1
00:00:00,090 --> 00:00:00,990
Instructor: After you've defined
2
00:00:00,990 --> 00:00:02,940
and clarified the scope of the assessment,
3
00:00:02,940 --> 00:00:05,280
you're then gonna need to agree upon the rules of engagement
4
00:00:05,280 --> 00:00:07,860
for that penetration test with your client.
5
00:00:07,860 --> 00:00:10,860
Now, the rules of engagement, also known as the ROE,
6
00:00:10,860 --> 00:00:13,650
are the ground rules that both parties must abide by,
7
00:00:13,650 --> 00:00:16,710
both the organization and the penetration tester.
8
00:00:16,710 --> 00:00:18,270
Think of it like a soccer game
9
00:00:18,270 --> 00:00:21,450
in which everybody needs to know and play by the same rules.
10
00:00:21,450 --> 00:00:23,550
Everybody knows that the goalie is the only player
11
00:00:23,550 --> 00:00:24,870
allowed to use their hands,
12
00:00:24,870 --> 00:00:27,120
and so both teams understand this common rule,
13
00:00:27,120 --> 00:00:29,280
and we can play the game accordingly.
14
00:00:29,280 --> 00:00:31,980
Rules of engagement cover five key areas:
15
00:00:31,980 --> 00:00:35,010
timeline, locations, time restrictions,
16
00:00:35,010 --> 00:00:37,890
transparency and boundaries for the test.
17
00:00:37,890 --> 00:00:40,440
Both the organization and the penetration tester
18
00:00:40,440 --> 00:00:43,200
need to agree upon the timeline for the engagement.
19
00:00:43,200 --> 00:00:45,810
A timeline is used to represent a series of events
20
00:00:45,810 --> 00:00:48,630
that transpire within a discrete period of time.
21
00:00:48,630 --> 00:00:50,400
This includes when the test will occur
22
00:00:50,400 --> 00:00:52,770
and the total duration of the engagement.
23
00:00:52,770 --> 00:00:54,180
Will the assessment be conducted
24
00:00:54,180 --> 00:00:57,630
over a couple of days, a week, a month, or a year?
25
00:00:57,630 --> 00:00:59,880
This will be negotiated as part of your contract,
26
00:00:59,880 --> 00:01:02,430
and becomes part of your rules of engagement.
27
00:01:02,430 --> 00:01:04,230
From this agreed upon duration,
28
00:01:04,230 --> 00:01:06,720
the penetration testing team will then need to outline
29
00:01:06,720 --> 00:01:08,610
what tasks are gonna be performed
30
00:01:08,610 --> 00:01:10,200
and estimate the amount of time required
31
00:01:10,200 --> 00:01:12,300
for each task to be completed.
32
00:01:12,300 --> 00:01:15,300
For instance, if a phishing campaign is gonna be utilized
33
00:01:15,300 --> 00:01:17,550
as part of a social engineering assessment,
34
00:01:17,550 --> 00:01:20,400
will those emails all be sent out at the same time,
35
00:01:20,400 --> 00:01:23,700
or are we gonna spread them out over several days or weeks
36
00:01:23,700 --> 00:01:27,360
in an attempt to be more covert and more likely to be effective?
37
00:01:27,360 --> 00:01:29,370
Once the timeline of events is created,
38
00:01:29,370 --> 00:01:31,440
this will often be provided to the trusted agent
39
00:01:31,440 --> 00:01:33,210
within the targeted organization
40
00:01:33,210 --> 00:01:35,910
to aid them in deconfliction and to get their concurrence
41
00:01:35,910 --> 00:01:38,190
before we execute the assessment.
42
00:01:38,190 --> 00:01:40,380
Now, when completed, the timeline should include
43
00:01:40,380 --> 00:01:43,110
the date and time that each task is gonna begin,
44
00:01:43,110 --> 00:01:46,230
its estimated duration, a brief description of the task,
45
00:01:46,230 --> 00:01:48,510
and who's responsible for performing that task
46
00:01:48,510 --> 00:01:50,970
within your penetration testing team.
47
00:01:50,970 --> 00:01:53,370
The second major concern is the location.
48
00:01:53,370 --> 00:01:56,010
Will the penetration testing team be conducting the attacks
49
00:01:56,010 --> 00:01:58,680
on site or from a remote location?
50
00:01:58,680 --> 00:02:01,350
If the target organization has multiple locations,
51
00:02:01,350 --> 00:02:02,820
will the pen tester be required
52
00:02:02,820 --> 00:02:06,600
to go to every single location or to test all the locations,
53
00:02:06,600 --> 00:02:08,370
or will they just use a sample set,
54
00:02:08,370 --> 00:02:10,530
or maybe just the corporate headquarters?
