What is DORA TLPT and how can BreachLock help?

Introduction

Faced with increasing risks posed by information systems and IT infrastructure, both internal and external, European regulators have adopted rules and recommendations to identify and remediate potential vulnerabilities. Through the Digital Operational Resilience Act (DORA), two distinct types of testing are mandated for financial entities to strengthen their cyber resilience. The testing mandates introduced by DORA are as follows:

  • Digital Operational Resilience Testing: mandatory for all entities regulated by DORA, to be carried out at least once a year on ICT systems and applications supporting critical or important functions.
  • Threat-Led Penetration Testing (TLPT): mandatory for the financial entities designated by the competent authority in each Member State on the basis of their systemic importance, with a TLPT carried out at least every three years.

DORA sets minimum requirements, but regulated entities in the financial sector should, wherever possible, implement continuous penetration testing to establish benchmarks and goals using proven methodologies, so that progress and security improvement can be measured. Article 25 of DORA lists the tests that fall within the digital operational resilience testing programme, including penetration testing.

This blog explores DORA pen testing, or threat-led penetration testing: why it is important, the challenges associated with it, and how working with a trusted offensive security partner helps in conducting thorough and effective DORA-compliant penetration tests and vulnerability assessments.

What is DORA?

DORA, proposed by the European Commission in September 2020 and adopted as Regulation (EU) 2022/2554 on 14 December 2022, is a landmark EU regulation that establishes a unified framework and set of requirements for the security of the network and information systems of companies and organisations operating in the financial sector. It applies to financial entities such as credit institutions, investment firms and payment institutions, as well as to critical ICT third-party service providers.

The core objective of DORA is to ensure that organisations can withstand, respond to and recover from any ICT-related operational disruption, whether caused by a cyberattack, a natural disaster, an IT outage or another unforeseen event.

What is a Threat-Led Penetration Testing (TLPT)?

DORA pen testing, or Threat-Led Penetration Testing (TLPT), is defined as an enhanced security test reserved for financial entities whose failure under a targeted cyber-attack would have systemic effects. The threat actors emulated include those whose goal is to maximise profit or to destabilise part of the financial system.

DORA emphasises TLPT as a key tool for assessing operational resilience. A TLPT focuses on identifying and exploiting the vulnerabilities that real-world attackers are most likely to target.

It is important to distinguish the two test types: digital operational resilience tests are intended to raise the security level of regulated entities, whereas a TLPT, run within the approved TLPT framework, verifies that the entity's controls hold up against the tactics of a realistic adversary and that the mitigation of the vulnerabilities it uncovers is effective.

“Threat-led penetration testing (TLPT) means a framework that mimics the tactics, techniques and procedures of real-life threat actors perceived as posing a genuine cyber threat, that delivers a controlled, bespoke, intelligence-led (red team) test of the financial entity’s critical live production systems.”

– DORA Article 3(17)

DORA pen testing, or TLPT, is therefore a large-scale Red Team exercise and not simply a penetration test. The test must emulate the full set of techniques of a real attack and exercise the attack surface of the regulated institution's critical or important functions.

Key Aspects of DORA TLPT:

  • Risk-Based Approach: DORA mandates a risk-based approach, aligning testing priorities with several or all critical or important functions and the threats most relevant to them. Testing must be performed on live production systems.
  • Focus on Critical Functions: DORA pen testing should assess the security of the “critical or important functions” as defined by DORA, that is, the services essential to your operations.
  • External Testing: while internal testers are permitted under the conditions DORA sets, DORA pen testing emphasises external penetration testing by qualified third parties such as BreachLock for a more objective assessment.
  • Reporting: the financial entity must submit to its competent authority a summary of the relevant findings, the remediation plans and documentation demonstrating that the test was run in compliance with the regulatory requirements. The authority then issues an attestation confirming that the TLPT was performed in accordance with DORA.

Benefits of DORA TLPT for Your Financial Institution

  • Improved Security Posture: By identifying and remediating vulnerabilities TLPT helps to improve your overall security posture and mitigate cyber risks.
  • Enhanced Operational Resilience: By addressing critical security risks TLPT contributes to a more resilient financial system that can withstand disruptions.
  • Compliance with DORA: Conducting DORA-compliant TLPT demonstrates regulatory compliance and can help avoid potential sanctions.

