The Monica Talks Cyber Show

How To Build Cyber Readiness and Defense

November 03, 2020 Monica Verma Season 1 Episode 12

In this episode Chris Kiønig from Watchcom talks with Monica Verma about the EU standard and framework called TIBER - Threat Intelligence Based Ethical Red Teaming.

- What's the goal and purpose of the framework?

- How to implement and build resilience and ensure financial stability during external events such as cyber attacks?

- What are the challenges, for example with regards to budgets, real attack simulations, GDPR, etc?

If you are in the financial sector or any other sector that is critical to society and provides critical infrastructure and services, this episode is for you.

Looking to become an influential and effective security leader? Don't know where to start or how to go about it? Follow Monica Verma (LinkedIn) and Monica Talks Cyber (Youtube) for more content on cybersecurity, technology, leadership and innovation, and 10x your career. Subscribe to The 10x Circle newsletter at https://www.monicatalkscyber.com.

Monica Verma  0:00  
You are tuning into the podcast series we Talk Cyber with Monica, your platform for engaging discussions and expert opinions on all things cyber. For more information, check out MonicaTalksCyber.com. And let's hop right into today's episode. 

Good morning, good afternoon, good evening, wherever you're tuning in from today, and welcome to today's episode, We Talk Cyber with Monica. I'm your host, Monica Verma. And today we'll be joined by yet another spectacular guest. We'll be talking with him about the EU framework called TIBER, what that really means and how it can help businesses be better prepared and postured to defend themselves against cyber threats and cyber attacks. So we'll be talking with the Strategic Security Advisor, Chris Kiønig from Watchcom. Hi, Chris.

Chris Kiønig  0:47  
Thank you for having me on your podcast!

Monica Verma  0:50  
Lovely to have you, Chris. So as I mentioned today, with our guest we will be talking a bit about how to help organizations be prepared and actually be ready for cyber attacks and defending against them, and with regards to that we have a framework that is adopted already in the EU and also being adopted in Norway. What is the framework called? And just explain a bit about it.

Chris Kiønig  1:13  
The framework is called TIBER EU. And it's kind of a work that's been done within the EU to secure financial stability within the EU. What we have seen over the years is that the APTs (Advanced Persistent Threats) and the other advanced attackers, they're aiming themselves at the financial industry. It's simple because that's where the money is, ah, nobody does kind of the physical bank robberies anymore. They do digital bank robberies. So I think it started out in 2013 with something called TLPT, Threat-Led Pen-Testing. Pen testing has been done for many years, especially in regards to the financial sector, but they wanted to add another dimension to traditional pen testing or security testing, and that is the threat intelligence part. TIBER stands for, as we said, Threat Intelligence Based Ethical Red Teaming. [I] might need to explain the difference between a red team and a traditional pen test. A traditional pen test focuses mainly or solely on kind of the technical vulnerabilities, while a red team test, or a red team exercise as I would like to call it, is more simulating a cyber attack on the entity. But when doing so, you are doing that on live systems, testing the online financial system. Well, that was a challenge they saw in getting acceptance from the financial sector. So they have developed this framework. The TIBER framework consists of, of course, the standard, but also supporting documents. And what's good about the standard is the procurement guide, because the procurement guide is a supporting document helping the financial institutions to evaluate the partner or the supplier who is going to conduct kind of advanced cyber attacks on their live financial systems. What we also think is, it kind of sets out the standard. And the goal of doing a TIBER exercise is, of course, to uncover weaknesses. But the main goal is improvement and knowledge sharing, both for the financial institution but also for the partners as well.

Monica Verma  4:03  
Right. So what you're suggesting is that you have the financial sector, and the organizations in the finance sector [that] are able to evaluate their partners that will be red teaming for them, so that by doing it live on their systems, right, they are able to understand how well they're postured to defend themselves in case a real cyber attack happens. So it's a real-life, real-time simulation of a cyber attack.

