Threat-Led Penetration Testing

A Red Team exercise for financial institutions

Threat-Led Penetration Testing (TLPT) is a highly sophisticated type of Red Team exercise that Alter Solutions provides to help financial entities assess and improve their cybersecurity resilience and comply with the EU’s DORA regulation.

Alter Solutions is a qualified Information Systems Security Audit Provider, a certification issued by the French National Cybersecurity Agency (ANSSI), one of the most prestigious cybersecurity authorities in Europe.

This certifies the competence and reliability of our auditors to carry out security audits for all scopes:

  • Organisational and physical audit
  • Architecture audit
  • Configuration audit
  • Code audit
  • Intrusion testing / Pentesting

The PASSI qualification is a security VISA issued by the ANSSI (French National Cybersecurity Agency)

What is TLPT?


Specifically designed for the financial sector, Threat-Led Penetration Testing is a large-scale Red Team exercise that simulates a real attack on assets, systems and processes, based on the current threat landscape, in order to assess the cybersecurity posture and resilience of key organisations in our financial system.

These entities are more likely to be targeted by cyberattackers looking to cause systemic failure, which is why they need a more advanced type of security audit than companies from other sectors do.

TLPT is required at least every 3 years by the Digital Operational Resilience Act (DORA), which affects many financial entities, namely credit and payment institutions. These tests are compatible with the TIBER-EU framework, created by the European Central Bank to provide guidance on threat intelligence-based ethical Red Teaming.

“Threat-Led Penetration Testing (TLPT) means a framework that mimics the tactics, techniques and procedures of real-life threat actors perceived as posing a genuine cyber threat, that delivers a controlled, bespoke, intelligence-led (red team) test of the financial entity’s critical live production systems.”
– DORA’s definition (Article 3(17))

TLPT’s main stakeholders

TLPT Cyber Team

The internal team within the TLPT authority/regulator that oversees the test and makes sure it follows the TLPT rules.

Control Team

The financial entity’s internal team who manages the TLPT process from the inside.

Blue Team

The internal defensive security team responsible for protecting the financial entity from cyber threats. It must not be aware that a TLPT is taking place.

Threat Intelligence Provider

External experts responsible for gathering and analysing threat data and scenarios, based on reliable sources.

Red Team

The testers – external and/or internal to the financial entity – who actually perform the TLPT.

The 5 stages of TLPT

The DORA regulation defines five main steps in the testing process that must be completed:

#1
Preparation

The client must complete a series of tasks before reaching out to a TLPT service provider, such as defining communication channels within the control team, selecting a threat intelligence provider and preparing a scope specification document. Then, if the company decides to rely on external testers, the two parties jointly define objectives and analyse risk management measures before moving on to the next stages.

#2
Threat Intelligence

Alter Solutions’ team gathers as much information as possible about the company and the selected target/scope, and identifies cyber threats and vulnerabilities that could potentially affect the financial entity. The team then proposes different attack scenarios to the client, of which at least three should be selected to move forward. This phase can last one to two months.

#3
Red Team Test

This is the actual attack phase, where the TLPT is carried out for at least 12 weeks, depending on the scale, scope and complexity of the organisation.

The previously approved attack scenarios may be executed in sequence or at the same time.

#4
Closure

Within 4 weeks from the end of the red team testing phase, the test provider must submit a detailed report of the exercise to the client. Then, a replay exercise must take place within 10 weeks, where both the testers and the client’s Blue Team go over the offensive and defensive actions of the TLPT, for learning purposes. Lastly, all the parties involved must provide feedback to each other on the TLPT process, and the financial entity must submit an official report summarising the TLPT findings.

#5
Remediation plan

Within 8 weeks from the official closure notification, the financial entity shall provide a remediation plan to the TLPT authority, containing a description of the identified vulnerabilities, proposed remediation measures, a root cause analysis, who’s responsible for each measure within the organisation, and the risks of not implementing that plan.


Who is required to perform TLPT?

While DORA targets the entire financial sector, TLPTs are mandatory only for financial entities with:
  • Services/activities that impact the financial sector
  • Financial stability concerns, at a national or European level
  • A specific risk profile, related to their maturity level and the technological features involved

This includes all global systemically important financial institutions*, namely:
  • Credit institutions
  • Payment institutions
  • Electronic money institutions
  • Central securities depositories
  • Central counterparties
  • Trading venues
  • Insurance and reinsurance undertakings

*Institutions that meet specific criteria identified in the DORA regulation.


