An ART test to prepare your organisation for a cyber attack
In 2024, De Nederlandsche Bank (DNB) launched the Advanced Red Teaming (ART) framework for the financial sector. As with TIBER, ART uses red teaming to test how well prepared your institution is for a real-world cyber attack. The threat intelligence relevant to you and the findings from the test will help you as you work to improve your cyber defences. What exactly ART is, how it works and how it differs from TIBER is described in ART: the new ethical hacking framework.
This article is for CISOs or senior managers who are wondering whether their organisation is ready for an ART test and how best to prepare for it.
Preparatory steps
An ART test can assess all aspects of your institution's information security. The step-based approach below (Figure 1) shows these aspects and the preparatory steps we recommend you take to get the most out of your ART test. Once you have completed these steps, the modular ART framework provides an efficient and realistic way to test your cyber resilience.
© DNB
Board
In your role as CISO, you first need board-level support to implement the steps. This is shown in the 'Governance' block. In practice, freeing up capacity and scheduling the required resources involve relatively long lead times. At least one board member is actively involved in the execution of the ART test, as opposed to those involved or responsible for cyber defence, who should not know anything about the test in order to maximise the learning experience.
Maturity
We first advise you to ensure the maturity of your security organisation (see box 'security organisation'). Ensure that basic hygiene is in place in accordance with ISO27001 or a similar standard for information security management. The level 1 legislation for the Digital Operational Resilience Act (DORA) and the associated level 2 legislation, in the form of the Regulatory Technical Standards (RTS) can also provide guidance. A security operations centre (SOC) needs to be in place to detect cyber attacks. Threat intelligence can be partially purchased from an external security provider.
Cyber resilience
In parallel with putting the security organisation in order and preparing for red team testing, you can carry out various security tests at regular intervals, as shown in Figure 1. Security testing increases your organisation's resilience, provided that you follow up on the points for improvement resulting from the tests.
More substantive explanations of the steps can be found at: Step-based approach to prepare for a cyberattack.
The ART test
The starting point for developing an attack scenario for a red team test such as ART or TIBER is the generic cyber threat landscape that DNB prepares annually for our Resilience Testing Community. This document is also shared with each institution when it conducts an ART test.
A red team test such as ART (or TIBER) is conducted by ethical hackers employed by a third-party provider of these services. Following the ART test, it will be evident whether your organisation's security processes and controls form a coherent whole, and where improvements are warranted.
DNB's fee
For a red team test to qualify as an ART test, the mandatory steps from the ART framework must be followed and a Test Manager from DNB must be engaged to oversee the test. DNB charges a cost-covering fee for sharing the generic cyber threat landscape and overseeing the test. This is separate from the fee your institution pays to the security provider that performs the ART test. Following the test, we can provide your institution with an attestation if the requirements of the ART framework have been met.
More information
To read more about different types of red team test frameworks, please see DNB oversees cyber resilience tests | De Nederlandsche Bank. If you have any questions, please contact us at tct@dnb.nl.