The red team test report shall contain information on at least all of the following:
(a)
information on the performed attack, including:
(i)
the targeted critical or important functions and identified ICT systems, processes and technologies supporting the critical or important function, as identified in the red team test plan;
(ii)
summary of each scenario;
(iii)
flags reached and not reached;
(iv)
attack paths followed successfully and unsuccessfully;
(v)
tactics, techniques and procedures used successfully and unsuccessfully;
(vi)
deviations from the red team test plan, if any;
(vii)
leg-ups granted, if any;
(b)
all actions that the testers are aware of that were performed by the blue team to reconstruct the attack and to mitigate its effects;
(c)
discovered vulnerabilities and other findings, including:
(i)
vulnerability and other finding description including their criticality;
(ii)
root cause analysis of successful attacks;
(iii)
recommendations for remediation including indication of the remediation priority.# Table 1 in anx_I
Item of information
Information required
Person responsible for the project plan, i.e. the Control Team Lead
NameContact details
Testers
☐internal☐external☐both
☐
internal
☐
external
☐
both
Communication channels selected in accordance with Article 9(2), point (d), and Article 9(4) point (a), including:(a)email encryption to be used(b)online data rooms to be used(c)instant messaging to be used
(a)
(a)
email encryption to be used
(b)
online data rooms to be used
(c)
instant messaging to be used
Codename for the TLPT
If any, critical or important functions the financial entity operates in other Member States
1.list of critical or important functions operated in another Member State2.for each critical or important function, indication of the Member State or States in which they are operated
1.
list of critical or important functions operated in another Member State
2.
for each critical or important function, indication of the Member State or States in which they are operated
If any, critical or important functions supported by ICT third party service providers
3.list of critical or important functions supported by ICT third-party service providers4.for each function, identification of the ICT third party service provider
3.
list of critical or important functions supported by ICT third-party service providers
4.
for each function, identification of the ICT third party service provider
Expected deadlines for the completion of the:
(1)Preparation Phase, in accordance with Article 9
(1)
(1)
Preparation Phase, in accordance with Article 9
(2)Testing Phase, in accordance with Articles 10 and 11
(2)
(2)
Testing Phase, in accordance with Articles 10 and 11
(3)Closure Phase, in accordance with Article 12
(3)
(3)
Closure Phase, in accordance with Article 12
(4)Remediation plan in accordance with Article 13
(4)
(4)
Remediation plan in accordance with Article 13
Table 2 in anx_I
☐
internal
Table 3 in anx_I
☐
external
Table 4 in anx_I
☐
both
Table 5 in anx_I
(a)
email encryption to be used
Table 6 in anx_I
(b)
online data rooms to be used
Table 7 in anx_I
(c)
instant messaging to be used
Table 8 in anx_I
1.
list of critical or important functions operated in another Member State
Table 9 in anx_I
2.
for each critical or important function, indication of the Member State or States in which they are operated
Table 10 in anx_I
3.
list of critical or important functions supported by ICT third-party service providers
Table 11 in anx_I
4.
for each function, identification of the ICT third party service provider
Table 12 in anx_I
(1)
Preparation Phase, in accordance with Article 9
Table 13 in anx_I
(2)
Testing Phase, in accordance with Articles 10 and 11
Table 14 in anx_I
(3)
Closure Phase, in accordance with Article 12
Table 15 in anx_I
(4)
Remediation plan in accordance with Article 13
Table 1 in anx_II
(a)
where the critical or important function is not included in the scope of the TLPT, the explanation of the reasons for which it is not included;
Table 2 in anx_II
(b)
where the critical or important function is included in the scope of the TLPT:(i)the explanation of the reasons for its inclusion;(ii)the identified ICT system(s) supporting that critical or important function;(iii)for each identified ICT system:1.whether it is outsourced and if so, the name of the ICT third party service provider;2.the jurisdictions in which the ICT system is used;3.a high-level description of preliminary flag(s), indicating which security aspect of confidentiality, integrity, authenticity or availability is covered by each flag.
(i)
the explanation of the reasons for its inclusion;
(ii)
the identified ICT system(s) supporting that critical or important function;
(iii)
for each identified ICT system:1.whether it is outsourced and if so, the name of the ICT third party service provider;2.the jurisdictions in which the ICT system is used;3.a high-level description of preliminary flag(s), indicating which security aspect of confidentiality, integrity, authenticity or availability is covered by each flag.
1.
whether it is outsourced and if so, the name of the ICT third party service provider;
2.
the jurisdictions in which the ICT system is used;
3.
a high-level description of preliminary flag(s), indicating which security aspect of confidentiality, integrity, authenticity or availability is covered by each flag.
