Maintaining security for your financial institution has never been more challenging. Cyber threats are evolving all the time, with new vectors and threat actors appearing. Attack methods have become more sophisticated, thanks largely to the use of AI to scale up hacking attempts and refine phishing attacks. 

Financial organizations are seriously rethinking traditional cybersecurity measures, which can’t stand up to today’s advanced cyber threats or ensure compliance with updated regulations. The Digital Operational Resilience Act (DORA), in particular, requires financial entities (and the critical ICT third-party providers they depend on) to meet defined levels of operational resilience. 

Among DORA’s many requirements, Article 26 mandates regular threat-led penetration testing (TLPT) for financial entities that the authorities identify as needing it. TLPT tests the live production systems that support critical or important functions to see how well they would stand up to a realistic attack. It’s seen as the gold standard for demonstrating resilience, hence its inclusion in the DORA framework. 

Like every cybersecurity technique, there are right ways and wrong ways to go about threat-led penetration testing for DORA. In this blog, we’ll explain what’s involved in successful TLPT, share best practices and useful tools, and guide you to overcoming challenges and effectively implementing TLPT to meet your DORA requirements. 

Understanding TLPT and Its Role in DORA Compliance

Threat-led penetration testing for DORA involves simulated cyberattacks based on real-world threat intelligence, so that they come as close as possible to a genuine attack. DORA’s technical standards for TLPT are aligned with the TIBER-EU (Threat Intelligence-Based Ethical Red Teaming) framework, which standardizes how these tests are scoped, run, and closed out.

It covers a number of key objectives, including identifying security vulnerabilities; enhancing detection, mitigation, and response strategies by probing their effectiveness; improving your ability to withstand and recover from attacks; assessing third-party risks that could undermine resilience; and aligning your organization with DORA and TIBER-EU frameworks. 

In contrast, conventional penetration tests generally follow predetermined scenarios. Your organization might pass this test with flying colors, but that doesn’t mean you’d be able to thwart a genuine attack. Real cybercriminals are continually adapting and upgrading their tactics, techniques, and procedures (TTPs) to get around advanced defenses. TLPT under DORA uses adaptive, intelligence-led scenarios so that you’re prepared for a real adversary, not a scripted exercise. 

By monitoring your detection, response, and mitigation strategies in a controlled environment, you can discover vulnerabilities, security gaps, delays in response, and other issues that could expose you to a serious incident. This way, you can resolve them before malicious actors exploit them with a real attack. 

Key Components of a DORA-Compliant TLPT Program

Successful threat-led penetration testing for DORA involves meeting specific requirements, most of which are included in the TIBER-EU framework. The most important elements in TLPT for DORA are:

  • Basing the test on threat intelligence 
  • Risk-based scoping
  • Red team engagement 
  • Blue team involvement
  • Control validation 

Threat Intelligence Gathering

Accurate, up-to-date threat intelligence is the foundation for effective TLPT for DORA. Open-source cyber threat intelligence (CTI), insights from national cybersecurity authorities and financial sector threat intelligence groups, and dark web monitoring are critical to understanding the real-world threat landscape. By assessing relevant threat actors and reviewing recent trends in TTPs, you can ensure that simulated attacks mimic actual attack vectors. 

Risk-Based Scoping

Carefully balanced risk-based scoping ensures that TLPT aligns with your organization’s risk profile and DORA compliance requirements. This involves considering the impact of any attack on your customers, financial stability, and regulatory compliance, so you can define which systems, assets, and financial services are essential for operational resilience. If you rely on third parties for critical services, include their ICT as well. 

Red Team Engagement

Every test should be spearheaded by an independent Red Team that has the expertise to craft customized advanced persistent threat (APT) scenarios that mirror the TTPs of real-world actors, without causing operational damage. Your Red Team should comprise experienced and skilled ethical hackers who are familiar with DORA requirements, and ideally have industry certifications like CREST CRT or OSCP.

Blue Team Involvement

The Blue Team is your internal defense team. Their job is to detect and respond to the test. They shouldn’t receive any advance warning or know that it’s a test, so that they react just as if it were a real cyberattack; only a small control team (the White Team in TIBER-EU terms) knows the test is underway and can halt it if it threatens live operations. The goal is to evaluate the Blue Team’s real-time ability to spot anomalies, trigger alerts, and escalate and contain threats. 

Control Validation

Throughout the test, you’ll assess security controls, detection mechanisms, and incident response procedures. This includes evaluating the performance of controls like firewalls, IDS/IPS, endpoint security, SIEM solutions, encryption, MFA, and access controls, to validate whether they still hold up against the current TTPs the scenario exercises, rather than only the threats they were originally deployed for.

TLPT Execution Phases for DORA Compliance

For threat-led penetration testing for DORA to be effective, you need to follow a structured process. This includes: 

  • Planning and scoping
  • Gathering threat intelligence
  • Simulating the attack
  • Assessing detection and response 
  • Reporting on the test and remediating security gaps

Phase 1: Planning and Scoping

Thorough preparation is vital for a successful test. In the first phase, define objectives for your test and prioritize critical functions, assets, and third-party dependencies to serve as testing targets. Make sure that your testing scope aligns with DORA and TIBER-EU guidelines and is agreed with the authority overseeing the test. It’s also important to set Rules of Engagement (RoE) which establish acceptable risk thresholds, testing boundaries, and the conditions under which the test will be paused or stopped. 

Phase 2: Reconnaissance and Threat Modeling

The next phase is to collect intelligence from a variety of sources so you are fully aware of current cyberattack trends. Then you can use this intelligence for threat modeling, to identify potential attack surfaces and design attack scenarios that reflect the most likely threats and exploit your organization’s vulnerabilities. 

Phase 3: Attack Simulation

In phase three, your Red Team will carry out the simulated attack, using stealth and persistence tactics to bypass detection. They’ll focus on gaining unauthorized access to your systems and then escalating privileges to move laterally through your network and reach critical assets or sensitive data. Throughout, the Red Team will use advanced attack techniques to maintain control over your systems and stress your response procedures. 

Phase 4: Detection and Response Analysis

Next, evaluate your Blue Team’s ability to detect, respond to, and mitigate attacks in real time. This includes how quickly they spotted each stage of the attack and activated a response plan; the effectiveness of their escalation procedures; communication and coordination with internal and external stakeholders; and whether they were able to contain and mitigate the threat without serious damage or downtime. Replaying the Red Team’s timeline against the Blue Team’s alert timeline, step by step, is the most reliable way to see which techniques were missed, which were detected but never escalated, and how long each detection took. 

Phase 5: Reporting and Remediation

The final phase involves documenting detailed findings and completing risk impact analysis. This should include prioritized remediation recommendations that cover specific technical fixes like patching vulnerabilities; process improvements like refining your incident response plan; and areas where additional training is necessary. You’ll also need to report to the regulators, according to DORA requirements. 
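The detection and response analysis in Phase 4 and the prioritized findings in Phase 5 both come from the same replay: lining up the Red Team’s activity log against the Blue Team’s alert log. The script below is an added example of that correlation and is not part of the original post or any named framework; it assumes both teams record events as `timestamp key=value` lines tagged with MITRE ATT&CK technique IDs, and the two logs it uses are constructed sample data, not output from a real engagement. The `RED_LOG`, `BLUE_LOG`, `parse_log`, `correlate`, `summarize`, `campaign_time_to_escalation` and `run` names are all assumptions of this example.

```python
import re
from datetime import datetime, timedelta
from statistics import median

# Constructed sample logs (not from any real engagement). The red team records each
# action with the ATT&CK technique it exercised; the blue team's alert timeline is
# exported from the SIEM/EDR once the test is disclosed.
RED_LOG = """\
2024-03-04T09:12:00Z host=ws-fin-017 technique=T1566.001 action="phishing attachment opened"
2024-03-04T09:40:00Z host=ws-fin-017 technique=T1059.001 action="PowerShell stager executed"
2024-03-04T10:05:00Z host=ws-fin-017 technique=T1003.001 action="LSASS memory dumped"
2024-03-04T11:30:00Z host=srv-pay-02 technique=T1021.002 action="SMB admin share lateral movement"
2024-03-04T13:00:00Z host=srv-pay-02 technique=T1048 action="exfiltration over DNS"
"""

BLUE_LOG = """\
2024-03-04T09:52:00Z host=ws-fin-017 technique=T1059.001 source=EDR escalated=yes
2024-03-04T11:33:00Z host=srv-pay-02 technique=T1021.002 source=NDR escalated=yes
2024-03-04T15:40:00Z host=ws-fin-017 technique=T1003.001 source=SIEM escalated=no
"""

KV = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_log(text):
    """Parse 'ts key=value ...' lines into dicts with a datetime under 'ts'."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts_str, _, rest = line.partition(" ")
        ev = {k: v.strip('"') for k, v in KV.findall(rest)}
        ev["ts"] = datetime.fromisoformat(ts_str.replace("Z", "+00:00"))
        events.append(ev)
    return events


def correlate(red, blue, window=timedelta(hours=24)):
    """Match each red action to the earliest blue alert on the same host and
    technique that fired within `window` after the action. Alerts that fire
    before the action, or outside the window, do not count as detections."""
    blue = sorted(blue, key=lambda e: e["ts"])
    rows = []
    for a in red:
        hit = next((b for b in blue
                    if b["host"] == a["host"] and b["technique"] == a["technique"]
                    and a["ts"] <= b["ts"] <= a["ts"] + window), None)
        rows.append({
            "technique": a["technique"],
            "host": a["host"],
            "detected": hit is not None,
            "escalated": hit is not None and hit["escalated"] == "yes",
            "ttd_min": (hit["ts"] - a["ts"]).total_seconds() / 60 if hit else None,
        })
    return rows


def summarize(rows):
    """Coverage, escalation rate, median time-to-detect, and the two gap lists
    that feed the remediation backlog: never detected, and detected but not escalated."""
    detected = [r for r in rows if r["detected"]]
    return {
        "coverage": len(detected) / len(rows),
        "escalation_rate": sum(r["escalated"] for r in detected) / len(detected) if detected else 0.0,
        "median_ttd_min": median(r["ttd_min"] for r in detected) if detected else None,
        "undetected": [r["technique"] for r in rows if not r["detected"]],
        "detected_not_escalated": [r["technique"] for r in detected if not r["escalated"]],
    }


def campaign_time_to_escalation(red, blue):
    """Minutes from the red team's first action to the first escalated alert:
    how long the whole campaign ran before anyone treated it as an incident."""
    start = min(a["ts"] for a in red)
    esc = [b["ts"] for b in blue if b["escalated"] == "yes" and b["ts"] >= start]
    return (min(esc) - start).total_seconds() / 60 if esc else None


def run(red_text=RED_LOG, blue_text=BLUE_LOG):
    return summarize(correlate(parse_log(red_text), parse_log(blue_text)))


if __name__ == "__main__":
    for k, v in run().items():
        print(f"{k}: {v}")
    print("first escalation (min):",
          campaign_time_to_escalation(parse_log(RED_LOG), parse_log(BLUE_LOG)))
```

On the constructed data, initial access (T1566.001) and exfiltration (T1048) go unseen, credential dumping is flagged by the SIEM more than five hours later and never escalated, and the campaign runs for 40 minutes before the first escalated alert. Those three facts are the prioritized findings: the undetected techniques need new detection content, the unescalated one needs a triage or playbook fix, and the 40-minute figure is the resilience metric you would track across successive tests.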

Best Practices for Implementing TLPT

If you’re looking to go beyond the basics, certain best practices can streamline TLPT and make the most of its potential as a resilience tool. For a start, carry it out more often than the mandatory minimum of once every three years. Run TLPT annually or after significant system changes, to catch emerging issues that could undermine resilience. 

Your Red Team should comprise qualified, independent, and experienced ethical hacking experts, to ensure that tests are unbiased and effective at revealing weaknesses. Additionally, it’s crucial to actually document and implement the lessons you learned. Unless you apply the insights from every test, you won’t improve your security controls or resilience strategies. Your goal is to enhance resilience, not just find vulnerabilities.

Integrating TLPT into your risk management framework helps align it with your broader ICT risk strategies. This keeps your cybersecurity measures in sync with your overall business objectives and evolving threat and regulatory landscapes, and helps you prioritize and mitigate risks more efficiently. 

At the same time, you should collaborate with National Competent Authorities (NCAs) both before and after testing, to clarify regulatory requirements, prevent misunderstandings, and enhance transparency and trust. 

Common Challenges and How to Overcome Them

While threat-led penetration testing is the best way to identify vulnerabilities and enhance resilience, it’s not always easy to implement. For example, many companies lack skilled professionals to conduct advanced penetration testing. But you can hire external experts or partner with specialized cybersecurity firms to run tests, or invest in professional training to build internal expertise. 

Penetration tests have a tendency to scope creep, making them harder to manage and budget. It’s vital to establish clear objectives and boundaries with well-defined responsibilities from the beginning of the process, and set up regular checkpoints to keep tests on track. 

There’s also a risk that penetration testing can impact business continuity and cause system downtime. To mitigate this, plan your testing carefully and schedule it for off-peak or low-traffic hours. A contingency plan and backup systems can also minimize disruption to business operations. 

TLPT Tools and Frameworks to Support Compliance

Fortunately, you don’t have to go it alone. There are solutions to help you plan and implement effective TLPT testing for DORA compliance. For example, the MITRE ATT&CK framework helps you map and understand attacker tactics and techniques, which is essential for thorough threat profiling in accordance with DORA requirements for realistic simulated attacks. 

TIBER-EU, CBEST (the Bank of England’s scheme), and iCAST (the Hong Kong Monetary Authority’s scheme) are testing frameworks designed specifically for threat intelligence-based testing, and they provide structured methodologies for simulating real-world cyberattacks. DORA’s TLPT requirements are aligned with TIBER-EU, so an engagement run under that framework maps most directly onto what the regulation expects. 

In addition, Security Orchestration, Automation, and Response (SOAR) tools automate detection and response workflows to help streamline the processes of identifying, containing, and mitigating threats. This is critical for meeting DORA obligations related to incident management and reporting. 

DORA-Compliant TLPT Solutions

DORA compliance can be complex and multi-faceted, requiring you to ensure that your cybersecurity and risk management strategies are holistic and comprehensive. Threat-led penetration testing (TLPT) plays a crucial role in verifying resilience in accordance with DORA requirements, by exposing vulnerabilities and revealing specific ways to strengthen the people, processes, and controls involved. 

Financial services organizations need to prioritize TLPT as a key pillar in DORA compliance. It should be integrated into your risk management programs as a critical element for ICT resilience. It should be routine to collaborate with experts to simulate real-world attacks, evaluate detection and response capabilities, and safeguard critical systems. As long as cyber threats continue to evolve, TLPT will need to keep pace to deliver long-term digital resilience.

DORA-Compliant TLPT FAQs