While not complete, this listing gives you an idea of the details that should be covered. However,
you should realize that there is no substitute for good legal representation. Once these items are
defined, you need to acquire proper authorization to perform the assessment, since much of the
activity that you will do in the course of an assessment may not be legal without proper authority
from someone with the authority to give that permission.
With all that in place, there is still one last step you will want to take before starting work: valida-
tion. Never trust the scope that you are provided—always validate it. Use multiple information
sources to confirm that the systems within scope are in fact owned by the client and that they are
operated by the client as well. With the prevalence of cloud services, an organization may forget
that they don’t actually own the systems providing them service. You may find that you have to
obtain special permission from a cloud service provider before starting work. In addition, always
validate IP address blocks. Don’t count on an organization’s assumption that they own entire IP
blocks, even if they sign off on them as viable targets. For example, we have seen examples of or-
ganizations that request an assessment of an entire class C network range when, in fact, they only
owned a subset of those addresses. By attacking the entire class C address space, we would have
ended up attacking the organization’s network neighbors. The OSINT Analysis sub-category of
the Information Gathering menu contains a number of tools that can assist you with this validation
process.
