Dr. Antje Winkler
Partner | Offensive Security
DORA Resilience Testing
Threat-Led Penetration Testing
Comprehensive Threat Simulation in Accordance With DORA
The Digital Operational Resilience Act (DORA) requires companies in the financial sector to strengthen their operational resilience in order to address an increase in threats in the cyber landscape. Threat-Led Penetration Tests (TLPT) allow for the targeted identification of potential vulnerabilities by simulating realistic cyber attacks.
As part of the TLPT, established security mechanisms are tested according to defined threat scenarios. In addition to identifying security issues in individual systems, the test particularly focuses on the technical and organizational cyber defense measures of the customer. This helps companies better understand their security posture and evaluate the effectiveness of their existing security measures.
As part of the TLPT, established security mechanisms are tested according to defined threat scenarios. In addition to identifying security issues in individual systems, the test particularly focuses on the technical and organizational cyber defense measures of the customer. This helps companies better understand their security posture and evaluate the effectiveness of their existing security measures.
Our Offer for You
We are performing threat-led penetration tests in accordance with the DORA regulation and TIBER framework. These standards define various threat scenarios that portray different types of attackers. The respective scenario determines the starting point for the threat-led penetration test and outlines the means and methods of the simulated attacker:
Nation State Group
This scenario describes threats posed by state-sponsored actors. These groups possess extensive resources, expertise, and technological capabilities to carry out targeted attacks on critical infrastructures, government institutions, or companies.
Nation State Groups often focus their attacks on strategic, political, and military objectives, particularly in critical infrastructure sectors. Key aspects of these attacks include not only targeted sabotage through malware and ransomware but also espionage, as well as access to sensitive communication channels and data. The attackers often attempt to remain undetected for as long as possible while maintaining their access to the target infrastructure.
Organized Crime Group
The attacker scenario "Organized Crime Group" refers to threats posed by criminal organizations that often have economic motives and seek financial gains.
Criminal groups are known to employ various cyber attack methods. Some gain financial advantages through targeted manipulation of specific systems or by selling stolen data. Others use malware or ransomware to render business-critical systems inoperable, extorting ransom payments afterwards to restore inaccessible data and systems. Some groups sell the acquired access on relevant marketplaces to others, allowing the initial access and its exploitation to be carried out by different groups.
Insider
In this approach, we assume the role of an attacker who conducts cyber attacks from within a company. Insiders are malicious actors who belong to the organization itself or one of their service providers. They already have access to systems within the company.
The primary goal of malicious insiders is personal enrichment through fraudulent activities. This typically occurs through the misuse of the employee's or service provider's own permissions. Consequences include, among others, the creation of unauthorized accounts and payment transactions, unauthorized access and manipulation of legitimate accounts, or the application for and approval of unauthorized loans. To prepare the fraudulent scheme and identify lucrative targets, insiders often browse internal customer databases.
Scenario X
In addition to the scenarios described above, a specifically tailored scenario can also be developed based on the Threat Intelligence Report that is provided for the engagement.
The aim of the so-called "Scenario X" is to offer a means to define additional scenarios that are adapted to the current threat landscape, alongside the ones already defined. This is intended to ensure that the threat-led penetration test reflects the latest developments in the cyber security field.
Threat-Led Penetration Testing Approach
The objective of the threat-led penetration test is to simulate the impact a cyber attack would have on the target company under real-world conditions. To minimize potential effects on business processes and IT systems, close coordination of the testing activities is of high importance.
Involved Parties
The following roles are defined for carrying out the threat-led penetration test:
- TIBER Cyber Team - The TIBER cyber team within the German Federal Bank is responsible for monitoring the test and ensuring that the test complies with the requirements of the TIBER EU framework.
- Threat Intelligence Provider - The threat intelligence provider examines the spectrum of possible threats based on an OSINT analysis prior to the active analysis.
- White Team / Control Team - The white team manages the campaign and is in regular contact with the red team. It consists of one or two people who have knowledge of the company's infrastructure. The central task of the white team is to ensure that potential disruptions can be resolved without major delays.
- Blue Team - The blue team represents the defender that protects the customer's infrastructure against attacks. The purpose of the test is to check the prevention, detection and response capabilities of this team without their knowledge.
- Red Team Provider - The experts of BDO Cyber Security GmbH act according to the agreed rules of engagement and represent the attacker as the red team.
Testing Process
In accordance with DORA and TIBER, a threat-led penetration test comprises the following phases:
The detailed testing activities that are conducted in each phase follow our approach for red teaming campaigns.
Methodology and Frameworks
There are many established methodologies and frameworks that guide threat-led penetration tests, ensuring that the results are consistent and compliant with regulations such as the Digital Operational Resilience Act (DORA):
- The MITRE ATT&CK Framework (Adversarial Tactics, Techniques & Common Knowledge) outlines tactics, techniques, and procedures based on real-world observations of cyber attacks documented by security experts.
- Threat-Led Penetration Testing is an evolution of the Threat Intelligence-based Ethical Red Teaming (TIBER) framework, which is used for red teaming campaigns in the financial and banking sectors and is applied in conjunction with the DORA regulation.
- The Lockheed Martin Cyber Kill Chain details an attacker’s approach through a series of progressive stages, describing the consequences of actions taken during a cyber attack.