Jul 17, 2024

Digital Operational Resilience Testing (part of DORA) – What to Expect?

A critical infrastructure company that operates gas storage and distribution faces a serious cybersecurity threat, so it engages a penetration test team to assess the company’s security posture. The testers uncover a critical remote code execution (RCE) vulnerability in the company’s main website, which is connected to its Active Directory environment. Such a vulnerability could give attackers unauthorized access to the SCADA system and, with it, control over gas storage facilities.

The pentesters quickly identified and patched the vulnerability, preventing potentially catastrophic consequences, such as disruptions to the gas supply or even dangerous safety incidents. This incident underscores the essential role of proactive cybersecurity measures and the importance of regular penetration testing to identify and mitigate vulnerabilities before they can be exploited. Regulatory bodies are working to ensure organizations are prepared to defend against such risks. The European Union established the Digital Operational Resilience Act (DORA) to enhance cybersecurity and operational resilience in the financial sector.

This article will delve into Digital Operational Resilience Testing, a key component of DORA. You will learn about the reasons behind this regulatory framework, the testing process, and how it benefits your organization.

What is DORA?

The Digital Operational Resilience Act (DORA) is a regulatory framework established by the EU to strengthen financial institutions’ cybersecurity and operational resilience. DORA mandates comprehensive threat-led penetration testing (TLPT) to ensure these institutions can withstand, respond to, and recover from cyber threats. By implementing DORA, the EU aims to protect the financial system from disruptions caused by cyber incidents, thereby safeguarding the stability and integrity of financial services.


Key components of DORA operational resilience testing

  1. Governance and risk management: This focuses on establishing clear policies, roles, and responsibilities for managing ICT (Information and Communication Technology) risks. It ensures leadership actively oversees and prioritizes operational resilience.
  2. ICT risk management: Here, the focus is on identifying, assessing, and mitigating risks specific to IT systems and processes. This includes vulnerability assessments, penetration testing, and security incident response planning.
  3. Incident management testing: This involves testing the organization’s ability to detect, respond to, and recover from cyber incidents. Regular drills ensure a smooth and effective response during real-world situations.
  4. Threat-led penetration testing (TLPT): Unlike traditional pentesting, TLPT simulates real-world attacker tactics to identify and exploit vulnerabilities as cybercriminals would. This provides a more realistic picture of your security posture.

  5. Third-party risk management: DORA recognizes the importance of managing risks associated with third-party vendors who provide critical services. This includes assessing their security practices and ensuring they meet DORA compliance standards.

Steps in the DORA operational resilience testing process

The Digital Operational Resilience Act (DORA) mandates a comprehensive testing process for financial institutions. Here’s a breakdown of the key steps:

  1. Preparation and planning:
    • Define the scope and objectives of the testing program.
    • Identify critical systems, processes, and third-party dependencies.
    • Establish roles and responsibilities for testing activities.
  2. Risk assessment:
    • Identify potential threats and vulnerabilities across IT infrastructure.
    • Analyze the likelihood and impact of each risk scenario.
    • Prioritize risks based on severity and exploitability.
  3. Implementation of testing:
    • Conduct vulnerability scanning and penetration testing.
    • Simulate cyberattacks through Threat-Led Penetration Testing (TLPT).
    • Test incident response plans and communication protocols.
    • Assess the effectiveness of third-party risk management practices.
  4. Evaluation and analysis:
    • Analyze test results to identify weaknesses and areas for improvement.
    • Evaluate the effectiveness of existing security controls.
    • Assess the organization’s overall operational resilience posture.
  5. Reporting and remediation:
    • Create comprehensive reports documenting test findings and recommendations.
    • Develop a clear action plan for remediating vulnerabilities and improving resilience.
    • Track progress towards achieving DORA compliance requirements.

Understanding of TLPT as a key step for DORA

TLPT, or Threat-Led Penetration Testing, involves a team of ethical hackers simulating the tactics of real cybercriminals. They’ll strategically target your systems, processes, and even your employees, mimicking genuine attack scenarios. That’s the core idea behind TLPT. It’s a security assessment that goes beyond just identifying vulnerabilities – it considers the entire attack landscape, giving you a more complete picture of your security posture.

Why does the EU require TLPT (Threat-Led Penetration Testing)?

