The DORA TLPT Final Report (JC 2024 29) establishes a robust procedural framework for mandatory threat-led penetration testing in the EU financial sector. It defines the "who, when, and how" of testing compliance. However, it lacks a standardized "what"—specifically, a consistent taxonomy for the threats being simulated and a metric for the speed at which they propagate.
The Top Level Cyber Threat Clusters (TLCTC) Framework V2.0 supplies this missing substance. By integrating TLCTC, DORA TLPT evolves from a compliance exercise into a strategic risk instrument. It introduces Bridge Clusters to map domain crossings, Attack Velocity (Δt) to measure whether defence is fast enough to matter, and Standardized Notation to make results comparable across the EU.
1. The Gap in DORA TLPT (The Process)
The DORA TLPT mandate focuses on orchestration:
- Scoping: Based on "critical or important functions" (CIFs).
- Intelligence: Relies on bespoke threat intelligence to define scenarios.
- Output: Remediation plans and attestations of compliance.
The Structural Weakness:
The regulation treats all "threat scenarios" as qualitatively distinct, ad-hoc stories. It lacks a Universal Topology. Without a standardized taxonomy, a Red Team engagement at Bank A (focused on Social Engineering) cannot be meaningfully compared with one at Bank B (focused on Software Exploitation), nor can systemic, sector-wide risks be aggregated. Furthermore, DORA judges success by whether an attack was detected at all, not by whether it was detected fast enough to interrupt the attacker's next step.
2. The Solution: TLCTC Framework V2.0 (The Substance)
The TLCTC framework categorizes threats based on Generic Vulnerabilities (Axiom I) and positions them within a Topology of Attack.
A. The 10 Clusters (The Standard)
Instead of infinite ad-hoc scenarios, TLCTC defines the landscape with 10 immutable clusters:
- #1 Abuse of Functions (Logic/Scope)
- #2 Exploiting Server (Server Code Flaws)
- #3 Exploiting Client (Client Code Flaws)
- #4 Identity Theft (Credential Use)
- #5 Man in the Middle (Path/Channel)
- #6 Flooding Attack (Capacity)
- #7 Malware (Execution Environment)
- #8 Physical Attack (Physical Access)
- #9 Social Engineering (Human Trust)
- #10 Supply Chain Attack (3rd Party Trust)
B. The Topology: Bridge vs. Internal Clusters [New in V2.0]
A critical distinction for Red Teaming scoping.
- Internal Clusters (#1-#7): Operate within a single control regime (the IT domain). They exploit technical vulnerabilities.
- Bridge Clusters (#8, #9, #10): Cross Domain Boundaries. They exploit the handoff between responsibility spheres (e.g., Human $\to$ Cyber, Vendor $\to$ Org, Physical $\to$ Logical).
A TLPT that only tests Internal Clusters (e.g., unpatched servers) misses the most common real-world entry vectors (Bridges) that bypass technical controls entirely.
C. The Metric: Attack Velocity (Δt) [New in V2.0]
Risk is a function of time.
- Attack Velocity (Δt): The time interval between successive successful steps in an attack path; the shorter the interval, the faster the attacker moves.
- Detection Coverage Score (DCS): $MTTD / \Delta t$, where MTTD is the time the Blue Team needs to detect a step and Δt is the time the attacker needs to complete the following one. A DCS above 1 means the attacker reached the next step before the previous one was detected. If the attacker moves from #4 (Identity Theft) to #1 (Abuse of Functions, gaining admin rights) in 10 minutes, and the Blue Team detects the credential theft after 15 minutes (DCS = 1.5), the entity is systemically insecure, regardless of whether it eventually "passed" the test.
3. Comparative Analysis: Enhancing DORA with TLCTC V2.0
Integrating TLCTC V2.0 concepts addresses the substantive gaps in the DORA regulation.
| Area of Improvement | DORA TLPT (Current State) | With TLCTC V2.0 Integration |
|---|---|---|
| 1. Scoping Strategy | Scoping is based on critical functions. Threat scenarios are chosen ad-hoc by TI providers. | Topology-Aware Scoping: Scoping mandates coverage of both Internal and Bridge clusters. Regulators can require that every 3-year cycle tests at least one scenario starting with #9 (Human Bridge), one with #10 (Supply Chain Bridge), and one Internal exploitation (#2/#3). |
| 2. Supply Chain Testing | "Supply chain" is a broad topic often tested via questionnaire or assumed trust. | Explicit Boundary Testing: Use the || Boundary Operator to simulate crossing from Vendor $\to$ Entity using #10. |
| 3. Performance Metrics | Success is defined by the "effectiveness of detection and response" (qualitative). | Velocity-Based Metrics: Success is defined by the Detection Coverage Score. Did the Blue Team interrupt the chain before the business impact occurred? The report measures Δt for critical transitions (e.g., #4 $\to$ #1). |
| 4. Comparability | Results are isolated. Bank A's "Pass" $\neq$ Bank B's "Pass". | Standardized Benchmarking: Regulators can aggregate data: "The EU financial sector has a median Δt of 4 hours for detecting #4 Identity Theft." This highlights systemic sector risk. |
| 5. Strategic Reporting | Technical findings (Red Team Report) are hard to translate to the Board. | Event Chain Mapping: Findings are mapped to the Cyber Bow-Tie. The report shows exactly how a technical threat leads to a System Compromise and cascades to Business Impact. |
4. Applied Example: A Standardized DORA Threat Scenario
Instead of a narrative description, a DORA TLPT mandate using TLCTC would define the test scenario using Standardized Attack Path Notation:
Scenario: "Supply Chain Compromise leading to Ransomware"
#9 Social Engineering: Phishing a developer at the software vendor (the Bank's third-party ICT provider).
#4 Identity Theft: Stealing developer credentials.
#1 Abuse of Functions: Abusing the CI/CD pipeline to inject code.
#10 Supply Chain (Bridge): The malicious update crosses the Explicit Domain Boundary || from the Vendor to the Financial Entity via the [dev] channel.
#7 Malware: Code executes in the Bank's environment.
Benefit: The regulator instantly sees that this test assesses the Bank's ability to detect a trust violation at the boundary, rather than just an internal firewall failure.
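The following script is an added example that is not part of the TLCTC or DORA documents. It parses the Standardized Attack Path Notation from this section (the token grammar `#n`, `->`, `||` and `[channel]` is an assumption about how the notation is written on one line), marks which steps are Bridge clusters and where the explicit boundary `||` is crossed, and then applies the Attack Velocity metric from section 2.C to a constructed Red Team / Blue Team timeline: Δt per transition, MTTD per step, DCS = MTTD / Δt, and whether the chain was interrupted before the last step. It also checks the section 3 scoping rule (one scenario starting with #9, one with #10, one containing #2/#3) across a list of scenarios. All timestamps and log entries are constructed; the function names are hypothetical.

```python
"""Attack Velocity (Δt) and Detection Coverage Score (DCS) over a TLPT timeline.

Added example; not part of the TLCTC or DORA documents. The path grammar,
the log layout and every timestamp below are constructed for illustration.
Clusters are the 10 TLCTC clusters; #8, #9 and #10 are the Bridge clusters.
"""
import re
from datetime import datetime
from math import inf

CLUSTERS = {
    1: "Abuse of Functions", 2: "Exploiting Server", 3: "Exploiting Client",
    4: "Identity Theft", 5: "Man in the Middle", 6: "Flooding Attack",
    7: "Malware", 8: "Physical Attack", 9: "Social Engineering",
    10: "Supply Chain Attack",
}
BRIDGE = {8, 9, 10}


def parse_path(notation):
    """Parse '#9 -> #4 -> #1 || [dev] #10 -> #7' into a list of
    (cluster, crosses_boundary, channel). '||' marks an explicit domain
    boundary crossed before the next cluster; '[x]' names the channel used."""
    steps, crossing, channel = [], False, None
    for tok in notation.split():
        if tok == "->":
            continue
        if tok == "||":
            crossing = True
            continue
        if tok.startswith("["):
            channel = tok.strip("[]")
            continue
        m = re.fullmatch(r"#(\d+)", tok)
        if not m or int(m.group(1)) not in CLUSTERS:
            raise ValueError(f"unknown token {tok!r}")
        steps.append((int(m.group(1)), crossing, channel))
        crossing, channel = False, None
    return steps


def minutes(delta):
    return delta.total_seconds() / 60


def assess(path, red_log, blue_log):
    """red_log: [(cluster, time the step succeeded)] in path order.
    blue_log: {cluster: time the Blue Team detected that step}.
    Per transition i -> i+1: Δt = t[i+1] - t[i], MTTD = detection(i) - t[i],
    DCS = MTTD / Δt. DCS > 1 means the attacker finished the next step before
    step i was detected; an undetected step gets MTTD = DCS = inf."""
    assert [c for c, _, _ in path] == [c for c, _ in red_log], "log must follow path"
    rows = []
    for i, (cluster, crossing, channel) in enumerate(path):
        t_succ = red_log[i][1]
        t_det = blue_log.get(cluster)
        mttd = minutes(t_det - t_succ) if t_det is not None else inf
        if i + 1 < len(path):
            dt = minutes(red_log[i + 1][1] - t_succ)
            dcs = mttd / dt
        else:
            dt = dcs = None  # last step: there is no next transition to outrun
        rows.append({"cluster": cluster, "name": CLUSTERS[cluster],
                     "bridge": cluster in BRIDGE, "crosses": crossing,
                     "channel": channel, "dt_min": dt, "mttd_min": mttd, "dcs": dcs})
    # The chain is interrupted only if some step was detected before the next succeeded.
    interrupted = any(r["dcs"] is not None and r["dcs"] < 1 for r in rows)
    return rows, interrupted


def cycle_coverage(scenarios):
    """Scoping rule from section 3: across a test cycle, at least one scenario
    starts with #9, one starts with #10, and one contains an Internal exploit (#2/#3)."""
    parsed = [parse_path(s) for s in scenarios]
    starts = {p[0][0] for p in parsed}
    clusters = {c for p in parsed for c, _, _ in p}
    return {"human_bridge": 9 in starts, "supply_chain_bridge": 10 in starts,
            "internal_exploit": bool(clusters & {2, 3})}


def at(hhmm):
    """Constructed timestamp on a fixed exercise day."""
    return datetime.fromisoformat(f"2025-01-01T{hhmm}")


# Constructed timeline for the scenario in section 4 (not real engagement data).
SCENARIO = "#9 -> #4 -> #1 || [dev] #10 -> #7"
RED_LOG = [(9, at("09:45")), (4, at("10:00")), (1, at("10:10")),
           (10, at("11:00")), (7, at("11:05"))]
BLUE_LOG = {4: at("10:15"), 7: at("11:20")}  # #9, #1 and #10 were never detected

if __name__ == "__main__":
    rows, interrupted = assess(parse_path(SCENARIO), RED_LOG, BLUE_LOG)
    for r in rows:
        kind = "Bridge" if r["bridge"] else "Internal"
        print(f"#{r['cluster']:<2} {r['name']:<20} {kind:<8} crosses={str(r['crosses']):<5} "
              f"Δt={r['dt_min']} MTTD={r['mttd_min']} DCS={r['dcs']}")
    print("chain interrupted before impact:", interrupted)
    print("cycle coverage:", cycle_coverage([SCENARIO, "#10 -> #7 -> #1", "#3 -> #4 -> #1"]))
```

With the constructed timeline the #4 → #1 transition reproduces the figure from section 2.C (Δt = 10 min, MTTD = 15 min, DCS = 1.5), the undetected #9, #1 and #10 steps get an infinite DCS, and the chain is reported as not interrupted even though two steps were eventually detected, which is exactly the "passed but insecure" outcome the metric is meant to expose.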
5. Conclusion
The DORA TLPT regulation is the "rules of the road" for testing. The TLCTC Framework is the "physics of the traffic."
By adopting TLCTC, the DORA framework gains:
- Precision: Distinguishing between Bridge Clusters (Domain Crossings) and Internal Clusters.
- Reality: Using Attack Velocity (Δt) to measure if defense is fast enough to matter.
- Clarity: Using Standardized Notation to make threats comparable across the EU.
Recommendation: The DORA TLPT authorities should encourage or mandate the use of the TLCTC taxonomy for the "Threat Intelligence" and "Red Team Report" phases to ensure that the results of these expensive exercises are statistically comparable and strategically actionable.