55
00:02:10,530 --> 00:02:12,240
The rules of engagement will specify
56
00:02:12,240 --> 00:02:14,430
which locations are authorized to be targeted
57
00:02:14,430 --> 00:02:17,700
and which ones are considered off limits and out of scope.
58
00:02:17,700 --> 00:02:20,640
As a penetration tester, it's always important to consider
59
00:02:20,640 --> 00:02:22,740
if any of the target locations are located
60
00:02:22,740 --> 00:02:25,140
across international borders as well.
61
00:02:25,140 --> 00:02:28,770
For example, some organizations have offices in California,
62
00:02:28,770 --> 00:02:30,630
London, and Hong Kong.
63
00:02:30,630 --> 00:02:32,160
Now, each of those three locations
64
00:02:32,160 --> 00:02:33,990
will require the penetration tester
65
00:02:33,990 --> 00:02:35,760
to become familiar with the laws and regulations
66
00:02:35,760 --> 00:02:38,310
that are applicable in those areas.
67
00:02:38,310 --> 00:02:40,230
All authorized locations should be listed
68
00:02:40,230 --> 00:02:41,580
in the rules of engagement,
69
00:02:41,580 --> 00:02:44,670
especially any that cross international borders.
70
00:02:44,670 --> 00:02:46,770
The third key area in the rules of engagement
71
00:02:46,770 --> 00:02:48,330
is time restrictions.
72
00:02:48,330 --> 00:02:51,300
Now, time restrictions are used to specify certain times
73
00:02:51,300 --> 00:02:53,340
that the penetration tester is authorized
74
00:02:53,340 --> 00:02:56,880
or unauthorized to conduct their exploits and attacks.
75
00:02:56,880 --> 00:02:59,760
For instance, if a company always does server maintenance
76
00:02:59,760 --> 00:03:02,130
on Saturday nights from midnight to 2:00 AM
77
00:03:02,130 --> 00:03:03,930
and they can't afford any additional downtime
78
00:03:03,930 --> 00:03:07,380
during those hours, the targeted organization may specify
79
00:03:07,380 --> 00:03:08,580
that the penetration testers
80
00:03:08,580 --> 00:03:11,850
simply can't conduct their assessments during those hours.
81
00:03:11,850 --> 00:03:14,190
Another example is if the target organization
82
00:03:14,190 --> 00:03:16,320
is typically a business organization,
83
00:03:16,320 --> 00:03:18,960
and they may allow us to attack during weekends and holidays
84
00:03:18,960 --> 00:03:21,690
when a large portion of their staff are not at work.
85
00:03:21,690 --> 00:03:22,920
As a penetration tester,
86
00:03:22,920 --> 00:03:25,680
I really love conducting assessments during a holiday period
87
00:03:25,680 --> 00:03:28,110
because there are fewer people working and the ones who are
88
00:03:28,110 --> 00:03:30,210
are really not paying that close of attention.
89
00:03:30,210 --> 00:03:31,980
Conversely though, if we're conducting
90
00:03:31,980 --> 00:03:35,040
a PCI DSS compliance assessment for a retail organization
91
00:03:35,040 --> 00:03:37,350
and we wanna conduct our attack on Christmas Eve,
92
00:03:37,350 --> 00:03:38,370
well, guess what?
93
00:03:38,370 --> 00:03:40,740
That retailer is probably gonna disapprove that
94
00:03:40,740 --> 00:03:42,750
because they don't wanna take anything offline
95
00:03:42,750 --> 00:03:45,840
or lose sales during one of their busiest days of the year.
96
00:03:45,840 --> 00:03:47,700
It all comes down to what the organization
97
00:03:47,700 --> 00:03:50,430
and the penetration tester are going to agree upon.
98
00:03:50,430 --> 00:03:52,380
Now, with all that being said,
99
00:03:52,380 --> 00:03:54,390
if your client does not maintain an operation
100
00:03:54,390 --> 00:03:57,600
on a 24/7, 365 type of schedule,
101
00:03:57,600 --> 00:04:00,120
you should really explain to your client's key stakeholders
102
00:04:00,120 --> 00:04:02,250
the importance of conducting the penetration test
103
00:04:02,250 --> 00:04:04,320
during their normal business hours.
