The International Monetary Fund estimates that in the past two decades, nearly one-fifth of reported cyber incidents have affected the global financial sector, causing $12 billion in direct losses to financial firms. Not only has the EU taken notice, but it is also on the verge of taking action.
With January 17, 2025 as the effective date for compliance with the Digital Operational Resilience Act (DORA), financial institutions in the EU will be expected to put in place rigorous measures to test and demonstrate compliance with new rules for cybersecurity risk management, incident reporting, operational resilience testing and third-party risk monitoring. The resilience-testing component is referred to in the DORA regulation as Threat Led Penetration Testing (TLPT). TLPT involves simulating real-world cyberattacks to assess an organization’s defenses against sophisticated threats. The goal is to assess a financial services environment and make sure that all potential doors through which an attacker may enter are closed, and that when one door closes, another is not left open or opened in its place.
At the highest level, this sets standards for resilience and security that are both comprehensive and continuous. From an operational standpoint, accomplishing this comprises activities that scope specific and urgent organizational risks, undertake purpose-driven testing and collaborative defensive validation, and practice emerging threat vigilance. This column will outline the tasks required for organizations subject to DORA to confidently and demonstrably understand, address and anticipate threats specific to each and every business.
Understanding Threats
It’s hard to defend yourself if you have no idea what you’re up against, and history and countless news stories are evidence that trying to defend against every kind of digital threat is a fool’s errand. As such, the first step in approaching DORA compliance is profiling not only the threat actors that target the financial services sector, but specifically which actors, and by what Tactics, Techniques and Procedures (TTPs), you are likely to be attacked.
But before you can determine how an actor may view and approach you, you need to know who you are. So the first profile that must be built is of your own business: not just financial services, but which sector or aspect, which region, and finally what specific risk profile follows from the critical assets in your own, and even your partners’, infrastructure.
The second profile begins with the current population of known actors that target the financial services industry. It then moves to narrowing to the actors known to be aligned with the specific targeting profile. From there, leveraging industry standard models such as the MITRE ATT&CK framework, a graph is created of each actor/group’s understood goals and TTPs, including their traditional and preferred methods of access and exploitation, as well as their capabilities for evasion, persistence and command and control.
Finally, the two detailed profiles are merged to map the attack graph for each actor onto the organizational profile with regard to assets, infrastructure and “trophy targets.” The end result is critical to inform and define a detailed testing plan that identifies the scenarios in which an actor would likely follow its TTPs to critical assets in each individual environment. Now that you have the map, it’s time to take the journey.
Addressing Threats
With a clear understanding of the actors in play and the organization-specific threats established, the organization will undertake a series of offensive (Red Team) and defensive (Purple Team) exercises to test the ability of the operational infrastructure to repel attacks, the security infrastructure to quickly respond to and stop compromise, and the business to continue with minimal-to-no disruption.
On the offensive side is Red Teaming. In a focused and purpose-driven manner, a Red Team will map the threat intelligence profile to specific assets and environmental dynamics, and test them to determine which assets are vulnerable to the TTPs within the profile. To be clear at the outset, and particularly for DORA, the process undertaken for Red Team, as well as Purple Team, is not one-size-fits-all. To meet the rigor DORA requires, the process should be multi-phased, and each phase should be tested and followed end-to-end for each actor profile individually.
The best Red Teams are driven and directed by actor/attack understanding and the trophy targets that represent the greatest organizational risk. Based on the map of actor and organization, the team will deploy a combination of tests that include both human and technology elements, from social engineering and physical security, to applications, networks, and clouds. They strive to assess the vulnerability – both individually and collectively – of the links in the likely attack chain, and the viability of reaching the trophy target.
Whereas Red Teams are “blind” activities without full knowledge or communication, Purple Teams are done with eyes and ears wide open. Purple Teams conduct “live fire” walkthroughs that allow Red Teams and Blue Teams (internal defensive security teams) to openly play out attack situations and determine the extent to which defense can rapidly detect and negate offensive attempts.
Additionally, assessing the level of preparedness and resilience should not be limited to technology, but should extend to the people and process infrastructure that would be required to respond in a crisis. This is done with tabletop simulations that determine the strength and adaptability of organizational stakeholders (internal and external), their orientation, and the business processes that support incident response.
Of course, as with any compliance-related activity, results not only matter, but are required. In terms of activities and outcomes, documented remediation capabilities and measures, validated resilience and a readiness roadmap must be produced. This serves both to demonstrate adherence to DORA requirements and to establish mechanisms for, and discipline in, continuous organizational improvement. However, it doesn’t end there. In fact, it should never end.
Anticipating Threats
Everything changes, and with change comes new innovations and motivations – both for financial service businesses and the actors who target them. Even with a level of confidence in current posture and plans, threat surveillance must be a continuous activity to accommodate for as-yet-unknown or entirely new risks that arise without notice.
Testing should be a combination of planned, periodic and on-demand assessment of the organizational attack surface and the threat environment. Asset infrastructure should be under constant surveillance for any changes in composition, connectivity and activity that may change the conditions for exposure.
Applications and resources should undergo comprehensive testing not only on a regular basis, but also to accommodate any updates, new associations, or newly discovered vulnerabilities in software or components.
There also should be vigilance around changes in actor profiles or the landscape. This includes new TTPs, tooling/infrastructure, or new actors that have emerged on the scene. DORA compliance is no small undertaking, and requires the right partner to ensure not only compliance, but an environment of readiness and continuous improvement. However, the end result is an investment that will continue to pay – and defend – dividends.