attack Simulation

Why are the technical attack simulations within TIBER particularly demanding?

Renato Venzin: In TIBER projects, it is much more important not to fail during the tests, which is why all tools and commands have to be checked much more closely. In addition, concealment must be used and exit strategies prepared in order to be able to keep the test activity secret in the event of an alert. Furthermore, there is an increased focus on the infiltration phase, for example by gaining physical access to the network or phishing in order to place or execute our devices or code in the target organization’s IT environment. Although there is the possibility of test-specific assumptions (e.g. Assume Breach) and assistance, so-called leg-ups, these are only used if the (partial) target cannot be achieved in any other way.

What are the biggest challenges when carrying out an attack simulation?

Renato Venzin: In addition to the points already mentioned, it is particularly challenging to conceal the test activities for as long as possible, should one of the test attacks attract the attention of the Blue Team. In such a situation, it is important to avoid disclosing the test scenario as far as possible, or at least to delay it so that the incident continues to be treated as an actual attack by the defense side. It is also important to separate the different scenarios in such a way that if one scenario is detected or uncovered, the other scenarios can continue unaffected.

From the customer’s point of view, accessing legacy user accounts or permissions without raising suspicion can be challenging. Existing processes must be adhered to, and the corresponding accounts must not allow any conclusions to be drawn about the control team if attacks via these gateways are detected.

How realistic are your attacks compared to real threats from cyber criminals?

Renato Venzin: The attack simulations in TIBER / TLPT projects come very close to actual attacks. There is currently no framework that simulates cyber threats more realistically. However, it should be noted that real attackers usually have more financial and time resources at their disposal. Furthermore, there are various ethical and legal restrictions in our tests that real attackers are not subject to (blackmail, destructive behavior, etc.). This is particularly relevant in the area of Social Engineering.

What characterizes a successful TIBER Red Team?

Renato Venzin: Experience from comparable projects of a similar nature and complexity is key. It is also essential to have a well-rehearsed Red Team made up of interdisciplinary experts. Only broad-based professional diversity makes it possible to optimally cover the various aspects of such a project. That’s why we don’t have all-rounders in our team, but a variety of specialists with many years of experience in their field who have a great deal of expertise in their subject area.

Social Engineering and Human Factor Attacks

Why are social engineering attacks an integral part of the TIBER EU framework?

J.D.: Systemically relevant companies, in particular, are usually already heavily hardened from a technical standpoint. However, employees remain an important and popular gateway for an attacker, as the individual security behavior of employees can only be controlled to a limited extent.

If individual security behavior can only be controlled to a limited extent – why should it still be tested?

J.D.: A social engineering audit makes it possible to close security gaps caused by human weaknesses in a targeted manner. On the one hand, technology and processes can support employees, while on the other, it is possible to determine precisely in which areas and how employees should be trained in terms of awareness.

What are the main threats to companies in the area of Social Engineering?

J.D.: “Classic” attack vectors such as tailgating/piggybacking and phishing or business email compromise are still very popular. The more professional the other side is, the more likely it is that complex attacks with several combined (physical, human and technical) attack vectors will be used.

What are the typical weak points in this area?

J.D.: There is no such thing as a single weak point. As a rule, it is not individual security measures that fail and allow us to compromise the company. Rather, it is often the exploitation of a lack of coordination between the individual security measures – e.g. employees, processes, and physical and structural conditions – that makes an attacker more likely to succeed. It should be mentioned at this point that “a lot helps a lot” can also be counterproductive when planning defensive measures.

Can all attack vectors be tested realistically?

J.D.: No. For legal and ethical reasons, various important attack vectors cannot be tested. In particular, in-depth attacks against key individuals that invade privacy are excluded. This applies, for example, to so-called “honey trapping”, the use of eavesdropping devices or the observation of individual target persons outside their workplace.

What are the current trends in cyberattacks and red teaming?

J.D.: Internal threats, e.g. through the recruitment of internal employees or the targeted infiltration of “moles”, represent an increasing danger. Attacks on service providers and suppliers of the target company are also becoming increasingly popular (supply chain attacks). In principle, these threats can also be mapped in an audit. However, this requires extremely careful and long-term test planning. In addition, such an audit can be very time-consuming, especially on the customer side.

Physical Assessments – the Underestimated Risk

How important is the audit of physical security in the context of TIBER Projects?

J.D.: The fact that physical security is an essential component of integral IT security can already be seen from the fact that regulatory requirements such as TIBER, NIS etc. generally provide for an audit in this area. Systems and networks with particularly sensitive data are usually not connected to the internet, which is why a qualified attacker inevitably has to plan for a physical attack vector. Due to the knowledge and resources required, the most dangerous attacker groups often use human and physical attack vectors.

What methods do you use to get into a building or secured area?

J.D.: Basically, creativity is key! There is nothing that doesn’t exist. Thorough OSINT Research, on-site reconnaissance and preparation are particularly important. These phases can therefore take several weeks, while the actual physical penetration test often only takes a few minutes.

