EXCLUSIVE: ‘The art of cyber war’ – Howard Shortt, AIB and Anthony Long, Nettitude in ‘The Fintech Magazine’
The military strategist Sun Tzu famously said ‘if you know the enemy and know yourself, you need not fear the result of 100 battles’. It’s the premise on which the TIBER-EU framework for dealing with cyberthreats might be said to be based, as AIB’s Howard Shortt and Nettitude’s Anthony Long explain
Avoiding cyberattacks is always a game of cat-and-mouse, as financial organisations strive to outrun increasingly sophisticated online criminals.
However, like many things, the issue has been thrown into sharp relief by the COVID-19 pandemic, with hacking attacks rising alongside an explosion of ecommerce and a switch to homeworking.
The UK Government’s Cybersecurity Breaches Survey 2020 found that 46 per cent of businesses experienced cybersecurity breaches or attacks during the year. IBM’s X-Force Threat Intelligence Index 2020 observed that, in the previous year, more than 8.5 billion records were compromised worldwide, a 200 per cent annual rise in reported data exposures.
So, there is little doubt that a new approach is needed to help firms cope with this threat to their reputations and bottom lines. Howard Shortt, who is responsible for threat and vulnerability management at Allied Irish Bank (AIB), says that while new personal and work habits have impacted cybersecurity defence dynamics, in truth, financial organisations’ perimeter defences were already wearing thin.
“There is an expectation that financial services defence is strong, but traditionally that relies on perimeter controls and we’ve seen that dissolve in favour of mobile devices. Your perimeter is now everywhere you have an employee, and protecting it is much harder,” he says.
Enter the new TIBER-EU (Threat Intelligence-based Ethical Red Teaming) framework, jointly developed by the European Central Bank and EU national central banks, and launched in May 2018, which offers extra protection against not just the risk of cyberfraud itself, but also the impact of attacks that do get through.
TIBER mimics real-world threats and measures organisations’ resilience to them, as well as improving defences. Recognising that the skills of today’s cybercriminals mean attacks will inevitably happen, its focus is on making sure firms’ tactics, procedures and standards are in place to enable them to react quickly and minimise the impact.
Shortt, who gained direct experience from the implementation of Ireland’s own version of TIBER – TIBER-IE – in December 2019, adds: “Organisations and regulators needed to know how resilient they would be to these kinds of attacks.”
TIBER testing sees multiple teams work through attack cycles. Red team testers are hired from outside for independence. Blue teams are, as Shortt explains, ‘all your responders inside the network, who can defend you. Blue teams need to be surprised by what occurs, and take effective actions’. The white teams, meanwhile, are everyone who’s aware that an attack simulation is occurring.
The fact that organisations’ attack surfaces are continually growing, due to increasing demand for online services and mobile applications and shifts towards remote working, makes TIBER even more vital as new complexities and challenges are introduced, says Shortt.
“The last place any bank wants to be is front and centre in the papers as the result of a breach. By conducting these tests, organisations can protect their market share.”
Shortt believes a holistic approach is vital. “Awareness is key, making sure that people know which activities can land them in trouble – like clicking on malicious links and phishing,” he says.
“TIBER tests come at organisations any way they can. While institutions may currently take steps to discover vulnerabilities, to maintain compliance, they do so on a siloed basis; rating vulnerabilities and non-compliance on criticality. TIBER testing combines these into a single attack chain, to try to disrupt a business. Being able to withstand the impact of this improves education and awareness, growing the organisation’s defence capabilities.”
Cybersecurity services provider Nettitude helps financial services firms adopt this new approach. Managing principal security consultant Anthony Long believes TIBER is so important, it will soon become compulsory.
“Supervisors are increasingly using TIBER to enhance the resilience of financial services and other financial market infrastructures in Europe, and it is gaining traction, with such testing becoming ever-more frequent,” he says.
And TIBER has helped push fraud prevention up organisational hierarchies.
“Typically, testing only lands in the security function’s ‘in tray’, but frameworks like TIBER have put it on the board radar,” continues Long. Boards need to demonstrate how they take the lessons learned and ensure operational resilience strategies are commensurate with the threat profile.
“TIBER gives assurance to executives, the board and regulators so that, while they will suffer attacks, and won’t be able to cover everything, they can continue their journey in developing capabilities to respond to the ever-evolving threat landscape. It’s important to get on top of this. Firms can undertake their own tests, conducted by certified testers.”
Like anything worthwhile, though, delivering this is not necessarily easy.
“It requires a large amount of preparation and planning, even if you’re well-versed in security best practices,” adds Long.
The three-phase process for the TIBER framework test begins with a preparation phase, including engagement, scoping, procurement, and creating the teams responsible for managing it. The second phase is the testing.
“This consists of threat intelligence and red-teaming activities,” explains Long. “The provider prepares a report, setting out the attack scenarios for the test, and including useful information on the organisation. The red team uses this to develop its attack approach and attempts to breach specified, critical live production systems, people and processes that underpin the organisation’s vital functions.”
The final, closure phase involves remediation planning and results sharing, based on red team observations, and advice on potential improvements to technical controls, policies and procedures, as well as education and awareness. The organisation can then develop a remediation plan in consultation with the supervisor and/or regulator. However, Long stresses TIBER is not a silver bullet.
“A threat actor with the right level of motivation and tools will succeed. They’re always one step ahead of us,” he says. “We’re only as informed as the last test.”
Nettitude aims to help firms get on with their day-to-day business while it takes care of their threat readiness with a mixture of technical support, specialist detection and response management.
Organisations must shift from seeing cybersecurity as resistance, to focus on limitation and recovery, says Long.
“We need to remember the finance sector relies on trust and credibility, and the risk of cyberattacks threatens that premise daily.
“Financial institutions have always been an attractive target, as holders of financial assets and sensitive information,” he says. “Their traditional cybersecurity methods need to move to deploying capabilities that will limit the extent of any attacks, and enable the organisation to continue functioning at an agreed level, and then be able to recover.
“This is where TIBER tests come into their own, testing critical live services, based on specific real-life attack scenarios, to measure how well people, processes, technologies and physical security controls can withstand a real-life adversary – something traditional penetration testing is not designed to do.”
TIBER’s wider scope for penetration testing encourages that, but it is one piece of a still-incomplete puzzle. Longer term, mandatory reporting requirements will likely be introduced, potentially including a market-wide ‘command centre’ to universally respond to a cyber event, mapped out and implemented by cybersecurity professionals who are used to dealing with such issues, rather than individual companies’ IT staff.
Another benefit of TIBER-EU’s common framework is the fact that it supports organisations operating across member states, providing a common standard that makes regulatory reporting much easier across jurisdictions, according to Shortt.
“That gives us a level of cooperation and next-generation intelligence sharing, across platforms and the industry,” he says.
Proactivity and education are key.
“TIBER tests show the level of good work organisations should do proactively within their own security programmes, so that they are not waiting for the regulator to come knocking on the door,” says Long.
“TIBER and other testing frameworks are changing organisations’ level of interaction with regulators and that’s a good thing, because it allows open, meaningful dialogue and clarity around expectations.
“Framework changes exist to ensure a safe and secure financial system. Operational resilience is top of the agenda and regulators are becoming less tolerant of organisations not meeting expectations. Frameworks like TIBER enable firms to prepare for a greater range of operational scenarios, including issues arising from third parties they outsource systems and processes to.”
And that’s got to be good for everyone… unless, of course, you’re a cybercriminal.