We are delighted to see the release of ART (Advanced Red Teaming), a voluntary red teaming framework created by De Nederlandsche Bank (DNB).
ART’s goal - to help financial entities and companies servicing them test their security posture against realistic threats more regularly - is on point.
If the EU is going to maintain resilience against advanced threats, many of which are nation-state-backed, offensive security will have to become the new normal.
ART is a Dutch framework, but as we have previously seen with TIBER-NL, it will likely become a valuable tool for any European financial entity. Frameworks like ART are especially relevant when collaboration and standardisation seem to be progressing EU-wide with regulations such as the Digital Operations Resilience Act (DORA).
We like the fact that ART is modular and voluntary. While the DNB supervises testing, ART is not mandated by the DNB or any other institution. Instead, it is designed to help companies do more regular red teaming and focus on specific areas that they may perceive to require further assurance.
More regular red teaming is only ever a good thing. At least in our opinion.
The DNB has done a great job creating an easy-to-understand framework, which we recommend reading at the link below.
In this blog post, we review the official ART framework and analyse its place in the wider red teaming space based on decades of experience with European financial entities.
ART vs TIBER-EU
ART does not set out to replace TIBER-EU, the European framework for threat intelligence-based red-teaming.
TIBER-EU is a mandatory testing framework for EU-wide critical financial institutions (FIs) and third parties, including large banks, payment processors and insurance companies.
ART takes TIBER-EU methods and processes and makes them available to more companies through a more widely applicable and flexible framework.
Critically, ART is a voluntary framework for red teaming designed for important financial institutions and third parties. However, we feel that the framework could also be adopted by other industries.
There is no reason why ART should be restricted to the financial vertical, as we discuss below.
With ART, there is no pass or fail
Essentially, ART opens the door for more institutions to structured red teaming exercises at their own pace and budget, along with a structured playbook for institutionally recognised red teaming. All outside of mandatory compliance.
Optional modules, in addition to some core mandatory modules and reporting requirements, make ART much more flexible than TIBER-EU, and therefore, it is suitable for organisations with a wide range of budgets, requirements, and security maturity.
Compared to TIBER-EU, ART can be completed in a shorter (or longer) period. It also makes various mandatory parts of TIBER-EU optional, such as having a threat intelligence provider.
The screenshot below, taken from the official ART framework guide, shows the core differences between the two.
Types of Companies That Should Use ART
In our opinion, you could call ART “TIBER-EU Lite” or “DORA-Lite.”
Paraphrasing the guidance in the ART framework, ART’s core use case seems to be for financial institutions that:
- Are not ready for a TIBER-EU test (or a threat-led penetration test, also known as TLPT).
- Are ready for a TIBER-EU test/TLPT but not classified as vital.
- Do TIBER-EU/TLPT testing but want to do something in between mandatory tests.
However, ART is not strictly limited to the financial sector. It is also useful for non-FIs that provide services to the financial services industry (FSI) and find themselves in the same situations described above.
Speaking at the launch of ART, Steven Maijoor, Chair of the European Securities and Markets Authority (ESMA), highlighted the flexibility of the ART framework, saying that it could be used:
“Whether you operate in the financial sector, or elsewhere – like the healthcare or the telecom sector, or the government.”
According to the official framework, ART can be adapted to more or less any industry, but only as long as the following conditions are met:
- The test must be conducted in secrecy.
- Only a very limited group (the Control Team) should be aware of the test.
- The test must be performed on the organisation’s live systems.
- The test must always include at least one scenario involving ethical hacking.
- The scenario must always be based on threat intelligence.
Same goes for geography. While ART is currently an initiative of the DNB in the Netherlands, there is nothing stopping other countries from adapting ART themselves.
How Long Should An ART Test Take?
Our understanding is that an ART test should take a total of six to nine months. For comparison, this is roughly 30% less time than a typical TIBER-EU test would take.
Specifically, ART tests have three phases:
- Preparation. This involves engagement scoping and procurement of test providers.
Average duration: 4-6 weeks.
- Test. When the actual red teaming, purple teaming and optional threat intelligence and gold teaming take place
Average duration: 6-8 weeks.
- Closure. Where remediation is planned.
Average duration: Between 2 and 8 weeks.
ART Test Modules
One of the most impressive aspects of ART is its modular nature.
So long as an entity includes the mandatory elements of the ART framework, it can choose different modules to fit its budget and security maturity level.
Roughly half of every ART test will be made up of optional modules.
Choosing which optional modules to do is up to the entity itself and takes place during scoping. In practice, this decision will be a product of collaboration between the Test Cyber Team (TCT) and the Control Team Lead (CTL), possibly based on a previous threat intelligence assessment.
For example, under ART’s test phase, there are:
- Three mandatory modules (Internal Threat Intelligence + Generic Threat Landscape (GTL), one scenario assumed compromise, Purple Teaming (PT) fundamentals).
- 10 optional modules, including end-to-end simulation, Full TI and Gold Teaming.
Provided the managing authority concurs, any module mix can still be officially registered as an ART.
In our opinion, this level of customisation is a fantastic development. Being able to tailor testing based on what is there to be tested and what resources are available means that FIs can get more value from red teaming than they otherwise would.
Why Should Organisations Perform an ART Assessment?
If ART is not mandatory, and there is no support from an institution such as DNB, why would an organisation want to conduct an ART assessment? Why not conduct a standard red team assessment that is not aligned with any framework?
This is a common question that we get when we scope non-regulated engagements. In our opinion, the use of frameworks like ART provide every party with clear expectations about the execution of an engagement.
Frameworks provide guidelines around the duration of the assessment, the processes involved, the quality of the testing, etc.
Adhering to ART would give organisations greater assurance when they commission a red team type of assessment. Using ART would also help put an organisation on a path to regular, repeatable assessment by, for example, creating metrics for improvement.
The ART framework can help ensure a standardised test regardless of whether an organisation uses the same provider they worked with during a previous test or a different one. Common frameworks like ART can give everyone a playbook to adhere to.
Similarly, during the procurement process, a framework like ART can help to define the boundaries and compare providers like-for-like.
Choosing An ART Testing Provider
ART allows FIs and other organisations to test against realistic physical intrusion, incident response, and network and application security tests.
This kind of offensive testing needs a trusted partner.
SECFORCE meets and exceeds the red team requirements needed to deliver TIBER-EU and ART tests. We are certified to CREST standards and have extensive experience in red teaming.
Contact us to learn more.
