Cybersecurity

Legal side of Hacking. Here is how to prepare for the engagement

Hacking is governed by complex federal and state laws. Understanding these laws is essential for compliance

Aryan Kumar Singh
8 min read
Legal side of Hacking. Here is how to prepare for the engagement
Information Technology (IT) Act, 2000

It is not like Red teamers just randomly strike any website of their liking. That will make them Hackers. There are a lot of paperwork involving Non-Disclosure Agreements (NDAs) which they use in case the company tries to be innocent and claims to be attacked suddenly. Before Hacking, what we technically call as Adversarial attack simulation, both the parties, the outsourced professionals and the organization, must go through step-by-step document preparation and filling in order to prevent any unwanted circumstance afterwards. Although which document or set of documents and in which format it is to be used, depends from company to company, we will take a closer look on the most common ones…

Documents

Rules of Engagement (RoE)

This manual sets forth the rules for a Red team and must be followed when carrying out an engagement. Any deviation from the guidelines outlined above must be approved by all stakeholders before being put into action. It covers a range of topics, including...

  • Clearly Limited Actions
  • Permitted Measures
  • Methods of attack
  • Systems that are blacklisted
  • The engagement's goals

The ROE records the target data, authorisations, threat execution, and issues and activities needed to staff, plan, and carry out engagements in the target environment.. Main body of the ROE, often derived from a standing template, provides information on…

  • The Red Team methodology
  • An overview of the different kinds of tasks that can be performed
  • The types of hardware and software that may be employed
  • A recommended deconfliction process
  • Levels of threat available (comparison)
  • Roles and responsibilities of each functional group [Exercise Control Group (ECG), White Cell, Training Audience (TA), etc.]
  • The identification of and references to appropriate legal requirements (PCI, FERPA, HIPAA, HITEC, SOX, GLBA, etc.)
  • A waiver of legal duty (federally mandated obligations for the Red Team to disclose specific results)

Annexes to the ROE should contain documentation unique to each individual engagement. To begin with, ROE annexes ought to explain...

  • The Target of the Engagement
    • Organization name
    • Address
    • Specific groups or divisions
    • Organizational identifiers
    • Senior management contact info
  • An Engagement Contact List (name, role, phone, email, office location)
    • ECG personnel
    • White Cell
    • Trusted Agents
    • Red Team Lead
    • Red Tech Lead
  • Engagement Objectives
    • Conditions
    • Threat level
    • Targeted objectives
    • Targets of opportunity
    • Measures of success/failure
  • Authorized Target Space
    • Network
      • The IP boundaries of the event
      • Domains and/or workgroups
      • Specific off-limits areas and resources (non-target intellectual property file share)
      • Off-limits machines, networks, equipment, or applications (blacklist)
      • Maintenance windows
    • Physical
      • Areas of the campus
      • Buildings
      • Offices
      • Off-limits areas (e.g., the emergency services sector of a medical complex)
      • Off-limits materials within the target space (e.g., sensitive documents or equipment)
  • Authorized Actions - Types of activities approved for the engagement
  • Restricted Actions - Types of activities restricted during the engagement (if any)
  • The process for requesting approval of additional activities during engagement execution
    • Approval process
    • Points of contact (name, role, phone, email, office location)
    • Alternate POC

Any changes to the target space, authorised actions, objectives, or scope necessitate updating the ROE. For example, the initial scope might have been restricted to attacks on computer networks. The ROE needs to be updated with the new activities and controls if physical attacks are planned. Any recommendations or changes to the ROE will be addressed by the Red Team Lead. The originator must receive each review outcome. A Trusted Agent in the target environment's senior management must approve the final ROE.

Security CONcept of OPerationS (CONOPS)

It is a succinct and clear statement, either in words or images, that conveys to security stakeholders what security leadership wants a security department or departmental function to accomplish and how that will be done with current or future resources. In terms of organisation, this paper is not as technical as System CONOPS. To write one, you don't need any technical experience. All you have to do is be aware of the intentions of leadership, whether it your superior or yourself, about one or more security responsibilities. Then, you can determine how it will be carried out with resources that are already available, scheduled, or to be sought. It might have a broad or narrow scope. That's where being adaptable comes in. An example of such a SecCONOPS is given below for reference…

“Holo Enterprises has hired TryHackMe as an external contractor to conduct a month-long network infrastructure assessment and security posture. The campaign will utilize an assumed breach model starting in Tier 3 infrastructure. Operators will progressively conduct reconnaissance and attempt to meet objectives to be determined. If defined goals are not met, the red cell will move and escalate privileges within the network laterally. Operators are also expected to execute and maintain persistence to sustain for a period of three weeks. A trusted agent is expected to intervene if the red cell is identified or burned by the blue cell throughout the entirety of the engagement. The last engagement day is reserved for clean-up and remediation and consultation with the blue and white cell.
The customer has requested the following training objectives: assess the blue team's ability to identify and defend against live intrusions and attacks, Identify the risk of an adversary within the internal network. The red cell will accomplish objectives by employing the use of Cobalt Strike as the primary red cell tool. The red cell is permitted to use other standard tooling only identifiable to the targeted threat.
Based on customer security posture and maturity, the TTP of the threat group: FIN6, will be employed throughout the engagement”

The management can approve these documents as operational. Once authorised, they give you the necessary operational requirements to meet as well as associated roles and powers for you and the staff members who will conduct the activities. Policy, procedure, task order, operational order, job aid, and other sorts of specialised organisational documents that will create the organisational framework required for the function to be performed by the assigned individuals can all be named in a SecCONOPS document.

