The European regulation DORA (Digital Operational Resilience Act) introduces a new standard for ICT risk management. It requires major financial entities to regularly conduct Threat-Led Penetration Testing (TLPT), intelligence-led threat-based tests that simulate the capabilities of advanced organised cyber attackers (APTs).
The goal is not just to find vulnerabilities, but to validate the entire organisation's ability to detect, respond to and recover from an attack that follows a realistic and coordinated scenario.
What is Threat-Led Penetration Testing and why aren't conventional tests enough?
Unlike a standard penetration test, a TLPT:
- simulates an attack in all its complexity, including penetration, lateral movement, privilege escalation, persistence, and data exfiltration,
- is driven by actual threat intelligence and sector-specific scenarios,
- includes a coordination phase with defined scope, rules of engagement, identification of critical systems and test objectives.
From a technical perspective, TLPT requires detailed knowledge of attack vectors and the ability to mimic the methods of real attackers exploiting zero-day vulnerabilities, social engineering, code obfuscation or supply chain attacks.
What requirements does DORA set in relation to TLPT?
- Testing must be performed based on the current threat profile, not as a one-size-fits-all scenario,
- the test must address critical functions and systems whose failure could compromise the stability of services,
- organisations must engage external, independent and qualified testers,
- the results must lead to the implementation of corrective actions and possible retesting.
Institutions subject to the DORA regulation will need to comply with requirements on both the frequency of testing and its documentation and reporting to the relevant supervisory authority (e.g. CNB, ECB). The active red-team testing phase must last for a minimum of 12 weeks. This period is necessary to realistically mimic stealthy threat actors, who operate slowly and covertly over long periods.
What are the requirements for testing teams?
DORA also places emphasis on the quality and qualifications of those performing advanced testing. Testers must meet strict criteria, such as:
- they must be renowned experts, with proven technical and organisational skills and specific knowledge
- testers must be certified and have undergone independent audits or attestation of sound risk management in testing
- they must have adequate liability insurance against damage caused
How does testing work in practice?
- Reconnaissance - Identification of the target application and connection to the internal network. Gathering information about the target system such as IP addresses, DNS records and other metadata.
- Footprinting - Analysis of available information about the application and associated systems. Determining available services, versions, and other information.
- Sniffing - Eavesdropping and collection of transmitted data to identify vulnerabilities leading to data leakage.
- Scanning - Scanning the network to identify active hosts and ports. Scanning of specific application services such as APIs, GUIs.
- Enumeration - Identification of user accounts and groups on the system. Determining available features and permissions in an application.
- Vulnerability Analysis - Scanning and analysing identified vulnerabilities in the application. Security assessment of the operating system, database, and other components. We use tools such as Qualys, Nessus, Burp Suite and other standard automated and manual tools to identify vulnerabilities.
- Exploitation - An attempt to exploit identified vulnerabilities to gain unauthorized access or leak information. Simulation of attacks on the application environment.
- Post-exploitation - Continued exploration of the environment after gaining access. Gathering additional information and attempting to escalate privileges.
- Reporting - Compiling a detailed report containing identified weaknesses, recommendations for improvement, and evidence of tests performed. Delivering the results of the report to responsible individuals in the organisation.
- Cleanup - In the event of a successful intrusion, taking action to minimise potential consequences. Removing traces of testing and restoring the system to its original state.
Why work with BDO?
BDO provides TLPT services in accordance with the specific requirements of European regulators (e.g. ECB, EBA, ESMA) as well as proven methodologies such as TIBER-EU, CBEST or iCAST. Our methodology combines a red teaming approach, knowledge of the regulatory framework and deep technical know-how - including scenarios that reflect sectoral threats and digital attacks in the European financial space.
- Certified red team with expert experience
- Knowledge of DORA, NIS2 and TIBER-EU
- Independence and credibility
Author: Marek Kovalčík