104
00:04:04,320 --> 00:04:06,810
By conducting the test during their normal business hours,
105
00:04:06,810 --> 00:04:08,460
the organization's reaction to an attack
106
00:04:08,460 --> 00:04:09,780
can be more clearly measured
107
00:04:09,780 --> 00:04:12,480
because those defenders are there during the day at work
108
00:04:12,480 --> 00:04:14,400
during those potential attacks and exploits
109
00:04:14,400 --> 00:04:16,620
that you're creating during the engagement.
110
00:04:16,620 --> 00:04:18,779
Whichever timeline restrictions are agreed upon
111
00:04:18,779 --> 00:04:22,050
should clearly be stated inside of your rules of engagement.
112
00:04:22,050 --> 00:04:23,850
For example, there might be a line
113
00:04:23,850 --> 00:04:25,110
in that document that says,
114
00:04:25,110 --> 00:04:27,210
activities for the engagement will be conducted
115
00:04:27,210 --> 00:04:31,650
only on weekdays from 9:00 AM to 5:00 PM US Pacific time,
116
00:04:31,650 --> 00:04:32,790
unless otherwise stated
117
00:04:32,790 --> 00:04:35,520
and approved within an individual test plan.
118
00:04:35,520 --> 00:04:37,350
This would mean that the bulk of the engagement
119
00:04:37,350 --> 00:04:39,990
is going to happen during normal business hours,
120
00:04:39,990 --> 00:04:42,390
but maybe you have an individual test plan
121
00:04:42,390 --> 00:04:45,120
that you wanna try and conduct a physical penetration test
122
00:04:45,120 --> 00:04:47,640
of their data center at 2:00 AM on a Sunday
123
00:04:47,640 --> 00:04:49,140
because there's not as many people there
124
00:04:49,140 --> 00:04:51,600
and you need the cover of dark to make that happen.
125
00:04:51,600 --> 00:04:52,890
If that plan gets approved,
126
00:04:52,890 --> 00:04:54,180
it's gonna be okay to do that
127
00:04:54,180 --> 00:04:55,770
outside of normal business hours
128
00:04:55,770 --> 00:04:58,320
because it is a separately approved test plan
129
00:04:58,320 --> 00:05:00,000
that's meeting the goal.
130
00:05:00,000 --> 00:05:02,850
Now, our fourth area to consider is transparency.
131
00:05:02,850 --> 00:05:05,010
We need to know who in the target organization
132
00:05:05,010 --> 00:05:06,540
is going to be told that an engagement
133
00:05:06,540 --> 00:05:09,090
is scheduled to occur or is ongoing.
134
00:05:09,090 --> 00:05:11,220
Now, some organizations will keep this information
135
00:05:11,220 --> 00:05:13,290
confidential and highly controlled
136
00:05:13,290 --> 00:05:14,820
so that only senior executives,
137
00:05:14,820 --> 00:05:16,410
like the chief security officer
138
00:05:16,410 --> 00:05:17,670
or chief technology officer,
139
00:05:17,670 --> 00:05:19,650
are gonna be aware of the engagement.
140
00:05:19,650 --> 00:05:21,060
Other organizations though
141
00:05:21,060 --> 00:05:22,860
may tell some of their system administrators
142
00:05:22,860 --> 00:05:24,780
or their director of information technology
143
00:05:24,780 --> 00:05:26,280
that this is gonna happen.
144
00:05:26,280 --> 00:05:28,830
Again, this really depends on the rules of engagement
145
00:05:28,830 --> 00:05:30,090
that are gonna be established
146
00:05:30,090 --> 00:05:32,550
and the objectives of the overall assessment.
147
00:05:32,550 --> 00:05:34,530
Now, this person inside the organization
148
00:05:34,530 --> 00:05:36,150
that you're allowed to communicate with,
149
00:05:36,150 --> 00:05:38,310
we call them a trusted agent.
150
00:05:38,310 --> 00:05:40,860
This trusted agent is an in-house staff member
151
00:05:40,860 --> 00:05:42,600
who's gonna be designated as a monitor
152
00:05:42,600 --> 00:05:44,940
in the organization during this assessment.
153
00:05:44,940 --> 00:05:47,130
It's really important to work with that trusted agent
154
00:05:47,130 --> 00:05:51,150
before, during, and after the engagement to ensure success.
155
00:05:51,150 --> 00:05:52,320
Now, this person is somebody
156
00:05:52,320 --> 00:05:54,390
who's inside the targeted organization,
157
00:05:54,390 --> 00:05:55,950
and they're gonna receive all the details
158
00:05:55,950 --> 00:05:58,920
of the penetration test while it's being conducted.
