Threat-led penetration testing (TLPT) is a red team exercise that reproduces the tactics, techniques and procedures (TTPs) of known threats or threat groups.
Although the practice of threat-led red teaming has been popular for over a decade (starting with CBEST in 2013), threat-led penetration testing can be a tricky thing to define.
“A threat-led penetration test is not a pen test at all; it's a red team exercise.”
That’s how one offensive security expert we spoke to put it.
Yet because TLPT is not called “threat-led red teaming,” organisations can easily confuse it with a “normal” penetration test or red team exercise.
In this article, we’ve tapped insights from SECFORCE’s offensive security experts to give a straightforward explanation of what threat-led penetration testing is (and what it isn't), why TLPT is used and how a TLPT happens.
What Is a Threat-Led Penetration Test (TLPT)?
Threat-led penetration testing is a red team exercise that is informed by threat intelligence.
TLPT is not penetration testing.
Penetration testing is a way to test the security of a particular system or application. It involves testers looking for and exploiting vulnerabilities. System owners in the testing organisation know a test is taking place, and testing often happens in non-production environments.
In contrast, the kind of testing that happens in TLPT has a much wider scope and takes place in a live business environment. Testers also do their best to stay hidden.
TLPT is a red team exercise that is “threat-led.”
In a TLPT, a threat intelligence exercise happens before red teaming occurs.
Threat intelligence (TI) is information about the tactics, techniques, and procedures of known threat groups, such as a nation-state-sponsored group like Conti. TI can include high-level strategic information gained from reports and whitepapers, tactical details about threat TTPs, and technical intelligence, such as malware samples and known compromised IP addresses.
In practice, TLPT is very similar to intelligence-led red teaming, which is already part of regulations like TIBER-EU. Instead of being a new type of testing, TLPT is just another way to describe intelligence-led, or threat-led, red teaming.
TLPT Threat Intelligence
To do a TLPT, testers need threat intelligence that tells them what to replicate.
Threat intelligence is used to create testing scenarios that red teamers run through.
Threat intelligence is supposed to be a testable version of the TTPs that cybercriminals are most likely to use against an organisation.
Depending on who's being tested and when, threat intelligence can change dramatically. A multinational bank or payment processor will face different cyber threats than a local credit union or a small investment firm. A threat intelligence report produced for either needs to take this into account.
Threats change over time, too, and threat intelligence should reflect this and be up to date with the modern threat landscape.
Who can provide threat intelligence for a TLPT?
If a test is taking place outside of a regulatory requirement and an organisation is doing testing for its own sake, TLPT providers could include the external red team doing the test, a different external team altogether, or an in-house research team.
If a TLPT is being done to comply with a regulation, who can and can’t provide threat intelligence will depend on the regulation in question.
For example, in a CBEST/STAR test, the Threat Intelligence Service Provider (TISP) and the Penetration Testing Service Provider (PTSP) are two different parties. On the other hand, under the Digital Operational Resilience Act (DORA), threat intelligence can come from the same provider doing the testing or a partner they recommend.
Threat-Led Penetration Testing Versus Non-Threat-Led Testing
One of SECFORCE’s red teamers described the difference between threat-led testing and non-threat-led red teaming as follows:
“[Normal] Red teaming can be threat-led but tends to be more flexible.”
TLPT gives organisations a deep understanding of how they would fare against specific threat groups, but TLPTs also have a downside: these tests might lead to a false sense of security if organisations focus too heavily on known threats.
A TLPT replicates known tactics, techniques and tools. In a real-world attack, an organisation might be confronted with unexpected, unknown or signatureless attacks that won’t be replicated in a TLPT.
Some red teaming frameworks like TIBER and Advanced Red Teaming (ART) try to combat this weakness by allowing testers to use "scenario X."
"Scenario X" is an additional, usually the final, "outside the box" scenario that is tested. It can be defined by the red team (RT) provider and doesn't have to emulate any specific threat actor. This gives testers more flexibility and room to replicate the kind of creativity real attacks use.
In a non-threat-led penetration test or red teaming exercise, testers will use whatever methods suit the environment they encounter and the scope they have. The techniques used also often change based on what happens during the test.
For example, if a red team can’t get access to a corporate account through a brute force attempt, they might switch to phishing instead.
When Is Threat-Led Penetration Testing Used?
Threat-led penetration testing can be done whenever an organisation wants to see how its defences would fare against a specific scenario.
TLPT is also defined in the Digital Operational Resilience Act (DORA). You can learn more about how TLPT fits into DORA’s digital operational resilience testing pillar in a separate SECFORCE article.
Other frameworks and assessments whose testing requirement is the same intelligence-led red teaming that TLPT entails include:
- Critical National Infrastructure Banking Supervision and Evaluation Testing (CBEST). TLPT here is called “Threat Intelligence-Led Assessment.”
- TBEST. Called a “Threat Intelligence Assessment.”
- TIBER-EU. Defined as “Threat intelligence-based ethical red teaming.”
- STAR. Known as “Intelligence Led Testing.”
SECFORCE Provides Threat-Led Penetration Testing Support
SECFORCE is a provider of threat-led penetration testing services for compliance purposes and security assurance.
Contact us to learn about doing threat-led penetration testing in your environment.