How can financial institutions prepare for a cyber attack? By organising a cyber attack in real conditions to measure the problems in an environment close to reality. Photo: Shutterstock

How can financial institutions prepare for a cyber attack? By organising a cyber attack in real conditions to measure the problems in an environment close to reality. Photo: Shutterstock

A few months ago, experts from the financial regulator CSSF (and the BCL) launched their first cyber attack on a financial institution in the financial centre.

This high-risk exercise follows a European framework called Tiber and was presented this Thursday 13 October on the stage of the 7th PwC Cybersecurity Day.

Should one employee with skills as sharp as their loyalty to the company that employs them detect an intrusion by hackers into their bank's computer systems, and should they warn management (as procedures should provide) and the authorities in the same movement, the first TiberLU would end up before the police and the courts.

The CSSF and the Banque centrale du Luxembourg (BCL) adopted the "Threat intelligence-based ethical red teaming" (Tiber) framework last November. This European scheme makes it possible to launch real-fake cyber attacks against financial or banking institutions, to test the resilience of the market, to enable entities that operate in several jurisdictions to be tested and, above all, to help these same entities measure how ready they are, or are not, to face the reality of a violent digital world, where cyber attacks are increasingly commonplace.

A cyber attack that can last up to a year

"TiberLU is not an exercise that you fail or pass, otherwise institutions would fail every time: there will always be something to find," said CSSF IT inspector and supervisor Jean de Chillou on Thursday morning on the stage of the 7th PwC Cybersecurity Day. "It's not a supervisory tool either and it's on a voluntary basis."

The first test, which "started a few months ago", will be followed by four more tests next year. Some 15 of the country's critical financial institutions have already volunteered, from the world of retail banking, payment services, market infrastructure and other unspecified sectors. These attacks can last up to a year, because they are carried out through a long process of preparation and implementation of the attack scenario, from the attack itself, entrusted to external partners, to debriefing and experience sharing.

In the company concerned, only the management is warned and involved, in order to avoid "escalation" as it is called. They’re notified either the moment this exercise can look like a real cyber attack to the police or judicial authorities or when ethical hackers stumble upon a critical flaw that must be remedied immediately before real hackers, eager for ransom, attack the company. The balance is fragile: it is hard to imagine the future of an IT team that would not notice anything... A whole series of risks have been envisaged by Tiber to avoid any spillover, from the unsecured sharing of documents between different stakeholders in the financial institution, to the arrival of information outside the company, etc.

A test to be carried out every three years soon

The hackers, who are bound to strict secrecy and are not allowed to touch the integrity of a bank or its data, are given "flags" to place in strategic locations to show that they have succeeded in breaking in. They cannot conduct social engineering during the test, or even attack an employee to force them to support their intrusion into the company's computer systems.

Institutions that complete the procedure will receive a certificate that a test has been conducted according to Tiber standards. In two or three years, Tiber will become mandatory for critical financial institutions and will have to be renewed every three years.

The worst thing, admits de Chillou, could be that a real attack occurs at the same time as the real-fake attack. A probability that is impossible to assess and that will require a great deal of agility to respond to the real-real attack.

This story was first published in French on . It has been translated and edited for Delano.