Threat-led penetration testing

Preamble (Recitals 1 – 29)

Recitals

Chapter I (Article 1)

General provisions

Article 1

Definitions

Chapter II (Article 2)

Criteria to identify financial entities required to perform TLPT

Article 2

Identification of financial entities required to perform TLPT

Chapter III (Articles 3 – 12)

Requirements regarding test scope, testing methodology and results of TLPT

Section I

Testing methodology

Article 3

TCT and TLPT Test Managers

Article 4

Organisational arrangements for financial entities

Article 5

Risk management for TLPT

Article 6

Risk management for pooled and joint TLPTs

Section II

Testing process

Article 7

Specificities for pooled and joint TLPTs

Article 8

Preparation phase

Article 9

Testing phase: Threat intelligence

Article 10

Testing phase: Red Team Test

Article 11

Closure phase

Article 12

Remediation plan

Chapter IV (Article 13)

Requirements and standards governing the use of internal testers

Article 13

Use of internal testers

Chapter V (Articles 14 – 15)

Cooperation and mutual recognition and final provisions

Article 14

Cooperation

Article 15

Entry into force and application

Article 9Note: This article is based on the final draft from the ESAs and is not yet adopted. Testing phase: Threat intelligence

  1. Following approval of the scope specification document by the TLPT(threat-led penetration testing) a framework that mimics the tactics, techniques and procedures of real-life threat actors perceived as posing a genuine cyber threat, that delivers a controlled, bespoke, intelligence-led (red team) test of the financial entity’s critical live production systems authority, the threat intelligencemeans information that has been aggregated, transformed, analysed, interpreted or enriched to provide the necessary context for decision-making and to enable relevant and sufficient understanding in order to mitigate the impact of an ICT-related incident or of a cyber threat, including the technical details of a cyber-attack, those responsible for the attack and their modus operandi and motivations; provider shall analyse generic and sector-specific threat intelligencemeans information that has been aggregated, transformed, analysed, interpreted or enriched to provide the necessary context for decision-making and to enable relevant and sufficient understanding in order to mitigate the impact of an ICT-related incident or of a cyber threat, including the technical details of a cyber-attack, those responsible for the attack and their modus operandi and motivations; relevant for the financial entity. The threat intelligencemeans information that has been aggregated, transformed, analysed, interpreted or enriched to provide the necessary context for decision-making and to enable relevant and sufficient understanding in order to mitigate the impact of an ICT-related incident or of a cyber threat, including the technical details of a cyber-attack, those responsible for the attack and their modus operandi and motivations; provider shall identify cyber threatsmeans ‘cyber threat’ as defined in Article 2, point (8), of Regulation (EU) 2019/881; and existing or potential vulnerabilitiesmeans a weakness, susceptibility or flaw of an asset, system, process or control that can be exploited; concerning the financial entity. Furthermore, the threat intelligencemeans information that has been aggregated, transformed, analysed, interpreted or enriched to provide the necessary context for decision-making and to enable relevant and sufficient understanding in order to mitigate the impact of an ICT-related incident or of a cyber threat, including the technical details of a cyber-attack, those responsible for the attack and their modus operandi and motivations; provider shall gather information on, and analyse concrete, actionable and contextualized target and threat intelligencemeans information that has been aggregated, transformed, analysed, interpreted or enriched to provide the necessary context for decision-making and to enable relevant and sufficient understanding in order to mitigate the impact of an ICT-related incident or of a cyber threat, including the technical details of a cyber-attack, those responsible for the attack and their modus operandi and motivations; concerning the financial entity, including through consulting the control team and the test managers.

  2. The threat intelligencemeans information that has been aggregated, transformed, analysed, interpreted or enriched to provide the necessary context for decision-making and to enable relevant and sufficient understanding in order to mitigate the impact of an ICT-related incident or of a cyber threat, including the technical details of a cyber-attack, those responsible for the attack and their modus operandi and motivations; provider shall present the relevant threats and targeted threat intelligencemeans information that has been aggregated, transformed, analysed, interpreted or enriched to provide the necessary context for decision-making and to enable relevant and sufficient understanding in order to mitigate the impact of an ICT-related incident or of a cyber threat, including the technical details of a cyber-attack, those responsible for the attack and their modus operandi and motivations;, and propose appropriate scenarios to the control team, testers and test managers. The proposed scenarios shall differ with reference to the identified threat actors and associated tactics, techniques and procedures and shall target each and every critical or important functionsmeans a function, the disruption of which would materially impair the financial performance of a financial entity, or the soundness or continuity of its services and activities, or the discontinued, defective or failed performance of that function would materially impair the continuing compliance of a financial entity with the conditions and obligations of its authorisation, or with its other obligations under applicable financial services law; in the scope of the TLPT(threat-led penetration testing) a framework that mimics the tactics, techniques and procedures of real-life threat actors perceived as posing a genuine cyber threat, that delivers a controlled, bespoke, intelligence-led (red team) test of the financial entity’s critical live production systems.

  3. The control team lead shall select at least three scenarios to conduct the TLPT(threat-led penetration testing) a framework that mimics the tactics, techniques and procedures of real-life threat actors perceived as posing a genuine cyber threat, that delivers a controlled, bespoke, intelligence-led (red team) test of the financial entity’s critical live production systems, on the basis of all of the following elements:

    1. the recommendation by the threat intelligencemeans information that has been aggregated, transformed, analysed, interpreted or enriched to provide the necessary context for decision-making and to enable relevant and sufficient understanding in order to mitigate the impact of an ICT-related incident or of a cyber threat, including the technical details of a cyber-attack, those responsible for the attack and their modus operandi and motivations; provider and the threat-led nature of each scenario;

    2. the input provided by the test managers;

    3. the feasibility of the proposed scenarios for execution, based on the expert judgement of the testers;

    4. the size, complexity and overall risk profile of the financial entity and the nature, scale and complexity of its services, activities and operations.