(i)
the explanation of the reasons for its inclusion;
(ii)
the identified ICT system(s) supporting that critical or important function;
(iii)
for each identified ICT system:1.whether it is outsourced and if so, the name of the ICT third party service provider;2.the jurisdictions in which the ICT system is used;3.a high-level description of preliminary flag(s), indicating which security aspect of confidentiality, integrity, authenticity or availability is covered by each flag.
1.
whether it is outsourced and if so, the name of the ICT third party service provider;
2.
the jurisdictions in which the ICT system is used;
3.
a high-level description of preliminary flag(s), indicating which security aspect of confidentiality, integrity, authenticity or availability is covered by each flag.
1.
whether it is outsourced and if so, the name of the ICT third party service provider;
2.
the jurisdictions in which the ICT system is used;
3.
a high-level description of preliminary flag(s), indicating which security aspect of confidentiality, integrity, authenticity or availability is covered by each flag.
Table 3 in anx_II
(i)
the explanation of the reasons for its inclusion;
Table 4 in anx_II
(ii)
the identified ICT system(s) supporting that critical or important function;
Table 5 in anx_II
(iii)
for each identified ICT system:1.whether it is outsourced and if so, the name of the ICT third party service provider;2.the jurisdictions in which the ICT system is used;3.a high-level description of preliminary flag(s), indicating which security aspect of confidentiality, integrity, authenticity or availability is covered by each flag.
1.
whether it is outsourced and if so, the name of the ICT third party service provider;
2.
the jurisdictions in which the ICT system is used;
3.
a high-level description of preliminary flag(s), indicating which security aspect of confidentiality, integrity, authenticity or availability is covered by each flag.
1.
whether it is outsourced and if so, the name of the ICT third party service provider;
2.
the jurisdictions in which the ICT system is used;
3.
a high-level description of preliminary flag(s), indicating which security aspect of confidentiality, integrity, authenticity or availability is covered by each flag.
Table 6 in anx_II
1.
whether it is outsourced and if so, the name of the ICT third party service provider;
Table 7 in anx_II
2.
the jurisdictions in which the ICT system is used;
Table 8 in anx_II
3.
a high-level description of preliminary flag(s), indicating which security aspect of confidentiality, integrity, authenticity or availability is covered by each flag.
Table 1 in anx_III
1.
The overall scope of the intelligence research including at least the following:(a)critical or important functions in scope;(b)their geographical location;(c)official EU language in use;(d)relevant ICT third party services providers;(e)period of time over which the research is gathered.
(a)
critical or important functions in scope;
(b)
their geographical location;
(c)
official EU language in use;
(d)
relevant ICT third party services providers;
(e)
period of time over which the research is gathered.
(a)
critical or important functions in scope;
(b)
their geographical location;
(c)
official EU language in use;
(d)
relevant ICT third party services providers;
(e)
period of time over which the research is gathered.
Table 2 in anx_III
(a)
critical or important functions in scope;
Table 3 in anx_III
(b)
their geographical location;
Table 4 in anx_III
(c)
official EU language in use;
Table 5 in anx_III
(d)
relevant ICT third party services providers;
Table 6 in anx_III
(e)
period of time over which the research is gathered.
Table 7 in anx_III
2.
The overall assessment of what concrete actionable intelligence can be found about the financial entity, including:(a)the employee usernames and passwords;(b)the look-alike domains which can be mistaken for official domains of the financial entity;(c)technical reconnaissance: vulnerable or exploitable software, systems and technologies;(d)information posted by employees on the internet, related to the financial entity, which might be used for the purposes of an attack;(e)information for sale on the dark web;(f)any other relevant information available on the internet or public networks;(g)where relevant, physical targeting information, including ways of access to the premises of the financial entity.
(a)
the employee usernames and passwords;
(b)
the look-alike domains which can be mistaken for official domains of the financial entity;
(c)
technical reconnaissance: vulnerable or exploitable software, systems and technologies;
(d)
information posted by employees on the internet, related to the financial entity, which might be used for the purposes of an attack;
(e)
information for sale on the dark web;
(f)
any other relevant information available on the internet or public networks;
(g)
where relevant, physical targeting information, including ways of access to the premises of the financial entity.
(a)
the employee usernames and passwords;
(b)
the look-alike domains which can be mistaken for official domains of the financial entity;
(c)
technical reconnaissance: vulnerable or exploitable software, systems and technologies;
(d)
information posted by employees on the internet, related to the financial entity, which might be used for the purposes of an attack;
(e)
information for sale on the dark web;
(f)
any other relevant information available on the internet or public networks;
(g)
where relevant, physical targeting information, including ways of access to the premises of the financial entity.
