What is the TIBER-EU Framework?

  • March 1, 2023
  • By Cyberarch Admin

The financial services industry is one of the most essential sectors driving the national economy of a country. Unsurprisingly, cyber threat actors have been relentlessly targeting financial entities such as banks, investment management firms, stock exchanges, payment institutions, credit agencies and regulatory bodies. The objective is to gain access to the personal and sensitive data stored in these entities, which is of high value on the dark web.

Financial institutions need to comply with security standards and regulations to protect consumer data and their own reputation. Various frameworks define cybersecurity standards for the financial sector; however, most of them do not take a proactive approach. This is where the TIBER-EU framework is effective. 

What is the TIBER-EU Framework?

Threat Intelligence-Based Ethical Red Teaming for the European Union (TIBER-EU) is a framework developed by the European Central Bank (ECB). According to the ECB, TIBER-EU is aimed at delivering a “controlled, bespoke, intelligence-led red team testing of entities’ critical live production systems.”

In addition, the framework has the following objectives:

  • To improve the protection, detection and response capabilities of entities
  • To enhance the resilience of the financial sector
  • To provide assurance to the authorities about the cyber resilience capabilities of the entities under their responsibility

It is a non-compulsory framework, developed as a new industry standard that lets critical financial entities gather intelligence, build cyber resilience and carry out red-team assessments of their strengths and weaknesses. Moreover, it helps them gain insight into how their existing cyber security defence mechanisms hold up against malicious actors in real time.

TIBER-EU History

TIBER-EU was developed by combining the efforts, resources, intelligence, analysis and insights of the ECB, UK (CBEST), TIBER-NL (Netherlands) and EU national central banks. Since 2018, the framework has been used in more than 13 European countries, including the UK.

The magnitude of losses and disruption a successful cyber attack on financial institutions can cause paved the way for the inception of the TIBER-EU framework. An intelligence-driven framework such as that of TIBER-EU is necessary to identify hacking attempts and thwart them fast. The new industry standard framework will hopefully strengthen national economies by equipping them to fight against sophisticated cyber attacks. 

TIBER-EU Testing Process

The TIBER-EU testing process consists of a controlled or simulated cyber attack that follows the tactics, techniques and procedures of a real cyber-criminal. Entities should enable the red teams to execute penetration testing in the most brutal forms and target critical functions, people, processes and systems. This helps in detecting possible vulnerabilities and threats, and in gauging the extent of damage a real cyber attack could do.

TIBER-EU penetration testing consists of three phases, namely Preparation, Testing and Closure. They are explained below.

  • Preparation

The preparation stage involves establishing the scope of the engagement and deciding the red team that will carry out the test.

  • Testing

The red team will start the simulated attack using real-world tactics, techniques and procedures, with no warning to people, processes and systems. However, these attack tests are carried out in accordance with national and local laws.

More specifically, the testing methodology involves the following stages:

  • Reconnaissance – This stage involves the collection of as much data about the target as possible. It is regarded as the critical step, providing all the information about the people, technology and environment around the target. This stage also includes deciding which tools to use.
  • Weaponization – In the second stage, the red team analyses the gathered information more thoroughly and learns more about the infrastructure, employees and other facilities available. A clear picture of the specific target and the operational approach to be taken emerges in this stage.
  • Delivery – This is the execution stage, where the complete operation becomes active for the first time. The red team will carefully plant hardware Trojans, use social engineering tactics and phishing attacks, break through the vulnerabilities and continue to persist in order to find exploitation opportunities.
  • Exploitation – In the exploitation stage, the red team gets inside the servers, apps, systems and networks through various means. This stage is followed by the control and movement stage, discussed in the next bullet.
  • Control and Movement – In this stage, the red team compromises less important systems and then moves on to compromise high-value systems. Moreover, the red team tries to gain more access within the system and find more targets.
  • Action – The final stage involves completing the actions that achieve the objectives set in the first stage.



The result is a detailed report covering the vulnerabilities, security strengths and weak areas, and the extent of damage caused, which will be communicated to entities. Both technical and educational aspects will be shared to help in the development of a remediation strategy. The information collected will be shared with the threat intelligence community too.

Financial entities and other business organisations with branches at multiple locations in the EU can carry out red team penetration tests in one place and apply what they learn at all their other locations. One of the objectives of the framework is to standardise the way entities perform intelligence-driven red team tests across the EU. At the same time, each jurisdiction can adapt it flexibly to meet its specific requirements.

The Potential of TIBER-EU 

TIBER-EU has the potential to redefine the way in which the financial industry builds cyber resilience against cyber attacks. It is important to leverage the features of the framework effectively. TIBER-EU aims to grow further through collaboration across EU entities. Much needs to be done to involve more countries and to provide more resources, training and materials for the members.

As per the TIBER-EU framework developers, it can be used by “payment systems, central securities depositories, central counterparty clearing houses, trade repositories, credit rating agencies, stock exchanges, securities settlement platforms, banks, payment institutions, insurance companies, asset management companies and any other service providers deemed critical for the functioning of the financial sector.”

Thus, financial sector entities adopting the TIBER-EU framework can strengthen their cybersecurity initiatives. At the same time, it will give more confidence to consumers and other stakeholders that their data is safe in the financial industry.

If you require assistance with TIBER-EU framework based activities, Cyberarch has the capabilities to execute them effectively. Please do not hesitate to contact us for further information or support.