  4. No more than one of the selected scenarios may be non-threat-led and may be based on a forward looking and potentially fictive threat with high predictive, anticipative, opportunistic or prospective value given the anticipated developments of the threat landscape concerning the financial entity.

    For pooled TLPTs(threat-led penetration testing) a framework that mimics the tactics, techniques and procedures of real-life threat actors perceived as posing a genuine cyber threat, that delivers a controlled, bespoke, intelligence-led (red team) test of the financial entity’s critical live production systems, without prejudice to the scenarios targeting directly the critical or important functionsmeans a function, the disruption of which would materially impair the financial performance of a financial entity, or the soundness or continuity of its services and activities, or the discontinued, defective or failed performance of that function would materially impair the continuing compliance of a financial entity with the conditions and obligations of its authorisation, or with its other obligations under applicable financial services law; of the financial entitiesas defined in Article 2, points (a) to (t) involved in the test, at least one scenario shall include the ICT third-party services provider’s relevant underlying ICT systems, processes and technologies supporting the critical or important functionsmeans a function, the disruption of which would materially impair the financial performance of a financial entity, or the soundness or continuity of its services and activities, or the discontinued, defective or failed performance of that function would materially impair the continuing compliance of a financial entity with the conditions and obligations of its authorisation, or with its other obligations under applicable financial services law; of the financial entitiesas defined in Article 2, points (a) to (t) in scope.

    Where the test is a joint TLPT(threat-led penetration testing) a framework that mimics the tactics, techniques and procedures of real-life threat actors perceived as posing a genuine cyber threat, that delivers a controlled, bespoke, intelligence-led (red team) test of the financial entity’s critical live production systems involving an ICT intra-group service providermeans an undertaking that is part of a financial group and that provides predominantly ICT services to financial entities within the same group or to financial entities belonging to the same institutional protection scheme, including to their parent undertakings, subsidiaries, branches or other entities that are under common ownership or control;, without prejudice to the scenarios targeting directly the critical or important functionsmeans a function, the disruption of which would materially impair the financial performance of a financial entity, or the soundness or continuity of its services and activities, or the discontinued, defective or failed performance of that function would materially impair the continuing compliance of a financial entity with the conditions and obligations of its authorisation, or with its other obligations under applicable financial services law; of the financial entitiesas defined in Article 2, points (a) to (t) involved in the test, at least one scenario shall include the ICT intragroup services provider’s relevant underlying ICT systems, processes and technologies supporting the critical or important functionsmeans a function, the disruption of which would materially impair the financial performance of a financial entity, or the soundness or continuity of its services and activities, or the discontinued, defective or failed performance of that function would materially impair the continuing compliance of a financial entity with the conditions and obligations of its authorisation, or with its other obligations under applicable financial services law; of the financial entitiesas defined in Article 2, points (a) to (t) in scope.

  5. The threat intelligencemeans information that has been aggregated, transformed, analysed, interpreted or enriched to provide the necessary context for decision-making and to enable relevant and sufficient understanding in order to mitigate the impact of an ICT-related incident or of a cyber threat, including the technical details of a cyber-attack, those responsible for the attack and their modus operandi and motivations; provider shall provide the targeted threat intelligencemeans information that has been aggregated, transformed, analysed, interpreted or enriched to provide the necessary context for decision-making and to enable relevant and sufficient understanding in order to mitigate the impact of an ICT-related incident or of a cyber threat, including the technical details of a cyber-attack, those responsible for the attack and their modus operandi and motivations; report to the control team, including the scenarios selected according to paragraphs 2 to 4. The threat intelligencemeans information that has been aggregated, transformed, analysed, interpreted or enriched to provide the necessary context for decision-making and to enable relevant and sufficient understanding in order to mitigate the impact of an ICT-related incident or of a cyber threat, including the technical details of a cyber-attack, those responsible for the attack and their modus operandi and motivations; report shall include the information set out in Annex III.

  6. The control team shall submit the targeted threat intelligencemeans information that has been aggregated, transformed, analysed, interpreted or enriched to provide the necessary context for decision-making and to enable relevant and sufficient understanding in order to mitigate the impact of an ICT-related incident or of a cyber threat, including the technical details of a cyber-attack, those responsible for the attack and their modus operandi and motivations; report to the test manager for approval. Where the targeted threat intelligencemeans information that has been aggregated, transformed, analysed, interpreted or enriched to provide the necessary context for decision-making and to enable relevant and sufficient understanding in order to mitigate the impact of an ICT-related incident or of a cyber threat, including the technical details of a cyber-attack, those responsible for the attack and their modus operandi and motivations; report is complete and ensure the performance of an effective TLPT(threat-led penetration testing) a framework that mimics the tactics, techniques and procedures of real-life threat actors perceived as posing a genuine cyber threat, that delivers a controlled, bespoke, intelligence-led (red team) test of the financial entity’s critical live production systems, the TLPT(threat-led penetration testing) a framework that mimics the tactics, techniques and procedures of real-life threat actors perceived as posing a genuine cyber threat, that delivers a controlled, bespoke, intelligence-led (red team) test of the financial entity’s critical live production systems authority shall inform the control team lead of its approval thereof.

Table of contents