
Threat-Led Penetration Testing

Simulated cyber attacks based on real threat scenarios: Find out how secure your systems really are with threat-led penetration tests (TLPTs)!

Illustration: a computer from which tentacles emerge and attack the surrounding servers

Threat-Led Penetration Tests (TLPTs) – realistic testing of your entire IT infrastructure

The limitations of traditional penetration tests

Normal penetration tests have one problem: they are often very limited in their scope and the time available. They are well suited for assessing the security of a single system, but cannot provide any information about the overall security of a company. Vulnerabilities can be overlooked because there is no time for in-depth analysis or because certain systems and components are defined as out of scope. This can lead to a false sense of security.

The difference between TLPTs and classic penetration tests

Red teaming or TLPTs are the best approach for assessing the overall security of a company. TLPTs are tests with a very broad scope that are not limited to specific systems. The testers use all means at their disposal to circumvent security measures – from phishing campaigns to physical access. In addition, these tests take a “threat-led” approach: based on threat intelligence gathered in advance, the attack methods most likely to be used against your company and industry are carried out. This makes these tests the best way to stay one step ahead of malicious attackers. In addition, TLPTs will become mandatory for several industries under the EU DORA Regulation.


How you benefit from TLPTs


Our experts know both sides – how attackers operate and what challenges defenders face.

Illustration: the red teamer as a profile picture

In our work in digital forensics, we unfortunately see it all too often: companies are completely encrypted, despite extensive security measures and expensive EDR solutions. Unfortunately, the devil is in the details: an unconsidered attack vector can lead to disaster. That's why we recommend that especially our larger customers conduct regular red teaming exercises: only a comprehensive and realistic attack can uncover such gaps.


Process of a threat-led penetration test


Step 1: Joint planning

The first step is to plan the test jointly: us as the red team, and a white team on your side. The white team should consist of key decision-makers who observe the test and manage risk. They are the only people within the company who know that a test is taking place. During the test, they can observe the reactions of the blue team and other departments.

Together, and based on a previous threat intelligence report, we determine the scope and objectives of the test. We also take into account the requirements of the financial supervisory authority and follow the requirements of the TIBER-DE framework.


Step 2: Conducting the test

Conducting the test can be roughly divided into two phases. The test begins with an information gathering phase, in which the red team learns as much as possible about the company being tested – be it externally accessible systems, available access data from data leaks, or potential access to buildings.

Based on this information and the predefined objectives, various attacks are then carried out in the second phase. Not only the success of the attacks is evaluated, but also the response of the blue team. Which attacks were noticed? Were they contained in time? The white team has a controlling function here and, together with the red team, ensures that the attacks do not cause any real damage.

Once the defined objectives have been achieved or a specified period of time has elapsed, the test is terminated.


Step 3: Follow-up

After the test, it is often a good idea to carry out purple teaming. This means bringing the red team and blue team together around one table. Here, the attack and defense measures can be discussed, particularly interesting scenarios can be played through again, and mutual feedback can be exchanged.

In addition, the red team writes a detailed report listing all vulnerabilities found, reactions observed, and recommendations for action to increase security.
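The evaluation described above ("Which attacks were noticed? Were they contained in time?") is easiest to make concrete when the red team's action log and the blue team's alert and containment records are correlated during the purple-teaming session and turned into numbers for the report. The following script is an added example and not the provider's own tooling: it scores each red-team action for detection and containment time and flags the finding a report should lead with, an objective reached without anyone noticing. Both logs, the action ids and all timestamps are constructed for illustration; the mapping of blue-team records to red-team actions is assumed to have been agreed in the purple-teaming session.

```python
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, List, Optional


@dataclass
class RedAction:
    """One entry from the red team's own action log (constructed sample)."""
    action_id: str
    started: datetime
    description: str
    objective_reached: bool   # did this step achieve a pre-agreed test objective?


@dataclass
class BlueEvent:
    """One blue-team record, mapped to a red action during purple teaming (constructed)."""
    kind: str                 # "alert" or "contained"
    at: datetime
    linked_action: str        # RedAction.action_id this record refers to


@dataclass
class ActionScore:
    action_id: str
    description: str
    detected: bool
    minutes_to_detect: Optional[float]
    minutes_to_contain: Optional[float]
    objective_reached: bool


def _ts(s: str) -> datetime:
    return datetime.fromisoformat(s)


# Constructed sample logs: ids, descriptions and timestamps are invented.
RED_LOG: List[RedAction] = [
    RedAction("A1", _ts("2024-03-04T09:00:00"), "phishing e-mail to helpdesk mailbox", False),
    RedAction("A2", _ts("2024-03-04T11:30:00"), "remote login with credentials from a data leak", True),
    RedAction("A3", _ts("2024-03-05T14:00:00"), "tailgating into the server room", True),
]
BLUE_LOG: List[BlueEvent] = [
    BlueEvent("alert", _ts("2024-03-04T09:20:00"), "A1"),
    BlueEvent("contained", _ts("2024-03-04T10:05:00"), "A1"),
    BlueEvent("alert", _ts("2024-03-04T18:45:00"), "A2"),
    # no record for A3: the physical intrusion was never noticed
]


def score_actions(red: List[RedAction], blue: List[BlueEvent]) -> List[ActionScore]:
    """For each red action, take the first alert and the first containment record
    that the blue team linked to it and that is not older than the action itself."""
    scores: List[ActionScore] = []
    for a in red:
        alerts = [e.at for e in blue
                  if e.linked_action == a.action_id and e.kind == "alert" and e.at >= a.started]
        contained = [e.at for e in blue
                     if e.linked_action == a.action_id and e.kind == "contained" and e.at >= a.started]
        first_alert = min(alerts) if alerts else None
        first_contain = min(contained) if contained else None
        scores.append(ActionScore(
            action_id=a.action_id,
            description=a.description,
            detected=first_alert is not None,
            minutes_to_detect=(first_alert - a.started).total_seconds() / 60 if first_alert else None,
            minutes_to_contain=(first_contain - a.started).total_seconds() / 60 if first_contain else None,
            objective_reached=a.objective_reached,
        ))
    return scores


def summarize(scores: List[ActionScore]) -> Dict[str, object]:
    """The figures and findings a follow-up report would lead with."""
    detected = [s for s in scores if s.detected]
    contained = [s for s in scores if s.minutes_to_contain is not None]
    return {
        "actions": len(scores),
        "detection_rate": len(detected) / len(scores) if scores else 0.0,
        "mean_minutes_to_detect": (sum(s.minutes_to_detect for s in detected) / len(detected)) if detected else None,
        "mean_minutes_to_contain": (sum(s.minutes_to_contain for s in contained) / len(contained)) if contained else None,
        # most serious finding: an objective was reached and nobody noticed
        "silent_objectives": [s.action_id for s in scores if s.objective_reached and not s.detected],
        # noticed, but never contained within the test window
        "detected_not_contained": [s.action_id for s in scores if s.detected and s.minutes_to_contain is None],
    }


if __name__ == "__main__":
    result = score_actions(RED_LOG, BLUE_LOG)
    for s in result:
        print(s)
    print(summarize(result))
```

On the constructed sample the summary reports a detection rate of two out of three actions, one action that was detected but never contained, and one reached objective (A3) with no blue-team record at all, which is exactly the kind of gap the follow-up report and the purple-teaming discussion should concentrate on.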


Preparation for TLPTs

In addition to conducting TLPTs, we also offer preparation for them. In joint workshops, we evaluate the status of your IT security measures, develop necessary measures, and test specific scenarios. This allows you to improve your IT security in the long term and put yourself in a good position for future tests by regulatory authorities.


FAQ: Frequently asked questions about threat-led penetration testing

Who should perform TLPTs?

Basically, TLPTs and red teaming in general are available to any company that has already invested in IT security. These tests are the best answer to the questions: Is my company safe from cyberattacks? How will my blue team respond in an emergency?

TLPTs are particularly relevant for the insurance and financial sectors. According to EU Regulation 2022/2554 (DORA), many companies in these sectors are required to conduct TLPTs. We offer assistance in preparing for these tests as well as in conducting them.

Will a TLPT affect my operations?

No. Before the test begins, clear rules and objectives are agreed upon, which the testers must adhere to. Exploits are carried out in consultation with the white team and, as far as possible, in a non-destructive manner. The aim is to demonstrate, not to destroy.

How is the security of my data guaranteed?

Our testers are bound by NDAs and take their responsibilities very seriously. Upon agreement, we are prepared to work on provided systems so that critical data obtained never leaves your systems.

For whom are TLPTs mandatory?

The EU's DORA Regulation requires all financial and insurance companies in the EU, as well as their IT service providers, to establish a risk-based, proportionate testing program for their IT and communication systems.

In addition, some of these companies are required to conduct extended testing in the form of TLPTs. The selection for this depends on quantitative criteria such as the impact on the financial sector and is made in Germany by BaFin.

(Source [German])
Illustration: the red teamer plugging a USB stick into a server

We are ready – are you?

Let's test your systems together and close any security gaps!