TLPT/TIBER: Transforming DORA requirements into a lever for cyber resilience
With the entry into force of DORA, Threat-Led Penetration Tests (TLPT) are now among the exercises expected of financial entities designated as critical.
Much more than a simple penetration test, a TIBER exercise (and, more broadly, TLPT approaches) makes it possible to reproduce realistic attacks, based on threat intelligence, in order to assess detection, response and resilience capabilities within a truly critical perimeter.
Drawing on its experience with TIBER exercises (FR, BE, LU and EU), Intrinsec can take part in this type of engagement, whether within the framework of a DORA TLPT or through an exercise inspired by the TIBER framework, for the Threat Intelligence, the Red Team execution, or support during preparation of the exercise.

1) TLPT / TIBER: what are we talking about?
A TLPT / TIBER exercise is a Red Team exercise driven by Cyber Threat Intelligence (CTI): the scenarios, objectives and methods of operation are built from the tactics and techniques of real attackers observed in your sector, adapted to your context.
Unlike a pentest, a TIBER exercise is threat-led and scenario-oriented: it uses real threats that could target your organization to simulate a realistic attacker and an end-to-end attack path to critical assets, within a highly governed framework.
It allows testing the entire attack chain, within a strictly controlled framework:
- RECON: collection and preparation (OSINT, external fingerprinting, trust relationships, third parties)
- IN: initial access (credentials, social engineering, exploitation, physical intrusion, etc.)
- THROUGH: controlled progression (lateral movement, elevation of privileges, bypasses)
- OUT: achieving realistic objectives (exfiltration of a flag, compromise of a critical service, impact simulation)
What the exercise allows us to measure
- The SOC/CSIRT's capacity to detect, qualify and respond to a discreet and prolonged attack
- The resilience of application chains and critical business processes under realistic conditions
- The technical, organizational and human weaknesses exploitable by an advanced adversary
2) DORA: what are the implications for “threat-led” exercises?
DORA strengthens the requirements for digital operational resilience testing, and provides for advanced TLPT-type exercises for certain designated entities, with high expectations regarding realism, governance and documentation.
Within a regulated framework, it is essential that the exercise be conducted in compliance with the applicable framework. This allows the relevant authorities to issue the certificate, and ensures that the exercise is properly framed, controlled and documented.
TLPT exercises also incorporate structuring closure phases:
- A replay workshop, in which certain actions carried out during the exercise are replayed so that, through exchanges between the Red Team and the Blue Team, it becomes clear why some actions were not detected, and concrete actions can be derived from it (improvement of collection, adjustment of detection rules/use cases, etc.);
- A Purple Team phase, to deepen and complete the exercise (for example by testing sequences that could not be played during the Red Team phase, or by involving the business teams more).
These phases promote a continuous improvement approach and encourage playing the scenarios through to the end.
Key points to remember
- The arrangements may vary depending on the competent authorities and the local implementation
- The TIBER approach constitutes a recognized operational benchmark for this type of exercise

3) The Intrinsec approach: Dedicated, separate, and coordinated CTI & Red Teams
Our exercises are based on two separate teams dedicated to these activities:
- A CTI (Cyber Threat Intelligence) team, responsible for producing intelligence, qualifying scenarios and directing the exercise according to the real threat;
- A dedicated Red Team, in charge of end-to-end operational execution (RECON → IN → THROUGH → OUT), in compliance with the defined rules of engagement. It also has extensive experience in bypassing detection mechanisms and in Purple Team work with Blue Teams (whether our own SOC or external SOC/CSIRT setups) in order to transform findings into concrete improvements.
This separation allows us to respect the “threat-led” spirit: intelligence directs the attack, and the attack produces concrete and actionable lessons.

4) Our tips for preparing for a DORA TLPT exercise
- Control Team (White Team) / steering team: to be made available throughout the exercise (the framework imposes numerous checkpoints, typically a daily meeting during the Red Team phase), with profiles having a good knowledge of the information system (particularly to confirm the impact of flags), able to anticipate and obtain “leg-ups” if necessary, while preserving the confidentiality of the exercise.
- Objectives (“flags”): to be defined in accordance with the critical functions.
- “Leg-ups”: to be anticipated and provided quickly, while maintaining the confidentiality of the exercise.
- Advance preparation: framework, rules of engagement, stop conditions, risk management, availability of stakeholders.
- Rely on proven expertise in these exercises: running a TLPT requires specific experience to meet the regulator's requirements (on CTI, Red Team execution and exercise conduct alike) while maintaining a controlled level of risk.

Would you like to prepare for a TLPT (within a DORA framework or via a TIBER/TIBER-like approach), or to obtain information about our CTI and Red Team offers?
Let's organize an exchange with our CTI / Red Team experts to qualify your context, your objectives and the most suitable format.
