4.1 Reporting & communications: Communication & reports

Question 1

Communication Paths: who are the primary contact for reporting?

Answer 1

The party responsible for handling the project for the target organization
● CISO
● CIO
● IT Director
● SOC Director

Question 2

Communication Triggers: what Status Report for?

Answer 2

Used to provide regular progress updates to the primary, secondary, and technical contacts during an engagement

Question 3

Communication Triggers: what a Critical Findings?

Answer 3

Occur when a vulnerability is found that could pose a significant risk to the organization

Question 4

Communication Triggers: what Indicator of Compromise (IoC)?

Answer 4

▪ A residual sign that an asset or network has been successfully attacked or is being attacked
▪ If there are IoCs in the target network, pause the engagement and shift to an incident response or recovery mode

Question 5

Reasons for Communication: what Situation Awareness as reason for communication?

Answer 5

▪ The perception of the different environment elements and events with respect to time or space, the comprehension of their meaning, and the projection of their future status
▪ Members need to communicate and share information to create a shared situational awareness amongst the team

Question 6

Reasons for Communication: what De-confliction as reason for communication?

Answer 6

Used to determine if a detected activity is a real attacker acting against the target network or an authorized penetration tester

Question 7

Reasons for Communication: what De-escalation ?

Answer 7

The process of decreasing the severity, intensity, or magnitude of a reported security alert

Question 8

Reasons for Communication: what False positives?

Answer 8

Use a results validation process with the trusted agent to help identify what findings may be false positives

Question 9

Reasons for Communication: what Criminal activity and Goal reprioritization?

Answer 9

o Criminal activity: In case of criminal activity, consult with your lawyer or legal counsel to determine the appropriate next steps
o Goal reprioritization: Realize that penetration tests are a fluid thing and priorities do change during the engagement

Question 10

Presentation of Findings: define C Suite and how to present your findings to them?

Answer 10

▪ Refers to the top-level management inside of an organization:
● How vulnerable is their organization?
● What can they do to stop those vulnerabilities?
● How much money is it going to take?
● How many people is it going to take?
● How much time is it going to take?
▪ You need to put the cost associated with your findings
▪ You need to present them with the benefits
▪ Keep things at a broad, high level that is focused on the business and the cost

Question 11

Presentation of Findings: what are the Third Party Stakeholders in the reporting phase?

Answer 11

People that are not directly involved with the organization or client, but still involved in the process related to the different penetration testing

Question 12

Presentation of Findings: what are the Technical Staff in the reporting phase?

Answer 12

They’re going to be looking for details and ways that they can change things using different operations software or security patches

Question 13

Presentation of Findings: what are the Developers in the reporting phase?

Answer 13

They’re looking for deeply technical information so they can change the code that’s runs those applications and prevent vulnerabilities from happening

Question 14

Report Data Gathering: what should be the source of the data you gather during your pentest?

Answer 14

▪ Open-source intelligence
▪ Reconnaissance
▪ Enumeration
▪ Vulnerability scanners
▪ Attack and exploit tools

Question 15

Report Data Gathering: what Normalization means?

Answer 15

The process of combining data from various sources into a common format and repository

Question 16

Report Data Gathering: what Dradis?

Answer 16

A framework used to gather and share data and findings amongst the penetration testing team

Question 17

Written Reports: what is the Executive Summary in a report?

Answer 17

▪ A high-level overview written for the management and executives
▪ The executive summary must have a conclusion statement

Question 18

Written Reports: what is the Scope Details in a report?

Answer 18

Reiterates the agreed-upon scope during the engagement

Question 19

Written Reports: what is the Methodology in a report?

Answer 19

▪ A high-level description of the standards or frameworks followed during the penetration test
▪ The methodology section also includes a brief attack narrative:
1. Reconnaissance
2. Footprinting
3. Enumeration
4. Vulnerability scanning
5. Initial attack
6. Lateral movement and Pivoting
7. Persistence

Question 20

Written Reports: what is Findings in a report?

Answer 20

▪ A full or summarized list of issues found during an engagement
▪ The findings section will most likely cover the bulk of the report
● Findings
● Recommendation
● Threat level
● Risk rating
● Exploitation

Question 21

Written Reports: define Metrics and Measures

Answer 21

▪ Metric: A quantifiable measurement that helps to illustrate the status or results of a process. What’s the amount
▪ Measure: A specific data point that contributes to a given metric. What to measure

Question 22

Written Reports: define Remediation

Answer 22

▪ Summarizes the biggest priorities the organization should focus on to remediate vulnerabilities
▪ This allows the organization to make educated decisions based on your recommendations

Question 23

Securing and Storing Reports: how to secure and store reports? How long a report should be stored?

Answer 23

o Store reports in an offline server or in an encrypted format
o Ensure the reports are only to be seen by those with a “need to know”: Proper access control, Secure encryption
o Maintain an audit trail to track the copies made of the report
o Make sure to know the lifecycle of all documents and evidence: A period of 12 to 24 months should be enough, in most cases