Threat-led penetration testing

Preamble (Recitals 1 – 29)

Recitals

Chapter I (Article 1)

General provisions

Article 1

Definitions

Chapter II (Article 2)

Criteria to identify financial entities required to perform TLPT

Article 2

Identification of financial entities required to perform TLPT

Chapter III (Articles 3 – 12)

Requirements regarding test scope, testing methodology and results of TLPT

Section I

Testing methodology

Article 3

TCT and TLPT Test Managers

Article 4

Organisational arrangements for financial entities

Article 5

Risk management for TLPT

Article 6

Risk management for pooled and joint TLPTs

Section II

Testing process

Article 7

Specificities for pooled and joint TLPTs

Article 8

Preparation phase

Article 9

Testing phase: Threat intelligence

Article 10

Testing phase: Red Team Test

Article 11

Closure phase

Article 12

Remediation plan

Chapter IV (Article 13)

Requirements and standards governing the use of internal testers

Article 13

Use of internal testers

Chapter V (Articles 14 – 15)

Cooperation and mutual recognition and final provisions

Article 14

Cooperation

Article 15

Entry into force and application

Article 5Note: This article is based on the final draft from the ESAs and is not yet adopted. Risk management for TLPT

  1. During the preparation phase referred to in Article 8, the control team shall conduct an assessment of the risks associated with the testing of live production systems of critical or important functionsmeans a function, the disruption of which would materially impair the financial performance of a financial entity, or the soundness or continuity of its services and activities, or the discontinued, defective or failed performance of that function would materially impair the continuing compliance of a financial entity with the conditions and obligations of its authorisation, or with its other obligations under applicable financial services law; of the financial entity, including potential impacts on the financial sector, as well as on financial stability at Union or national level, and shall review it throughout the conduct of the test.

  2. The control team shall take measures to manage the risks referred to in paragraph 1 and in particular shall ensure that, for each TLPT(threat-led penetration testing) a framework that mimics the tactics, techniques and procedures of real-life threat actors perceived as posing a genuine cyber threat, that delivers a controlled, bespoke, intelligence-led (red team) test of the financial entity’s critical live production systems:

    1. the threat intelligencemeans information that has been aggregated, transformed, analysed, interpreted or enriched to provide the necessary context for decision-making and to enable relevant and sufficient understanding in order to mitigate the impact of an ICT-related incident or of a cyber threat, including the technical details of a cyber-attack, those responsible for the attack and their modus operandi and motivations; provider and external testers provide copies of certifications that are appropriate according to recognised market standards for the performance of their activities;

    2. the threat intelligencemeans information that has been aggregated, transformed, analysed, interpreted or enriched to provide the necessary context for decision-making and to enable relevant and sufficient understanding in order to mitigate the impact of an ICT-related incident or of a cyber threat, including the technical details of a cyber-attack, those responsible for the attack and their modus operandi and motivations; provider and external tester are duly and fully covered by relevant professional indemnity insurances, including against risks of misconduct and negligence;

    3. the threat intelligencemeans information that has been aggregated, transformed, analysed, interpreted or enriched to provide the necessary context for decision-making and to enable relevant and sufficient understanding in order to mitigate the impact of an ICT-related incident or of a cyber threat, including the technical details of a cyber-attack, those responsible for the attack and their modus operandi and motivations; provider provides at least three references from previous assignments in the context of penetration testing and red team testing;

    4. the external testers provide at least five references from previous assignments related to penetration testing and red team testing;

    5. the staff of the threat intelligencemeans information that has been aggregated, transformed, analysed, interpreted or enriched to provide the necessary context for decision-making and to enable relevant and sufficient understanding in order to mitigate the impact of an ICT-related incident or of a cyber threat, including the technical details of a cyber-attack, those responsible for the attack and their modus operandi and motivations; provider assigned to the TLPT(threat-led penetration testing) a framework that mimics the tactics, techniques and procedures of real-life threat actors perceived as posing a genuine cyber threat, that delivers a controlled, bespoke, intelligence-led (red team) test of the financial entity’s critical live production systems shall:

      1. be composed of at least a manager with at least five years of experience in threat intelligencemeans information that has been aggregated, transformed, analysed, interpreted or enriched to provide the necessary context for decision-making and to enable relevant and sufficient understanding in order to mitigate the impact of an ICT-related incident or of a cyber threat, including the technical details of a cyber-attack, those responsible for the attack and their modus operandi and motivations; as well as at least one additional member with at least two years of experience in threat intelligencemeans information that has been aggregated, transformed, analysed, interpreted or enriched to provide the necessary context for decision-making and to enable relevant and sufficient understanding in order to mitigate the impact of an ICT-related incident or of a cyber threat, including the technical details of a cyber-attack, those responsible for the attack and their modus operandi and motivations;;

      2. display a broad range and appropriate level of professional knowledge and skills including intelligence gathering tactics, techniques and procedures, geopolitical, technical and sectorial knowledge as well as adequate communication skills to clearly present and report on the result of the engagement.

