TLPT – Threat-Led Penetration Testing

Faced with increasingly sophisticated threat actors, traditional security testing methods are no longer enough. This is where Threat-Led Penetration Testing (TLPT) comes in, full-scale attack simulations that help assess an organization’s ability to withstand real-world cyberattacks.

What are TLPTs?

A TLPT is an exercise orchestrated by a team of security experts, called a “Red Team,” that simulates a complex computer attack carried out by a malicious actor.

TLPTs make it possible to:

• Detect and counter intrusions, even those using new and advanced techniques.
• Limit damage in the event of a successful compromise.
• Maintain business continuity during and after a cyberattack.

Unlike traditional penetration testing that focuses on discovering security vulnerabilities, TLPT takes a more realistic and holistic approach.

The Red Team operates in a “black box”, without prior knowledge of the internal configuration of the systems and uses a wide range of techniques to carry out its attack, drawing inspiration from the modus operandi of today’s cybercriminals.

How do the TLPTs take place?

A TLPT generally takes place in several distinct phases:

Definition of scope and objectives

The organization and the Red Team collaborate to define the scope of the test, specifying the systems to target and the objectives to achieve.

This step helps to frame the exercise and ensure that it meets the specific needs of the organization.

Reconnaissance and information collection

The Red Team conducts a thorough reconnaissance phase to gather information about the organization, its information systems, networks, and security processes.

This phase may include open-source information (OSINT) research, social media analysis, systems mapping, and exploration of potential vulnerabilities.

Simulated attack

The Red Team simulates a real attack by employing an arsenal of sophisticated techniques, such as:

• Social engineering: Psychological manipulation of employees to encourage them to disclose confidential information or install malware.
• Phishing: Sending deceptive emails or text messages that trick users into clicking on malicious links or entering sensitive information.
• Software Vulnerability Exploitation: Identifying and using known or unknown vulnerabilities in software and operating systems to gain unauthorized access.
• Physical intrusion: Physical access to the organization’s premises to steal data or install malicious devices.

Analysis and reporting

Once the simulated attack is complete, the Red Team analyzes the results obtained in detail.

This analysis helps identify exploited security vulnerabilities, attack vectors used and areas for improvement for the organization’s security posture.

A full report is then written and delivered to the organization, detailing the findings of the exercise and recommendations for strengthening security.

TLPT & DORA

What is the DORA regulation?

The DORA Regulation aims to strengthen the cybersecurity of the European financial sector.

Coming into force in November 2022, it requires financial entities to:

• Implement a cyber risk management strategy.
• Identify and assess their cyber risks.
• Take measures to prevent and limit cyberattacks.
• Test and exercise their ability to respond to cyberattacks.
• Report major cyber incidents to authorities.

The DORA Regulation applies to a wide range of financial entities, including banks, insurers, investment funds and market infrastructure operators.

Financial entities will have to comply with DORA by 2025 or 2026.

Article 26 of DORA on TLPT

Article 26 of the Digital Operational Resilience Act (DORA) addresses a crucial issue in financial cybersecurity: the detection of critical vulnerabilities within information and communications systems (CIS).

To do this, it highlights the use of advanced testing based on threat-led penetration testing (TLPT) , a formidable approach to testing the robustness of CIS against sophisticated cyberattacks.

Who is affected by TLPT?

The obligation to carry out these tests does not apply to all financial entities. Only the largest financial entities, identified as “systemic” by the competent authorities, are required to comply.

This measure aims to protect the most critical elements of the financial sector against targeted and large-scale cyberattacks.

To identify these “systemic” entities, the European authorities have defined precise criteria, such as:

• The number of clients and the size of the financial markets in which the entity operates.
• The degree of interdependence with other financial entities.
• The importance of critical services provided.
• The entity’s capacity to absorb major disturbances.

In France, for example, the largest banks and credit institutions, critical market infrastructures and essential payment service providers are among the entities likely to be considered “systemic”.

When should TLPTs be carried out?

Article 26 imposes a regular rhythm for these advanced tests, with a minimum frequency of once every three years. This periodicity ensures that CIS remains protected in the face of constantly evolving cyber threats.

It is important to note that competent authorities may require more frequent advanced testing if they consider that the level of risk incurred by a financial entity warrants it.

How should these TLPTs be conducted?

Article 26 does not go into the technical details of implementing advanced testing. However, he highlights the importance of using threat-led penetration testing (TLPT) methods.

These methods simulate real cyberattacks, carried out by highly qualified IT security experts, to detect vulnerabilities to which CIS could be exposed.

What are the objectives of TLPTs within the framework of Article 26 of DORA?

The main objective of these advanced tests is to detect critical vulnerabilities in CIS that could be exploited by cyberattackers. By identifying these vulnerabilities upstream, financial entities can take corrective measures to neutralize them and thus minimize the risk of major intrusions.

