Why Project Scope Matters

In the wake of recent events regarding two Coalfire employees, physical intrusion, and law enforcement, there is one major component that stands out: Scope details and proper authorization matter! Although there are some details that still aren’t clear for this case, what we do know is that certain details of the scope, methodology, and rules of engagement were vague enough to leave room for misunderstanding and miscommunication.

Update 9/19/2019: There is a link at the bottom of this page to the Iowa State Court’s Administration Statement, which contains several documents.

We are NOT lawyers, so we’re not going to cover legality, etc. What we are covering are details that need to be relayed and agreed upon by an authorized sponsor on the client side and the penetration testers, before any assessment starts where you’re attempting to simulate malicious behavior – whether it’s physical, or logical testing.

So, let us try to answer this question: How do you avoid getting into a similar situation?

Here are our own personal thoughts and opinions based off of professional experience:

Methodology

Having a detailed methodology for each assessment type is VERY important! This is where the security company performing the assessment has the chance to provide details and samples of what the assessment entails, along with the various techniques and tools that can be used.

This also allows the client to review details and decide internally on which of these tools and techniques they are okay with being utilized, what the approach will be for the life of the assessment, and to prepare any questions during the kick-off call / Rules of Engagement review.

Rules of Engagement / Letter of Authorization

The rules of engagement are also extremely important. This is where BOTH parties agree on what is acceptable during the assessment. You agree on things such as the tools and techniques, confirm the target, and have all the necessary points of contact. You also work out details such as the dates and time of day that it is acceptable to perform the assessment, and the people that can be contacted when the assessment is complete, or if things don’t go as planned.

Update 9/19/2019: The documents included in the link at the bottom of this page contains the “Rules of Engagement” document. Although parts are redacted, it states specific hours of the day that the assessment should be performed. We do know that the consultants did test outside of this window.

It is important that the Rules of Engagement also includes a Letter of Authorization, signed by the sponsor who is authorized to grant permission for this type of assessment. A Letter of Authorization is simply a “Get out of jail free card” and should have at least two points of contact for security, law enforcement, etc. to call. These points of contact should be available by phone at all times during the life of the assessment.

If incident response testing is a part of the assessment, this needs to be clearly defined, and the risks to both the company and the consultants need to be weighed – especially for covert physical security assessments.

Professional Consultants

As consultant’s, we are the professionals who are being hired to perform an assessment against a target, in order to help them identify vulnerabilities and risks within whatever environment is in scope–“scope” being the key word here. As professionals, we are familiar with many different tactics that can be utilized to reach the same end goal, but as much as we may want to push the envelope in certain occasions, we are often contractually obligated to stick within specified boundaries.

There are those rare times when you do get it in writing that there is “no scope”, and “anything goes”, but again, that is rare and for physical security assessments, the scope must be clearly defined and several questions need to be asked during the kick-off call. Deviating outside of the scope and limitations means you’re crossing the line between what was agreed upon and signed in legal documentation.

Before any work of any kind begins, make sure that you have a very clear understanding of what is and isn’t okay. If there are questions and concerns, even after the assessment starts, it’s up to you to obtain clarification from the client. As a client, it is up to you to ensure that proper channels are communicated, available, and agreed upon before the assessment even begins – this includes lines of communication for incident response testing.

Social Engineering and Assumptions

“Physical Security Assessments”, “Covert Entry”, “Breaking and Entering”; whatever you want to call it, is not for everyone. It requires a solid understanding from the consultant of people’s perceptions about whom they are attempting to social engineer, the atmosphere in which they are working, details related to the client such as their industry, the likelihood of attacks, and many other vectors. It also requires a strong talent of thinking “off the cuff”, and most importantly, staying calm when tensions arise.

There are things to consider when attempting covert entry. This is where the point about perception comes up again. Whenever you’re tasked with gaining entry into a target facility, assume that you will be seen and challenged as to your identity and intentions. A good social engineer can usually work their way out of these situations with a strong guise, cooperative and confident tone, and an appearance that ties their story together.

So, considering these factors, make sure that whatever you’re wearing, the time you attempt entry (even outside of the time of day, we recommend avoiding dates like 9/11 and similar holidays where threat awareness may be higher that usual), and your physical actions once inside the building will work towards building confidence towards whatever guise you’re using to those who see you, and judge you based off of what they see of you in the moment. Keep in mind that they do not know you personally and are making quick judgements about you and of your intentions. Make sure that you are compliant when necessity compels you to be.

If you’re gaining entry after midnight wearing a Hack The Planet hoodie and moving about as though you’re trying to take cover while holding a big ole bag, you have to imagine how this looks to those who have no clue about you or your intentions. Consider that even though you do not see a security guard, there is probably a camera pointing at you and your attempts to be a ninja are being recorded.

You have to consider this in ALL instances. If your approach, guise, etc. in any way comes across as threatening not only to the those inside of the target facility, but also as a threat to a law enforcement agency that might respond, take a different approach. You want to build confidence, rapport, and most importantly–trust. The last thing that you want is to create a situation where tensions are already high, and you’re now working your way out of a potentially fatal ending…or not even having that opportunity, if an armed guard or law enforcement officer has a gun drawn on what they view is a threat and justified.

Remember, it’s JUST a job. It’s NOT a movie. Real emotions are involved, and there are real consequences to your actions.

Closing

Physical entry is our favorite part of this job, and something that we’re very passionate about. We absolutely hate what has happened to these two colleagues, and hope that everything gets worked out fairly in the end. We also want to help to curb fears that can arise with mainstream media’s “fear-mongering” approach to stories like this, working yet again to paint a negative picture of “hackers”.

We understand that mistakes can happen, and we are only hoping to contribute to the community, and hoping that we can help others avoid finding themselves or their company in a similar situation.

For more information regarding scoping, issues, and other information that’s been mentioned in this post, check out our presentation from our 2019 DerbyCon talk:
https://www.youtube.com/watch?v=nKrzf7gbsRE

## Update:
Here are some more details into the case:
Iowa Judicial Branch – State Court Administration Statement, which also contains the Rules of Engagement, Social Engineering Authorization, Master Agreement, and more.
https://www.iowacourts.gov/announcements/state-court-administration-statement/


Leave a Reply

Please log in using one of these methods to post your comment:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

This site uses Akismet to reduce spam. Learn how your comment data is processed.