      3. have a combined participation in at least three previous assignments in threat intelligencemeans information that has been aggregated, transformed, analysed, interpreted or enriched to provide the necessary context for decision-making and to enable relevant and sufficient understanding in order to mitigate the impact of an ICT-related incident or of a cyber threat, including the technical details of a cyber-attack, those responsible for the attack and their modus operandi and motivations; in the context of penetration testing and red team testing;

      4. not simultaneously perform any blue team tasks or other services that may present a conflict of interest with respect to the financial entity, ICT third-party service providermeans an undertaking providing ICT services; or an ICT intra-group service providermeans an undertaking that is part of a financial group and that provides predominantly ICT services to financial entities within the same group or to financial entities belonging to the same institutional protection scheme, including to their parent undertakings, subsidiaries, branches or other entities that are under common ownership or control; involved in TLPT(threat-led penetration testing) a framework that mimics the tactics, techniques and procedures of real-life threat actors perceived as posing a genuine cyber threat, that delivers a controlled, bespoke, intelligence-led (red team) test of the financial entity’s critical live production systems to which they are assigned;

      5. be separated from and not reporting to staff of the same provider providing external testers for the same TLPT(threat-led penetration testing) a framework that mimics the tactics, techniques and procedures of real-life threat actors perceived as posing a genuine cyber threat, that delivers a controlled, bespoke, intelligence-led (red team) test of the financial entity’s critical live production systems;

    6. for external testers, the staff of the red team assigned to the TLPT(threat-led penetration testing) a framework that mimics the tactics, techniques and procedures of real-life threat actors perceived as posing a genuine cyber threat, that delivers a controlled, bespoke, intelligence-led (red team) test of the financial entity’s critical live production systems shall:

      1. be composed of at least a manager, with at least five years of experience in penetration testing and red team testing as well as at least two additional testers, each with penetration testing and red team testing of at least two years;

      2. display a broad range and appropriate level of professional knowledge and skills, including, knowledge about the business of the financial entity, reconnaissance, risk management, exploit development, physical penetration, social engineering, vulnerabilitymeans a weakness, susceptibility or flaw of an asset, system, process or control that can be exploited; analysis, as well as adequate communication skills to clearly present and report on the result of the engagement;

      3. have a combined participation in at least five previous assignments related to penetration testing and red team testing.;

      4. not be employed by, nor provide services to, a provider that simultaneously performs blue team tasks for a financial entity, ICT third-party service providermeans an undertaking providing ICT services; or an ICT intra-group service providermeans an undertaking that is part of a financial group and that provides predominantly ICT services to financial entities within the same group or to financial entities belonging to the same institutional protection scheme, including to their parent undertakings, subsidiaries, branches or other entities that are under common ownership or control; involved in the TLPT(threat-led penetration testing) a framework that mimics the tactics, techniques and procedures of real-life threat actors perceived as posing a genuine cyber threat, that delivers a controlled, bespoke, intelligence-led (red team) test of the financial entity’s critical live production systems;

      5. be separated from any staff of the same provider simultaneously providing threat-intelligence services for the same TLPT(threat-led penetration testing) a framework that mimics the tactics, techniques and procedures of real-life threat actors perceived as posing a genuine cyber threat, that delivers a controlled, bespoke, intelligence-led (red team) test of the financial entity’s critical live production systems.

    7. the testers and the threat intelligencemeans information that has been aggregated, transformed, analysed, interpreted or enriched to provide the necessary context for decision-making and to enable relevant and sufficient understanding in order to mitigate the impact of an ICT-related incident or of a cyber threat, including the technical details of a cyber-attack, those responsible for the attack and their modus operandi and motivations; provider shall carry out restoration procedures at the end of testing, including secure deletion of information related to passwords, credentials and other secret keys compromised during the TLPT(threat-led penetration testing) a framework that mimics the tactics, techniques and procedures of real-life threat actors perceived as posing a genuine cyber threat, that delivers a controlled, bespoke, intelligence-led (red team) test of the financial entity’s critical live production systems, secure communication to the financial entitiesas defined in Article 2, points (a) to (t) of the accounts compromised, secure collection, storage, management, and disposal of data collected;

    8. in addition to the restoration procedures at the end of testing as referred to in point (g), testers shall carry out the following restoration procedures:

      1. command and control deactivation;

      2. scope and date kill switch(es);

      3. removal of backdoors and other malware;

      4. potential breach notification;

      5. procedures for future back-up restauration which may contain malware or tools installed during the test;

