Cloud giants embrace threat-led pen testing as DORA nears

As financial services firms across the EU, and beyond, are gradually preparing for the Digital Operational Resilience Act (DORA), coming into force in January 2025, experts scrutinise what impact this will have on QA testing practices at some of the biggest banks and other finance firms across the continent.

Industry insiders are increasingly concluding that DORA will force the finserv space to test more often and to run deeper tests.

DORA’s goal is to strengthen the cybersecurity and digital resilience of the European financial sector.

The EU wants to ensure that a critical ICT supplier to one of those financial institutions cannot pose a threat that could bring down that institution or lead to a cascade that threatens the entire European financial sector.

“DORA aims to address the risks associated with an industry that has largely become digital throughout the whole sector, and increasingly has a reliance, and a deepening dependency on third-party infrastructure and service providers,” said Stuart English, an analyst and principal consultant at digital consultancy firm Synechron.

The London-based technologist, who specialises in regulatory change and compliance, stressed that “DORA also introduces new regulatory requirements on these ICT service providers, and direct supervision for those that are designated as a ‘critical third-party provider’.”

Due to go into effect on January 25 of next year, DORA will mandate that any critical third-party vendor providing information communications technology (ICT)-related services will need to undergo threat-led penetration testing to test their cybersecurity and organizational resilience.

Threat-led pen testing

TLPT is a way to stress test an organization’s cyber readiness and organizational resilience. The process lets enterprises view their own organizations through the eyes of bad actors trying to attack them.

In preparation for DORA, English pointed out that Google outlined in a recent blog the steps the digital giant plans to take to help its customers with DORA readiness.

This is relevant since hundreds of financial services firms, such as banks, insurance companies and other finance houses use Google’s cloud services.


“This includes updated contract terms, addressing the key contractual provisions in [Google’s] Article 30, commitment to align with incident reporting requirements, including time frames, and participation in Threat-Led Penetration Testing (TLPT) by facilitating pooled testing by an external tester.”

Pooled testing in particular stands out, English added.

And Google is not the only one. Amazon Web Services (AWS) seems to follow the same line.

“Their response also outlined a preference for the use of pooled testing for TLPT as a means to minimize risk and enhance IT resource efficiency,” English said.

AWS also proposed an extension to the timeline for initial major ICT-related incident reporting from four to twenty-four hours to align with other major cybersecurity regulations.

In line with Google and AWS, Microsoft has issued similar guidance.

“It provides guidance on the approach they have taken to strengthen operational resilience and manage concentration risk, incorporating multiple existing and upcoming regulations including DORA,” English said.

“Firms can then search for the areas in their respective business categories most vulnerable to attack,” he explained.


“Google advocates pooled testing as the most effective way to test while managing inherent risks in a multi-tenant environment.”

– Stuart English

Sean Oldham, chief information security officer at Broadcom, the California-headquartered technology giant, since November 2013, largely agrees with English.

“Hope for the best, prepare for the worst. The best way to defend against attack threats is to think like an attacker,” Oldham stated, warning firms to ramp up their penetration testing efforts.

“The attackers might include a designated internal team, or a third party hired to conduct the attack,” Oldham warned.

“What’s more, TLPT is a common practice undertaken by many enterprises that’s often required by contractual obligation to their customers. It’s an effective, proven strategy for discovering security vulnerabilities.”

Internal and external testers

Oldham stressed it is important to have both internal and external testers.

“I support having a second pair of unbiased eyes to help find vulnerabilities before the bad guys locate them first,” he said.

“I even invite the testers to try and hack our organization using whatever means they can, phishing, IP theft, injecting malware. And if they can’t seem to get anywhere, we’ll go further and give them some breadcrumbs to follow to see if they get anywhere with those hints. Bottom line, we want to create attack scenarios strong enough to offer true tests to our cyber defences.”

As noted above, the EU’s concern is that a critical ICT supplier to a financial institution could bring down that institution or trigger a cascade that threatens the entire European financial sector.


“That’s why DORA mandates that EU regulators conduct threat-led penetration testing every three years on these institutions and their critical ICT providers,” Oldham stated.

One challenge is that organizations still don’t know if they will be considered critical by the EU, since the technical specifications and criteria for what will be considered critical are still not finalized.

“And if they are deemed critical, it’s also unclear exactly what elements of their operations the enterprises will need to submit to TLPT testing,” Oldham noted.

“This uncertainty adds to the potential costs, resources, and overall disruption to businesses that the TLPT may create.”

He added that “typically, what I prefer to call ‘smart pen testing’ is limited to specific aspects of an enterprise business. But the EU could decide to widen that focus.”

Oldham noted this could cause significant difficulties for organizations that may not have the resources to respond to the test requirements. “The longer the time required, the more the costs and resources.”


“Questions remain about the scope, timing, and details of the tests.”

Sean Oldham

When it comes to the TLPT testing methodology, Oldham said “the way ahead is opaque. The EU might accept prior penetration tests already performed in lieu of new ones.”

The EU appears to have a clear preference for relying on the European Framework for Threat Intelligence-based Ethical Red Teaming (TIBER-EU) as the TLPT standard methodology, he pointed out.

“But there are some issues with this approach, beginning with the fact that there is a limited number of certified TIBER testers available to conduct those tests.”

Finally, given the sheer number of tests, it’s possible the EU will allow other TLPT-certified testing organisations, with testing methodologies like TIBER, to perform the tests.

“But again, that is not a certainty. Another possibility is that the EU might accept prior penetration tests already performed in lieu of new ones,” Oldham concluded.

This remains to be seen, as the enforcement of DORA will be overseen by national regulators within each EU member state, with the power to impose penalties for non-compliance. Critical ICT third-party providers will be directly supervised by lead overseers from the European Supervisory Authorities.

Moreover, DORA also encourages voluntary information sharing among financial entities regarding the emerging landscape of cyber threats.
