"We always work with code names"
The financial sector will have to deal with new European legislation from 2025. Then the 'Digital Operational Resilience Act' (DORA) comes into force and large insurers are obliged to carry out threat-driven hacking tests. This testing is based on DNB's voluntary TIBER programme. What do these tests entail? And why does DNB actually 'interfere' with the cyber resilience of insurers?
Rob Wassink is TIBER Test Manager at DNB. When he joined DNB more than three years ago, it was already conducting the TIBER tests for the 'financially critical infrastructure', including the largest banks. This was such a success that since 2019 the tests have also been done voluntarily at pension funds and insurers. Wassink calls it "very powerful" to see how open insurers dare to be among themselves. "It is not easy to admit that there is a vulnerability in your organization. Yet insurers dare to share that in a trusted group. Fortunately, because insurers can learn so much from each other."
Cyber threat to financial sector
In the summer of 2022, De Nederlandsche Bank (DNB) reassessed the threat landscape for Dutch financial institutions. Members of the Dutch Association of Insurers were then able to request an overview of the cyber risks they should take into account. Insurers who have not yet done so can still receive this so-called Financial Threat Landscape for the Netherlands via j.schaffers@verzekeraars.nl.
From defence to attack
Wassink knows what he's talking about. Before joining DNB in 2019, he worked for a long time in the insurance business. "In recent years I have learned a lot. My focus was more on risk-based defense. This produces a completely different result than when you look at the cyber threat and analyse possible attack scenarios, as we do in the TIBER programme. With our TIBER Cyber Team, we pay attention to hacker groups from organized crime, but also to groups that work for foreign governments and pose a threat to Dutch society. What kind of data are they looking for? How do they attack? And what are hidden treasures for hackers?"
According to Wassink, insurers have been increasingly adjusting their security measures to the threat posed by various hacker groups in recent years. "In the TIBER program, we share this threat information so that we can also strengthen each other in this way."
Trust is crucial
When asked why DNB 'interferes' with the cyber resilience of the financial sector, Wassink answers with one word: trust. "DNB attaches great importance to trust. It is essential for financial stability, which is a core task of DNB. That trust is damaged if an insurer is hacked and is therefore out of circulation. Of course, the sector itself takes responsibility for preventing this. We facilitate that cooperation. In this way, we ensure that all tests are carried out at a high level. In addition, we offer a safe environment to share information with each other. And to learn. Together with the financial sector, we are working to stay one step ahead of the hackers."
Publication of sensitive data
He gives an example. "Recently there was a big hack at a health insurer in Australia. Among other things, those hackers had access to medical data. They demanded money. When they didn't get that, they published very sensitive data from which it could be deduced who underwent which procedures. That is of course downright shocking."
Wassink calls it "good that insurers are increasingly aware of what sensitive data they have in their hands, so that they also know how vulnerable they are. That means that they can really do something about it to become more resilient. Just being compliant with rules is not enough. You also have to test your measures and practice what you can do if things do go wrong."
"Together with the financial sector, we try to stay one step ahead of the hackers"
The odd one out
The team that Wassink is part of helps the sector with those tests and practice. It consists of only nine people. "That is still possible, because we work closely with experts from the institutions."
In fact, DNB's TIBER programme works so well that the European Central Bank adopted the method of testing in 2018. "At the moment, sixteen central banks in Europe are working with TIBER tests and have a team like us. These TIBER Cyber Teams (TCTs) work together and supervise the tests in their own country. In these threat-based redteam tests, three attack scenarios are simulated, which provide valuable insights that are also shared among themselves."
He is emphatic about one point. "We are not part of DNB supervision. For insurers, we are therefore often the odd one out. Well DNB, no supervision. It is necessary to create a familiar environment where information can be shared. We also do not share test results with the regulator. This is done by the institution itself, after the test. After all, it's their data. To guarantee confidentiality, we work in a separate room in the DNB building and always use code names for the institutions. Think golden goat or crazy canary."
"I'm not a hacker"
In his own words, Wassink is 'not a techie pur sang and not a hacker'. "We don't hack ourselves. The institution has this done by ethical hackers who are hired from a security provider. DNB's TIBER framework is the guiding principle that enables us to carry out these types of tests with the highest quality. With our team, we are on top of it. I ensure that the testing process runs smoothly, while a colleague of mine checks whether the threat situation fits the setting that is undergoing the test."
That sounds exciting and to a certain extent it is, says Wassink. "Every TIBER test is like a real attack in the 'live' production environment. If data is 'stolen' during the test, it will come across lifelike to the attacked institution. Only a handful of people from the company undergoing the test are aware. There is always a board member in that team. He or she knows the risks, of course, but sometimes only then sees the impact of the dangers that the organization runs for the first time. And realizes where hackers can still get to despite all the security measures. That often works as an eye-opener. Suddenly an organization sees that it has to defend itself very specifically against 'real' attackers. Beautiful of course. That's exactly what we do it for!"
