Good communication is a fundamental part of executing a pentest. Have the contacts established in advance, know the triggers, and understand the reasons why you need to communicate while the security tests are ongoing.
The Importance of Communication
Communication is vital for a penetration test. With open paths of communication established during all phases of a test, the pentester can be sure of the current scope and rules of engagement, meet client expectations, and avoid causing unexpected trouble.
Open communication paths also help avoid or mitigate issues that might arise during the penetration test. They give the pentester a way to check whether a finding is a false positive, using additional information from internal teams about the configuration and use of systems and applications. At the same time, if the pentester identifies a possible attack in progress or finds evidence of a past attack, the communication paths can be used to report possible criminal activity.
Defining a Communication Path
The pentester should clearly define the communication path during the planning stages of a security test engagement.
This communication path should include contacts that will be used in different circumstances:
Primary contact: the person designated by the customer to administer the penetration test day to day. You should report the progress of the penetration test and any problems to this individual.
Technical contact: if you have technical issues or questions during the test, this is the person to talk to. During the tests you may need help getting your device added to an approved list so it can pass security controls, so this contact comes in handy.
Emergency contact: in case a major issue appears during the pentest, such as a system freeze, you need an emergency contact, such as a 24-hour security operations center (SOC).
In addition to these contacts, the pentester should establish regular communication with the client to provide periodic status updates. Usually this is a quick meeting with the key stakeholders where the pentester gives an update on the progress of the test and everyone discusses outstanding issues.
The following circumstances warrant immediate communication with management, because they may arise before the next regularly scheduled update.
Critical Findings If the pentester identifies and validates a critical or major issue with the security of the client's environment, the stakeholders should be notified immediately (even if this notification reduces the degree of penetration the testers are able to achieve during the test) so they can decide how to proceed. A known vulnerability that goes unaddressed may leave the organization at an unacceptable level of risk and result in a compromise.
Indicators of Prior Compromise If the pentesters discover indicators of an ongoing or past compromise, they should stop the pentest and immediately inform the stakeholders so they can decide how to proceed. Keep in mind that you are the pentester, not part of the company's cybersecurity incident response process.
Each Testing Stage End The end of a stage of the pentest should serve as a trigger for communicating status updates to management.
The statement of work (SOW) may require regular status updates or have other communication triggers in addition to those at each stage end.
Other Reasons for Communication
Situational awareness Regular status updates with the customer are an opportunity to learn about changes in business operations that may affect the pentest.
De-escalation Some stages of the pentest may affect business operations. When this happens, the customer and the pentesters need to work together to de-escalate the situation and keep business operations running smoothly. In such cases, the customer may choose to change the parameters of the pentest and take a different approach to testing in order to reduce or eliminate the impact on the business.
Deconfliction While performing the pentest, your actions need to be identifiable so they do not conflict with the work of the IT security team. Your IP addresses or tools can raise flags during the pentest, and to avoid being blocked you may need to get them whitelisted for the period of the tests.
Identifying false positives You can use your communication path with the customer to determine whether an odd result or finding is a false positive.
Criminal activity If you come across evidence of criminal activity, report it directly to the customer and discuss your findings with them.
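Deconfliction works best when the agreed tester source addresses and test window are written down where the security team's tooling can use them. The following script is an added example, not part of the original article: it takes a hypothetical rules-of-engagement record (the engagement name, the tester's CIDR ranges and the authorized window are constructed placeholder values) and triages a few constructed IDS alert lines, tagging those that match the registered test as authorized and escalating everything else. Note that an alert from a tester range outside the agreed window is still escalated, because the rules of engagement do not cover it.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Engagement:
    """Hypothetical rules-of-engagement record shared with the SOC (assumed structure)."""
    name: str
    source_ranges: tuple   # CIDR strings the tester has agreed to originate from
    start: datetime        # authorized test window (inclusive)
    end: datetime


# Constructed placeholder values; a real record comes from the signed SOW/ROE.
ENGAGEMENT = Engagement(
    name="EXAMPLE-ENGAGEMENT-ID",
    source_ranges=("203.0.113.0/28",),      # TEST-NET-3 documentation range
    start=datetime(2024, 3, 4, 9, 0, tzinfo=timezone.utc),
    end=datetime(2024, 3, 8, 18, 0, tzinfo=timezone.utc),
)

# Constructed alert lines in a simple key=value format (not real IDS output).
SAMPLE_ALERTS = [
    "id=A1 ts=2024-03-05T10:15:00Z src=203.0.113.5 sig=port-scan",
    "id=A2 ts=2024-03-09T02:00:00Z src=203.0.113.5 sig=port-scan",
    "id=A3 ts=2024-03-05T10:20:00Z src=198.51.100.77 sig=port-scan",
]


def parse_alert(line: str) -> dict:
    """Split a key=value alert line into a dict and parse its timestamp."""
    fields = dict(part.split("=", 1) for part in line.split())
    fields["ts"] = datetime.fromisoformat(fields["ts"].replace("Z", "+00:00"))
    return fields


def classify_alert(alert: dict, eng: Engagement) -> str:
    """Tag an alert against the engagement record.

    authorized-test          -> tester range AND inside the agreed window
    escalate-outside-window  -> tester range but outside the window (not covered by ROE)
    escalate-unrelated       -> not from a registered tester range
    """
    src = ip_address(alert["src"])
    in_range = any(src in ip_network(r) for r in eng.source_ranges)
    in_window = eng.start <= alert["ts"] <= eng.end
    if in_range and in_window:
        return "authorized-test"
    if in_range:
        return "escalate-outside-window"
    return "escalate-unrelated"


def triage(lines, eng: Engagement = ENGAGEMENT):
    """Return (alert id, disposition) pairs for a batch of alert lines."""
    return [(a["id"], classify_alert(a, eng)) for a in map(parse_alert, lines)]


if __name__ == "__main__":
    for alert_id, disposition in triage(SAMPLE_ALERTS):
        print(f"{alert_id}: {disposition}")
```

Tagging rather than dropping the matching alerts keeps a record of what the test actually touched, which is also what lets the customer answer the pentester's false-positive questions later from their own logs.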
Reprioritizing the goals of a penetration test is an acceptable activity. Another reason to meet regularly with the customer or stakeholders is that the pentester may come across new information that could change the goals and priorities of the penetration test. Any change to the rules or priorities defined in the statement of work requires acceptance from the stakeholders.