DORA and Threat-Led Penetration Testing (TLPT)
"Threat-led penetration tests (TLPT – Threat-Led Penetration Testing)" describes a framework that replicates the tactics, techniques, and procedures of real attackers, perceived as genuine cyber threats, and enables a controlled, customized, knowledge-based (Red Team) test of the critical live production systems of the financial company." DORA, Art. 3 (17), translated.
Traditional penetration tests, while effective at uncovering vulnerabilities, typically focus on narrow scopes and are confined to IT assets, often overlooking the broader business implications of a security breach.
Our Threat-Led Penetration Testing (TLPT) goes beyond these confines, providing a comprehensive view that includes potential impacts on business processes and involving a wider range of stakeholders. This approach ensures a holistic assessment of your organization's resilience, not just a snapshot of technical vulnerabilities.
What does that entail?
Consider TLPT as an extensive Red Teaming Engagement designed to thoroughly evaluate an organization. This process is methodically broken down into manageable phases, starting with Threat Intelligence to pinpoint relevant attack vectors. These insights then guide the development of varied Red Team Attack scenarios, each tailored to test different aspects of the organization's defenses:
​
-
Physical Attack Surface: Assessing the security of physical boundaries, including the potential for unauthorized access through public areas.
-
Human Attack Surface: Evaluating susceptibility to social engineering tactics, notably through various forms of phishing.
-
Digital Attack Surface: Analyzing and probing the organization's digital presence and cybersecurity measures.
​
The Red Team's mission is to reach predefined objectives using any necessary means within a live operational environment, ensuring a realistic and comprehensive assessment of the organization's defensive posture.
How long does a TLPT take?
Regulatory bodies typically outline a comprehensive timeline for Threat-Led Penetration Testing (TLPT) engagements, spanning 6 to 12 months.
This duration encompasses regulatory involvement, from initial approval to concluding activities, and includes stipulated deadlines for interactions and report exchanges between the Red and Blue teams. Importantly, the active phase of Red Teaming is mandated to extend no fewer than 12 weeks, ensuring a thorough and meaningful assessment process.
How often do you need to carry out a TLPT?
A TLPT is due every 3 years.
How do I chose a service provider?
Selecting a provider for Threat-Led Penetration Testing, especially within live production environments, demands careful consideration.
Article 27 of the Digital Operational Resilience Act (DORA) sets forth specific requirements for providers qualified to conduct such tests.
Exploit Labs proudly meets the criteria outlined in the TIBER-EU Procurement Guidelines, making it a suitable choice for DORA-compliant penetration testing.
The TIBER framework, serving as a reference for DORA, provides a reliable benchmark for evaluating a provider's capability and compliance, ensuring that Exploit Labs is well-equipped to meet your cybersecurity assessment needs.
Are you only available as a Red Team Provider?
Exploit Labs is equipped to meet both Red Teaming and Threat Intelligence roles within the framework of DORA, showcasing a versatile capability in cybersecurity assessments.
Additionally, our team has the expertise to support the White Team or Control Team, ensuring comprehensive coverage of your security posture. However, it's our policy to avoid dual roles in a single engagement, meaning we either serve as your Red Team or assist the White Team, but not both simultaneously, to maintain clear boundaries and objectivity in our assessments.
Who has to perform a TLPT?
Applicability of Dora is not easily answered due to exceptions, however generically speaking DORA applies to:
​
-
Credit institutions
-
Payment institutions
-
Account information service providers
-
Electronic money institutions
-
Central securities depositories
-
Central counterparties
-
Investment firms
-
Cryptoasset service providers*
-
Trading venues
-
Trade repositories
-
AIFMs
-
Management companies
-
Data reporting service providers
-
Insurance and reinsurance undertakings
-
Institutions for occupationnel retirement provision
-
Credit rating agencies
-
Administrators of critical benchmarks
-
Crowdfunding service providers
-
Securitisation repositories
Do we have to execute a TLPT?
If DORA is applicable for your entity, running a TLPT become mandatory by January 2025.
How is the regulator involved?
Regulators play a pivotal role in the Threat-Led Penetration Testing (TLPT) process, appointing two members to the TCT (TIBER Cyber Team) who are responsible for overseeing the entire operation.
This oversight includes defining the scope of the test, selecting the service provider, and guiding both the execution and the remediation phases. The regulatory authority has the power to intervene at various stages, making adjustments or even pausing the activities if necessary to ensure the objectives are met effectively and securely.
Get Ahead of 2025: Engage in a Streamlined Red Team Exercise
Many organizations are proactively conducting Red Team Exercises or Threat-Led Penetration Tests outside regulatory frameworks to gear up for the official requirements. These preparatory engagements offer significant benefits:
​
-
Flexibility in Timing: Conduct the exercise according to your own schedule, allowing for thorough preparation and response planning.
-
Supportive Environment: Perform tests in a non-adversarial setting to foster learning and improvement without the pressure of regulatory scrutiny.
-
Reduced Complexity: Enjoy the core benefits of red teaming with less procedural and bureaucratic overhead.
-
Efficiency: Complete the engagement within a shorter period, making it a practical choice for fast-paced operational environments.
-
Valuable Insights: Acquire crucial experience, such as identifying your critical functions, which will be invaluable for the official engagement.
​
Considering a preparatory Red Team Exercise? Reach out to us to discuss how we can tailor an exercise to suit your readiness goals and help you smoothly transition to meet DORA's 2025 requirements.