Choosing from evils
But testing doesn't solve everything, Wassink continues. "Sometimes the solution is not as clear-cut as you would like. We have just done a test at a large financial institution. The scenario was a ransomware attack in which all of the company's data was encrypted. 'The hackers' came in successfully and were able to place the ransomware. The 'bad choice' was whether or not to pay. If you pay, you finance criminals. Not paying means that you may not be able to provide services for a longer period of time. What are you doing? Do you choose principled or pragmatic? In this case, the testing team has chosen to put the questions to the directors involved. They were shown what the impact of an attack is and how quickly you have to decide under pressure. That made an impression. The case taught us that you want to make these kinds of trade-offs before the attack. Especially in times of stress and under time pressure, it helps to have a script ready for predictable scenarios."
"We never use the real names of the institutions, but talk about Golden Goat or Crazy Canary"
Testing makes you better
Wassink is firmly convinced: testing and practice will make you better. "We regularly see that after an audit the basic hygiene seems to be in order, but that 'hackers' later in a test still run off with the crown jewels. Painful, but also understandable. Basic hygiene and defending against advanced attacks complement each other. After each test, an improvement plan is therefore drawn up."
He makes the comparison with a fire drill. "After such an exercise, everyone knows what to do. A continuous test cycle therefore helps enormously. It keeps people on their toes, without burdening them too much. Then, when something happens, everyone knows what to do. And just as important: they have the right mindset and skills."
Test more insurers
DNB has been working on the TIBER tests for six years now. The interest of insurers is increasing. "We currently only have the vital institutions in scope in the TIBER programme. Both from the banks and from pension funds and insurers. That is nice and logical to start with, but we are now also looking at the ring around these vital institutions. It is important that medium-sized insurers and major suppliers also prepare for a real attack. Because despite all the preparation, it can happen that a real cyber attack on an organization is successful. Together we can work on making the impact as minimal as possible," concludes Wassink.
Text: Miranda de Groene - Photography: Ivar Pel
"It is important that medium-sized insurers and major suppliers also prepare for a real attack"
Well prepared for a cyber attack
DNB's TIBER Cyber Team has made a visualisation, a 'talking plate', of the test steps that an organisation can go through itself in order to prepare for a TIBER test and thus for a real cyber attack. After all, good preparation is half the battle, and it stands or falls with a good basis: the security organisation must be in order.
Security organization
The security organisation is often set up under the direction of the security function, the (chief) information security officer. It starts with basic hygiene: appropriate measures whereby the security operations centre (SOC) provides 24/7 monitoring and effective incident response. Threat intelligence helps the organisation to prevent security incidents. DNB sees cyber threats increasing, while basic hygiene is not always in order.
Security testing
Subsequently, security tests increase the resilience of the security organisation, so that the impact of a real cyber attack is limited. Each test provides insights into vulnerabilities, and these learning points must be followed up. Repeating the tests is important, because new vulnerabilities are discovered daily and attackers keep developing their methods.
However, security tests are only instructive if the type of test is tailored to the maturity level of the organization.
The 'talking plate' shows that it starts with technical testing, usually of the IT infrastructure. The more mature the organisation becomes, the more often entire systems, employees and processes are tested for vulnerabilities. Testing based on relevant cyber threats makes the test even more realistic.
The different types of security tests:
1. Vulnerability scanning: anything that deviates makes you vulnerable. There are tools that (automatically) scan all components in the network and check whether they still have the required technical configuration.
2. Penetration testing: the word says it all, pen tests go a step deeper than vulnerability scanning. But they are often executed with a limited scope of IT systems, precisely to find out what a hacker can do with that scope.
3. Awareness testing: make employees and management aware of the practices of hackers. Let them experience how they can unwittingly give attackers access to important systems and information. This increases security awareness in the organisation.
4. Tabletop exercises: a crisis exercise for management trains the organization in managing a crisis. The skills of the management are tested in this step at strategic, tactical and operational level.
5. Purple-team testing: blue (the defending organisation) plus red (the attacker) makes purple. The red team shows how a cyber attack can be carried out, while the blue team watches and learns.
6. Red-team testing: this involves testing the security of the entire organisation. The building, the processes, the technology and the employees must form a strong front against all types of attacks.
7. TIBER: this type of cyber-threat-based red-team testing is supervised by DNB's team. Test results are not shared with the regulator, and vital institutions participate on a voluntary basis.
More info? Look at TIBER: together against cybercrime.
Questions and/or comments? Mail to Rob Wassink.