Navigating DORA Compliance: A Comprehensive Approach to Threat-Led Penetration Testing

TL;DR: The Digital Operational Resilience Act (DORA) sets a new standard for cybersecurity in the EU financial sector, with Threat-Led Penetration Testing (TLPT) being a key requirement to assess defenses against real-world cyber threats. The deadline for complying with DORA is January 17, 2025.

This blog explores how organizations can strategically prepare for and execute TLPT to meet DORA compliance while strengthening overall cybersecurity resilience.

In the rapidly evolving landscape of financial services, the Digital Operational Resilience Act (DORA) sets a new standard for cybersecurity and operational resilience for businesses conducted within the European Union. One of the core components of DORA is the requirement for Threat-Led Penetration Testing (TLPT), a rigorous assessment that tests an organization’s defenses against real-world cyber threats. At Bishop Fox, we understand the complexities involved in achieving DORA compliance, especially when it comes to TLPT.

In this blog post, we’ll explore how organizations can effectively prepare for and execute TLPT to meet DORA requirements and strengthen their overall cybersecurity posture.

Understanding DORA and TLPT

DORA aims to uniform requirements for the security of network and information systems of companies and organizations operating in the financial sector, as well as critical third parties which provide ICT (information communication technologies) services to them, such as cloud computing services, software solutions, or data analytics services. DORA creates a regulatory framework on digital operational resilience, whereby all financial entities under this regulation need to make sure they can withstand, respond to, and recover from ICT-related disruptions and threats.

Among its requirements, TLPT stands out as a critical exercise where organizations simulate cyberattacks to evaluate the effectiveness of their defenses. Unlike traditional penetration testing, TLPT is more comprehensive, involving external providers who simulate sophisticated threat scenarios targeting both digital and human attack surfaces.

Under DORA the following organizations are required to perform TLPTs by default and must conduct them at least once every three years: any financial entity operating within the EU in core financial services subsectors and playing a systemic role, such as central counterparties (CCPs) and central securities depositories (CSDs), as well as certain credit institutions, payment institutions, electronic money institutions, trading venues, and insurance and reinsurance undertakings, subject to fulfilling certain criteria or crossing quantitative thresholds. These tests are not just about compliance; they’re about preparing for the real-world threats that could cripple an organization if left unchecked.

DORA’s TLPT requirements are grounded in two critical components: threat intelligence and operationalization. These aspects help shape a TLPT that reflects real-world attack scenarios and are aligned with the specific threat landscape an organization faces. These are detailed further in the recommended framework below.

Approaching TLPT for DORA Compliance: A Strategic Framework

To successfully navigate the TLPT process under DORA, organizations should adopt a strategic approach, similar to that of the TIBER-EU framework, that encompasses several key phases.

1. Preparation Phase: Laying the Groundwork

Scope Definition: The first step in any TLPT is defining the scope. DORA mandates that the scope should include critical business functions, key systems, and applications that, if compromised, could severely impact the organization’s operations or financial stability. It is essential to work closely with internal stakeholders and external providers to identify these critical assets and ensure they are included in the scope.

Threat Intelligence Gathering: Once scope is defined, organizations should seek to gather relevant threat intelligence, leveraging both internal threat intelligence feeds and external insights. To comply with DORA’s TLPT requirements, threat intelligence gathering should not be limited to a general understanding of potential threats. Instead, it requires a comprehensive approach inclusive of establishing comprehensive threat actor profiles and attack graphing to ensure that simulated attacks accurately mirror current threats.

• Threat actor profiles: Contains a high-level description of potential attackers, their general intent and goals, and detailed information about their methods—such as initial access techniques, exploitation tools, evasion strategies, and persistence methods. Profiles can also be enriched with references to MITRE ATT&CK IDs, mapping TTPs commonly used by adversaries.

• Attack graphing: Identifies the most vulnerable points in the organization’s infrastructure – mapping out potential attack paths across the organization’s architecture, pinpointing vulnerable systems, and highlighting at-risk data. This meticulous charting helps anticipate where a breach might occur and what assets could be targeted.

By combining threat actor profiles with attack graphing, organizations can perform operation planning that clearly defines TLPT objectives, roles, responsibilities, and execution timelines. Operation planning also ensures alignment with risk management policies and sets clear rules of engagement for an offensive testing team.

Coordination and Planning: Coordination between the Threat Intelligence provider, Control Team, and offensive security team is vital during this phase. By combining threat actor profiles with attack graphing, organizations can perform operation planning that clearly defines TLPT objectives, roles, responsibilities, and execution timelines. Operation planning also ensures alignment with risk management policies and sets clear rules of engagement for an offensive testing team.