Table 8 in anx_III
(a)
the employee usernames and passwords;
Table 9 in anx_III
(b)
the look-alike domains which can be mistaken for official domains of the financial entity;
Table 10 in anx_III
(c)
technical reconnaissance: vulnerable or exploitable software, systems and technologies;
Table 11 in anx_III
(d)
information posted by employees on the internet, related to the financial entity, which might be used for the purposes of an attack;
Table 12 in anx_III
(e)
information for sale on the dark web;
Table 13 in anx_III
(f)
any other relevant information available on the internet or public networks;
Table 14 in anx_III
(g)
where relevant, physical targeting information, including ways of access to the premises of the financial entity.
Table 15 in anx_III
3.
Threat intelligence analysis considering the general threat landscape and the particular situation of the financial entity, including, at least:(a)the geopolitical environment;(b)the economic environment;(c)technological trends and any other trends related to the activities in the financial services sector.
(a)
the geopolitical environment;
(b)
the economic environment;
(c)
technological trends and any other trends related to the activities in the financial services sector.
(a)
the geopolitical environment;
(b)
the economic environment;
(c)
technological trends and any other trends related to the activities in the financial services sector.
Table 16 in anx_III
(a)
the geopolitical environment;
Table 17 in anx_III
(b)
the economic environment;
Table 18 in anx_III
(c)
technological trends and any other trends related to the activities in the financial services sector.
Table 19 in anx_III
4.
Threat profiles of the malicious actors (specific individual/group or generic class) that may target the financial entity, including the systems of the financial entity that malicious actors are most likely to compromise or target, the possible motivation, intent and rationale for the potential targeting and the possiblemodus operandiof the attackers.
Table 20 in anx_III
5.
Threat scenarios: at least three end-to-end threat scenarios for the threat profiles identified in accordance with point 4 who exhibit the highest threat severity scores. The threat scenarios shall describe the end-to-end attack path and shall include, at least:(a)one scenario that includes but is not limited to compromised service availability;(b)one scenario that includes but is not limited to compromised data integrity;(c)one scenario that includes but is not limited to compromised information confidentiality.
(a)
one scenario that includes but is not limited to compromised service availability;
(b)
one scenario that includes but is not limited to compromised data integrity;
(c)
one scenario that includes but is not limited to compromised information confidentiality.
(a)
one scenario that includes but is not limited to compromised service availability;
(b)
one scenario that includes but is not limited to compromised data integrity;
(c)
one scenario that includes but is not limited to compromised information confidentiality.
Table 21 in anx_III
(a)
one scenario that includes but is not limited to compromised service availability;
Table 22 in anx_III
(b)
one scenario that includes but is not limited to compromised data integrity;
Table 23 in anx_III
(c)
one scenario that includes but is not limited to compromised information confidentiality.
Table 24 in anx_III
6.
Where relevant, a description of the non-threat-led scenario referred to in Article 10(4).
Table 1 in anx_IV
(a)
communication channels and procedures;
Table 2 in anx_IV
(b)
the tactics, techniques and procedures allowed and not-allowed for use in the attack, including ethical boundaries for social engineering;
Table 3 in anx_IV
(c)
the risk management measures to be followed by the testers;
Table 4 in anx_IV
(d)
a description for each scenario, including:(i)the simulated threat actor;(ii)their intent, motivation and goals;(iii)the target function(s) and the supporting ICT system or systems;(iv)the targeted confidentiality, integrity, availability and authenticity aspects;(v)flags;
(i)
the simulated threat actor;
(ii)
their intent, motivation and goals;
(iii)
the target function(s) and the supporting ICT system or systems;
(iv)
the targeted confidentiality, integrity, availability and authenticity aspects;
(v)
flags;
(i)
the simulated threat actor;
(ii)
their intent, motivation and goals;
(iii)
the target function(s) and the supporting ICT system or systems;
(iv)
the targeted confidentiality, integrity, availability and authenticity aspects;
(v)
flags;
Table 5 in anx_IV
(i)
the simulated threat actor;
Table 6 in anx_IV
(ii)
their intent, motivation and goals;
Table 7 in anx_IV
(iii)
the target function(s) and the supporting ICT system or systems;
Table 8 in anx_IV
(iv)
the targeted confidentiality, integrity, availability and authenticity aspects;
Table 9 in anx_IV
(v)
flags;
Table 10 in anx_IV
(e)
a detailed description of each expected attack path, including pre-requisites and possible leg-ups to be provided by the control team, including deadlines for their provision and potential usage;
Table 11 in anx_IV
(f)
the scheduling of red teaming activities, including time planning for the execution of each scenario, at a minimum split according to the three phases a tester takes throughout the testing phase, respectively entering financial entities’ ICT systems, moving through the ICT systems and ultimately executing actions on objectives and eventually extracting itself from the ICT systems (in, through, and out phases);
Table 12 in anx_IV
(g)
particularities of the financial entities’ infrastructure to be considered during testing;
Table 13 in anx_IV
(h)
if any, additional information or other resources necessary to the testers for executing the scenarios.
