Keeping Engagement Data Secure

One of the things I think is crucial during an engagement is keeping the information about your customer or target, and the information you extract from them, secure. You need to keep both their privacy and their security tight. In the case of a customer, the data you extract belongs to them, and it may contain highly confidential information. It is extremely important to handle this information as securely as possible.

Project Name and Customer Name

One thing I like to do is to give each customer a codename. This allows me to talk about the customer with another member of the team in a semi-open location (an office, or on the phone) without disclosing who the customer is.
This also helps if you are sitting with another customer and a call comes in: you can discuss certain things while referring to the customer only by its codename. This way you preserve each customer's privacy and your OPSEC. Unless specifically allowed to use a customer as a reference, you should never mention customer names.

The same can be applied to projects within a customer. Since you may have yearly projects, or several different projects with the same customer, having codewords for projects helps you keep the data organized and compartmentalized. Often you get a project within a customer that requires your team members to hold a security clearance, for example. Those without a clearance, and therefore not part of that project, shouldn't have access to it, and that includes the client name and the project name. So, sometimes within the team you benefit from having a codeword for projects.

Compartmentalizing both customer and project names is part of OPSEC, and you should decide what is applied and how.

Project Data

Project data includes scan results, OSINT dumps, captured email addresses, credentials, and exfiltrated data, among other things. Anything collected from or about the customer or target should be considered sensitive data.
Efforts should be put in place to keep that information secure. Personally, I do a combination of things. I use:

  • Per engagement external USB backup drive
  • Per engagement USB thumb drive
  • Per engagement completely wiped and re-installed laptop

I store all the data about and from the customer or target encrypted on the backup drive. I might dump all the data at the end of the day, or copy it as I find it, but all data ultimately goes there.
If I need to use a USB thumb drive, I use only the one assigned to this project (as much as possible; exceptions will occur). Again, data copied to it is copied to the backup drive at the end of the day.

At the end of the engagement with a customer, and after the report is done and briefed, I usually ask the customer whether they want their data back, or would rather I keep it or destroy it. Since it is all stored in one place, it is easy to destroy or to store safely in a secure location. And if the customer chooses to get their data back, as is their right, it is easy to transfer it to them.

In cases where data comes from a target, having it all sorted and encrypted on one drive allows for better storage, and for transfer to law enforcement or other organizations.
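As an added example (not code from the original post), here is the end-of-day step above in Python: every file from the laptop working directory and the thumb drive is copied under the engagement's codename on the backup drive, each copy is verified by SHA-256, and a manifest is written so the hand-over to the customer or to law enforcement can later be checked. It assumes the backup drive is already mounted and encrypted at the drive level; the codename, source labels and paths are constructed for illustration.

```python
"""End-of-day consolidation of engagement data onto the per-engagement backup drive.

Assumptions (not from the original post): the backup drive is mounted and
full-disk encrypted, and each source (laptop working dir, thumb drive) is
copied into <backup>/<codename>/<source-label>/ with a SHA-256 manifest.
"""
import hashlib
import json
import shutil
from datetime import datetime, timezone
from pathlib import Path
from typing import Dict, List

CHUNK = 1 << 20  # hash in 1 MiB pieces so large scan dumps don't load into memory


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def consolidate(codename: str, sources: Dict[str, Path], backup_root: Path) -> dict:
    """Copy every file under each source into the codename's folder, verify each
    copy by hash, write a timestamped manifest, and return the manifest."""
    if not codename.isalnum():  # keep the codename a single opaque token
        raise ValueError("codename must be a single alphanumeric token")
    dest_root = backup_root / codename
    dest_root.mkdir(parents=True, exist_ok=True)
    entries = []
    for label, src in sources.items():
        for path in sorted(p for p in src.rglob("*") if p.is_file()):
            rel = path.relative_to(src)
            dest = dest_root / label / rel
            dest.parent.mkdir(parents=True, exist_ok=True)
            digest = sha256_file(path)
            shutil.copy2(path, dest)
            if sha256_file(dest) != digest:  # never trust an unverified copy
                raise IOError(f"copy verification failed for {path}")
            entries.append({"source": label, "path": rel.as_posix(),
                            "sha256": digest, "bytes": path.stat().st_size})
    now = datetime.now(timezone.utc)
    manifest = {"codename": codename, "written_utc": now.isoformat(), "files": entries}
    (dest_root / f"manifest-{now:%Y%m%d-%H%M%S}.json").write_text(json.dumps(manifest, indent=2))
    return manifest


def verify(backup_root: Path, manifest: dict) -> List[str]:
    """Re-hash everything in a manifest; return entries that are missing or altered."""
    dest_root = backup_root / manifest["codename"]
    bad = []
    for e in manifest["files"]:
        p = dest_root / e["source"] / e["path"]
        if not p.is_file() or sha256_file(p) != e["sha256"]:
            bad.append(f'{e["source"]}/{e["path"]}')
    return bad
```

Run `verify` again before handing the drive over or destroying it; an empty list means the backup still matches what was collected.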

End of Engagement

At the end of the engagement, it is important to wipe the laptop clean and re-install a fresh operating system and software, so it is ready for the next engagement.
