Technical Support

00:00

hello and welcome to a penetration testing execution standard discussion. Today we're going to go over the technical report areas and components within the reporting section of the Pee test standard. So let's jump straight into our objectives. So we're going to discuss what the technical report is and these sections within that report.

00:20

So let's start with what the technical report is. So the technical report will communicate to the reader, the technical details of the test

00:28

and all aspects I'm components agreed upon as key success indicators within the pre engagement exercise. The technical report section will describe in detail the scope, information, attack, path impact and remediation suggestions of the test. Now

00:43

this is being written for a technical audience. And so, unlike the executive summary, this is a very detailed on an in depth

00:50

report. So

00:52

all of the areas that we previously mentioned in the goals everything that we talked about as far as exploitation post exploitation, you're gonna cover all of those facets with evidence and information in this report. So some of the sections as follows Introduction section of the technical report is intended to be an initial inventory of

01:11

personnel involved in the testing

01:15

from both the client and penetration testing team

01:18

contact information assets involved in testing, objectives of test, scope of test, strength of tests, approach and threat grading structure. So all of this is a general introduction to the overall technical report. The people that were involved, the things that we were trying to achieve,

01:34

what the overall aggressiveness of the test was in the approach

01:38

and the grading scale we used to quantify risk and are threats

01:44

now information gathering. This is where we provide intelligence gathering and information assessments are the foundation of a good pen tests, as we have discussed. And so the more information the tester eyes about the environment or the more informed the testers about the environment, the better The results of the test will be so in this section,

02:01

a number of items should be written up to show the client the extent

02:06

of public and private information available through the execution of intelligence gathering. And then we get into passive and active intelligence again,

02:15

conveying to the client

02:16

how much data did we get without sending traffic to the network through Google through d. N s and things of that nature how much information did we get sending things to the network and so both passive and active reconnaissance and intelligence gathering?

02:32

We want to lay out exactly what we were able to find and what was of concern and what should be noted and addressed. Now. The vulnerability assessment again

02:43

is the act of identifying the potential vulnerabilities, which exists in a in a test and the threat classifications of each threat.

02:50

In this section, a definition of the methods used to identify vulnerabilities as well as evidence and classifications vulnerabilities should be present. So in addition, this should include the classifications levels,

03:01

technical vulnerabilities, logical vulnerabilities and an overall summary of the results for that particular assessment.

03:09

Now exploitation and vulnerability confirmation. So that should be confirmation. Is the act again of triggering the vulnerabilities identified on the previous section to gain a specific level of access to the target asset? So once we validate that vulnerabilities air good,

03:25

we move into the exploitation phase. All of that we want a document. Timestamp provide snippets of and Ford to confirm the status of skins and scan results from our vulnerability analysis phase

03:38

post exploitation. We

03:40

one of the most critical items in all testing, of course, his connection to an actual

03:46

impact on the client being tested. So we want to sink on vulnerability to an export to a result that could produce impacts a while. The section above relates the technical nature of the vulnerability and the ability to successfully take action against the full post. Exploitation

04:01

helps us to tie the ability of exploitation to actual risk,

04:06

right, so there could be risks with a vulnerability. There could be risk with an exploit, but showing someone that we exploited a system and what we could get to provides risk

04:17

now risk exposure wants the direct impact of the businesses qualified through the evidence. Of course, in an existing vulnerability, exploitation and post exploitation section, the risk quantification can be conducted. So in this section, the results from the above areas

04:32

our combined with risk values, information, criticality, corporate valuation and derive business impact from pre engagement areas.

04:42

Then this will give the client the ability to identify, visualize and monetize the vulnerabilities found throughout the testing and weigh those okay resolutions against their business objectives. And so again, if we don't provide them with something to measure our way these things against,

04:59

they'll make the decisions that they think are best, and if they're not sure, they may not take any action. So by being able to provide risk scores and await,

05:06

we can then give them the tools they need to be successful and to mitigate risk.

05:12

And then you'll provide an overall conclusion. So this is the final overview of the test. It's suggested that this section echoes portions of the overall test as well as support the growth of the client security posture. So it should end on a positive note

05:25

with the support and guidance to enable progress in the security program and a regime of testing sash security activity in the future to come. So you want to do kind of a comment? Sand, which opened with good notes,

05:34

give him all the stuff in between that could be good, bad and ugly. Give him something good at the end to closing off a good comment sandwiches, I like to say and make sure that they walk away from the engagement feeling empowered, aware of what's going on and with the tools to make change and reduce risk if we've given them those things and they could walk away and make an impact.

05:56

Then we have met our goal of risk identification and risk reduction.

06:00

Now, in summary, we discussed what a technical report is,

06:04

and we went through each of the given sections just doing Ah hi overview of information that should be in each. The introduction, information gathering passive and active intelligence, vulnerability, assessment, exploitation, vulnerability, confirmation, post exploitation, risk exposure and the conclusion

06:20

All of these things are important in a very strong

06:25

and powerful report. But again, modify this based on your company's best practices mount if I this based on what you're currently doing, look at some different templates and then make a decision on what you think is going to be most beneficial to your client meeting their goals as well as your goals to reduce risk and assist