In addition, developing a detailed test plan that aligns with DORA requirements and internal risk management policies ensures that the testing is controlled and within acceptable risk thresholds.

2. Execution Phase: Testing the Defenses

Operationalization complements threat intelligence and operation planning by focusing on how the gathered information is put into practice. Operationalization can include conducting Tabletop Exercises to rehearse and improve incident response, Red Teaming activities to assess the effectiveness of security controls through simulation of real-world attacks, and Purple Teaming exercises to strengthen detection and incident response through collaborative engagements between offensive and defensive teams.

By operationalizing threat intelligence, organizations can simulate not only what a threat actor might do but how their teams will respond, test detection capabilities, and fine-tune their defenses.

Tabletop Exercises: Tabletop exercises offer a controlled environment to simulate TLPT scenarios without the risk of disrupting live operations. These exercises are an ideal way to explore complex attack scenarios, refine response strategies, and improve coordination across teams for organizations who may not quite be ready for a full Red Teaming engagement.

Red Teaming: The Red Team’s role in TLPT is to simulate real-world attacks on the organization’s digital and human attack surfaces. This type of offensive security engagement involves conducting reconnaissance, exploiting vulnerabilities, and attempting to breach the organization’s defenses without alerting the Blue Team (defensive team). It’s essential to target a broad range of attack surfaces, including network infrastructure, applications, and social engineering vectors, to assess the organization’s overall resilience.

Purple Teaming: Following the Red Teaming activities, Purple Teaming comes into play. This type of engagement involves a collaborative effort between the Red and Blue Teams to review the attacks, understand the detection gaps, and enhance defensive measures. Unlike the covert nature of Red Teaming, Purple Teaming is transparent and focuses on learning and improving the organization’s detection and response capabilities.

3. Closure Phase: Reporting and Remediation

Comprehensive Reporting: The final phase of TLPT involves documenting the findings. This includes a detailed report outlining all identified vulnerabilities, their potential impact, and recommended remediation actions. The report should also highlight the effectiveness of the organization’s detection and response strategies and provide insights into areas for improvement.

Remediation Planning: Based on the findings, organizations should develop a remediation plan that prioritizes actions based on the severity of the vulnerabilities. It’s crucial to engage with stakeholders to ensure that remediation efforts align with business objectives and regulatory requirements.

Continuous Improvement: TLPT is not a one-time exercise. To maintain compliance and enhance resilience, organizations should incorporate lessons learned from each TLPT into their broader cybersecurity strategy. Regular reviews and updates to the threat models and attack scenarios are necessary to keep pace with the evolving threat landscape.

Best Practices for TLPT Under DORA

To ensure a successful TLPT and achieve DORA compliance, organizations should consider the following best practices:

• Engage Qualified External Providers: DORA requires that TLPT be conducted by qualified external providers. Choosing providers with proven experience and expertise in conducting threat-led penetration testing in the financial sector is crucial.

• Align Testing with Business Objectives: Ensure that the TLPT aligns with your organization’s business objectives and risk appetite. This alignment helps prioritize resources and focus efforts on the most critical areas.

• Foster a Culture of Collaboration: Successful TLPT requires collaboration between various stakeholders, including internal teams and external providers. Foster a culture of open communication and collaboration to maximize the benefits of TLPT.

• Prepare for the Unexpected: TLPT can uncover unexpected vulnerabilities or weaknesses. Being prepared to respond and remediate these findings promptly is essential to maintaining resilience and compliance.

How Bishop Fox Addresses DORA Compliance & Threat-Led Penetration Testing

At Bishop Fox, we understand the importance of integrating both threat intelligence and operationalization to satisfy DORA’s rigorous TLPT requirements. Through comprehensive threat actor profiling, detailed attack graphing, and strategic operation planning, we provide organizations with the intelligence they need to anticipate and prepare for realistic cyber threats. Additionally, we offer Red Teaming, Purple Teaming, and Tabletop Exercises to operationalize this intelligence, ensuring that testing not only identifies vulnerabilities but also strengthens defenses in real-time.

While DORA encourages the separation of roles between threat intelligence providers and offensive security teams to ensure objectivity, it’s crucial to work with providers who can either offer both services or collaborate effectively with external partners. At Bishop Fox, we are well-positioned to either fulfill both aspects of DORA compliance or collaborate with your intelligence providers to deliver a seamless TLPT experience that meets regulatory requirements and enhances your cybersecurity posture.

If you are ready to embark on your TLPT journey, contact us today to learn how we can help.

Here are a few key resources to get you started:

• FAQ Guide: Acquiring DORA TLPT with Bishop Fox
• Financial Services Datasheet
• The Offensive Security Blueprint for Financial Services Report
• How Attackers View Financial Services Blog
• Cybersecurity Compliance and Frameworks