Introduction to Penetration Testing Documentation
In this post, I will do a brief overview of the reporting phase of a pentest and cover a high-level description of what should be included and things to look out for.
Introduction
Once the penetration testing is concluded, the client should receive the findings. The penetration tester has a responsibility to the client to present the findings. This can be seen as an opportunity to explain why time and money spent on the test were wisely spent.
Findings should come in the form of a written report explaining the services provided, the methodology adapted, the testing results and possible solutions and recommendations.
The final report is often the only tangible evidence that a client will receive from the penetration testing process.
The report should be carefully planned and written during the course of testing. Four development stages can be identified:
Report Planning
Information collection
Writing the first draft
Review and finalization
Report Planning
The Report Planning stage should include the following phases:
Report objective
Time
Target Audience
Report classification
Report distribution
The report objective focuses on the main points of the pentest. They should explain the reasons for conducting the testing and the benefits.
Time refers to how long the testing will last and when it was performed. Penetration testers need to inform the client the timing of the test for several reasons. For instance, an organization may need to make sure some key IT staff is available during the test in case something goes wrong.
Sufficient time to perform the testing and write the report should be allocated.
Penetration Testing reports usually have several target audiences. The following target audience characteristics should be considered:
Their need for the report (i.e. operational planning, resource allocation, approval)
Position in the organization
Knowledge of the report topic (i.e. purpose)
Responsibility or authority to make decision based on the report
Personal demographics (i.e. age, alliances, attitudes)
Report audiences include Information Security Manager, CISO, IT Manager and technical teams
A penetration testing report has sensitive information such as server IPs, app information, system vulnerabilities, threats, exploits and more. As a result, it should be considered to be in every high rank of confidentiality.
The report classification will be based on the target organization information classification policy.
Once the report is concluded, it needs to be delivered to the client. This is a phase that needs to be executed carefully and should be addressed in the scope of work. The pentester has an ethical and legal obligation to keep the details of the report confidential.
The number of copies, the format and the delivery procedure should ensure that the report only arrives to the right person and at the right time.
A hardcopy should be printed in a limited number and with the name of the receiver. Software copies should be delivered safely and encrypted with a secure key that only the client knows. Any other evidence of the testing should be destroyed.
Information Collection
Collection of information to be used on the report is obtained during the actual penetration test. Saving the outputs and info gained from tools and research will ease the report writing.
Information could include:
Traffic captured
Scanning results
Vulnerability assessment
Snapshots of findings
Exploits (if any)
During the collection of information, a first draft of the report should be started. At this stage, the tester should not be concerned about editing and proofreading. Once a first draft of the report is finished, it should be peer reviewed by members of the pentesting team.
Report Section
A report should have a hierarchical structure to support different levels of details. The report should include several independent sections:
Executive Summary
Detailed Report
Raw Output
Together, these sections will form a complete report, but each piece should function as a standalone report.
The executive summary is a brief overview of the major findings, which should NOT exceed two pages in length and only include the most important points of the test.
The executive summary needs to be addresses to nontechnical management so that they can understand the findings and their implications. It should NOT include technical details and jargon.
If vulnerabilities and exploits were discovered, the executive summary needs to focus on explaining how these findings impact the business. Links and references to the detailed report should be provided.
The detailed report should include a comprehensive list of results including the technical details. The audience includes IT managers, security experts, network admins, etc... In most cases, this report will be used to understand the details of what your test uncovered and how to address/fix the issues.
A ranking system should be included to explain the highest ranking vulnerabilities first. It is crucial to present the issues that pose the most danger to the client's network. This makes your penetration test easier to read and allows the client to take actions on the issues that present the highest risk.
Tools like Nessus or Nexpose provide the user with a default ranking system, which could be used as a starting point.
The final portion should be the technical details and raw output from each of the tools. The output raw data belongs to the client and it is important that they have access to it.
When custom tools are used to perform a pentest, owners may not want to divulge details of them. However, in most cases, it is required to provide the direct output of these tools.
If there are concerns about disclosing specific commands used to run proprietary tools, the raw output should be sanitized to remove those commands and manually delete other sensitive information.
Raw data may not be an actual component of a report and could be used as a separate document.