Quote - signed
Master Service Agreement - signed
Rules of Engagement
Customer Point of Contact (CPOC)
  - basically the emergency contact
  - need one from each company (penetrator and penetrated)
Scope (cover your ass, CYA):
  - IP range(s)
  - Malware Emulation Testing
    - Cobalt Strike and Meterpreter
  - Bounds of the test
    - even if more hosts/vulnerabilities are found, only the ones in scope will be tested
  - Stop Point:
    - when the testing will end (end of business on the last day written earlier)
    - whether access is kept through malware after that point
  - Announcements:
    - the vulnerability scan will not be announced to the (penetrated) company's staff
  - Project Closure:
    - a week or two after the last day of assessment
  - Post Mortem:
    - full disclosure and reporting to explain the attacks and vulnerabilities
  - Out of Scope:
    - what you cannot attack or perform
    - Denial of Service is usually out of scope
    - Social Engineering (for most external pen tests/engagements)
      - a red team engagement should include social engineering
    - we stop at MFA if we find creds
  - Disclaimer:
    - use of commercial or readily available tools that could affect performance or cause crashes