Table 1 in anx_V
(a)
information on the performed attack, including:(i)the targeted critical or important functions and identified ICT systems, processes and technologies supporting the critical or important function, as identified in the red team test plan;(ii)summary of each scenario;(iii)flags reached and not reached;(iv)attack paths followed successfully and unsuccessfully;(v)tactics, techniques and procedures used successfully and unsuccessfully;(vi)deviations from the red team test plan, if any;(vii)leg-ups granted, if any;
(i)
the targeted critical or important functions and identified ICT systems, processes and technologies supporting the critical or important function, as identified in the red team test plan;
(ii)
summary of each scenario;
(iii)
flags reached and not reached;
(iv)
attack paths followed successfully and unsuccessfully;
(v)
tactics, techniques and procedures used successfully and unsuccessfully;
(vi)
deviations from the red team test plan, if any;
(vii)
leg-ups granted, if any;
(i)
the targeted critical or important functions and identified ICT systems, processes and technologies supporting the critical or important function, as identified in the red team test plan;
(ii)
summary of each scenario;
(iii)
flags reached and not reached;
(iv)
attack paths followed successfully and unsuccessfully;
(v)
tactics, techniques and procedures used successfully and unsuccessfully;
(vi)
deviations from the red team test plan, if any;
(vii)
leg-ups granted, if any;
Table 2 in anx_V
(i)
the targeted critical or important functions and identified ICT systems, processes and technologies supporting the critical or important function, as identified in the red team test plan;
Table 3 in anx_V
(ii)
summary of each scenario;
Table 4 in anx_V
(iii)
flags reached and not reached;
Table 5 in anx_V
(iv)
attack paths followed successfully and unsuccessfully;
Table 6 in anx_V
(v)
tactics, techniques and procedures used successfully and unsuccessfully;
Table 7 in anx_V
(vi)
deviations from the red team test plan, if any;
Table 8 in anx_V
(vii)
leg-ups granted, if any;
Table 9 in anx_V
(b)
all actions that the testers are aware of that were performed by the blue team to reconstruct the attack and to mitigate its effects;
Table 10 in anx_V
(c)
discovered vulnerabilities and other findings, including:(i)vulnerability and other finding description including their criticality;(ii)root cause analysis of successful attacks;(iii)recommendations for remediation including indication of the remediation priority.
(i)
vulnerability and other finding description including their criticality;
(ii)
root cause analysis of successful attacks;
(iii)
recommendations for remediation including indication of the remediation priority.
(i)
vulnerability and other finding description including their criticality;
(ii)
root cause analysis of successful attacks;
(iii)
recommendations for remediation including indication of the remediation priority.
Table 11 in anx_V
(i)
vulnerability and other finding description including their criticality;
Table 12 in anx_V
(ii)
root cause analysis of successful attacks;
Table 13 in anx_V
(iii)
recommendations for remediation including indication of the remediation priority.
Table 1 in anx_VI
1.
for each attack step described by the testers in the red team test report:(a)list of detected attack actions;(b)log entries corresponding to these detections;
(a)
list of detected attack actions;
(b)
log entries corresponding to these detections;
(a)
list of detected attack actions;
(b)
log entries corresponding to these detections;
Table 2 in anx_VI
(a)
list of detected attack actions;
Table 3 in anx_VI
(b)
log entries corresponding to these detections;
Table 4 in anx_VI
2.
assessment of the findings and recommendations of the testers;
Table 5 in anx_VI
3.
evidence of the attack by the testers collected by the blue team;
Table 6 in anx_VI
4.
blue team root cause analysis of successful attacks by the testers;
Table 7 in anx_VI
5.
list of lessons learned and identified potential for improvement;
Table 8 in anx_VI
6.
list of topics to be addressed in purple teaming.