What has been the most challenging physical security assessment so far?

J.D.: Every operation has its own pitfalls. When it comes to covert penetration, infiltrating a small business, where everyone knows each other, can be just as challenging as breaching the headquarters of a major bank. Operations in the vicinity of high-security buildings, which are structurally highly hardened and protected by armed security personnel, certainly pose a particular challenge. Underground facilities are also a challenge, as the choice of specific attack vector is naturally very limited.

Do you manage to get into every building?

J.D.: There are some really tricky ones, but with a little creativity we usually succeed. Often, it’s simply a question of how much effort you put in or are allowed to put in for a client.

Of course, there are occasionally special objects where covert penetration within the usual test limits is simply not realistic – and we are glad that this is the case due to the criticality! Here, in consultation with the customer, we rely on alternative test scenarios in order to be able to assess the potential risk of individual attack vectors with reasonable effort and help to harden the object even more by proposing targeted measures.

What added value does a Physical Assessment offer if an intrusion is unsuccessful?

J.D.: In any case, valuable insights can be gained both during the preparation and during the actual physical penetration test as to how the physical security of buildings – even those that are already very secure – can be further improved. The “success” usually only plays a subordinate role when it comes to gaining knowledge about possible vulnerabilities and how to eliminate them.

A Look into the Future of TIBER and DORA

How will TIBER-EU tests and the legal requirements develop over the next few years?

Renato Venzin: That is difficult to predict. There have been repeated adjustments in recent years, with DORA and TIBER also influencing each other. The Regulatory Technical Standards (RTS) for DORA were published at the beginning of this year and are now binding. Therefore, no major adjustments to DORA are expected in the near future. There have also been changes to TIBER this year in order to align the standard with the DORA TLPT. The two frameworks will probably continue to be improved based on the experience gained from past tests, but I don’t expect any major changes in the near future.

What are the biggest future challenges for Red Teams in TIBER projects?

Renato Venzin: Participation in TIBER projects requires that Red Team members are always up-to-date in terms of attack techniques and threat scenarios. In view of the rapid pace of technical development and the constantly changing threat environment, this involves a great deal of effort. TIBER also stipulates that new attack techniques must be developed and refined, which also involves a great deal of effort. However, this is also one of the exciting aspects that I personally really appreciate about TIBER.

Oneconsult in TIBER/DORA Projects

Does Oneconsult have experience with TIBER/DORA Projects?

Renato Venzin: Oneconsult has many years of experience in the implementation of extensive Red Teaming Projects. We have already carried out complex large-scale projects in various countries, including TIBER and TIBER-related projects. We have been able to prove that our concepts and methods work very well in such projects. Of course, we continue to learn in every project and through continuous training, and we are constantly implementing the knowledge gained in future projects.

In which areas does Oneconsult have specific expertise?

Renato Venzin: Our primary expertise has always been in carrying out technical and physical attack simulations. This makes us a competent Red Teaming Provider. We also have expertise in the field of threat intelligence and have already been involved in similar projects in this area. Open Source Intelligence (OSINT) and on-site physical target and vulnerability reconnaissance are then an everyday part of all our Physical Access Assessments.

The Administrative Side of DORA and TIBER

How can I find out whether my company is affected by DORA or TIBER?

Renato Venzin: In principle, it is the task of the supervisory authority (Germany: Deutsche Bundesbank) to inform the relevant institutions if they have to carry out such tests. ICT service providers and other service providers that are affected should be informed by the relevant institutions.

However, if you do not fall under the scope of DORA / TIBER, other regulations (e.g. NIS1, NIS2) may apply to your institution that make Red Teaming necessary or useful. It may also make sense for all other, larger financial institutions to carry out red teaming projects based on TIBER.

I have to carry out a TIBER or DORA TLPT project – what are the next steps?

Renato Venzin: The first step is for the responsible authority to explain to you what the next steps are.

Basically, the first steps are as follows:

In principle, however, there are certainly important key points:

  • No other person should be involved without consultation with the competent authority / service provider.
  • From the very first moment, a pseudonym should be used for the project and the tests, which should be used accordingly in all appointments, correspondence, etc.

If you have any other questions or uncertainties, we will be happy to help you at any time and can also assist you with the planning and initial setup of the tests.

Which authority is responsible for my company regarding TIBER/DORA?

Renato Venzin: It depends:

For TIBER:

  • Germany: Deutsche Bundesbank
  • Austria: OeNB
  • Switzerland & Liechtenstein: not defined

For DORA:


Authors

Renato Venzin is a Senior Penetration Tester at Oneconsult. He has a bachelor’s degree in computer science and is OSCP, OSWP, CRTO and CRTL certified. At Oneconsult, he is responsible for the technical test components in TIBER and related projects.


J. D. (pseudonym) is a Social Engineer and Physical Security Specialist at Oneconsult AG. The Master of Law and former police officer leads social engineering and physical security components in TIBER and related cybersecurity testing projects.
