Our experience
The specialists of Digital Security Institute have been involved in organizing multiple TLPT and TIBER tests. It is an intensive process of "running and standing still" that takes place in secret. Large institutions have internal employees who can take on the role of the Control Team (or White Team). If you do not have this luxury, there is a lot involved in planning and organizing a TLPT (in addition to your normal business, which has to continue). We can support you in the various phases of the test.
TLPT process
A Threat-Led Penetration Test is a highly realistic simulated attack on your organization. The test should take place on live production systems, with as few employees in the organization as possible knowing about the test (in order to be able to test the normal detection and response mechanisms). The test scenarios are chosen based on your established Critical & Important Functions and on collected threat information (Threat Intel). The supervisor is strongly involved in every phase of the test.
In summary, a TLPT covers three phases:
1. Preparation: After a notification is received, test plans must be delivered to the supervisor within three months, including a risk analysis of testing on live production systems (which support critical and important functions). After approval by the supervisor, Threat Intel and Test suppliers are contracted and a scope document must be delivered (within 6 months). This phase is essential for good preparation of the test, and also to ensure that the right conditions are met.
2. Test phase: After approval of the scope document (by the supervisor), the test phase starts with Threat Intelligence. The Threat Intel team can take sector threat information as a starting point (such as the One Financial Threat Landscape for the Netherlands). In addition, specific threats for your organization are analyzed. The threat intel takes about 4 weeks. After this, a test plan has to be drawn up and the active test phase starts. The active test phase is proportionate to the scale, activity and complexity of the financial institution, but must in any case last at least 12 weeks.
3. Closing: This is the phase in which the organization learns a lot from the test performed. The testers (red team) write the test report, with the steps performed. The "defenders" (the organization's own SOC/CSIRT team) also write a report with their detection and response activity. Both teams come together to replay the test in the "Purple team" phase. Finally, the financial institution submits a remediation plan, with a description of the findings, root cause analyses and action plans to resolve them. If the test has been performed according to all requirements, the supervisor will provide an attestation (which is valid in all EU member states).

How can we support you?
Digital Security Institute can support you in the preparation and guidance of a TLPT. As an independent, external party, we can perform the work in a discreet manner, in close consultation with you. We can be an external part of your control team, or support it where necessary.