TLPT in the Financial Sector Under DORA: Assessing the Current Status of TIBER

DORA

This blog post addresses the need to integrate Threat-Led Penetration Testing (TLPT) into the ICT risk management framework and Digital Operational Resilience strategy as outlined in the Digital Operational Resilience Act (DORA).

Financial Background

As part of the Digital Operational Resilience Testing Framework, the DORA provides for two primary forms of security testing:

  • Security testing of all ICT systems and applications that support critical or important functions.
  • Advanced testing of ICT tools, systems and processes based on threat-led penetration testing (TLPT).

The core requirements for TLPT are set out in Articles 26 and 27 of the DORA. The more detailed provisions are regulated in a separate regulatory technical standard (RTS). The basic principles have already been worked out and can be read in the ESAs' final report: Final Report on draft RTS specifying elements related to TLPT. In the next step, the RTS will be published in the Official Journal of the EU.

In the following analysis, we examine the key aspects of the second component: threat-led penetration testing.

What is the TLPT and how does it differ from TIBER?

The TLPT is designed to enable financial institutions to realistically assess their ability to defend against and respond to cyberattacks, thereby ensuring the resilience and security of critical financial systems.

TLPT is a test method introduced with DORA. It is essentially based on the TIBER-EU framework.

TIBER-EU is a framework adopted by the European Central Bank. TIBER can be used by companies in all critical sectors, not just the financial sector. Many EU member states have adopted their own national implementations of the framework.

The TIBER framework is not a legal act, but a standard for voluntary participation.

And this is also the biggest difference between TIBER and TLPT.

TLPT is regulated in a legal act, so it also has a completely different legislative basis. And it will be mandatory for certain financial companies. Those that have to carry out TLPT will be informed of this by their supervisory authorities.

In terms of content, there are also minor differences between TIBER-EU and TLPT, for example in the organisational structure of the TLPT participants: DORA introduces a new role called the TLPT authority. In addition, the Purple Team test will be a mandatory part of the project.

The good news is that TIBER-DE and TIBER-AT already have stricter requirements than TIBER-EU and contain only minimal differences compared to TLPT. This means that TIBER service providers can continue to provide almost identical support.

It can be expected that the national TIBER frameworks will be adapted to TLPT. TLPT is regulated in DORA, and DORA, in turn, is an EU regulation: it is binding in all its parts and applies directly in every member state. This means that the national frameworks are no longer needed, as DORA applies to all EU member states, including those that have not yet implemented their own TIBER framework.

What is different with a TLPT test instead of a regular pentest?

TLPT differs from conventional penetration tests by incorporating threat data and coordinating with the authorities on relevant attack scenarios. This creates dynamic threat scenarios that are more flexible and realistic than the fixed approaches of conventional tests.

TLPT is based on scenario-based attacks that are orientated towards current threat actors. This ensures that the tests reflect realistic threat scenarios and uncover relevant vulnerabilities.

In addition, the tests are risk-based and concentrate on critical systems and their vulnerabilities. This enables targeted identification of security weaknesses in the areas that are most important to the company, minimising the risk of major attacks.

The scope of TLPT

The scope of TLPT includes several or all systems and applications that support critical functions and services. These tests are performed on running systems, with the exact scope being determined by the financial institutions and validated by the competent authorities.

To prepare for these tests, financial institutions must identify all relevant ICT processes, systems and technologies that support their critical functions and services, including those managed by external ICT service providers. If third-party providers are involved, the financial institution must ensure their participation in the testing process.

Upon completion of the tests, both the financial institution and the external auditors must submit documentation to the competent authority confirming that the tests were carried out in accordance with the required standards. The competent authorities will review the documentation and issue a certificate.

TLPT participants and their tasks

The most important participants in the TLPT are:

  • The TLPT Cyber Team (TCT) consists of TLPT Authority staff responsible for overseeing all operational aspects of TLPT-related activities. This team may also include functions such as test managers.
  • The threat intelligence provider mimics the activities of a hacker to gather information by using multiple trusted sources.
  • The control team, also known as the ‘white team’, manages the TLPT from the perspective of the financial institution conducting the exercise. Its responsibilities range from sourcing external vendors and conducting risk assessments to overseeing day-to-day test operations and risk management. The head of the control team must have the necessary authority within the financial institution to oversee all aspects of the test without compromising its confidentiality.
  • The Blue Team consists of employees who are tasked with defending the financial entity against simulated or actual cyber threats without knowing that they are being tested.
  • During the active Red Team testing phase, the testers (Red Team) utilise a range of tactics, techniques, and procedures (TTPs) to rigorously test the financial institution's live production systems.

Sources: BaFin and Final Report on Regulatory Technical Standards specifying elements related to TLPT

Test methodology and co-operation with authorities

As far as the TLPT cyber team (TCT) is concerned, the DORA leaves it up to the Member States to designate the competent authorities and their tasks. Therefore, the implementation of the TLPT may vary from one Member State to another.

In Germany, for example, the tasks have been divided between the Deutsche Bundesbank (the national central bank) and BaFin (the Federal Financial Supervisory Authority). BaFin is the competent supervisory authority and is responsible for the supervisory tasks in connection with the TLPT. Operational support for the TLPT is the responsibility of the Deutsche Bundesbank.

How SEC Consult Can Support Your Business

Since the launch of the TIBER framework, SEC Consult has successfully guided numerous clients through the process of conducting these critical tests. Leveraging our extensive experience and expertise, we confidently assist in designing tailored test plans and executing threat-based penetration tests in full alignment with DORA standards. By partnering with us, you'll not only meet DORA compliance requirements but also enhance your ICT infrastructure's resilience against cyber threats.