TIBER-EU: How to support advanced Red Teaming activities with Pikered products

July 2024

TIBER-EU (Threat Intelligence-Based Ethical Red Teaming) is a European framework that provides guidelines for performing advanced tests of an organization's cyber posture. In essence, it establishes the roles and key phases for an effective implementation of Red Team Assessments by entities operating in the most critical sectors, with particular reference to the financial sector. Adoption of the TIBER-EU principles is voluntary: European states may implement the framework at the national level, adapting it through national guidelines (for example, in Italy there is TIBER-IT) and possibly making it mandatory for certain categories of entities.

The fundamental objective of a TIBER-EU process is to conduct “intelligence-led” activities that identify the key people, processes and technologies of the target entity. The tactics, techniques and procedures (TTPs) of a malicious actor are then applied without informing internal personnel, so as to assess the organization’s ability to detect and respond to a targeted attack.

The TIBER-EU process includes the following macro-phases:

  • Threat landscape analysis: gathering information about the target entity’s industry and identifying advanced attack scenarios that could threaten that ecosystem;
  • Preparation: definition of the groups responsible for the different activities and of the scope of action, in collaboration with the management of the target entity;
  • Test: Threat Intelligence analysis of the target entity, aimed at defining attack scenarios that can be simulated and gathering relevant information about the organization. The Threat Intelligence results are then used by the Red Team to formulate and execute attack simulations involving critical systems in production, as well as key people and processes;
  • Closing: the Red Team delivers a report that details the approach taken and the results achieved. It should include advice on possible areas for improvement of any kind, from technical controls to policies to be adopted to training activities. The entity’s stakeholders are then informed of the test, the evidence is discussed and a Remediation Plan is drawn up. The results are finally shared with the competent authorities.

A test of this type involves several actors, among which the main ones are:

  • TIBER Cyber Team: appointed by the competent national authority, it oversees the test to ensure that it complies with the requirements of TIBER-EU or its national implementation;
  • White Team: the only group within the target organization aware of the test. It is responsible for organizing the test, defining the scope in agreement with the management, sourcing the external teams and handling communication between them and the competent authorities;
  • Blue Team: all internal staff of the target entity, excluding the White Team, and in particular those who manage its security and attack-response activities. It must not be made aware of the test until the closing phase, so that the test remains realistic;
  • Threat Intelligence provider: a group usually external to the entity, able to carry out advanced Threat Intelligence activities by exploiting multiple sources and producing a report that narrows down the scenarios to be used in the attack simulation;
  • Red Team provider: usually external to the entity, it carries out the actual attack activity in accordance with the scope and the defined attack scenarios, drafts the report and discusses the results obtained, so that the entity can create a Remediation Plan.

The role of the Red Team

The Red Team is set up as a group with proven experience in the field of Red Team Assessments, ideally confirmed by professional certifications issued by recognized international bodies. The Procurement Guide provides the requirements to be verified when selecting a Red Team.

The test aims to simulate the behaviour of a real attacker, targeting key people, technologies and processes in order to maximize the (hypothetical) impact of the attack. This must be done by adopting TTPs calibrated to the organization under consideration, simulating both external and internal attack scenarios, and taking an opportunistic approach: the Red Team should therefore be able to modify its attack plans dynamically when obstacles or new information arise, also coordinating with the other actors involved in the test. It is, moreover, an extended-duration test, given that the red-teaming phase alone has a recommended duration of 10-12 weeks. The scope therefore goes far beyond standard offensive activities and requires suitable technological tools.

The TIBER-EU framework is technologically neutral: it is therefore the responsibility of the Red Team to identify and propose the right tools for the engagement. Due to the advanced nature of this activity, many standard technologies, both commercial and open source, are difficult to apply effectively.

The ZAIUX® Suite can help the Red Team by offering advanced features and, where the scope allows, the ability to automate part of the tasks.

ZAIUX Framework: a C2 tool for TIBER-EU

ZAIUX® Framework is a Command-and-Control (C2) tool with advanced defense-evasion capabilities. With it, a Red Team can simulate an attack from outside the network, using the techniques adopted by our malware to establish a communication channel that remains hidden in most infrastructures, including those guarded by advanced systems such as EDRs and NDRs. Once initial access has been obtained by executing the malware on a machine within the infrastructure, operators can perform a wide range of techniques, both custom and ready to use, to move through the network towards the critical targets defined by the Threat Intelligence.

ZAIUX Framework can therefore be used as the main supporting tool in the most advanced stages of an engagement, i.e. after the external attack surface has been penetrated or the White Team has given the green light to launch the malware manually. Thanks to it, the Red Team is able to simulate an intrusion at the infrastructure level effectively, pursuing objectives such as the compromise of critical assets, the exfiltration of sensitive data and access to administrative privileges.

ZAIUX Evo: maximising the effectiveness of your Red Team

Although a TIBER-EU test involves a long timeframe, entities operating in critical sectors usually have complex and well-guarded infrastructures. Applying all possible TTPs, from the reconnaissance of vulnerable targets to post-exploitation actions, can therefore prove very time-consuming, leaving the Red Team little room to devise ad-hoc solutions and overcome the obstacles it will face. A Breach & Attack Simulation (BAS) solution capable of operating evasively, and therefore behaving like an experienced human attacker, can thus be a useful tool to employ after initial access has been acquired, in order to test a wide range of techniques and obtain more advanced access and privileges.

With ZAIUX® Evo it is possible to achieve this result in a completely automated way. Guided by AI, our BAS platform can generate and execute adaptive attack paths within a Microsoft Active Directory infrastructure, based on the context in which it operates.

In the frequent situations in which the main target of an attack is an Active Directory domain, the Red Team can therefore automate part of its activities, provided that the techniques performed by ZAIUX Evo are accepted by the White Team among the agreed TTPs. A Red Team could potentially launch multiple automated BAS runs at the same time on the different domains to which it has gained access, while focusing its own efforts elsewhere.

And at the end of the BAS?

Thanks to the integration between our solutions, the Red Team can migrate to ZAIUX Framework the implants generated during one or more ZAIUX Evo BAS runs, together with the history of the activities carried out so far, and then complete the engagement by bringing the added value of its own skills.

A Red Team involved in advanced activities such as TIBER-EU tests should make sure to use advanced tools, turning to specialized partners where needed.

Discover the products of the ZAIUX Suite and contact us to assess your red-teaming needs!