The rules of TLPT

A TLPT must fulfil several requirements defined by DORA, such as:
  • Be carried out at least every 3 years
  • Cover several or all critical or important functions of a financial entity
  • Be performed on live production systems
  • Cover the entire attack surface: physical surface (on-premises intrusions), human surface (threats targeting people, like social engineering), and digital surface (every digital asset that can be impacted by a cyberattack)
  • Apply effective risk management measures to mitigate potential impact on data, assets, services or operations

The importance of Threat-Led Penetration Testing

Maximise cyber resilience

Organisations get a realistic assessment of their ability to respond to cyber threats, which enables them to address specific vulnerabilities and adjust their security strategies in line with the actual methods used by attackers.

Enhance data protection and client trust

By covering all the weak spots in their security strategies, financial institutions are able to better shield customers’ data and, therefore, reinforce trust.

Ensure DORA compliance

The DORA regulation requires critical financial entities to perform TLPT, so an organisation that succeeds in doing so stands out for its commitment and active participation in fighting cybercrime and protecting the global financial infrastructure.

Avoid financial and reputational damages

Non-compliance with the DORA requirements can lead to significant regulatory penalties and fines, not to mention all the financial and reputational damages that can come from a data breach or cyberattack.

Promote security teams’ learning

Internal security teams (Blue Teams) can learn a lot from a Red Teaming exercise like TLPT and improve their vulnerability management and incident response capabilities for the future.

Secure the global financial ecosystem

If all global systemically important financial institutions enhance their security posture, then the overall financial sector is as protected as it can be.


Red Teaming

Our experts can also provide you with more realistic support through our Red Team

Why Alter Solutions?

18 years of experience

Alter Solutions was founded in Paris, in 2006, and has since focused on digital transformation. We operate in 8 countries across Europe, America and Africa, and we have been security partners for companies in the manufacturing, service, finance, insurance, transport, and technology sectors for over 10 years.

Flexibility and customer-centric approach

We provide a level of service tailored to the client's needs, going all the way to a 24/7 protection. We have a strong track record across different sectors and technologies, and our approach to IT services is technology agnostic – what's right for each customer is what counts.

Privacy as a core value

Both yours and your customers’ data is safe with us. Our experts operate within the European Union (EU), meaning we fully comply with the General Data Protection Regulation (GDPR).

Key certifications

We hold relevant security certifications like PASSI, ISO 27001, and CSIRT. Our experts are also certified with OSCP, OSCE, GXPN, and CRTM.

FAQ

We have over 10 years of experience performing different types of pentesting and red teaming exercises for the banking, finance and insurance sectors. We have a deep understanding of the TIBER-EU framework, and we complement that with great knowledge in defensive cybersecurity approaches.

Our vast experience also allows us to minimise operation disruption when performing a TLPT exercise, because we know the risks that come with exploring specific vulnerabilities and we keep an open line of communication with the client to decide what to do in such circumstances.

Yes. To protect client data, Alter Solutions guarantees the following measures:

  1. Use of hardened laptops, so that in case of theft or intrusion the data we have on our clients won’t be accessible.
  2. Use of encrypted communication channels for every exchange that might be critical. For example: information gathered during the threat intelligence phase; final report with the detected vulnerabilities; users’ personal data.
  3. Deletion of all the client data after the TLPT exercise is completed. We send the client a document certifying that we deleted all the information gathered during the testing process.

They vary a lot from exercise to exercise, depending on what is found during the threat intelligence phase. A few common strategies that could be used to initiate a Threat-Led Penetration Test are social engineering (e.g. phishing attacks), physical intrusions, or the exploitation of technical vulnerabilities.

Not in the way it is performed, but only in the time spent on the threat intelligence phase. Remember that TLPT is specifically designed for critical financial institutions, so it will never have to be adjusted to small or medium companies. If entities like those are looking for a comprehensive security audit, then conventional Red Teaming or Pentesting approaches are a better fit.

Mostly the initial steps of the preparation phase, where the client has to select the threat intelligence provider and the testers (internal, external or both), define communication channels and processes, and prepare the scope specification document.

In the end, the remediation plan is also the financial institution’s responsibility – the TLPT provider simply provides the test report with recommendations to fix technical vulnerabilities, but then the client decides how to put that into practical terms.

Yes, but the members assigned to each team must be different and act independently. If the financial institution uses internal testers, then the threat intelligence provider must be external.

Request a meeting

Fill in our contact form and our dedicated cybersecurity team will get back to you within 24 hours.

You can also e-mail us with more information about your project and requirements.

hello.brussels@alter-solutions.com