Chris Kiønig  4:30  
Yeah.

Monica Verma  4:30  
So where does the threat intelligence come into the picture here?

Chris Kiønig  4:33  
The threat intelligence, that's kind of the first phase. Doing a thorough Threat Intelligence before doing kind of the technical security testing is to kind of mimic and make the exercise as real as possible. In the other countries where TIBER is operational, it is the national bank or the main bank who has that part. They also have a part in the TIBER test. They are then called the cyber team. And they will provide the TI provider with a threat intelligence report based on their findings and their partners. So we didn't talk about that: you can divide the Threat Intel part at one partner and the Red Teaming at another partner. And then the partner takes that Threat Intel, uses their knowledge, their tools, doing OSINT (Open Source Intelligence), FININT (Financial Intelligence) and other areas of investigation, and that Threat Intel report is the foundation for the red teaming partner. And it's the foundation of development of the attack scenarios.

Monica Verma  5:58  
So just to put it all together, how I understand that, and for the audience to understand as well: the National Bank is responsible for providing a report on the different Threat Intelligence actors and providers out there, which can then be used as the foundation for the organizations and businesses to choose whichever they deem fit for their organization. And then the red teaming, the red team could be another service provider; they don't have to be, but they could be the same.

Chris Kiønig  6:24  
They could be the same.

Monica Verma  6:26  
Now they don't have to be, right, because we start with the threat intelligence, which will then feed into defining the attack scenarios for the red team to basically simulate in real time for their organizations, to be able to find out how good their posture is in defending against this kind of cyber attack. Are we talking really just technical cyber attacks, or could these cyber attacks, the real simulation of these cyber attacks, also involve some kind of social engineering, or what could be part of it?

Chris Kiønig  6:56  
Yes, social engineering and also physical access. We did a pre-TIBER test in Denmark. We found from the Threat Intel report that one of the APTs, they like to kind of put together their own hacking devices. And they [are] specialized and trained in entering buildings. And the goal is to place these devices on the inside.

Monica Verma  7:27  
Right, right.

Chris Kiønig  7:28  
Over the network. And yeah, what we did, we bought some stuff on eBay, with a modem and a SIM card. Because this happened in Denmark, we went to Denmark, and we entered the building and placed our device.

Monica Verma  7:46  
I am hoping pre-COVID? Right, this was pre-COVID. You didn't go during the COVID period.

Chris Kiønig  7:51  
This was pre-COVID.

Monica Verma  7:52  
Pre-COVID. Right.

Chris Kiønig  7:55  
And that device connected from home to our infrastructure, which was set up for the red teaming, and by that we, yeah, we got access to a lot of stuff.

Monica Verma  8:09  
Fantastic, right.

Chris Kiønig  8:11  
So the TIBER and the red teaming - A TIBER test consists of the cyber team, the management in the bank, the blue team, which is the bank's defense line, and the red team, which is kind of the attackers. And at the end, you also have what you call a purple team. But we will get back to that in regards to the output of the TIBER test.

Monica Verma  8:38  
If I can put this all together. One thing that I hear [and] understand from it is that this can actually be costly. I mean, you have to collaborate with an external service provider for Threat Intelligence, you have to collaborate with an external service provider for red teaming, whether the same or different. What are the challenges that [this] can bring for an organization, especially if they are SMBs?

Chris Kiønig  9:04  
Ah, the challenges - The larger financial institutions, they are used to doing red teaming, they probably have their own red teams. But what I see for the smaller financial institutions and private banks, which already have limited budgets, is that red teaming is actually being performed like a real threat actor. So you might have some overtime, you might call in extra people into your SOC (Security Operations Center). Well, somebody might be taken off their vacation. I think it's going to be very interesting, especially for Norway, which is kind of a small country. We have some national institutions but also a lot of smaller banks. And I think that the National Bank of Norway and the financial authorities, they need to adapt the demands in the TIBER framework. So we will have a TIBER-NO which should be adapted to Norway, [in Sweden] TIBER-SE, in Denmark TIBER-DK. It could be quite a bit of a burden if you don't have your internal resources, if you don't have threat hunters, if you don't have those things in place. So, and if you look at when conducting a TIBER test, it's actually just the white team which should know about the TIBER test.