159
00:05:58,920 --> 00:06:00,210
They are empowered to communicate
160
00:06:00,210 --> 00:06:02,520
directly with the penetration testing team
161
00:06:02,520 --> 00:06:04,500
so that the attacks can be deconflicted,
162
00:06:04,500 --> 00:06:06,180
and if there's any negative effects
163
00:06:06,180 --> 00:06:07,530
on the operational network,
164
00:06:07,530 --> 00:06:09,030
the penetration testers can be told
165
00:06:09,030 --> 00:06:11,280
to stop their exploitations that are in progress
166
00:06:11,280 --> 00:06:12,990
while the organization recovers their systems
167
00:06:12,990 --> 00:06:14,880
back to normal operations.
168
00:06:14,880 --> 00:06:17,550
The trusted agent can also provide the penetration testers
169
00:06:17,550 --> 00:06:20,520
with resources if you're doing a known environment test,
170
00:06:20,520 --> 00:06:22,860
things like network diagrams, source code,
171
00:06:22,860 --> 00:06:24,960
and a list of the operating systems.
172
00:06:24,960 --> 00:06:26,310
Now, if the objectives require
173
00:06:26,310 --> 00:06:28,050
an unknown environment test though,
174
00:06:28,050 --> 00:06:30,540
those types of resources are not gonna be provided,
175
00:06:30,540 --> 00:06:32,730
and the penetration testers will instead be required
176
00:06:32,730 --> 00:06:35,100
to conduct the assessment in the blind.
177
00:06:35,100 --> 00:06:36,750
The final area that we need to think about
178
00:06:36,750 --> 00:06:38,340
is one of boundaries.
179
00:06:38,340 --> 00:06:40,440
Now, what exactly will the penetration tester
180
00:06:40,440 --> 00:06:41,970
include in the assessment?
181
00:06:41,970 --> 00:06:43,230
Now, this will already be covered
182
00:06:43,230 --> 00:06:44,820
inside of your statement of work,
183
00:06:44,820 --> 00:06:46,170
but in the rules of engagement,
184
00:06:46,170 --> 00:06:48,720
you should also include any rules about what you can
185
00:06:48,720 --> 00:06:51,240
and cannot test from a technical, physical,
186
00:06:51,240 --> 00:06:53,130
or operational perspective.
187
00:06:53,130 --> 00:06:55,950
For example, is the penetration tester authorized
188
00:06:55,950 --> 00:06:57,210
to conduct social engineering
189
00:06:57,210 --> 00:06:59,370
as a method of gaining access to the network,
190
00:06:59,370 --> 00:07:00,990
or are they only allowed to use
191
00:07:00,990 --> 00:07:03,180
openly available technical exploits?
192
00:07:03,180 --> 00:07:04,920
Some organizations simply wanna see
193
00:07:04,920 --> 00:07:06,390
their technical vulnerabilities,
194
00:07:06,390 --> 00:07:07,920
and therefore, they're gonna exclude
195
00:07:07,920 --> 00:07:09,630
social engineering attacks, like phishing,
196
00:07:09,630 --> 00:07:11,100
from your assessments.
197
00:07:11,100 --> 00:07:13,230
These organizations aren't necessarily concerned
198
00:07:13,230 --> 00:07:14,970
with testing their user awareness.
199
00:07:14,970 --> 00:07:16,980
Instead, they wanna see if their systems
200
00:07:16,980 --> 00:07:18,900
are correctly configured to prevent somebody
201
00:07:18,900 --> 00:07:21,300
from attacking from outside of the corporate network
202
00:07:21,300 --> 00:07:23,220
into the corporate network.
203
00:07:23,220 --> 00:07:25,200
Again, this comes down to agreeing
204
00:07:25,200 --> 00:07:26,460
to the boundaries for the assessment
205
00:07:26,460 --> 00:07:28,800
in order to meet the engagement objectives.
206
00:07:28,800 --> 00:07:30,870
Remember, boundaries are used to refer
207
00:07:30,870 --> 00:07:32,700
to what systems may be targeted
208
00:07:32,700 --> 00:07:35,130
and what techniques can be utilized.
209
00:07:35,130 --> 00:07:37,140
If we're doing a physical security test,
210
00:07:37,140 --> 00:07:38,820
are we allowed to climb their fence?
211
00:07:38,820 --> 00:07:39,900
Well, maybe we can.
212
00:07:39,900 --> 00:07:42,180
Maybe we can't, but the boundaries established
213
00:07:42,180 --> 00:07:45,130
in the rules of engagement will confirm what is authorized.
214
00:07:46,213 --> 00:07:48,270
(gentle music)