In Art of Attack: Attacker Mindset for Security Professionals, physical pentester and social engineer Maxie Reynolds describes the mental model of a typical hacker. Reynolds argues that the way to fend off attacks and stay ahead of them is to think like those who would seek to attack us.
War is 90 percent information.—Napoleon Bonaparte
The attacker mindset (AMs) is a set of cognitive skills applied to four laws:
The cognitive skills an attacker must exhibit: an attacker must have curiosity in abundance; persistence to drive that curiosity into action so as to be moving forward all the time; the ability to process information into workable categories; enough mental agility to repurpose information when a situation calls for it and to adapt it in ways not always intended by the source; and finally, this mindset requires self-awareness.
- The first law of AMs states that you start with the end in mind, knowing your objective. This will allow you to use laws 2, 3, and 4 most effectively.
- Law 2 states that you gather, weaponize, and leverage information for the good of the objective. This is how you serve law 1.
- Law 3 says that you never break pretext. You must remain disguised at all times; the threat you pose must never show.
- Law 4 tells you that everything you do is for the benefit of the objective. The objective is the central point on which every move an attacker makes hinges. Because of law 1, you cannot diverge from the objective you set out with.
In the most traditional sense, an attacker is an individual, or a group of individuals, who seeks to destroy, expose, alter, disable, or steal information, or to gain unauthorized access to or make unauthorized use of an asset or person.
It is the interwoven use of five cognitive skills that forms the backbone of the attacker mindset:
- You cannot become a good ethical attacker without a healthy dose of curiosity.
- Your curiosity will not pay off without persistence.
- You will have nothing to persist in if you cannot take in information and leverage the most mundane of it correctly.
- You will need to have mental agility enough to actively adapt information in the moment.
- If you have all of these skills, you will still only succeed if you have a high level of self-awareness, because you must always know what you bring and how to leverage it. Self-awareness will allow you a higher level of influence over someone else. These five things play a role in every job you will get as an ethical attacker looking to succeed.
Offensive vs Defensive Security
- Offensive security is a proactive and oppositional approach to protecting computer systems, networks, and individuals from attacks. The offensive part of the attacker mindset is also oppositional and dogged.
- Defensive security uses a reactive approach that focuses on the prevention and detection of attacks. Defensive security relies on a comprehensive understanding of an environment and being able to analyze it in order to detect latent flaws. The barrier to perpetual, effective defensive security is the inability to always accurately predict the future.
The defensive attacker mindset (DAMs) minimizes how long a mitigating control or other interference can obstruct you from achieving your objective, by identifying defenses early. The offensive attacker mindset (OAMs) promotes a permanent state of readiness, allowing constant analysis of your environment, the ability to detect vulnerabilities, and the imposition of costs on those defenses.
All the best in your quest to get better. Don’t Settle: Live with Passion.