Monica Verma  10:35  
Right. This is the management? This is the management and only very few people, a handful of people, who know about this. So everybody else is basically in the dark. Because it's a real simulation of a real cyber attack, right?

Chris Kiønig  10:48  
Yes. So the blue team, the defense line, they don't know anything about this. And then also, how I understand the test, each TIBER test should have a cover name, like project Hollywood or project Bollywood or so? Yeah, so it actually says that in the standard, so nobody in the organization is supposed [to know] that this happened. But of course, it's kind of coordinated. And the secrecy is really good. But another challenge for the red team provider and also the white team is to handle questions in regards to GDPR. Potentially, you will have access to a lot of personal information. And also being the center, where should you draw the line, befriending somebody from support via Facebook or so? From Denmark again, we talked about that, that was a pre-TIBER test. So it was a bit more open. So we had some exploring to do, but to agree that in the OSINT analysis and the things done there, we drew the line at children, for that case, some legal issues here. And also another thing is, if you think of a TIBER test like a big project, what if we come across criminal activities or other activities? How should we work on that? And probably, if we report on that, we will have kind of a timeout in the TIBER because they have to handle that.

Monica Verma  12:29  
Right. But then how does this TIBER framework basically take into account these challenges? I mean, if you do uncover some kind of criminal activity that's going on, I would assume that should take precedence over testing the business' defense, because that is a very serious legal issue that the organization would probably need to take immediate action against. So how, how does the framework help there?

Chris Kiønig  12:56  
Well, maybe I overlooked something, but we didn't kind of find that addressed directly in the framework. So in our experience, we brought that to the table. So when doing the planning with a white team, you really need an experienced partner to go through these events, to kind of agree on: when should we have a timeout? How fast? Who has the authority to kind of stop the project, etc. And also, in regards to talking to legal and HR, I feel that it's good to kind of involve them.

Monica Verma  13:39  
Where do you draw the line on what or who is part of the white team? Because it can't, as we talked about these different issues, right, so it can't be just management. It has to be somebody also from communication, maybe somebody from legal?

Chris Kiønig  13:52  
Yeah, there should be somebody who, like in management, HR, should all be a part of it. That's the minimum, and maybe HR and GDPR are very important.

Monica Verma  14:05  
So what I understand from this is that this can provide benefits to the organization, obviously, and they are able to better prepare themselves and improve their security posture for real cyber attacks. But also the planning, right: how do you plan, how do you budget, whom do you involve? What partners do you choose? And then also having specific, clear instructions on, if things don't go right, who gets immediately involved?

Chris Kiønig  14:33  
Very critical, and the standard also outlines points in regards to, after the procurement phase, you kind of move into the planning phase and kind of sketch out quite a few good steps. And that brings us to something which is mentioned in the standard, and that's the leg ups. When conducting the red teaming, we work inside kind of working frames and budgets. A potential hacker has as much time as he or she wants. So, and the goal, as I said, is to improve and learn from the exercise. In the planning phase, you actually agree with the white team on leg ups. Okay, we have used so many hours on this attack vector moving so forth, we can document that you are really well prepared for this, okay, we need a leg up, that will say that they will help us. So we can go into every step of the attack scenario. And I think that is very important. The goal here is not to kind of show that financial institutions are secure or insecure; the exercise, as we talked about, the whole exercise [is important]. And by going through all the threat scenarios, or capturing all the flags that you set out in the planning phase, the standard also emphasizes the importance of the wrap up. The report, of course, is produced, but they also emphasize the knowledge sharing, both from the red team, the TI team, the white team, and the blue team especially. Sometimes the cyber team from the National Bank is also encouraged to participate in what they're talking about as a 360 degree feedback session.

