Rules of Engagement
The rules of an engagement are specific to each assessment and can be fully customized to a client's needs. The following are the bare minimum rules that must be explicitly allowed or denied for every assessment:
- Code Execution
- Phishing
- Social Engineering
- Denial of Service (DoS)
Please note that these rules of engagement do not affect price. However, if extremely prohibitive rules are placed on an assessment, the quality of the work will suffer. For instance, if all work must be done during a four-hour-per-day testing window with only one week to conduct the assessment, the report may not adequately reflect the true risk to your network, simply because of time constraints. We will advise and recommend alternative solutions should a desired rule present a possible danger to the quality of your assessment.
For more information on this and our services see the Service Catalog.
Code Execution
Code execution is optional only for Vulnerability Assessments. All other assessment types fundamentally include code execution in some manner. Please note that you have great flexibility here in how you allow code execution on your systems. For example, you can require specific working hours, restrict it to specific systems or applications, or require prior consent for each execution or at any juncture in an assessment. There is no limit to the number of conditions you may place on this rule to ensure normal business operations are not disrupted. Even without specific mention in an ROE document, and unless specifically told otherwise, we will seek consent for any action that has a reasonable chance of disrupting your network.
Phishing
Phishing is required for Red Team Assessments and not applicable to vulnerability or web application assessments. Phishing can range from simple spam-like phishing to highly tailored spear phishing of individual targets based on open source intelligence (OSINT) about their interests and behaviours.
Unless specifically requested, phishing provided by Red Queen Security is not a metrics-based assessment and will include code execution and/or post-exploitation operations.
Social Engineering
Social engineering (or SE) is not applicable to vulnerability or web application assessments.
SE is intentionally separated from phishing to distinguish between simple phishing and more tailored targeting of humans such as phone calls and in-person interactions.
Denial of Service (DoS)
This is generally not recommended. It is typically only allowed when a client wants to test specific protections they have put in place against denial of service or distributed denial of service attacks on a core business function.
Visibility
No Knowledge (Black Box)
No knowledge assessments, sometimes referred to as "black box" assessments, may be preferred by a company's security team for their perceived realism. However, they can be expensive because of the longer intelligence gathering phase, and they may not identify certain vulnerabilities that would otherwise be found with more knowledge. This type of assessment focuses on "low hanging fruit" and the path of least resistance into your network. It is generally not recommended if you have something very specific you wish to test, as that target may never even be reached in this type of assessment.
Full Knowledge (White/Crystal Box)
The opposite of a no knowledge assessment, this type of assessment visibility means full knowledge of the test environment. As much information as possible should be provided to better explain the business context of what is being tested. This can often include source code, network maps, network space, domains, etc. This is generally the recommended approach for web applications, very sensitive environments such as SCADA/ICS,[1] or very business critical devices and applications.
Partial Knowledge (Grey Box)
This is generally the preferred compromise between a full knowledge/white box and a no knowledge/black box assessment. In this type of assessment, a limited set of information is provided: for example, the specific targets or network space you wish to test, employee email addresses, domains, and other aspects of what is referred to as the scope of an assessment.
[1] Supervisory control and data acquisition (SCADA)/industrial control system (ICS) is a system of software and hardware elements often utilized by industrial organizations.