Russian and other foreign hackers are a real threat to businesses and the government sector—one that can’t be underestimated anymore. The European Union mandates Threat-Led Penetration Testing (TLPT) through the Digital Operational Resilience Act (DORA) to strengthen the cybersecurity posture of financial institutions.

What is the difference between Threat-Led Penetration Testing and Penetration Testing?

Penetration testing: Traditionally focuses on identifying and reporting vulnerabilities and security gaps within specific systems, applications, or network segments in order to uncover technical weaknesses and risks.

Threat-led penetration testing: Focuses on a mission. The goal is not just to discover bugs, vulnerabilities, and misconfigurations but to exploit them and show how an attacker could breach an entire organization’s infrastructure, including its people, processes, and technologies. This provides a more comprehensive view of the potential consequences.


Main missions for Red Team in the Threat-Led Penetration Testing

  • Living off the land – simulate an attacker who leverages legitimate tools and resources already available within the target organization’s environment to achieve their goals. This might involve exploiting misconfigurations in internal tools, compromising low-privileged accounts to gain a foothold, or abusing legitimate functionalities for malicious purposes.
  • Social engineering – successfully compromising a user account through social engineering techniques and leveraging that access to move laterally within the network or achieve other objectives.
  • Cloud-based attacks – gaining unauthorized access to sensitive data stored in the cloud, compromising cloud workloads, or disrupting cloud-based services critical for the organization’s operations.
  • Escalate privileges and move laterally (Insider Threat Simulation) – simulate an insider threat scenario where a compromised user account with limited privileges is used as the initial access point.
  • Advanced Persistent Threat (APT) simulations – simulate a long-term, targeted attack campaign mimicking the tactics, techniques, and procedures (TTPs) of a sophisticated APT group. This might involve a multi-stage attack leveraging various techniques like social engineering, watering hole attacks, and zero-day exploits to achieve a specific objective, such as stealing intellectual property or disrupting critical infrastructure.

It is important to know that during a TLPT, the Red Team not only identifies security vulnerabilities but may also come across evidence of a real hacker group already active in the environment, for example anomalies noticed while exploiting the same weaknesses. The power of TLPT lies in proactive vulnerability detection, making your systems more secure against any attacker, not just the one currently present.

What is included in Threat-Led Penetration Testing

  • Vulnerability assessments and scans: These techniques identify known weaknesses in systems, applications, and network configurations.
  • Network compromise assessment: Tests the security posture of the network infrastructure, including firewalls, intrusion detection systems, and network segmentation.
  • Gap analyses: Uncover areas where security controls might be lacking or not functioning as intended, and create a plan to improve the security of the entire IT infrastructure.
  • Scenario-based tests: Simulate specific attack scenarios based on real-world threats and attacker behaviors. The key is realism. The scenarios should mirror how real attackers operate, pinpointing the weaknesses most likely to be exploited in an actual attack. This targeted approach helps identify and fix the most critical security risks.
  • Penetration testing: Ethical hackers utilize their expertise to simulate real-world attacker tactics, techniques, and procedures to actively exploit vulnerabilities and weaknesses across systems, networks, and applications.

The most crucial potential harms TLPT exposes are data breaches, where sensitive information like customer records or financial data could be stolen. This can lead to severe financial losses, reputational damage, and regulatory fines. Additionally, disrupted operations due to system outages or ransomware attacks can significantly impact business continuity and productivity. By proactively addressing these vulnerabilities identified through TLPT, you significantly reduce the risk of these potentially devastating consequences.

Benefits of Threat-Led Penetration Testing

TLPT offers a range of significant benefits for organizations looking to strengthen their security posture:

  • Superior threat detection: TLPT prioritizes vulnerabilities based on real-world attacker tactics, giving a more accurate picture of your organization’s security posture.
  • Enhanced security posture: TLPT helps you focus resources on areas with the greatest impact by identifying control gaps and prioritizing risks.

  • Proactive approach: TLPT adopts a proactive strategy, uncovering vulnerabilities before malicious actors can exploit them.

