What would happen if a globally critical banking institution crashed due to a cybersecurity incident? Chances are the entire financial ecosystem would be affected, and a crisis would ensue.
Preventing a scenario like this is the objective of the Digital Operational Resilience Act (DORA), which focuses on raising the cybersecurity posture and resilience of the financial sector in Europe through a series of measures, one of which is the implementation of periodic Threat-Led Penetration Tests (TLPT).
Large banks, insurance companies, investment firms, payment service providers and other crucial financial institutions must be fully aware of what TLPTs are, how they should be performed, and how they can be leveraged to address technical vulnerabilities. Let’s go over the details.
First things first: what is DORA?
The Digital Operational Resilience Act is a European Union (EU) regulation that aims to strengthen the IT security of financial entities and to ensure that the financial sector in Europe is able to stay resilient in the event of a severe operational disruption.
DORA came into force on the 16th of January 2023 and applies from the 17th of January 2025. It covers 20 different types of financial entities and ICT third-party service providers.
What is TLPT?
Threat-Led Penetration Testing is a large-scale Red Team exercise, described by DORA as being specifically designed for the financial sector, that simulates a comprehensive attack on an organisation’s assets, systems and processes, in order to identify and help fix security vulnerabilities. This test ultimately leads to the improvement of the cybersecurity resilience of critical financial entities, whose disruption might cause global systemic failure.
The most relevant information about TLPT is summarised in the table below:

| DORA’s Threat-Led Penetration Testing (TLPT) | |
|---|---|
| Target | Mandatory for global systemically important financial institutions* (*institutions that meet specific criteria defined by DORA). |
| Scope | The entire attack surface: physical, human and digital. It should cover several or all critical or important live production systems of a financial entity. |
| Stakeholders | |
| Stages | |
| Framework | TIBER-EU compatible |
| Timeframe | 6 – 12 months |
| Results | There are four main deliverables. |
| Frequency | At least every 3 years |
What would a cyberattacker do? Alter Solutions’ TLPT techniques
The threat intelligence phase
Our Lead Pentester and Lead Red Teamer, Yann Gascuel, explains how a more advanced Red Teaming exercise like TLPT is carried out, after the objective and scope have been defined with the client in the preparation phase. “The idea is to mimic what an actual attacker would do. We start with the threat intelligence phase, where we try to get as much information as possible, learn which technologies are used by the company and who are the users with the most privileges – anything that can be used for phishing”, he explains.
Newcomers are usually also easy targets, because they’re not fully aware yet of the security protocols. “That’s why we also use LinkedIn as a threat intelligence source, to get information on employees that might be vulnerable targets. Plus, we use some specific tools that look into DNS records, and we also look into evidence of data leaks”, our Lead Pentester adds.
After gathering all this information, our experts prepare a Targeted Threat Intelligence (TTI) report, summarising what was learned on the target and creating threat scenarios for the actual test. “That’s when we ask ourselves what an attacker would try to do. He/she will probably try to balance the risk of being arrested with increasing the chances of succeeding in the attack, so we try to think like that and outline different potential attack scenarios.”
The Red Team test
Depending on what is found during the threat intelligence phase and which attack scenarios are planned, the techniques employed to initiate a TLPT vary a lot. But our Lead Red Teamer provides a few examples: “As an initial intrusion we may use phishing or perform a physical intrusion. When we are inside, the course of action will also depend on what we find. It can involve exploring technical vulnerabilities, combining that with social engineering or even the use of keyloggers [a type of surveillance technology that records everything a user types on a keyboard]”.
Throughout the whole exercise, the client’s Blue Team is completely unaware a TLPT is taking place, which means they are also being tested for their defensive capabilities. According to the TIBER-EU framework, detecting the Red Team is an objective set out for the Blue Team, rather than a failure of the offensive side.
Another important thing to keep in mind regarding the testing phase is that the way Alter Solutions’ Red Team operates is compliant with data protection laws like GDPR. “We use hardened and encrypted laptops, so if someone steals one, they won’t be able to access the data we have on our clients”, our expert assures. “We also use encrypted communication channels for every exchange that might be critical, and after the end of the exercise we delete all the data we have and send the client a document certifying we did it”, he adds.
According to DORA, the testing phase has to last at least 12 weeks; beyond that minimum, its duration depends on the scale, scope and complexity of the TLPT exercise planned for that specific organisation.
The secret(s) to ensure minimal business disruption
That’s the million-dollar question in any Red Team exercise: how does the testing team balance realistic threat simulation with minimal operational disruption? Our Lead Pentester reveals the secret: “It’s a combination of experience and communication. When we’re performing an attack, we have the experience to know which vulnerabilities may be risky to explore and whether they may cause something to crash – we know, for example, when a specific kind of old server doesn’t support an attack. That comes with experience, so when we identify a risk like that we communicate with the client and decide together if we should do it or not”.
In fact, during the TLPT exercise itself, this is the only scenario in which Red Team-client interactions may occur. “There are no or very few interactions with the client during this period. It only happens if we detect risks that may cause some disruption. In that case, we contact the client to keep them in the loop, but otherwise no communication is established.”
The closure phase
Within four weeks of the exercise being completed, we write and deliver to the client the official Red Team test report. “That’s where we describe the attacks that were performed, the successes, the failures, what was detected, and other details. That’s very helpful for the client to know what the weaknesses of the organisation are, and what needs to be addressed”, Gascuel stresses.
The final step of our collaboration in the TLPT process is to perform a replay exercise where the Red and Blue teams work closely to go over the offensive and defensive actions taken during the exercise. “Everyone stands to win: the Blue Team learns what to do in a real attack scenario, and our testers learn how they can be detected in a situation like that, so they can be more difficult to detect in an upcoming exercise.”
What’s next and what’s to gain?
The final step of the TLPT process is, according to DORA, the financial entity’s responsibility. It consists of writing a remediation plan containing, among other things, a description of the identified vulnerabilities, proposed remediation measures and a root cause analysis.
If that plan is correctly implemented, then the benefits for that specific organisation (and for the financial sector as a whole) are clear:
- Cyber resilience is increased: the financial entity is capable of fixing vulnerabilities in its infrastructure, systems and processes before cyberattackers have a chance to take advantage of them.
- Client data is better protected: with fewer weak spots for malicious actors to exploit, financial institutions’ customer data is better shielded and, consequently, clients’ trust levels increase.
- Compliance with DORA is assured: performing periodic TLPTs is a crucial step towards not only protecting the global financial ecosystem, but also avoiding regulatory penalties and fines, as well as the financial and reputational damage that may come from a harmful cyberattack.
- Security teams keep developing skills: especially during the Purple teaming exercise, the Blue Team has a chance to go over each detail of the TLPT exercise and learn how to stop the Red Team or potential real attackers.
Conclusion
DORA’s Threat-Led Penetration Testing is a step forward in the way financial institutions approach cybersecurity assessment. It is also the closest we have ever been to ensuring the highest levels of protection in the banking and financial sectors, especially across Europe.
This large-scale Red Team exercise requires meticulous planning, coordination between multiple stakeholders, and collaboration with experienced cybersecurity partners that can help every step of the way. Our pentesters and red teamers contribute not only their experience in working with multiple financial institutions over the years, but also the way they interact with the client, establish clear communication channels and manage risks.
The benefits of performing TLPTs are crystal clear: they must be looked at not only as a compliance exercise, but also as an opportunity to strengthen financial entities’ cyber resilience, improve vulnerability management, detection and response capabilities, ultimately contributing to a more secure and stable financial ecosystem.