The Role of Threat-Led Penetration Testing in DORA

DORA and Threat-Led Penetration Testing.

Here’s what sets TLPT apart:

  • Tailored Threat Intelligence: TLPT isn’t a generic test. It’s based on bespoke threat intelligence specific to the financial entity being tested. This intelligence shapes the simulated attack, mimicking how real adversaries would behave.
  • Live Environment Testing: TLPT is conducted on live production systems, the same systems that are in daily use. This ensures that the test is as realistic as possible, though it also introduces additional risks that must be carefully managed.
  • Regulatory Oversight: Financial entities subject to TLPT are often those deemed systemically important—those whose disruption could significantly impact the financial system. These entities are selected by regulatory bodies based on their risk profile, ICT maturity, and critical role in the financial ecosystem.

Key Phases of TLPT Under DORA.

  1. Preparation Phase: This involves setting the scope of the test, selecting the red team (the offensive testers), and choosing threat intelligence providers. The institution works closely with the TLPT authority to ensure everything is in place before testing begins.
  2. Threat Intelligence Gathering: The threat intelligence provider gathers detailed intelligence on potential adversaries, the systems in use, and the most likely attack vectors. They then use this intelligence to shape the test, ensuring it reflects real-world risks.
  3. Red Teaming (Attack Simulation): The red team, made up of highly skilled penetration testers, executes the simulated attacks. Over a period of at least 12 weeks, the team uses sophisticated techniques to breach the institution’s defences. The goal is to replicate the actions of real attackers, staying under the radar and avoiding detection for as long as possible.
  4. Closure and Remediation: Once the simulation is complete, the red team compiles a report detailing the vulnerabilities they identified and how they exploited them. The financial entity then addresses these weaknesses and may conduct further testing to ensure all gaps are fully closed.

DORA requires financial institutions to conduct Threat-Led Penetration Testing (TLPT) at least once every three years, with more frequent testing necessary for high-risk organisations. To ensure impartiality and provide fresh perspectives on the institution’s defences, an independent, external red team must conduct every third test.

Red Teaming: A Closer Look.

Red teaming is a key element of TLPT, and it goes beyond the traditional “penetration testing” concept. While traditional penetration testing typically involves finding and reporting on vulnerabilities, red teaming is about mimicking real-world adversaries and pushing a system to its limits to see how well it can withstand a coordinated, stealthy attack.

Red teams use the same tactics, techniques and procedures (TTPs) that sophisticated cybercriminals would employ. This could include anything from exploiting zero-day vulnerabilities to using social engineering tactics.

Unlike conventional tests, which focus on identifying technical vulnerabilities, red teaming simulates a full-scale attack, testing not just technical defences but also organisational responses. This means red teams will look for weak points in processes, employee behaviour, and even physical security.

The goal of red teaming is to identify not just technical vulnerabilities but also weaknesses in an organisation’s people and processes—often the weak links in cyber security.

The Red Teaming Process Flow diagram shows each phase of the red teaming process, with arrows indicating the flow from one stage to the next, from planning and reconnaissance through to reporting and analysis.

Purple Teaming: Collaboration for Stronger Defences.

While red teaming focuses on adversarial simulation, DORA also encourages purple teaming, a more collaborative approach to cyber security testing.

Purple teaming brings together both the red team (attackers) and the blue team (defenders, usually the institution’s internal security team) to work together. The idea is simple: by sharing knowledge and collaborating throughout the test, both teams can learn from each other and improve the organisation’s overall defences.

During purple teaming exercises, the blue team (defenders) observes the red team’s attack in real time. They witness the tools, techniques, and strategies used and respond as they would in an actual cyberattack scenario.

The red team provides feedback to the blue team during the process, explaining how they managed to bypass defences and how the blue team could improve detection and response times.

This collaboration is essential because it transforms a testing exercise into a continuous improvement process. Rather than merely identifying weaknesses, purple teaming facilitates immediate learning and strengthens defences in real time. This method aligns with DORA’s goal of fostering resilience, not just identifying gaps.

The Purple Teaming Process Flow diagram shows the collaborative stages between the red and blue teams, with feedback loops highlighting the interaction and learning that takes place throughout the process. It covers six key phases, from preparation and attack simulation to defence improvements and knowledge sharing.

Proportionality and Frequency of Testing.

One of DORA’s key features is its emphasis on proportionality, meaning the frequency and intensity of testing should match the risk profile of each institution. For institutions that play a crucial role in the financial system, TLPT may need to occur more often than every three years. Furthermore, DORA mandates that every third test be conducted by external testers, ensuring impartial evaluations and fresh insights.

Another key aspect of DORA is pooled testing. Financial entities that share third-party ICT service providers can undergo TLPT together, ensuring these critical providers are thoroughly tested. This approach is particularly valuable in today’s interconnected financial ecosystem, where many institutions depend on the same cloud service providers or IT infrastructure. By testing shared services collectively, institutions can effectively address shared risks without duplicating efforts.

Managing Risk in Threat-Led Penetration Testing.

Running penetration tests on live systems inherently carries risks. If not carefully managed, these tests can disrupt business operations or cause downtime. DORA recognises these risks and requires stringent risk management protocols throughout the testing process.

  • Pre-Test Risk Assessments: Institutions must assess potential risks before starting the test, identifying critical systems and ensuring that safeguards are in place.
  • Kill Switches: These are built-in mechanisms that allow the institution to stop the test immediately if there’s any risk of serious disruption.
  • Post-Test Analysis: After the test, institutions must analyse the results, implement any necessary fixes, and evaluate whether re-testing is required to ensure all vulnerabilities have been fully addressed. This process is crucial for verifying that the systems are secure and resilient to future threats.

Building Resilience for the Future with Threat-Led Penetration Testing.

DORA represents a new standard for cyber security in the financial sector, particularly through its focus on Threat-Led Penetration Testing. By mandating TLPT for systemically important financial institutions, DORA ensures that these entities are not just checking boxes but building real, tested defences against cyberattacks.

Red teaming and purple teaming exercises give financial institutions the tools and insights they need to stay ahead of cyber threats, ensuring that they can respond swiftly and effectively in the face of real-world attacks.