What is Threat Led Penetration Testing and why does DORA require it?
The new DORA regulation requires financial companies to test their security regularly, for instance with Threat Led Penetration Testing. What is TLPT and how does it work?
Why does DORA require pentesting?
The name of the Digital Operational Resilience Act actually shows why DORA requires pentesting, says Michael Schouwenaar, cybersecurity specialist at Secura: 'The ultimate goal of DORA is to raise the digital resilience of the financial sector in the EU. One of the ways to do that is through testing.'
Articles 24 and 25 of the DORA text specify a few different requirements when it comes to pentesting. 'The Act requires financial institutions to do yearly pentesting. This is something large banks are already required to do, of course. DORA also requires Threat Led Penetration Testing once every three years', says Schouwenaar. Competent authorities designated by each Member State oversee these requirements.
What is TLPT exactly?
'Threat Led Penetration Testing, or TLPT, means testing from a realistic perspective', says Schouwenaar, who has extensive experience in pentesting and Red Teaming. 'The goal of TLPT is to test how current threats can impact critical business functions. You use up-to-date and relevant threat intelligence as a basis for these tests. For example: a new form of phishing might be gaining traction. You then define a scenario integrating that threat, in consultation with the competent authority, and test if a company is resilient against this threat. As few people as possible should know about the test in advance.'
The main difference between Threat Led Penetration Testing and normal pentesting is the scope: TLPT covers the entire organization, pentesting generally covers a part.
What is the difference between TLPT and the TIBER framework?
The DORA regulation was largely modeled after the existing TIBER framework, explains Schouwenaar. However, there are a few differences.
- The regulators are defined more specifically in TIBER than in DORA. DORA gives Member States more freedom in this regard.
- Internal testing is not allowed under TIBER, but is allowed under DORA, with a few conditions. Internal testers may perform at most two out of every three TLPTs; the third must be performed by an external party. In all cases, the threat intelligence used for an internal TLPT also has to be provided by an external party.
- Purple Teaming is strongly recommended by TIBER-EU, but is not compulsory. Under DORA purple teaming is compulsory. This means that working together with and training the Blue Team, a company's defenders, is integrated into the DORA regulation. This is usually done at the end of the exercise.
In the long run TIBER and DORA will be completely aligned.
How is Threat Led Penetration Testing different from normal pentesting?
The main difference between TLPT and normal pentesting is the scope, says Schouwenaar: 'With TLPT the scope is the complete organization. With normal pentesting the scope is generally a system or part of an environment. Normal pentesting focuses on technical aspects; TLPT also takes procedures and people into account. Another difference is that with normal pentesting stakeholders are aware of the test. With TLPT most stakeholders are not.'
The bigger scope means that Threat Led Penetration Testing is more complex, especially if there are many third parties involved. It also takes longer than normal pentesting, says Schouwenaar: 'The execution of TLPT can take as long as three to four months, spread out over a longer period of time.'
DORA's definition of TLPT
Article 26.1 of DORA: 'Financial entities [...] shall carry out at least every 3 years advanced testing by means of TLPT. Based on the risk profile of the financial entity and taking into account operational circumstances, the competent authority may, where necessary, request the financial entity to reduce or increase this frequency.'
Do I have to hire a third party for TLPT or can I do it myself?
DORA allows internal testers to conduct Threat Led Penetration Testing of an organization. However, there are a few conditions.
- One in every three TLPTs must be conducted by an external party. With a TLPT every three years, this means in practice that you need to hire an independent testing party roughly once every nine to ten years.
- Any threat intelligence you use for TLPT must be provided by an outside, independent party.
How does Secura conduct TLPT?
TLPT is very similar to Red Teaming, Schouwenaar emphasizes, and that is something Secura has extensive experience in: 'In 2023 we performed around 30 Red Teaming projects, for all kinds of organizations, including financial companies.'
Secura is a leading cybersecurity expert. Our customers range from government and healthcare to finance and industry worldwide. Secura offers technical services, such as vulnerability assessments, penetration testing and red teaming. We also provide certification for IoT and industrial environments, as well as audits, forensic services and awareness training. Our goal is to raise your cyber resilience.
Secura is a Bureau Veritas company. Bureau Veritas (BV) is a publicly listed company specialized in testing, inspection and certification. BV was founded in 1828, has over 80,000 employees and is active in 140 countries. Secura is the cornerstone of the cybersecurity strategy of Bureau Veritas.