DORA requirements and Continuous Threat and Exposure Management

The Digital Operational Resilience Act (DORA) will come into effect across EU member states from January 17, 2025 and will apply to relevant financial entities and third-party ICT providers. Continuous Threat and Exposure Management (CTEM) can play an important role in addressing many of its requirements.

The financial services sector is driven by digital transformation and technology innovation, making it a leading target for malicious actors. The ever-increasing number of cyber-attacks and successful breaches affecting participants not only impacts the organizations concerned but also poses a threat to the stability and integrity of the financial system as a whole. DORA harmonises regulations on operational resilience and cybersecurity for EU financial sector organizations and critical third-party ICT providers, to ensure they can withstand all types of ICT-related disruptions and threats.

A Closer Look

While the act is broad in scope, covering ICT risk management, the reporting of ICT incidents, resilience testing and information sharing, there are several DORA articles where the management of threats and exposures to external attack surface assets is within scope. We will briefly cover them here.

Article 8 (Identification) 

  1. As part of the ICT risk management framework referred to in Article 6(1), financial entities shall identify, classify and adequately document all ICT supported business functions, roles and responsibilities, the information assets and ICT assets supporting those functions, and their roles and dependencies in relation to ICT risk. Financial entities shall review as needed, and at least yearly, the adequacy of this classification and of any relevant documentation.
  2. Financial entities shall, on a continuous basis, identify all sources of ICT risk, in particular the risk exposure to and from other financial entities, and assess cyber threats and ICT vulnerabilities relevant to their ICT supported business functions, information assets and ICT assets. Financial entities shall review on a regular basis, and at least yearly, the risk scenarios impacting them.

This article requires organizations to document business functions and the ICT assets that support them. It also requires organizations to identify all ICT assets and to map those that are considered critical. It calls for organizations to keep an inventory of critical assets which is updated periodically. All ICT assets are within scope.

While many organizations have visibility of assets that sit inside their network, this is less true when it comes to their internet-facing assets. Blind spots resulting from shadow IT deployments, cloud adoption and mergers and acquisitions can result in a large pool of organization-owned assets that are unknown to security and compliance teams.

ULTRA RED can act as the system of record for an organization’s external attack surface. ULTRA RED automatically discovers hosts, domains and IP addresses which are within the organization's scope, including assets created by shadow IT activities and cloud deployments. Utilizing recursive techniques and proprietary technology to check and re-check validity, ULTRA RED creates an accurate asset register of internet-exposed assets with an extremely low false positive rate. As ULTRA RED's asset discovery is a continual process, no periodic updates are required, saving the associated manual effort required to collect and update this information. New assets and services are automatically discovered as they are introduced and changes to existing assets are captured and documented. Information relating to all decommissioned assets is also kept.

Article 9 (Protection and Prevention)

  1. For the purposes of adequately protecting ICT systems and with a view to organising response measures, financial entities shall continuously monitor and control the security and functioning of ICT systems and tools and shall minimise the impact of ICT risk on ICT systems through the deployment of appropriate ICT security tools, policies and procedures.

This article covers minimizing the impact of ICT risk through the deployment of appropriate tools, policies, and procedures. 

ULTRA RED supports Gartner’s Continuous Threat and Exposure Management framework, giving organizations a standardized and repeatable process to identify and remediate threats and exposures relating to the external attack surface. ULTRA RED’s automated asset discovery, vulnerability detection, validation and prioritization allow cyber teams to focus on remediating the real threats to the organization and reduce ICT risk. Organizations can demonstrate the effectiveness of this process, showing the number of critical exposures remediated over time as well as a significant reduction in the number of attack surface exposures.  

Article 18 (Classification of ICT threats and incidents)

  1. Financial entities shall classify cyber threats as significant based on the criticality of the services at risk, including the financial entity’s transactions and operations, number and/or relevance of clients or financial counterparts targeted and the geographical spread of the areas at risk.

As outlined in this article, the classification of ICT threats should be based on the criticality of the services potentially impacted and the clients potentially affected. 

In addition to categorizing assets into logical groupings such as VPNs, development environments, and admin & sensitive information, assets in the ULTRA RED repository can be labelled in multiple ways, including line of business, service criticality, etc. The categorization and labelling of assets can help address the requirements found in other DORA articles, such as those related to resilience testing.

Validated vectors relating to assets are prioritized based on the organization’s unique attack surface. Relying on CVSS scores and other external indicators to prioritize vulnerabilities has its limitations because every attack surface is different. Some high-risk vulnerabilities will have mitigating controls in place and others may not have the required prerequisites for successful exploitation. ULTRA RED’s vector scoring is based on a combination of the CVSS severity and exploitability.

Article 25 (Testing of IT tools and ICT services)

  1. The digital operational resilience testing programme referred to in Article 24 shall provide, in accordance with the criteria set out in Article 4(2), for the execution of appropriate tests, such as vulnerability assessments and scans, open source analyses, network security assessments, gap analyses, physical security reviews, questionnaires and scanning software solutions, source code reviews where feasible, scenario-based tests, compatibility testing, performance testing, end-to-end testing and penetration testing.

This article defines a resilience testing program. 

ULTRA RED can provide support by shining a light on weaknesses in internet-facing assets and services. Unlike point-in-time vulnerability scanning, ULTRA RED continuously scans assets in the Asset Inventory to detect new vulnerabilities and weaknesses. It not only identifies known public vulnerabilities but also cross-references assets against a wide range of proprietary scanning findings and documented Dark Net references. All detected weaknesses are validated without impacting the scanned system and its security infrastructure and controls, ensuring production system continuity.

Article 26 (Advanced testing of ICT tools, systems and processes based on TLPT)

  1. Financial entities, other than entities referred to in Article 16(1), first subparagraph, and other than microenterprises, which are identified in accordance with paragraph 8, third subparagraph, of this Article, shall carry out at least every 3 years advanced testing by means of TLPT. Based on the risk profile of the financial entity and taking into account operational circumstances, the competent authority may, where necessary, request the financial entity to reduce or increase this frequency.

This article requires that threat-led penetration testing (TLPT) is carried out a minimum of once every 3 years.

In carrying out TLPT activities, red teams assume the role of the attacker, employing attacker tactics and procedures to identify exploitable weaknesses in the attack surface. Forgotten assets, misconfigured assets and services, and assets at patch levels with known vulnerabilities can all offer a way into the network. 

ULTRA RED’s asset inventory can save red teams the considerable time needed to identify exploitable exposures, offering up candidate vectors based on a combination of the CVSS severity and exploitability. For example, an asset with a high-risk CVE may have mitigating controls that prevent it from being exploited. ULTRA RED’s vector scoring takes this into account. Reference information and POCs for each vector aid red teams in understanding the weakness.

Summary

When considering the implementation requirements of DORA from a threat and exposure management perspective, ULTRA RED’s continuous threat exposure management can help organizations address requirements in the areas of identification, protection and prevention, threat classification, vulnerability testing and threat-led penetration testing. As a system of record for internet-exposed assets and services, it can also help support other cyber compliance regulations and requirements. To understand more about ULTRA RED, visit ultrared.ai and request a demo.