Table 1 in anx_VII
(a)
the parties involved;
Table 2 in anx_VII
(b)
the project plan;
Table 3 in anx_VII
(c)
the validated scope, including the rationale behind the inclusion or exclusion of critical or important functions and identified ICT systems, processes, and technologies supporting the critical or important functions covered by the TLPT;
Table 4 in anx_VII
(d)
selected scenarios and any significant deviation from the targeted threat intelligence report;
Table 5 in anx_VII
(e)
executed attack paths, and used tactics, techniques and procedures;
Table 6 in anx_VII
(f)
captured and non-captured flags;
Table 7 in anx_VII
(g)
deviations from the red team test plan, if any;
Table 8 in anx_VII
(h)
blue team detections, if any;
Table 9 in anx_VII
(i)
purple teaming in testing phase, where conducted and the related conditions;
Table 10 in anx_VII
(j)
leg-ups used, if any;
Table 11 in anx_VII
(k)
risk management measures taken;
Table 12 in anx_VII
(l)
identified vulnerabilities and other findings, including their criticality;
Table 13 in anx_VII
(m)
root cause analysis of successful attacks;
Table 14 in anx_VII
(n)
high level plan for remediation, linking the vulnerabilities and other findings, their root causes and remediation priority;
Table 15 in anx_VII
(o)
lessons derived from feedback received.
Table 1 in anx_VIII
(a)
on the performed TLPT:(i)the starting and end dates of the TLPT;(ii)the critical or important functions in scope of the test;(iii)where relevant, information on critical or important functions in scope of the test in relation to which the TLPT was not performed;(iv)where relevant, other financial entities that were involved in the TLPT;(v)where relevant, the ICT third-party services providers that participated in the TLPT;(vi)in respect of testers:1.whether internal testers were used;2.whether Article 5(3), second subparagraph, was used by the financial entity;(vii)the duration, in calendar days, of the active red team testing phase;
(i)
the starting and end dates of the TLPT;
(ii)
the critical or important functions in scope of the test;
(iii)
where relevant, information on critical or important functions in scope of the test in relation to which the TLPT was not performed;
(iv)
where relevant, other financial entities that were involved in the TLPT;
(v)
where relevant, the ICT third-party services providers that participated in the TLPT;
(vi)
in respect of testers:1.whether internal testers were used;2.whether Article 5(3), second subparagraph, was used by the financial entity;
1.
whether internal testers were used;
2.
whether Article 5(3), second subparagraph, was used by the financial entity;
(vii)
the duration, in calendar days, of the active red team testing phase;
(i)
the starting and end dates of the TLPT;
(ii)
the critical or important functions in scope of the test;
(iii)
where relevant, information on critical or important functions in scope of the test in relation to which the TLPT was not performed;
(iv)
where relevant, other financial entities that were involved in the TLPT;
(v)
where relevant, the ICT third-party services providers that participated in the TLPT;
(vi)
in respect of testers:1.whether internal testers were used;2.whether Article 5(3), second subparagraph, was used by the financial entity;
1.
whether internal testers were used;
2.
whether Article 5(3), second subparagraph, was used by the financial entity;
1.
whether internal testers were used;
2.
whether Article 5(3), second subparagraph, was used by the financial entity;
(vii)
the duration, in calendar days, of the active red team testing phase;
Table 2 in anx_VIII
(i)
the starting and end dates of the TLPT;
Table 3 in anx_VIII
(ii)
the critical or important functions in scope of the test;
Table 4 in anx_VIII
(iii)
where relevant, information on critical or important functions in scope of the test in relation to which the TLPT was not performed;
Table 5 in anx_VIII
(iv)
where relevant, other financial entities that were involved in the TLPT;
Table 6 in anx_VIII
(v)
where relevant, the ICT third-party services providers that participated in the TLPT;
Table 7 in anx_VIII
(vi)
in respect of testers:1.whether internal testers were used;2.whether Article 5(3), second subparagraph, was used by the financial entity;
1.
whether internal testers were used;
2.
whether Article 5(3), second subparagraph, was used by the financial entity;
1.
whether internal testers were used;
2.
whether Article 5(3), second subparagraph, was used by the financial entity;
Table 8 in anx_VIII
1.
whether internal testers were used;
Table 9 in anx_VIII
2.
whether Article 5(3), second subparagraph, was used by the financial entity;
Table 10 in anx_VIII
(vii)
the duration, in calendar days, of the active red team testing phase;
Table 11 in anx_VIII
(b)
where several TLPT authorities have been involved in the TLPT, the other TLPT authorities, and in which capacity;
Table 12 in anx_VIII
(c)
list of the documents examined by the TLPT authority for the purposes of the attestation.