DORA challenges and considerations

The Digital Operational Resilience Act (DORA) significantly benefits financial institutions and the overall financial system. However, implementing DORA also presents challenges that require careful consideration. Here’s a breakdown of some key points:

Challenges:

  • Complexity: DORA’s wide scope and technical requirements can overwhelm organizations, especially smaller ones with limited resources.
  • Cost: Implementing DORA compliance measures requires technology, personnel, and expertise investment.
  • Integration: Aligning existing security practices with DORA’s framework and integrating them with third-party systems can be complex.
  • Third-party risk management: Effectively assessing and managing security risks associated with third-party vendors can be a significant hurdle.
  • Skilled workforce: Finding and retaining personnel with the expertise needed to implement and maintain DORA compliance can be challenging.

Considerations for success:

  • Phased approach: Break down DORA implementation into manageable phases, prioritizing critical systems and processes first.
  • Cost optimization: Seek cost-effective solutions by leveraging existing tools and outsourcing where feasible.
  • Streamlined processes: Automate testing procedures and integrate DORA compliance into existing workflows.
  • Third-party collaboration: Work closely with your vendors to ensure they meet DORA requirements.
  • Skills development: Invest in training and upskilling your IT and security teams.

How can UnderDefense help you achieve DORA compliance?

UnderDefense understands the challenges associated with DORA compliance. We offer a comprehensive suite of services to help you navigate the process:

  • DORA gap analysis: We identify areas where your current practices fall short of DORA requirements. Our experts will thoroughly assess your existing cybersecurity and operational resilience measures, pinpointing specific gaps and vulnerabilities that must be addressed.
  • Compliance roadmap: We develop a customized plan to achieve and maintain DORA compliance. This roadmap will outline steps, timelines, and resource allocations to ensure your organization meets all regulatory requirements.
  • DORA-compliant testing services: We conduct vulnerability assessments, penetration testing, and incident response drills aligned with DORA. Our pentesters simulate real-world attack scenarios, objectively evaluating your security posture and resilience against cyber threats.
  • Third-party risk management solutions: We assess and manage security risks associated with your vendors to ensure they meet DORA standards and do not introduce additional risks to your organization.
  • Ongoing support: We provide guidance and expertise to ensure your DORA compliance program remains effective. Our team will work with you continuously, offering regular reviews, updates, and training to adapt to evolving threats and regulatory changes.

Conclusion

The Digital Operational Resilience Act (DORA) is a significant step in fortifying financial institutions’ cybersecurity posture. By mandating rigorous testing procedures, DORA ensures these institutions are prepared to withstand cyberattacks and other disruptions.

However, effective cybersecurity goes beyond simply ticking compliance boxes. A critical component of DORA’s testing framework is Threat-Led Penetration Testing (TLPT). It’s a strategic security assessment that provides a realistic picture of your organization’s security resilience by understanding how attackers operate. This comprehensive approach empowers you to:

  • Prioritize security investments.
  • Improve threat detection, recognize visibility gaps, and understand the importance of 24/7 security monitoring (MDR).
  • Ultimately, enhance overall security resilience.

Integrating TLPT into your security strategy means you comply with DORA and significantly elevate your organization’s cybersecurity posture. This proactive and comprehensive approach ensures that you are not just meeting regulatory requirements but are genuinely prepared to protect your critical assets and maintain operational resilience.


FAQ

1. Why is DORA important for businesses?
DORA, or the Digital Operational Resilience Act, is crucial for businesses because it establishes a robust regulatory framework to enhance financial institutions’ cybersecurity and operational resilience. By complying with DORA, businesses can better protect themselves against evolving cyber threats, ensure the continuity of critical services, and maintain the trust of customers and stakeholders.
2. Which organizations are required to comply with DORA?
DORA applies to various financial entities within the European Union, including banks, insurance companies, investment firms, and other financial service providers. Additionally, it impacts third-party ICT service providers that offer services to these financial institutions. Compliance is mandatory to ensure the entire financial ecosystem is resilient against cyber threats.
3. How can businesses prepare for DORA compliance?

To prepare for DORA compliance, businesses should:

  1. Conduct a thorough risk assessment to identify potential vulnerabilities.
  2. Implement robust governance and risk management frameworks.
  3. Regularly conduct Threat-Led Penetration Testing (TLPT) to evaluate security measures.
  4. Develop and maintain comprehensive incident management and response plans.
  5. Ensure third-party vendors and service providers also meet DORA requirements.
