Last step of an assessment is to formalize the work to be done. This is critically important, as this defines what the expectations for the work will be, and grants you permission to conduct what might otherwise be illegal activity. We will cover this at a high level, but this is a very complex step so you will likely want to check with your organization’s legal representative for assistance.
As part of the formalization process, you will need to define the rules of engagement for the work. This covers items such as:
- What systems are you allowed to interact with ? It is important to ensure you don’t accidentally interfere with anything that is critical to business operations.
- What time of day and over what attack window is the assessment allowed to occur ? Some organizations like to limit the times that the assessment work can be conducted.
- When you discover a potential vulnerability, are you allowed to exploit it ? If not, what is the approval process ? There are some organizations that take a very controlled approach to each exploitation attempt, whereas others would like a more realistic approach. It is best to define these expectations clearly before work begins.
- If a significant issue is discovered, how should it be handled ? Sometimes, organizations want to be informed right away, otherwise it is typically addressed at the end of the assessment.
- In case of emergency, who should you contact ? It is always important to know who to contact when a problem of any sort occurs.
- Who will know about the activity ? How will it be communicated to them? In some cases, organizations will want to test their incident response and detection performance as part of the assessment. It is always a good idea to know this beforehand, so you know if you should take any degree of stealth in the approach to the assessment.
- What are the expectations at the end of the assessment ? How will results be communicated ? Know what all parties expect at the end of the assessment. Defining the deliverable is the best way to keep everyone happy after the work is completed.
While not complete, this listing gives you an idea of the details that should be covered. However, you should realize that there is no substitute for good legal representation.
Once these items are defined, you need to acquire proper authorization to perform the assessment, since much of the activity that you will do in the course of an assessment may not be legal without proper authority from someone with the authority to give that permission.
With all that in place, there is still one last step you will want to take before starting work : validation.
Never trust the scope that you are provided—always validate it. Use multiple information sources to confirm that the systems within scope are in fact owned by the client and that they are operated by the client as well. With the prevalence of cloud services, an organization may forget that they don’t actually own the systems providing them service. You may find that you have to obtain special permission from a cloud service provider before starting work.
In addition, always validate IP address blocks. Don’t count on an organization’s assumption that they own entire IP blocks, even if they sign off on them as viable targets. For example, we have seen examples of organizations that request an assessment of an entire class C network range when, in fact, they only owned a subset of those addresses. By attacking the entire class C address space, we would have ended up attacking the organization’s network neighbors. The OSINT Analysis sub-category of the Information Gathering menu contains a number of tools that can assist you with this validation process.