One of the most demanding requirements of DORA (the EU Digital Operational Resilience Act, Regulation (EU) 2022/2554) is mandatory Threat-Led Penetration Testing (TLPT) for financial entities that their supervisors single out. This advanced form of testing simulates real-world attack scenarios against live production systems to evaluate operational resilience, not just the presence of vulnerabilities.
What is TLPT?
TLPT goes beyond traditional penetration testing by:
- Simulating tactics, techniques, and procedures (TTPs) of real threat actors
- Testing across the entire kill chain
- Evaluating detection and response capabilities
- Assessing impact on critical business functions
Who Must Conduct TLPT?
TLPT is mandatory for financial entities that their competent authority identifies for it, based on:
- Impact-related factors (the systemic importance of the services the entity provides)
- Financial-stability concerns
- The entity's ICT risk profile and ICT maturity
Each TLPT must cover the entity's critical or important functions and be performed on the live production systems that support them; where those functions are outsourced, the ICT third-party providers involved fall within scope and must participate in the test.
Microenterprises and entities under DORA's simplified ICT risk-management framework are not required to run TLPT, but they remain subject to the general ICT testing programme (vulnerability assessments, scenario-based tests and similar).
TLPT Framework
DORA TLPT follows the TIBER-EU framework (the ECB's framework for threat intelligence-based ethical red teaming), which includes:
Phase 1: Preparation
- Scope definition
- Threat intelligence gathering
- Scenario development
- Control team establishment
Phase 2: Testing
- A threat intelligence provider produces targeted threat intelligence on the entity, which shapes the attack scenarios
- Red team executes simulated attacks against live production systems
- Blue team (security operations) responds as it would to a real incident
- White team (control team) oversees the test and manages the risk to production
- Testing is conducted without prior warning to the blue team; only the control team and a small circle know a test is running
Phase 3: Closure
- Debrief and lessons learned
- Remediation planning
- Report to supervisory authorities
- Implementation of improvements
Testing Frequency
TLPT must be conducted:
- At least every three years
- More or less often where the competent authority requires it, based on the entity's risk profile and operational circumstances
DORA itself sets only the three-year baseline and the supervisor's discretion; in practice, entities also re-test after major changes to the ICT infrastructure supporting critical or important functions, since the previous test no longer reflects the environment.
Selecting a Testing Provider
Red teams must:
- Be independent from the entity being tested (DORA permits internal testers only with the competent authority's approval and under conditions that avoid conflicts of interest; the threat intelligence provider must always be external)
- Have appropriate certifications and demonstrated expertise (DORA requires testers of the highest suitability and reputability, certified by an accreditation body or adhering to formal codes of conduct)
- Follow ethical hacking standards and the agreed rules of engagement
- Maintain confidentiality, since the test runs against live systems with the blue team unaware
- Carry professional indemnity insurance covering the risks of the test
Preparation Steps
- Asset Inventory: Document all critical systems and data
- Threat Assessment: Identify relevant threat actors and scenarios
- Internal Readiness: Ensure detection and response capabilities are functional
- Legal Framework: Establish contracts and liability agreements
- Communication Plan: Define escalation and notification procedures
- Business Continuity: Ensure safeguards for critical operations
Common Testing Scenarios
- Ransomware attacks
- Data exfiltration
- Supply chain compromise
- Insider threats
- Business email compromise
- DDoS attacks
Because TLPT runs against live production systems, destructive effects such as actual encryption, data destruction or denial of service are normally simulated or stopped short of impact under the rules of engagement; a DDoS or ransomware scenario, for example, typically exercises the detection and response path rather than taking the service down.
What Gets Tested?
TLPT evaluates:
- Prevention: Security controls and access management
- Detection: Monitoring and alerting capabilities
- Response: Incident management and containment
- Recovery: Business continuity and restoration
- Communication: Internal and external notification
Post-Test Actions
After testing:
- Analyze findings and prioritize remediation
- Update security controls and procedures
- Enhance detection rules and monitoring
- Train staff on identified gaps
- Update incident response playbooks
- Report to management and board
- Submit the summary of findings, the remediation plan and documentation showing the test followed the required process to supervisors, who issue an attestation
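The analysis step above reduces to a comparison of the red team's action log against the blue team's alert and containment record. The following Python script is an added example, not code from the original page, DORA or TIBER-EU: it takes a constructed red-team timeline and constructed SOC alerts (the hostnames, ATT&CK technique IDs and timestamps are invented for illustration), matches each action to the earliest alert on the same technique and host within a window, and derives time-to-detect, time-to-contain, per-stage detection coverage and an ordered list of undetected techniques to feed the remediation plan. An alert that fires for the wrong host is deliberately included to show why matching on technique alone overstates coverage.

```python
"""Score a TLPT replay: which red-team actions the blue team detected,
how long detection and containment took, and which kill-chain stages
went dark. Added example with constructed data; not the page's own code."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

# Kill-chain order used to rank remediation: earlier stages rank higher,
# because a miss there lets every later stage proceed unseen.
STAGE_ORDER = ["reconnaissance", "initial-access", "execution", "persistence",
               "credential-access", "lateral-movement", "exfiltration", "impact"]


@dataclass
class RedAction:
    ts: datetime
    stage: str        # kill-chain stage name from STAGE_ORDER
    technique: str    # ATT&CK technique ID the red team recorded
    host: str


@dataclass
class BlueAlert:
    ts: datetime
    technique: str
    host: str
    contained_ts: Optional[datetime] = None   # when the SOC isolated the host


def _t(s: str) -> datetime:
    return datetime.fromisoformat(s)


# Constructed sample data (hostnames, times and techniques are invented).
RED_TIMELINE = [
    RedAction(_t("2024-03-04T09:02:00"), "initial-access", "T1566.001", "wks-117"),
    RedAction(_t("2024-03-04T09:20:00"), "execution", "T1059.001", "wks-117"),
    RedAction(_t("2024-03-04T11:45:00"), "credential-access", "T1003.001", "wks-117"),
    RedAction(_t("2024-03-05T14:10:00"), "lateral-movement", "T1021.002", "srv-pay-02"),
    RedAction(_t("2024-03-06T02:30:00"), "exfiltration", "T1048.003", "srv-pay-02"),
]
BLUE_ALERTS = [
    BlueAlert(_t("2024-03-04T09:41:00"), "T1059.001", "wks-117",
              contained_ts=_t("2024-03-04T13:05:00")),
    BlueAlert(_t("2024-03-04T10:15:00"), "T1566.001", "wks-other"),   # wrong host: no credit
    BlueAlert(_t("2024-03-05T14:55:00"), "T1021.002", "srv-pay-02"),  # detected, never contained
]


def match_alert(action: RedAction, alerts, window=timedelta(hours=24)) -> Optional[BlueAlert]:
    """Earliest alert for the same technique AND host, fired after the action
    but within the window. Alerts before the action are coincidental noise."""
    cands = [a for a in alerts
             if a.technique == action.technique and a.host == action.host
             and action.ts <= a.ts <= action.ts + window]
    return min(cands, key=lambda a: a.ts) if cands else None


def score(timeline, alerts, window=timedelta(hours=24)):
    """One row per red-team action with detection and containment timings in minutes."""
    rows = []
    for act in timeline:
        al = match_alert(act, alerts, window)
        rows.append({
            "technique": act.technique,
            "stage": act.stage,
            "host": act.host,
            "detected": al is not None,
            "ttd_min": (al.ts - act.ts).total_seconds() / 60 if al else None,
            "ttc_min": ((al.contained_ts - act.ts).total_seconds() / 60
                        if al and al.contained_ts else None),
        })
    return rows


def stage_coverage(rows):
    """Fraction of actions detected, per kill-chain stage."""
    cov = {}
    for r in rows:
        hit, total = cov.get(r["stage"], (0, 0))
        cov[r["stage"]] = (hit + int(r["detected"]), total + 1)
    return {s: hit / total for s, (hit, total) in cov.items()}


def mean_time_to_detect(rows):
    vals = [r["ttd_min"] for r in rows if r["detected"]]
    return sum(vals) / len(vals) if vals else None


def remediation_priorities(rows):
    """Undetected techniques, earliest kill-chain stage first."""
    return sorted((r for r in rows if not r["detected"]),
                  key=lambda r: STAGE_ORDER.index(r["stage"]))


if __name__ == "__main__":
    rows = score(RED_TIMELINE, BLUE_ALERTS)
    for r in rows:
        print(f"{r['stage']:<18} {r['technique']:<10} {r['host']:<11} "
              f"detected={r['detected']!s:<5} ttd={r['ttd_min']} ttc={r['ttc_min']}")
    print("coverage:", stage_coverage(rows))
    print("mean TTD (min):", mean_time_to_detect(rows))
    print("fix first:", [r["technique"] for r in remediation_priorities(rows)])
```

Run as-is it shows two of five actions detected, a mean time-to-detect of 33 minutes, and three undetected techniques headed by the phishing foothold, which is the gap the remediation plan should address first. The host check is what keeps the stray phishing alert from counting, and the absent containment time on the lateral-movement alert is the kind of finding that points at a response rather than a detection gap.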
Cost Considerations
TLPT is resource-intensive. Budget for:
- External red team services
- Threat intelligence
- Internal preparation time
- Remediation activities
- Potential business disruption
Benefits Beyond Compliance
While TLPT is mandatory, it provides valuable benefits:
- Realistic assessment of security posture
- Identification of unknown vulnerabilities
- Validation of incident response capabilities
- Enhanced security awareness
- Board-level visibility into cyber risk
Integration with Overall Resilience Testing
TLPT should be part of a broader testing program including:
- Vulnerability assessments
- Configuration reviews
- Business continuity exercises
- Disaster recovery testing
- Tabletop exercises