Problem -
You are hired as part of a team of external Penetration Testers to work for a company with a large enterprise network. The organization that hired your team is in the retail industry and processes over 100,000 credit card transactions everyday across 100 store locations. This organization has a very large network infrastructure that connects their retail stores, business offices, and company headquarters. The Chief Information Security Officer (CISO) would like your team to focus on their most critical systems and devices.
Prior to executing the penetration test, the CISO would like to meet with the team as they are nervous about the test potentially bringing their network down. They would like to minimize impacts to their production environment and ensure that their backup systems and devices are not targeted at the same time. They want you to focus on the following: DNS servers, mail servers, web servers, database servers, firewalls, and routers.
Your Team Lead would like you to develop a Test Plan for the penetration test. The Test Plan should be developed using the following outline:
Sections:
1. Introduction
2. Overview of technical approach to conducting the test (high level methodology)
3. Detailed penetration testing (hacking) process
Note: Section 3 should include 1) attacks you will use, 2) tools, 3) timeline (you only have one week), 4) reporting methods if major issues occur or if you identify incidents in their environment. You may make these as sub-sections if you'd like (e.g., 3.1 Attacks Used, 3.2 Tools Used, etc.)
4. Summary
Note: This section should be short, a paragraph or two.
Penetration Test Plan:
You are facing a client who is nervous about you basically "hacking" their system, this is the scenario, and while you cannot dictate exactly what will happen once the testing actually begins you should be able to formulate a good plan of action.
All you are doing here is providing your plan of action, indicating what you believe are possible good tests to complete based off of your current knowledge. Of course as you progress with the actual testing it is possible you could remove or add to your steps.
In the real world no one is going to just give access to their network, they will want to know what you plan and to know what your backup plans are if things go wrong.
This case study is just to provide you an opportunity to explain what you would do in a situation similar to this one, where a client is asking you to provide guidance and potentially solutions. You are not predicting what will happen, so much as providing courses of action.