Resource planning

It describes how several corporate systems and processes are strategically combined into one cohesive platform that includes supply chain management, finance, and human resources, among other areas. ERP acts as the hub for cybersecurity, providing a central location from which security-related operations and assets may be more effectively controlled and coordinated. Because of this convergence, traditional cybersecurity techniques are no longer as isolated, and security management becomes more unified and adaptable. Below is the format for a general cybersecurity resource plan...

  • Header
    • Personnel writing
    • Dates
    • Customer
  • Engagement dates
    • Reconnaissance dates
    • Initial compromise dates
    • Post exploitation and persistence dates
    • Miscellaneous dates
  • Knowledge required (optional)
    • Reconnaissance
    • Initial compromise
    • Post exploitation
  • Resource requirements
    • Personnel
    • Hardware
    • Cloud
    • Miscellaneous

Cybersecurity laws

There are various laws too made for Cybersecurity that I think should be worth mentioning as if anything unexpected happens beyond the above mentioned documents, then these laws will come into picture…

Digital Personal Data Protection Act (DPDPA), 2023

After receiving approval from both chambers of the Indian Parliament, this measure was formally enacted by the President of India on August 11, 2023. As India's first-ever privacy Act designed to protect residents' personal data, this enactment marks a significant milestone by establishing a dedicated legal framework in the country. It draws attention to the significance of the Indian Data Protection Board, its main features, and the responsibilities and rights of both individuals and businesses. The Act's main goal is to control how digital personal data is processed, respect people's right to privacy protection, and acknowledge that processing and using such data is necessary for legitimate purposes.

The Act's wording is clear and uncomplicated, making it easy for everyone to understand. In addition, the Act seeks to provide a thorough legislative framework that would control India's digital personal data protection. The entire process of data management is impacted by the DPDP Act. For the privacy program to be successful, the board must supervise its implementation, management, and enhancement. The board's role in navigating the DPDP Act is comprehensively explained in this document, "The DPDP Act and enterprises in India: Privacy for the board." It covers the processing and use of such data for legitimate purposes.

It addresses the new law's requirements and how they affect businesses while giving board members professional advice on how to handle the DPDP Act's operationalisation. In order to help board members comprehend the crucial issues they need to address in order to guarantee compliance with the new regulation, it also includes a ready reckoner.

General Data Protection Regulation (GDPR)

This Regulation establishes guidelines for the free flow of personal data as well as guidelines for the protection of natural people when processing personal data. The preservation of natural persons' fundamental freedoms and rights, including their right to the privacy of their personal information, is ensured by this regulation. Regarding the processing of personal data, there will be no restrictions or prohibitions on the free movement of personal data throughout the Union for purposes related to the protection of natural persons.

This regulation covers both the processing of personal data that is processed entirely or in part by automated means and the processing of personal data that is processed in a way other than by automated means and that is intended to be processed as part of a filing system. It is the world's strictest law regarding security and privacy. Despite being draughted and approved by the European Union (EU), it places duties on organisations worldwide, provided that they target or gather information about individuals inside the EU. On May 25, 2018, the regulation went into force. Those that break the GDPR's privacy and security regulations face severe fines that may total tens of millions of dollars.

According to the GDPR, data controllers must be able to provide proof that they are in compliance. Furthermore, you cannot comply with the GDPR after the fact: if you believe you are in compliance but are unable to provide proof, you are not. Eleven chapters make up the GDPR of 2016. They cover topics such as general provisions, principles, data subject rights, duties of data controllers or processors, transfers of personal data to third parties, supervisory authorities, member state cooperation, remedies, liability or penalties for rights violations, and various final provisions. "Personal data processing should be designed to serve mankind," states Recital 4.

California Consumer Privacy Act (CCPA)

A state act in the United States state of California aims to improve consumer protection and privacy rights for its citizens. The California State Legislature passed the measure to change Part 4 of Division 3 of the California Civil Code, and on June 28, 2018, California Governor Jerry Brown signed it into law. Officially known as AB-375, Ed Chau, a member of the California State Assembly, and state senator Robert Hertzberg presented the legislation. On September 13, 2018, Senate Bill 1121, which contained amendments to the CCPA, was approved.

On October 11, 2019, more significant revisions were ratified. On January 1, 2020, the CCPA went into force. The California Privacy Rights Act, or Proposition 24, was approved by voters in November 2020 and updates and enhances the CCPA. It is applicable to any company operating in California, including for-profit organisations that gather personal information from customers. It is not necessary for the companies covered by this statute to be based in California. The business is deemed to be covered by the CCPA as long as it is operating in the state and satisfies the conditions. Online transactions are included in this.

When compared to other privacy regulations such as the GDPR, the CCPA's geographical scope is not as clear. The collection of personal health information (PHI) is a significant component of the CCPA exemption.PHI should be handled in accordance with the Health Insurance Portability and Accountability Act, or HIPAA, rather than the CCPA regulations. The company gathering the data must follow the "Common Rule" if it has anything to do with clinical trials.