#import "@preview/diagraph:0.3.6" #import "../addons/cvss.typ" #let render(target: str, targetInSentence: str, testFocus: str, testObject: str, testScenario: str, recommendation: str, start: str, end: str, setup: str, nodes: raw, scope: array) = { [ = Management Summary == Motivation #target ordered Acme Security, LLC to perform a #testScenario penetration test onto a selected number of hosts in a live and productive environment. This penetration test was conducted to proactively identify, assess, and validate the severity of security vulnerabilities within the defined scope of #targetInSentence, specifically those exploitable by #testFocus. Adversarial techniques to bypass controls, gain unauthorized access, and compromise critical assets were performed for this test scenario to determine the actual impact on confidentiality, integrity, and availability. == Test Object #testObject == Test Methodology The aim of the test was to uncover vulnerabilities and weaknesses of all kinds and chaining findings and vulnerabilities accordingly to gain a deep understanding of the audited hosts, following a security-in-depth approach. The tests were carried out in accordance with the MITRE ATT&CK Framework#footnote("https://attack.mitre.org"). The penetration test was performed as a #testScenario. == Findings The penetration test revealed #context([ #let num = cvss.riskCategories.values().map(v => v.state.final()).sum() #if num == 1 { [ #num finding ] } else { [ #num findings ] } ]) which can be categorized by risk: #table( columns: (16.66%, 16.66%, 16.66%, 16.66%, 16.66%, 16.66%), align: center, [Critical], [High], [Medium], [Low], [None], [Other], table.cell(context(cvss.riskCategories.at("CRITICAL").state.final()), fill: red, align: center), table.cell(context(cvss.riskCategories.at("HIGH").state.final()), fill: orange, align: center), table.cell(context(cvss.riskCategories.at("MEDIUM").state.final()), fill: yellow, align: center), table.cell(context(cvss.riskCategories.at("LOW").state.final()), fill: lime, align: center), table.cell(context(cvss.riskCategories.at("NONE").state.final()), fill: white, align: center), table.cell(context(cvss.riskCategories.at("OTHER").state.final()), fill: gray, align: center), ) == Recommendations & Next Steps #recommendation == Test Scope and Setup #if start != "" { if end != "" { [ The test was conducted from #start to #end. ] } else { [ The test was conducted on #start. ] } } #setup The following scope was set for the penetration test: #table( columns: (25%, 50%, 25%), align: center, inset: 10pt, table.cell(fill: color.linear-rgb(4.5%, 14.5%, 14.5%, 100))[*Type*], table.cell(fill: color.linear-rgb(4.5%, 14.5%, 14.5%, 100))[*Value*], table.cell(fill: color.linear-rgb(4.5%, 14.5%, 14.5%, 100))[*State*], ..for (i, value) in scope.enumerate() { ( table.cell(value.type), table.cell(value.content), if value.inScope { table.cell("In scope", fill: lime, align: center) } else { table.cell("Out of scope", fill: gray, align: center) } ) } ) #if nodes != "" { [ From the perspective of the machine used for the penetration test, the network layout was seen as shown in the graph below. ] figure( diagraph.raw-render(nodes), caption: [ Schematic graph showing the test objective network ] ) } ] }