Monica Verma  16:31  
Right? So what could a typical wrap up session look like? What are the key things that would be discussed typically, in such a wrap up session?

Chris Kiønig  16:40  
That's, of course, presentation of the findings [and] a walk through all the scenarios. At the end of the test, every team has knowledge of the test, but they might lack some bits in regards to what's been done. Typically, the TI provider presents their part; if they have big deviations from the National TI report, they go through their part, they will talk - Okay, what's good, if there was something that was missed, for some reason. They move into the red teaming, and what we had good experiences with is kind of doing a - having the feedback session presenting the findings and explaining, did we achieve our goals? Service providers or third parties involved, if you have an external SOC, etc, it's also important that they participate, because the goal here is knowledge sharing, and the results can be reported to a database, [a] knowledge database within the EU. And that is a good thing. So when we have conducted TIBER tests over some years, [then you have] a knowledge base for further TIBER tests, where you can go and read on experience.

Monica Verma  18:04  
I have two questions for you based on that. Because one thing is, as you say, if you look at a typical red teaming, when you get these findings out of red teaming, then basically what happens is, as a result, a report basically consists of the findings, and also what impact and risk they have on the business, and the business needs to evaluate whether this is a risk they can take or mitigate or avoid or whatever. If you look, on the other hand, at the audits that happen, the purpose of the audits is that auditors come in, they check where your controls are, and they tell you, okay, these things are missing, you need to fix them; then it's not any more a question of, like, you can evaluate yourself. But then now talking about TIBER, when you have the results here, it's not, I would assume, it's not something you must fix, because it's more about understanding where your posture lies and how do you improve? So, what is the basis for the business to decide what improvement they should put in place?

Chris Kiønig  19:03  
Okay, that differs somewhat between the countries that have implemented the TIBER framework, because you are to report, and the National Bank can decide, I think, how much involved they will be. The financial sector is mature, or one of the most mature sectors within cybersecurity, but the combination here between kind of the potential technical weaknesses, but also the OSINT, the phishing mails, so it's kind of more complex findings.

Monica Verma  19:43  
So, what I think I also heard from you, Chris, was that Norway needs to somehow kind of modify or adjust the TIBER EU framework for Norway as a country because of the finance sector. Even though there are large banks, there are also very small, SMB companies and banks in the finance sector. So is it something that the Norwegian National Bank has already come up with? Are they looking into these improvements? Because taking this type of framework from the EU directly to Norway might not work, especially from the cost perspective.

Chris Kiønig  20:16  
I totally agree in regards to these suggestions. Because of COVID, the work was kind of postponed. So I think it was in May or something that they announced that they really implement it, that they have meant to implement. But now, as I understood the text that I found on the internet, they are implementing it. They have done the pre-study. They went into the market and sent kind of a questionnaire or something, chose some financial institutions and asked for their statements in regards to that. And I hope that they will use that information when they are developing TIBER NO. Because TIBER NO will be an adjusted standard from the TIBER EU.

Monica Verma  21:03  
Fantastic, thank you, Chris. It was really wonderful to have you on the podcast episode today. So that was today's episode of We Talk Cyber. I'm your host Monica. I'll be coming back with more episodes, so please tune in.

Thanks for tuning in to We Talk Cyber with Monica. Do not forget to subscribe to We Talk Cyber in your favorite podcast app and YouTube channel Monica Talks Cyber. Take care and continue tuning in.

What's TIBER EU and Why?
Role of Threat Intelligence and Red Team in TIBER
Putting Together - National Banks and the Other Players
Hacking in Denmark
Cyber Team, Blue Team, Purple Team and More in TIBER
The Challenges of the TIBER EU framework
TIBER EU - The Wrap-Up Session
What's TIBER NO?
Outro