Take on the perspective of an attacker with this insightful new resource for ethical hackers, pentesters, and social engineers In The Art of Attack: Attacker Mindset for Security Professionals, experienced physical pentester and social engineer Maxie Reynolds untangles the threads of a useful, sometimes dangerous, mentality. The book shows ethical hackers, social engineers, and pentesters what an attacker mindset is and how to use it to their advantage. Adopting this mindset will result in the improvement of security, offensively and defensively, by allowing you to see your environment objectively through the eyes of an attacker. The book shows you the laws of the mindset and the techniques attackers use, from persistence to "start with the end" strategies and non-linear thinking, that make them so dangerous. You'll discover: * A variety of attacker strategies, including approaches, processes, reconnaissance, privilege escalation, redundant access, and escape techniques * The unique tells and signs of an attack and how to avoid becoming a victim of one * What the science of psychology tells us about amygdala hijacking and other tendencies that you need to protect against Perfect for red teams, social engineers, pentesters, and ethical hackers seeking to fortify and harden their systems and the systems of their clients, The Art of Attack is an invaluable resource for anyone in the technology security space seeking a one-stop resource that puts them in the mind of an attacker.
Page count: 457
Publication year: 2021
Cover
Title Page
Copyright
About the Author
Acknowledgments
Introduction
Who Is This Book For?
What This Book Covers
Part I: The Attacker Mindset
Chapter 1: What Is the Attacker Mindset?
Using the Mindset
The Attacker and the Mindset
AMs Is a Needed Set of Skills
Summary
Chapter 2: Offensive vs. Defensive Attacker Mindset
The Offensive Attacker Mindset
Defensive Attacker Mindset
Summary
Chapter 3: The Attacker Mindset Framework
Development
Ethics
Social Engineering and Security
Summary
Part II: The Laws and Skills
Chapter 4: The Laws
Law 1: Start with the End in Mind
Law 2: Gather, Weaponize, and Leverage Information
Law 3: Never Break Pretext
Law 4: Every Move Made Benefits the Objective
Summary
Chapter 5: Curiosity, Persistence, and Agility
Curiosity
The Exercise: Part 1
The Exercise: Part 2
Persistence
Skills and Common Sense
Summary
Chapter 6: Information Processing: Observation and Thinking Techniques
Your Brain vs. Your Observation
Observation vs. Heuristics
Observation vs. Intuition
Observing People
Observation Exercise
AMs and Observation
Tying It All Together
Critical and Nonlinear Thinking
Vector vs. Arc
Education and Critical Thinking
Workplace Critical Thinking
Critical Thinking and Other Psychological Constructs
Nonlinear Thinking
Tying Them Together
Summary
Chapter 7: Information Processing in Practice
Reconnaissance
Recon: Passive
Recon: Active
OSINT
Signal vs. Noise
Summary
Part III: Tools and Anatomy
Chapter 8: Attack Strategy
Attacks in Action
Strategic Environment
The Necessity of Engagement and Winning
The Attack Surface
AMs Applied to the Attack Vectors
Summary
Chapter 9: Psychology in Attacks
Setting The Scene: Why Psychology Matters
Ego Suspension, Humility & Asking for Help
Introducing the Target‐Attacker Window Model
Target Psychology
Thin‐Slice Assessments
Default to Truth
Summary
Part IV: After AMs
Chapter 10: Staying Protected—The Individual
Attacker Mindset for Ordinary People
Behavioral Security
Amygdala Hijacking
Analyze Your Attack Surface
Summary
Chapter 11: Staying Protected—The Business
Testing and Red Teams
The Complex Policy
Antifragile
The Full Spectrum of Crises
Final Thoughts
Summary
Index
End User License Agreement
Chapter 3
Figure 3.1 Attacker Mindset Framework (AMsF)
Figure 3.2 Finding No. 1: Lehman Brothers’s corporate address
Figure 3.3 Finding No. 3: Lehman Brothers’s building engineers and suppliers
Figure 3.4 Find No. 1: SEC ALT number
Figure 3.5 Find No. 2: Ernst & Young LLP
Chapter 6
Figure 6.1 Photo A
Figure 6.2 Photo B
Figure 6.3 Photo B zoomed in
Figure 6.4 Photo C
Chapter 7
Figure 7.1 First page of Google search results
Figure 7.2 Second page of Google search results
Figure 7.3 First Twitter find
Figure 7.4 Further information on Target
Figure 7.5 OSINT challenge example from social media
Figure 7.6 Example of a professional finding giving usable personal information
Figure 7.7 Results of a simple search
Figure 7.8
Figure 7.9 Buckets: Categorizing OSINT Findings
Figure 7.10 Determining the location of my target by photo
Figure 7.11 List of churches in Berlin
Figure 7.12 Result of Google Maps search
Figure 7.13
Figure 7.14 Two photos from an Asian city
Figure 7.15 Map showing satellite imagery
Figure 7.16 Building match
Figure 7.17 Google Earth 3D view
Maxie Reynolds
Copyright © 2021 by John Wiley & Sons, Inc. All rights reserved.