      6. monitoring of the blue team activities and information to the control team of any possible detections; and

    9. testers and the threat intelligencemeans information that has been aggregated, transformed, analysed, interpreted or enriched to provide the necessary context for decision-making and to enable relevant and sufficient understanding in order to mitigate the impact of an ICT-related incident or of a cyber threat, including the technical details of a cyber-attack, those responsible for the attack and their modus operandi and motivations; provider are prohibited from the following activities:

      1. unauthorised destruction of equipment of the financial entity and of its ICT third-party service providersmeans an undertaking providing ICT services;, if any;

      2. uncontrolled modification of information and ICT assetsmeans a software or hardware asset in the network and information systems used by the financial entity; of the financial entity and of its ICT third-party service providersmeans an undertaking providing ICT services;, if any;

      3. intentionally compromising the continuity of critical or important functionsmeans a function, the disruption of which would materially impair the financial performance of a financial entity, or the soundness or continuity of its services and activities, or the discontinued, defective or failed performance of that function would materially impair the continuing compliance of a financial entity with the conditions and obligations of its authorisation, or with its other obligations under applicable financial services law; of the financial entity;

      4. unauthorised inclusion of out-of-scope systems;

      5. unauthorised disclosure of test results.

  3. The control team shall keep record of the documentation provided by the testers and the threat intelligencemeans information that has been aggregated, transformed, analysed, interpreted or enriched to provide the necessary context for decision-making and to enable relevant and sufficient understanding in order to mitigate the impact of an ICT-related incident or of a cyber threat, including the technical details of a cyber-attack, those responsible for the attack and their modus operandi and motivations; providers to evidence compliance with the points (a) to (f) above, including detailed curriculum vitae of the staff of the external tester and of the threat intelligencemeans information that has been aggregated, transformed, analysed, interpreted or enriched to provide the necessary context for decision-making and to enable relevant and sufficient understanding in order to mitigate the impact of an ICT-related incident or of a cyber threat, including the technical details of a cyber-attack, those responsible for the attack and their modus operandi and motivations; provider employed for the TLPT(threat-led penetration testing) a framework that mimics the tactics, techniques and procedures of real-life threat actors perceived as posing a genuine cyber threat, that delivers a controlled, bespoke, intelligence-led (red team) test of the financial entity’s critical live production systems.

    In exceptional circumstances, financial entitiesas defined in Article 2, points (a) to (t) may contract external testers and threat intelligencemeans information that has been aggregated, transformed, analysed, interpreted or enriched to provide the necessary context for decision-making and to enable relevant and sufficient understanding in order to mitigate the impact of an ICT-related incident or of a cyber threat, including the technical details of a cyber-attack, those responsible for the attack and their modus operandi and motivations; providers that are not meeting one or more of the requirements listed in points (a) to (f) of paragraph 2, provided that they adopt appropriate measures to mitigate the risks relating to the lack of compliance with such points and record them.

  4. In the performance of risk assessment and management, the control team shall at least consider the following types of risks related to:

    1. granting access to threat intelligencemeans information that has been aggregated, transformed, analysed, interpreted or enriched to provide the necessary context for decision-making and to enable relevant and sufficient understanding in order to mitigate the impact of an ICT-related incident or of a cyber threat, including the technical details of a cyber-attack, those responsible for the attack and their modus operandi and motivations; provider and external testers, where applicable, to sensitive information and confidential information on the financial entity;

    2. lack of compliance of the TLPT(threat-led penetration testing) a framework that mimics the tactics, techniques and procedures of real-life threat actors perceived as posing a genuine cyber threat, that delivers a controlled, bespoke, intelligence-led (red team) test of the financial entity’s critical live production systems with Regulation (EU) 2022/2554 and with this Regulation resulting in lack of the attestation referred to in Article 26(7) of Regulation (EU) 2022/2554, including where due to breaches of confidentiality on the TLPT(threat-led penetration testing) a framework that mimics the tactics, techniques and procedures of real-life threat actors perceived as posing a genuine cyber threat, that delivers a controlled, bespoke, intelligence-led (red team) test of the financial entity’s critical live production systems or to lack of ethical conduct;

    3. crisis and incident escalation;

    4. active red team phase, including risks related to interruption of critical activities and corruption of data due to the activities of the testers and potential impacts on third parties;

    5. blue team activity, including risks related to interruption of critical activities and corruption of data due to the activities of the blue team and potential impacts on third parties;

    6. incomplete restoration of systems affected by the TLPT(threat-led penetration testing) a framework that mimics the tactics, techniques and procedures of real-life threat actors perceived as posing a genuine cyber threat, that delivers a controlled, bespoke, intelligence-led (red team) test of the financial entity’s critical live production systems.

Table of contents