These advanced tests also make it possible to:

Evaluate the effectiveness of existing security measures

TLPT tests make it possible to test the robustness of the security measures put in place by financial entities and to identify areas for improvement.

Strengthen cybersecurity awareness within financial entities

The TLPT testing process can help raise awareness among employees of financial entities about cyber risks and good security practices.

By observing the techniques used by testers, employees can better understand the threats CIS faces and adopt more secure behaviors.

Improve collaboration between financial entities and competent authorities

Advanced testing results can be shared with relevant authorities, improving the overall understanding of cyber threats to the financial sector.

This collaboration can promote the implementation of more effective and more coordinated protection measures.

Auditors eligible to carry out TLPTs

Section 27 of the Digital Operational Resilience Regulations (DORA) imposes strict requirements on testers who carry out threat-led penetration testing (TLPT) for financial entities.

These requirements aim to ensure that TLPTs are conducted in a rigorous, impartial, and professional manner, in order to provide an accurate assessment of the robustness of financial entities’ IT systems to cyber threats.

Skills required for testers

• Technical Expertise: Testers must have in-depth knowledge of relevant information technologies, including operating systems, networks, applications and security protocols.
• Penetration Testing Experience: They must have significant hands-on experience conducting TLPT, using a variety of penetration testing techniques and tools.
• Knowledge of cybersecurity threats: They must have a clear understanding of current cybersecurity threats, such as malware, code injection attacks, and denial of service attacks.
• Communication Ability: They must be able to effectively communicate test results to non-technical stakeholders, using clear and concise language.

Independence and confidentiality

• Crucial independence: To ensure impartiality, testers must be independent from the financial entity being tested and its third-party service providers. This helps avoid any conflict of interest and ensures that tests are conducted objectively.
• Protection of confidentiality: Testers must respect the confidentiality of the information they access during testing. This includes personal data, financial information, and trade secrets. Non-disclosure agreements (NDAs) and other data protection measures should be in place.

Rigorous testing methodology

• Detailed planning: TLPTs must be conducted in accordance with a documented methodology that is approved by the financial entity being tested. This methodology should define the scope of testing, the techniques to be used, the evaluation criteria and the schedule.
• Realistic Scenarios: Testing should be based on realistic scenarios that reflect the most likely threats and vulnerabilities facing the financial entity.
• Extensive testing: Testers should perform extensive testing of all relevant systems and applications, including web interfaces, APIs, and back-end systems.
• Full Documentation: The results of TLPTs must be documented in a detailed report that includes the identified security vulnerabilities, supporting evidence, mitigation recommendations, and an analysis of the potential impact of the vulnerabilities.

Role of financial entities

• Rigorous selection of testers: Financial entities must implement a rigorous selection process to identify and select testers who meet regulatory requirements.
• Supervision and monitoring: They must closely supervise TLPTs to ensure that they are carried out in accordance with the approved methodology and that deadlines are respected.
• Vulnerability Action Plan: They must develop an action plan to address security vulnerabilities identified during TLPT, setting priorities, and assigning responsibilities.
• Continuous improvement: They should use TLPT results to continually improve their cybersecurity posture and update their testing programs accordingly.

Choose Ziwit as your TLPT auditor

Ziwit, as a qualified and certified tester, presents itself as an informed choice for financial entities keen to strengthen their cybersecurity posture and meet the regulatory requirements of the Digital Operational Resilience Regulation (DORA).

Here are some key points that make Ziwit a trusted partner for your Threat-Led Penetration Testing (TLPT):

Proven expertise in cybersecurity

Ziwit has a team of highly qualified and experienced cybersecurity professionals with in-depth knowledge of the latest threats, vulnerabilities, and attack techniques.

This expertise ensures that your TLPTs will be conducted with rigor and precision, providing a reliable assessment of the resilience of your IT systems.

Rigorous compliance with DORA requirements

Ziwit undertakes to scrupulously comply with the requirements of Article 27 of DORA regarding TLPT testers. This involves complete independence from your financial entity, impeccable data confidentiality, rigorous testing methodology and full documentation of results.

Methodical approach and realistic scenarios

Ziwit takes a methodical approach to TLPTs, clearly defining objectives, test scenarios and evaluation criteria. Scenarios are designed to reflect real-world threats your financial entity faces, ensuring the relevance and usefulness of test results.

Full range of testing services

Beyond TLPT, Ziwit offers a full range of cybersecurity testing services to meet your specific needs. This may include penetration testing, vulnerability assessments, security audits, and identity and access management testing.

Commitment to continuous improvement

Ziwit emphasizes the continuous improvement of its services and skills. The team stays up to date with the latest threats and vulnerabilities, adopting new technologies and testing methodologies to ensure your TLPTs are always cutting edge.