Article 10 Testing phase: threat intelligence

It is important, for consistency with the TIBER-EU framework, that the TLPT authority closely follows the testing in each of its stages. Considering the nature of the testing and the risks associated to it, it is fundamental that the TLPT authority is involved in each specific phase of the testing. In particular, the TLPT authority should be consulted and should validate those assessments or decisions of the financial entities that may, on the one hand, influence the effectiveness of the test and, on the other hand, have an impact on the risks associated with the test. The fundamental steps on which a specific involvement of the TLPT authority is necessary include the validation of certain fundamental documentation of the testing, and the selection of threat intelligence providers and testers and risk management measures. The involvement of the TLPT authorities, and in particular for validations, should not result in an excessive burden for those authorities and should therefore be limited to those documentation and decisions that directly affect the conduct of the TLPT. Through the active participation in each phase of the testing, the TLPT authorities may effectively assess compliance of the financial entities with the relevant requirements, which should allow those authorities to issue attestations pursuant to Article 26(7) of Regulation (EU) 2022/2554.

As evidenced by the experience of the implementation of the TIBER-EU framework, holding in-person or virtual meetings including all stakeholders concerned (financial entities, authorities, testers and threat intelligence providers) is the most efficient way to ensure the appropriate conduct of the testing. In-person and virtual meetings should therefore be held at various steps of the process, and in particular during the preparation phase at the launch of the TLPT and to finalise on its scope, during the testing phase, to finalise the threat intelligence report and the red team test plan and for the weekly updates, and during the closure phase for replaying testers and blue team actions, purple teaming and to exchange feedback on the TLPT.

To ensure the smooth performance of the TLPT, the TLPT authority should clearly present to the financial entity its expectations with respect to the testing. In that respect, the test managers should ensure that an appropriate flow of information is established with the control team within the financial entity, and with the TLPT providers.

To provide the testers with the information needed to simulate a real-life and realistic attack on the financial entity’s live systems underpinning its critical or important functions, the threat intelligence provider should collect intelligence or information that cover at least two key areas of interest: the targets, by identifying potential attack surfaces across the financial entity, and the threats, by identifying relevant threat actors and probable threat scenarios. To ensure that the threat intelligence provider considers the relevant threats for the financial entity, the testers, the control team, and the test managers should provide feedback the draft threat intelligence report. If it is available, the threat intelligence provider may use a generic threat landscape provided by the TLPT authority for the financial sector of a Member State as a baseline for the national threat landscape. Based on the TIBER-EU framework application, the threat intelligence gathering process typically lasts approximately 4 weeks.

To enable the testers to gain insight and further review the scope specification document and targeted threat intelligence report to finalise the red team testing plan, it is essential that, prior to the red team testing phase of the TLPT, the testers receive from the threat intelligence provider detailed explanations on the targeted threat intelligence report and analysis of possible threat scenarios.