Red Team Exercises for Australian Financial Institutions: TLPT and Adversary Simulation

October 22, 2024

Standard penetration testing and red team exercises test whether systems and controls can be exploited. Threat-led penetration testing goes further: it models how a specific category of real-world adversary would approach a specific institution, using intelligence about that adversary's known techniques, tools, and objectives. The distinction matters for financial institutions because the threats facing a major Australian bank, insurer, or superannuation fund are different in character from the generic threats addressed by a commodity penetration test.

The term TLPT is used in different contexts with varying levels of precision. In the European financial sector it has a formal definition under DORA. In the Australian context, the term is used more loosely to describe threat intelligence-driven adversary simulation exercises, typically conducted against systemically important financial institutions. What follows is a practical explanation of what these exercises involve, how they differ from standard red team engagements, and why they are relevant to Australian financial institutions subject to APRA oversight.

How TLPT Differs from a Standard Red Team

A standard red team exercise defines an objective -- typically access to a specified system or data set -- and gives a team of skilled testers a timeframe and a scope within which to attempt to reach that objective by any means available. The team makes decisions about which techniques to use based on what works in the specific environment. The result is a measure of the organisation's ability to detect and respond to a skilled, persistent attacker using current techniques.

A threat-led exercise begins before the technical work starts. The first phase is a threat intelligence assessment: identifying which threat actor groups are most relevant to the institution based on its sector, size, geographic presence, and the data and infrastructure it holds. That intelligence informs the techniques the red team uses during the exercise. Rather than applying the full range of available techniques, the team focuses on the techniques, tools, and procedures associated with the identified threat actors. This makes the exercise more predictive: the question being answered is not "can any skilled attacker reach this objective" but "can the specific type of attacker we face most plausibly reach this objective."

Why This Matters for Australian Financial Institutions

Australian financial institutions face a specific threat landscape. The sector is a persistent target for state-sponsored threat actors seeking financial gain and intelligence, for organised criminal groups deploying ransomware and business email compromise, and for insider threats with access to payment systems and customer data. These different threat actor categories use materially different techniques and pursue different objectives.

A threat-led exercise for a financial institution typically focuses on the attack paths most relevant to the institution's profile. For a bank with significant retail payment infrastructure, this might mean simulating a threat actor targeting payment processing systems using techniques associated with known financial sector adversaries. For a superannuation fund with a large member account database, it might mean simulating credential-based access to member accounts at scale. The exercise is shaped by what is actually happening in the threat environment, not by what is technically possible in the abstract.

What APRA Expects

APRA has not published a formal TLPT framework equivalent to those in place for European financial institutions. However, CPS 234 requires that testing of information security controls be commensurate with the criticality of the assets involved and the nature of threats facing the entity. For systemically important financial institutions, APRA's supervisory expectations -- expressed through individual engagement rather than published standards -- increasingly reflect an expectation that control testing at the highest level of criticality goes beyond standard penetration testing.

APRA's information security prudential practice guide (CPG 234) notes that entities should test controls against realistic threat scenarios and that testing should involve techniques consistent with those used by adversaries relevant to the entity's risk profile. This language is consistent with a threat-led approach, even if the framework does not use that terminology explicitly. Institutions that have received supervisory feedback on their testing programmes have in several cases been advised to move toward more intelligence-driven testing methodologies.

Planning and Executing a TLPT Exercise

A threat-led exercise for a financial institution involves several phases that are distinct from a standard penetration test:

  • Scoping and intelligence phase -- defining the scope, the objective, and the threat actor profile, with input from the institution's threat intelligence function and the testing team
  • Reconnaissance phase -- gathering open-source and technical intelligence about the institution's public-facing infrastructure, third-party relationships, and employee information that a real attacker would use to plan the intrusion
  • Initial access phase -- attempting to gain a foothold using techniques consistent with the identified threat actor profile, which may include phishing, exploitation of internet-facing services, or abuse of trusted third-party connections
  • Post-exploitation phase -- moving from the initial foothold toward the defined objective, using lateral movement, privilege escalation, and persistence techniques associated with the threat actor profile
  • Detection and response measurement -- assessing how quickly the institution's security operations function detected the activity, how accurately they characterised it, and how effectively they contained it

The final report from a TLPT exercise is not simply a list of vulnerabilities. It is an assessment of the institution's resilience against a realistic adversary scenario, including findings about detection capability and response effectiveness that a standard penetration test does not address.

To discuss threat-led penetration testing and adversary simulation for your financial institution, contact Cyberlinx at info@cyberlinx.com.au.

Table of Contents
Resource Type
Blogs
Category
Offensive Security
Written by
Shahbaz Rasheed
Managing Director
Free Risk Assessment
Cyberlinx brand name with linked chain links icon above it in white on a black background.

Ready to secure your
business?