Chapter 13

Writing the Report

Andrew Mason, Technical Director, RandomStorm Limited

This chapter will look at the main deliverable to the client, which takes the form of a written report. The importance of report clarity and business drivers will be covered and a sample template for social engineering assessment reports will be presented along with a presentation template that summarizes the findings for stakeholders.

Keywords

Data collection; mind mapping; report writing

Information in this chapter

• Data collection

• OS folder structures and text editor

• Mind mapping

• Document management tools

• Writing the report

• Cover page

• Title page

• Disclaimer page

• Table of contents

• Social engineering overview

• Social engineering methodology

• Threat modeling

• Reconnaissance

• Scenario creation

• Scenario execution

• Reporting

• Introduction

• Executive summary

• Individual attack vectors

• Delivery of the report

Introduction

Chapter 12 looked at the technology used within a social engineering attack. This chapter is going to look at the social engineering report and how this can be written to give the most value to the customer. The chapter will cover the collection of data during the assessment that is required to formulate the report, before moving onto the report itself and making suggestions as to the structure and elements that should be included. The last section looks at the way the report is delivered and presented to the customer.

It is very likely that anyone working in a professional services organization will already be well versed in the task of report creation. A customer engages a professional services organization in order to perform an assessment such as a social engineering assessment. The deliverable of what can be weeks of work is usually presented as a written report to the customer. The remainder of this chapter will look at the process of gathering and organizing the information required in order to create a report to deliver to the client.

It is common for a short professional services engagement to run for 5 days. Out of these 5 days, it is usual that 3 days will be spent on testing with the other 2 days spent on report writing. Therefore, the importance of a report structure is paramount to the consultant to ensure that an efficient system is put into place to deliver a report that provides maximum value for the customer. As with most things, the more experienced a consultant is the better their processes will become.

One point of note is the differences between report structures of competing professional services companies. The authors of this book have worked for several companies and observed differing standards when it comes to providing the customer with the deliverable of the project, the report. It is advisable to invest the time to produce a quality report template that can be reproduced on a per client basis.

There is usually a time period between performing the assessment and writing the report. It is important to try to keep this time to a minimum although in practice this often includes traveling, performing two or three assessments before getting back in the office and ready to write up all three assessments. The nirvana would be to perform the assessment Monday, Tuesday, and Wednesday and then write the report on Thursday and Friday.

Data collection

Before the report can be commenced, a wealth of meaningful data needs to be collected and analyzed so that there is something meaningful to put in the report. It is very important to find a data collection process that works for each individual.

There are many methods for collecting data and it is important for the reader to find which method is the best for them. Far too often, people spend too long trying to shoehorn a new tool into their workflow rather than concentrating on the actual process. It is not the tool that matters but the process of how to use the tool efficiently, in order to collect the data into a safe and secure format that can be easily interpreted at a later stage when writing the report.

There is nothing worse than working on a lengthy assignment only to find that the collection of notes does not make sense a few days after the end of the assignment. This is especially true if multiple assessments have been performed, as occurrences during assessments have the ability to blend into one, making the practice of strict note taking more important than ever.

The data being collected will be of a sensitive nature and care has to be taken to ensure this information is securely stored while on the consultant’s laptop. Covering device security is outside of the scope of this book, but any company offering social engineering services would be expected to already implement a process for ensuring the security of data in transit.

Three examples of data collection, using various computer-based tools, will be investigated. The first uses a simple text editor and a folder structure within the operating system of choice. The second looks at Mind Mapping, which is a method used extensively by the authors of this book, and the third uses a specific document manager such as Scrivener.

What these three examples have in common is that data is collected so that it can later be gone through, analyzed, and reported on. This data will take the form of a case file. The case file can take the form of one of the three examples below or it can take the format of another tool of your choice. The most important thing is to ensure that the data is collected in a format that can be understood and is ready for collating and reporting on when returning to the office.

As a rule, always record more information than is needed. Information that is not needed may always be excluded, but there is nothing worse than not having enough information to formulate a report. Therefore, it is advised to keep a full log of what has been done and take as many screenshots and photos as required to build this case file.

OS folder structures and text editor

One of the simplest methods of collecting data is to use a simple text editor and a folder structure within the file system. All operating systems come preloaded with at least one text editor. This could be Notepad on Windows, TextEdit on OS X, or vi on Linux.

The idea here is to build a folder structure that emulates all parts of the report. For example, if there were a task of running an assessment that included a Remote Telephone Attack, Phishing Email Attack, and an Onsite Physical Attack at two locations the structure would look similar to what can be seen at Figure 13.1.

Figure 13.1 Data collection folder structure.

Figure 13.1 shows a top-level Customer Reports Working Folder before moving into a specific folder for each service being performed as part of the assessment. A text file is created in the folder for each service, and linear notes are made in it as progress is made through the assessment. Any documentary evidence such as screenshots, file attachments, or photographs can be added to the folder appertaining to that specific part of the assessment as it progresses.

At the end of the assessment, there needs to be a folder structure with a single text file within each folder that acts as an explanation of how the assessment was performed, what actions were taken, what the results and failures were, along with anything else required for the report. As well as these text files, there would also be a collection of files within each folder that makes up the documentary evidence for the findings of each part of the assessment.

Mind Mapping

Mind Mapping is a technique that was created by Tony Buzan in the United Kingdom. Mind Mapping is a way to use both sides of the brain in harmony by utilizing the technical left-hand side of the brain together with the more creative right-hand side of the brain.

Traditional learning is very much a left-brain activity, as this side deals with logic, details, and facts. The right-hand side of the brain is generally fuzzier and is dominated by symbols, images, and spatial perception.

Mind Mapping promotes what can be thought of as whole brain thinking, using both sides of the brain, to think better. Mind Maps do this by utilizing the left side technical details along with the right side creative display mechanisms.

All of this may sound very scientific but in reality all it means is that the information is represented, in a form of spider diagram called a Mind Map.

An example Mind Map can be seen at Figure 13.2.

Figure 13.2 Example Mind Map.

To start using a Mind Map as a data collection tool for a social engineering assessment, first there needs to be an initial structure. It is highly recommended that a single Mind Map per customer assessment be created, using a single core branch for each of the main parts of the assessment.

Using the same example assessment as before, if there was an assessment that included a Remote Telephone Attack, Phishing Email Attack, and an Onsite Physical Attack at two locations the initial Mind Map would look similar to what can be seen at Figure 13.3.

Figure 13.3 Data collection Mind Map.

As can be seen from Figure 13.3, there is an overview core branch that can be used for information and notes relating to the assessment, and then each subsequent core branch reflects a part of the assessment. As an example, each core branch has also got subbranch information to provide a feel for the more complete structure of the template.

To use the Mind Map as a data collection tool, it is important to take text notes as progress is made through the assessment. However, rather than storing these in a linear format, try making them in the appropriate branch of the Mind Map. Most Mind Map editors have the ability to create text notes and link to these from the branch so that they can be viewed within the application or printed out for reference. As well as text notes, links to file attachments, images, and photos can be placed directly onto the Mind Map.

Mind Mapping has been proven to help with data and information recollection and is useful for putting the data into context when there have been a few days between the assessment and actually writing the report.

Mind Mapping is the tool of choice for this chapter’s author. He has performed hundreds of assessments using Mind Mapping as the tool to record the data found on the assessment with great results.

More information on Mind Mapping can be obtained from the web site of Tony Buzan, the creator of the Mind Mapping techniques at http://www.thinkbuzan.com/.

The tool of choice for the chapter author when creating Mind Maps is MindJet: http://www.mindjet.com.

Below is a list of Open Source Mind Mapping applications:

• XMind: http://www.xmind.net

• FreeMind: http://freemind.sourceforge.net

• Compendium: http://compendium.open.ac.uk

• Mind42: http://mind42.com

• WiseMapping: http://www.wisemapping.com

• Bubbl.us: https://bubbl.us

Document management tools

The third method of data collection is to use a document management tool. Such tools are specifically written for collecting data and writing. The authors have used some of these tools for writing books and screenplays, and some are tailored to a specific type of project.

There is one tool that is written especially for writing security reports and this is called Dradis Pro: http://securityroots.com/dradispro/.

Dradis Pro is aimed at running an infrastructure penetration test and has its strengths in the ability to directly import data from various security tools used by penetration testers and to make the reporting section more efficient by removing duplication of both effort and information. Dradis Pro can be used to create the final report that is delivered to the customer and it can be customized to use a template that matches a specific corporate standard.

A screenshot of Dradis Pro can be seen in Figure 13.4.

Figure 13.4 Data collection: Dradis Pro.

Another document management tool, and one used by the authors of this book for writing projects, is Scrivener from Literature and Latte, which is available for both OS X and Windows from http://www.literatureandlatte.com/scrivener.php. The blurb from the web site describes the tool as follows: “Scrivener is a powerful content-generation tool for writers that allows you to concentrate on composing and structuring long and difficult documents. While it gives you complete control of the formatting, its focus is on helping you get to the end of that awkward first draft.”

An example of a Scrivener project can be seen in Figure 13.5.

Figure 13.5 Data collection: Scrivener example.

Scrivener provides a full interface for writing that can be used to create a folder structure for research and for writing. Using a tool like this allows the quick collection of information and the ability to arrange it into a structured order that reflects the assessment being performed.

Using the same example assessment as before, if an assessment was being performed that included a Remote Telephone Attack, Phishing Email Attack, and an Onsite Physical Attack at two locations the initial Scrivener setup would look similar to what can be seen at Figure 13.6.

Figure 13.6 Data collection with Scrivener.

Document management tools provide the ability to write structured text notes as well as to import alternative file types such as images, documents, and web pages. They keep all the information in one place and also have some unique features based around the research of data and ease of presentation when writing the report.

Some other document management applications worth considering include:

Writing the report

Now that the assessment has been performed and the data collected and put into the structured format of choice, it is time to move on to writing the report that will be the final deliverable of the project to the customer.

The report can be written in a plethora of tools. If using a document management tool, then it is likely that the report can be created directly from the tool. Otherwise, a commercial word processor such as Microsoft Word or Apple Pages may be used; alternatively, there are numerous open source word processors available for most operating system platforms.

As with the data collection phase, presuming this is something that will be done more than once, there is a time saving in first creating a report structure and template that can be used as the basis for all customer reports.

There is already a substantial amount of both academic and professional information about the creation of a structure for a consultancy-led report. A quick search on Google returns many suggestions for such a structure for your consultancy report. The general structure that we recommend is outlined below:

• Cover page

• Title page

• Disclaimer page

• Table of contents

• Social engineering overview

• Social engineering methodology

• Introduction

• Executive summary

• Individual attack vectors

Cover page

The cover page carries the title of the report and outlines the customer name and the date that the report was created. This page can be branded with the logo from the consultancy company or co-branded also showing the brand of the customer. It is envisaged that protective marking is used to classify the data based on industry standard security definitions. This should be in line with established corporate protective marking standards for sensitive customer data.

Title page

The title page extends the cover page to provide details about the author of the customer report along with version details outlining the current version and any changes that have occurred to previous versions. The number of pages for the report can also be shown. The distribution list for the report can be shown along with an indication as to the role of the individuals as either Author, for Information or for Review.

Disclaimer page

A disclaimer is a statement that the consultant company hopes will limit its liability for the product or service it provides and is fairly typical in consulting projects. It outlines that the work is subject to the agreed terms and conditions and covers the area of disclosure, as what is contained within the report is most likely sensitive information.

An example disclaimer could be as follows:

All the information, representations, statements, opinions and proposals in this document are correct and accurate to the best of our present knowledge but are not intended (and should not be taken) to be contractually binding unless and until they become the subject of separate, specific agreement between the parties.

The information contained herein has been prepared on the basis that the agreement entered into between the parties as a result of further negotiations will be based on SUPPLIER NAME Standard Terms and Conditions.

If not otherwise expressly governed by the terms of a written confidentiality agreement executed by the parties, this report contains information that is confidential to SUPPLIER NAME and CUSTOMER NAME. Disclosures may not take place without the prior written consent of CUSTOMER NAME.

Table of contents

The table of contents can serve three purposes.

1. This helps readers who do not want to read the whole report but want to easily locate particular sections contained within it.

2. This assists readers who want an overview of the report’s scope and contents before they begin reading it in its entirety.

3. This serves as a tool for writers of the report by outlining specific aspects that need to be addressed.

Most word processing tools will automatically create the table of contents as long as styles are used properly within the word processor and the headers are marked accordingly.

Social engineering overview

For a lot of customers this may be the first social engineering engagement that they have undertaken. Additionally, the current reader of the report may not be the sponsor within the customer, so it is beneficial to include a few pages of text outlining what social engineering is, what the need is for testing, and how this testing can benefit the company being tested.

This introduction sets the scene for the reader so that they understand what it is they are about to read. It could be argued that this is superfluous information and report padding, so it is only really recommended for clients who do not have a strong history of social engineering engagements. If the customer is fully aware of the social engineering landscape or has undertaken assessments in the past, then this section would be removed.

This section covers a brief overview of social engineering and the common types of attack found along with basic information about how to defend against social engineering attacks.

Social engineering methodology

The social engineering methodology provides a mechanism for presenting to the customer the methodology used before and during the assessment for dealing with the consultancy project.

An example methodology for social engineering can be:

Threat modeling

The initial stage of any social engineering assessment is to assess the likely threats to a business. These threats may be theft from a warehouse, attacks on network resources from internal employees, or even vandalism from activists.

Reconnaissance

This phase of the assessment is concerned with collecting as much information about the business as possible. This information is primarily collected from public resources such as DNS records, search engines, forums, and news groups.

Scenario creation

The social engineers will use the gathered information and likely threats to the business and create possible scenarios to play out. These scenarios will be constructed to address a specific threat to the company to assess whether or not procedures are in place to protect against them.

Scenario execution

Once the scenarios have been constructed, the social engineers will play them out using a variety of techniques. The social engineering techniques used could include deception, pretexting, distraction, and impersonation.

Reporting

After fully completing all scenarios the gathered information is used to construct a report detailing the results of the assessment. This report will show a scenario time line, complete with vulnerability, exposure, and remediation advice.

The methodology can be graphically represented as shown in Figure 13.7.

Figure 13.7 Social Engineering methodology.

As with the Social Engineering Overview section, for existing customers au fait with the engagement model for social engineering this section could be classed as optional. However, as with that section, it is valuable for new customers who may be new to the concept of a social engineering assessment.

Introduction

All of the pages before this section have been preamble, either setting the scene or considered as front matter essential for the structure of the report. The introduction of the report states the What, Why, When, Where, and How of the report:

• What has been carried out as part of the social engineering assessment? This includes which attack vectors had been used to form part of the social engineering assessment. It is normal for the customer to outline the attack vectors as part of the initial consultancy requirements.

• Why has this been carried out? If the customer has a specific requirement for the assessment it is explained in this section.

• When was this assessment carried out? This includes dates of engagement for all of the attack vectors as well as dates for writing the report and delivery to the customer.

• Where were the assessments carried out? This is normally onsite for work against the customer’s infrastructure and also remote for assessment vectors performed over the Internet or against remote workers. If the onsite work was performed at more than one site, then each site location is listed along with the dates that each site was visited.

• How was the assessment carried out? Details of the methodology applied to carry out the assessment.

Executive summary

The executive summary is primarily designed to serve the person who, at least initially, does not intend to read the entire report.

For anyone needing to pick up the report and understand what has been performed as part of the assessment along with the results of the assessment, then the executive summary is the most important part of the report. The executive summary acts as a conclusion to the report although the main body of the report is yet to come.

The executive summary contains all of the main points of each attack vector that had been chosen as part of the assessment and emphasizes results, conclusions, and recommendations.

As well as being textual in nature it is also advisable to include some bullet points highlighting the positive and negative points of action within the report.

It is usual for the executive summary to be around two or three pages in length, and care should be taken to ensure it is kept to this and does not sprawl into several pages or too much detail for such a summary.

It can be far easier to write the Executive Summary after having written the main body of the report, thus writing the report out of sequence. This will ensure that all the pertinent parts are included in a concise and precise manner.

Individual attack vectors

The executive summary provides the conclusion and an easy-to-read overview of the findings, but this next section serves as the main body of the report. It is here, where each attack vector is explained in great depth along with the results, conclusions, and recommendations backed up with supporting evidence that is collected during the assessment.

At this level, a brief introduction is produced before moving onto covering each attack vector in its own subsection. A brief structure for each section could be:

• Attack vector introduction

• Consultants comments

• Assessment evidence

The attack vector introduction provides an overview of the basis for selecting the attack vector and what the vector entails, before covering the scope of the assessment and what was performed.

The consultants comments provide a written narrative of what the consultant did in order to test the attack vector. This tells the story of the assessment and also outlines in detail the findings for each section. As with the executive summary, it is useful to include checklists of good and bad findings at this level, along with recommended remedial action to remedy any shortcomings outlined by the assessment.

The assessment evidence is the supporting material that backs up the consultant’s comments and findings for each individual attack vector. Although this does not have to be in a structure it is useful to keep this in a chronological order and be sure to include a time line as to the findings of the assessment with regard to this attack vector.

In the data collection section of this chapter, we looked at a sample social engineering engagement where the assessment included a Remote Telephone Attack, Phishing Email Attack, and an Onsite Physical Attack at two locations. Using this example, the structure for this section of the report would be as follows:

• Individual attack vectors

• Introduction

• Remote telephone attack

– Introduction

– Consultants comments

– Assessment evidence

• Phishing e-mail attack

– Introduction

– Consultants comments

– Assessment evidence

• Onsite physical attack

– Introduction

– Site one

• Introduction

• Consultants comments

• Assessment evidence

– Site two

• Introduction

• Consultants comments

• Assessment evidence
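As an added example (not code from the chapter), the script below scaffolds the per-vector case file described in the OS folder structures section and generates the matching Markdown outline for this Individual attack vectors section from one definition of the assessment. The vector list, the notes.txt layout and the function names are assumptions made for illustration.

```python
# Added example: scaffold a case file and the matching report outline for the
# chapter's sample assessment (telephone, phishing e-mail, onsite at two sites).
# VECTORS, NOTES_HEADER and the function names are assumptions, not the book's.
from pathlib import Path
import tempfile

# Constructed example assessment used throughout the chapter: (vector, sites).
VECTORS = [
    ("Remote telephone attack", []),
    ("Phishing e-mail attack", []),
    ("Onsite physical attack", ["Site one", "Site two"]),
]
# Subsections the chapter recommends for each attack vector (or each site).
SUBSECTIONS = ["Introduction", "Consultants comments", "Assessment evidence"]

# Header written into every fresh notes.txt; one line per action, in order.
NOTES_HEADER = (
    "# Linear assessment log - record more than you think you need.\n"
    "# timestamp | action taken | result (success/failure) | evidence file\n"
)


def slug(name: str) -> str:
    """Turn a human-readable name into a safe folder name."""
    return "".join(c if c.isalnum() else "_" for c in name.lower()).strip("_")


def scaffold_case_file(root: Path, customer: str, vectors=VECTORS) -> list:
    """Create <root>/<customer>/<vector>[/<site>]/{notes.txt, evidence/}.

    Returns the relative POSIX paths of the notes files, in assessment order.
    """
    created = []
    base = root / slug(customer)
    for vector, sites in vectors:
        leaves = [base / slug(vector) / slug(s) for s in sites] or [base / slug(vector)]
        for leaf in leaves:
            (leaf / "evidence").mkdir(parents=True, exist_ok=True)
            notes = leaf / "notes.txt"
            if not notes.exists():  # never overwrite notes from an earlier day
                notes.write_text(NOTES_HEADER)
            created.append(notes.relative_to(root).as_posix())
    return created


def report_outline(vectors=VECTORS) -> list:
    """Return Markdown headings mirroring the chapter's report section outline."""
    lines = ["# Individual attack vectors", "## Introduction"]
    for vector, sites in vectors:
        lines.append(f"## {vector}")
        if sites:  # multi-site vectors get an introduction, then one block per site
            lines.append("### Introduction")
            for site in sites:
                lines.append(f"### {site}")
                lines += [f"#### {s}" for s in SUBSECTIONS]
        else:
            lines += [f"### {s}" for s in SUBSECTIONS]
    return lines


def scaffold_demo(customer: str = "Example Customer"):
    """Scaffold into a throwaway directory; return (paths, rerun_was_safe)."""
    with tempfile.TemporaryDirectory() as tmp:
        created = scaffold_case_file(Path(tmp), customer)
        again = scaffold_case_file(Path(tmp), customer)  # second run must be a no-op
        intact = all((Path(tmp) / p).read_text() == NOTES_HEADER for p in created)
        return created, again == created and intact


if __name__ == "__main__":
    paths, ok = scaffold_demo()
    print("\n".join(paths), "\nrerun safe:", ok)
    print("\n".join(report_outline()))
```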

Delivery of the report

At this point, the social engineering assessment has been performed and the data collected using a chosen method of data collection. This data is used to formulate and write a structured report that provides value to the end user and forms the final deliverable of the consultancy work for which the company was engaged. The next stage of concern is the delivery of the report to the customer.

The confidentiality concerns regarding sensitive customer data have already been covered in the data collection section of this chapter. A complete introduction to protective marking is outside of the scope of this book, but it is essential that the guidelines set down by the organization are adhered to, in order to follow its protective marking standards.

As well as the data storage concern, the report also has to be securely transmitted to the client. It is presumed that anyone working for a company, engaged in such professional services, will have a corporate standard for secure document delivery in place. This may be using a secure customer portal where the customer authenticates against an encrypted secure portal and then securely downloads the report or through the use of an email encryption scheme, where the email is encrypted and securely delivered to the customer.

Too many professional service companies appear to adopt the fire and forget strategy to delivery of reports. This is where the customer is provided with the report and then left to read it with no further communication, from either the consultant or projects team that provided the assessment.

Once the customer has been provided with the report it is advisable to arrange a client debrief a few days after, in order to provide the customer with time to read and digest the information provided. This will allow them time to formulate some questions to ask the consultant, who performed the assessment. This debrief can be over the telephone or ideally face to face if logistics allow.

Summary

This chapter has looked at the report of the social engineering assessment. It commenced with the need for data collection and suggested three ways that the consultant can harness in order to collect the data necessary to formulate and write the document. The next step was to look at how to write the report, and a simple professional services consultancy report template was suggested that covered the necessary elements for a social engineering report. The final section in this chapter covered the delivery of the report and how care has to be taken to ensure the data confidentiality and integrity of the report, along with a suggested client debrief once the customer has digested the information contained within the report.

The next chapter will provide advice for hardening policies and procedures against social engineering attacks.
