Rules of Engagement

Overview

The Rules of Engagement document is one that we have to sign with the client after the quote and the Master Service Agreement have been signed.

This document lays out exactly what you CAN and CAN'T do. Reading it thoroughly and following it ensures that there won't be any legal issues in the future if you make a mistake.

Basics of an ROE

  • Roles and Responsibilities

    • Penetration team

    • Client company

    • Customer Point of Contact (CPOC)

      • Person from the client company that is responsible for direct communication and coordination with the penetration team in case things go down

    • Penetration Team Point of Contact

  • Rules of Engagement

    • Dates of Test - Start to Finish

    • Disclosures and Status Updates

    • Scope

      • CIDR Networks

      • Individual IP addresses

      • NOTHING OUTSIDE OF THE SCOPE SHOULD BE ATTACKED

    • Malware Emulation Testing

      • Heads up that malware may be dropped onto the system

      • Make sure the client notifies the penetration team if they detect it; Kudos to the client

    • Bounds of the test

    • Stop Point and Keeping access

    • Announcement

      • Any scanning won't be announced by the client to their staff

    • Project Closure - a week or two after the assessment has ended

    • Post Mortem - Giving a report to explain attacks and findings

    • Out of Scope

      • Denial of Service (DoS) attacks against production infrastructure

      • Social engineering attacks

        • We are strictly attacking the infrastructure and not people

      • DO NOT DO THE THINGS LISTED

    • Disclaimer

      • Stating you may use commercial or common tools that may impede system performance, crash production systems and permit unapproved access

      • State that the client understands this

  • Acceptance

    • DO NOT perform a penetration test until the document is signed

    • Always double and triple check that it is signed
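A small scope check that enforces the "nothing outside of the scope should be attacked" rule before any tool is pointed at a target. This is an added example, not part of the original notes; the scope entries and target list are constructed, and the helper assumes the RoE scope is written as CIDR networks and individual IP addresses.

```python
import ipaddress

# Constructed example scope, in the form an RoE would list it:
# CIDR networks plus individual hosts.
SCOPE = ["10.10.0.0/16", "192.0.2.15", "203.0.113.0/28"]


def parse_scope(entries):
    """Turn each RoE scope entry into a network object.

    A bare IP address becomes a /32 (or /128) network, so hosts and
    CIDR ranges can be handled the same way. strict=False tolerates
    entries like 10.10.1.0/16 whose host bits are not zero.
    """
    return [ipaddress.ip_network(e.strip(), strict=False) for e in entries]


def in_scope(target, nets):
    """True only if the WHOLE target (a host or a CIDR) sits inside one scope entry.

    A range that is only partly covered is rejected, because attacking
    the uncovered part would be out of scope. Address families must match.
    """
    t = ipaddress.ip_network(target, strict=False)
    return any(n.version == t.version and t.subnet_of(n) for n in nets)


def check_targets(targets, scope_entries):
    """Split a candidate target list into allowed and rejected entries.

    Anything that does not parse as an address or network is rejected
    rather than guessed at, so a typo can never widen the scope.
    """
    nets = parse_scope(scope_entries)
    allowed, rejected = [], []
    for target in targets:
        try:
            ok = in_scope(target, nets)
        except ValueError:
            ok = False
        (allowed if ok else rejected).append(target)
    return allowed, rejected


if __name__ == "__main__":
    candidates = ["10.10.5.7", "192.0.2.16", "203.0.113.0/27", "bogus"]
    good, bad = check_targets(candidates, SCOPE)
    print("in scope:", good)
    print("OUT OF SCOPE, do not touch:", bad)
```

Run the check against the target file before launching any scanner; a non-empty rejected list means the target list, not the scope, needs fixing.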
