The financial sector has become a prime target for cyber threats. As digital transformation accelerates, financial entities have become increasingly reliant on Information and Communication Technologies (ICT) for their operations.
However, this reliance also exposes them to significant risks, including data breaches, ransomware attacks, and operational disruptions. The Digital Operational Resilience Act (DORA) aims to ensure that financial entities not only manage these risks effectively but also maintain the ability to recover swiftly from any disruptions.
We have previously explored DORA’s essential components. One of the most crucial mandates is the requirement for Threat-Led Penetration Testing (TLPT), a specialised form of penetration testing designed to simulate realistic cyberattacks. This mandate is specifically detailed in Articles 26 and 27 of the DORA regulation, which outline advanced digital operational resilience testing procedures.
But what sets TLPT apart, and how does it go beyond conventional pen testing to meet DORA’s high standards?
DORA and Threat-Led Penetration Testing.
Under DORA, penetration testing takes a highly advanced form known as Threat-Led Penetration Testing. This is a far more rigorous test than traditional penetration testing because it’s driven by real-world intelligence. The tests simulate attacks based on the actual tactics, techniques, and procedures (TTPs) used by cybercriminals, giving financial institutions a much clearer picture of how they would fare against the latest threats.
Here’s what sets TLPT apart:
- Tailored Threat Intelligence: TLPT isn’t a generic test. It’s based on bespoke threat intelligence specific to the financial entity being tested. This intelligence shapes the simulated attack, mimicking how real adversaries would behave.
- Live Environment Testing: TLPT is conducted on live production systems, the same systems that are in daily use. This ensures that the test is as realistic as possible, though it also introduces additional risks that must be carefully managed.
- Regulatory Oversight: Financial entities subject to TLPT are often those deemed systemically important—those whose disruption could significantly impact the financial system. These entities are selected by regulatory bodies based on their risk profile, ICT maturity, and critical role in the financial ecosystem.
Key Phases of TLPT Under DORA.
TLPT follows a structured process similar to the well-known TIBER-EU framework. The TIBER-EU framework is an initiative by the European Central Bank aimed at strengthening the cyber resilience of financial institutions by simulating sophisticated cyberattacks through threat-led penetration testing. It offers a structured approach to testing an organisation’s defences, using real-world threat intelligence to replicate the tactics, techniques, and procedures of actual attackers.
Below are the key phases of TLPT:
- Preparation Phase: This involves setting the scope of the test, selecting the red team (the offensive testers), and choosing threat intelligence providers. The institution works closely with the TLPT authority to ensure everything is in place before testing begins.
- Threat Intelligence Gathering: The threat intelligence provider gathers detailed intelligence on potential adversaries, the systems in use, and the most likely attack vectors. They then use this intelligence to shape the test, ensuring it reflects real-world risks.
- Red Teaming (Attack Simulation): The red team, made up of highly skilled penetration testers, executes the simulated attacks. Over a period of at least 12 weeks, the team uses sophisticated techniques to breach the institution’s defences. The goal is to replicate the actions of real attackers, staying under the radar and avoiding detection for as long as possible.
- Closure and Remediation: Once the simulation is complete, the red team compiles a report detailing the vulnerabilities they identified and how they exploited them. The financial entity then addresses these weaknesses and may conduct further testing to ensure all gaps are fully closed.
DORA requires financial institutions to conduct Threat-Led Penetration Testing (TLPT) at least once every three years, with more frequent testing necessary for high-risk organisations. To ensure impartiality and provide fresh perspectives on the institution’s defences, an independent, external red team must conduct every third test.
Red Teaming: A Closer Look.
Red teaming is a key element of TLPT, and it goes beyond the traditional “penetration testing” concept. While traditional penetration testing typically involves finding and reporting on vulnerabilities, red teaming is about mimicking real-world adversaries and pushing a system to its limits to see how well it can withstand a coordinated, stealthy attack.
Red teams use the same TTPs that sophisticated cybercriminals would employ. This could include anything from exploiting zero-day vulnerabilities to using social engineering tactics.
Unlike conventional tests, which focus on identifying technical vulnerabilities, red teaming simulates a full-scale attack, testing not just technical defences but also organisational responses. This means red teams will look for weak points in processes, employee behaviour, and even physical security.
The goal of red teaming is to identify not just technical vulnerabilities but also weaknesses in an organisation’s people and processes—often the weak links in cyber security.
Purple Teaming: Collaboration for Stronger Defences.
While red teaming focuses on adversarial simulation, DORA also encourages purple teaming, a more collaborative approach to cyber security testing.
Purple teaming brings together both the red team (attackers) and the blue team (defenders, usually the institution’s internal security team) to work together. The idea is simple: by sharing knowledge and collaborating throughout the test, both teams can learn from each other and improve the organisation’s overall defences.
During purple teaming exercises, the blue team observes the red team’s attack in real time. They witness the tools, techniques, and strategies used and respond as they would in an actual cyberattack scenario.
The red team provides feedback to the blue team during the process, explaining how they managed to bypass defences and how the blue team could improve detection and response times.
This collaboration is essential because it transforms a testing exercise into a continuous improvement process. Rather than merely identifying weaknesses, purple teaming facilitates immediate learning and strengthens defences in real time. This method aligns seamlessly with DORA’s goal of fostering resilience, not just identifying gaps.
Proportionality and Frequency of Testing.
One of DORA’s key features is its emphasis on proportionality, meaning the frequency and intensity of testing should match the risk profile of each institution. For institutions that play a crucial role in the financial system, TLPT may need to occur more often than every three years. Furthermore, DORA mandates that every third test be conducted by external testers, ensuring impartial evaluations and fresh insights.
Another key aspect of DORA is pooled testing. Financial entities that share third-party ICT service providers can undergo TLPT together, ensuring these critical providers are thoroughly tested. This approach is particularly valuable in today’s interconnected financial ecosystem, where many institutions depend on the same cloud service providers or IT infrastructure. By testing shared services collectively, institutions can effectively address shared risks without duplicating efforts.
Managing Risk in Threat-Led Penetration Testing.
Running penetration tests on live systems inherently carries risks. If not carefully managed, these tests can disrupt business operations or cause downtime. DORA recognises these risks and requires stringent risk management protocols throughout the testing process.
- Pre-Test Risk Assessments: Institutions must assess potential risks before starting the test, identifying critical systems and ensuring that safeguards are in place.
- Kill Switches: These are built-in mechanisms that allow the institution to stop the test immediately if there’s any risk of serious disruption.
- Post-Test Analysis: After the test, institutions must analyse the results, implement any necessary fixes, and evaluate whether re-testing is required to ensure all vulnerabilities have been fully addressed. This process is crucial for verifying that the systems are secure and resilient to future threats.
Building Resilience for the Future with Threat-Led Penetration Testing.
DORA represents a new standard for cyber security in the financial sector, particularly through its focus on Threat-Led Penetration Testing. By mandating TLPT for systemically important financial institutions, DORA ensures that these entities are not just checking boxes but building real, tested defences against cyberattacks.
Red teaming and purple teaming exercises give financial institutions the tools and insights they need to stay ahead of cyber threats, ensuring that they can respond swiftly and effectively in the face of real-world attacks.
Ultimately, DORA is about more than just regulatory compliance: it focuses on creating a more resilient and secure financial system. As institutions adopt these testing frameworks, they must view them not merely as obligations, but as opportunities to strengthen trust, foster transparency, and prepare for a future where cyber threats are met with confidence rather than fear. By embracing these measures, financial entities can enhance their defences and build long-term resilience against evolving cyber risks.