The Challenges of TLPT

The most significant challenge of security testing is scale. DORA's requirements raise major questions for larger enterprises, in particular how to conduct so many tests on hundreds, if not thousands, of assets and perimeters across multiple entities, repeatedly or continuously throughout the year.

Scaling security testing should be simple, but streamlining tests, automating processes and centralising results can be taxing on resources and budget. There are, however, ways to scale efficiently and effectively using a combination of solutions.

Automated Testing

Automated, on-demand or continuous security testing is encouraged by DORA's testing programme and makes scaling easier, using tools such as continuous penetration testing, vulnerability scanning, and DAST (Dynamic Application Security Testing) or SAST (Static Application Security Testing).

Challenges with automation include:

  • Budget Negotiation: securing a budget and resources sufficient for multiple types of testing. Using a cyber security provider that specialises in offensive security solutions such as penetration testing and red teaming is often the optimal and most cost-effective option.
  • Understanding Your Attack Surface: a thorough review of the organisation's attack surface and all exposed assets is necessary and can often be conducted through attack surface management (ASM). This illuminates vulnerable assets and their associated weaknesses or critical entry points.
  • Integration and Calibration: this requires in-depth knowledge not only of the organisation's attack surface but also the technical skills, expertise and understanding of the compliance requirements. Again, a cyber security provider with in-house certified experts should be consulted.

How Can BreachLock Help You with DORA TLPT?

At BreachLock we are global industry leaders in penetration testing services, both human-delivered and continuous, including DORA pen testing, Red Teaming and Purple Teaming. We understand the requirements of DORA and maintain in-house certified pentesters and expertise to help organisations, whether small or large, with the ability to scale up or down to meet your security testing needs. This includes:

  • Collaborative Scoping & Risk Assessment: We’ll work closely with your team to understand your critical functions and risk profile. This collaborative approach ensures a well-defined scope aligned with DORA pen testing requirements.
  • Client-Led System Architecture & Data Flow Walk-through: We guide your team through a walk-through of your systems supporting critical functions focusing on system architecture and data flow. This information is crucial for us to develop an accurate threat model in the next phase.
  • Threat Modeling & Prioritization: Based on the walk-through and our expertise in threat intelligence we’ll develop a comprehensive threat model. This model prioritizes potential threats based on their likelihood and impact on your critical functions.
  • Expert Penetration Testing & Exploitation: Our experienced penetration testers will leverage the threat model and their expertise to conduct a comprehensive penetration testing engagement exploiting vulnerabilities that pose the most significant risk.
  • DORA-Compliant Reporting & Remediation Tracking: We’ll provide detailed reports that document the findings of the TLPT in a clear and concise manner aligned with DORA requirements. These reports will aid in remediation efforts and we can also help track progress.

Conclusion

DORA TLPT is a critical aspect of ensuring operational resilience within the financial sector. By partnering with BreachLock you can leverage our expertise and proven methodology to conduct DORA pen testing and assessments that meet the regulatory requirements while improving your security posture.

About BreachLock

BreachLock is a global leader in Continuous Attack Surface Discovery and Penetration Testing. Continuously discover prioritize and mitigate exposures with evidence-backed Attack Surface Management Penetration Testing and Red Teaming.

Elevate your defense strategy with an attacker’s view that goes beyond common vulnerabilities and exposures. Each risk we uncover is backed by validated evidence. We test your entire attack surface and help you mitigate your next cyber breach before it occurs.

Know your risk. Contact BreachLock today!

References:

  • European Union. (2022). Regulation (EU) 2022/2554 of the European Parliament and of the Council of 14 December 2022 on digital operational resilience for the financial sector and amending Regulation (EU) No 1093/2010, Regulation (EU) No 1094/2010 and Regulation (EU) No 1095/2010. Official Journal of the European Union.
  • European Supervisory Authorities (ESAs). (2023, November). Draft regulatory technical standards (RTS) on threat-led penetration testing.
  • European Parliament & Council. (2022). Regulation (EU) 2022/2554 of the European Parliament and of the Council of 14 December 2022 on digital operational resilience for the financial sector (DORA). Official Journal of the European Union: https://ec.europa.eu/finance/docs/level-2-measures/dora-regulation-rts–2024-1532_en.pdf