Published by John Wiley & Sons, Inc., Hoboken, New Jersey.
Published simultaneously in Canada.
No part of this publication may be reproduced, stored in a retrieval system, or transmitted in any form or by any means, electronic, mechanical, photocopying, recording, scanning, or otherwise, except as permitted under Section 107 or 108 of the 1976 United States Copyright Act, without either the prior written permission of the Publisher, or authorization through payment of the appropriate per-copy fee to the Copyright Clearance Center, Inc., 222 Rosewood Drive, Danvers, MA 01923, (978) 750-8400, fax (978) 750-4470, or on the web at www.copyright.com. Requests to the Publisher for permission should be addressed to the Permissions Department, John Wiley & Sons, Inc., 111 River Street, Hoboken, NJ 07030, (201) 748-6011, fax (201) 748-6008, or online at http://www.wiley.com/go/permission.
Limit of Liability/Disclaimer of Warranty: While the publisher and author have used their best efforts in preparing this book, they make no representations or warranties with respect to the accuracy or completeness of the contents of this book and specifically disclaim any implied warranties of merchantability or fitness for a particular purpose. No warranty may be created or extended by sales representatives or written sales materials. The advice and strategies contained herein may not be suitable for your situation. You should consult with a professional where appropriate. Neither the publisher nor author shall be liable for any loss of profit or any other commercial damages, including but not limited to special, incidental, consequential, or other damages.
For general information on our other products and services or for technical support, please contact our Customer Care Department within the United States at (800) 762-2974, outside the United States at (317) 572-3993 or fax (317) 572-4002.
Wiley also publishes its books in a variety of electronic formats. Some content that appears in print may not be available in electronic formats. For more information about Wiley products, visit our website at www.wiley.com.
Library of Congress Control Number: 2021941139
ISBN: 978-1-119-80546-5
ISBN: 978-1-119-80628-8 (ebk)
ISBN: 978-1-119-80547-2 (ebk)
Trademarks: WILEY and the Wiley logo are trademarks or registered trademarks of John Wiley & Sons, Inc. and/or its affiliates, in the United States and other countries, and may not be used without written permission. All other trademarks are the property of their respective owners. John Wiley & Sons, Inc. is not associated with any product or vendor mentioned in this book.
Cover image: © Getty Images/Gearstd
Cover design: Wiley/Michael E. Trent
Maxie Reynolds is widely considered one of this generation's most successful social engineers. She started her career in oil and gas as an underwater robotics pilot working in Norway, Venezuela, Australia, Italy, Russia, Nigeria, and the United States. She then transitioned into cybersecurity at PricewaterhouseCoopers in Australia, working in ethical hacking and social engineering. She later studied digital forensics with SANS and has performed digital forensics for law enforcement and corporate America, and as an expert witness.
Maxie was born and grew up in Scotland, dabbled as a stuntwoman, and achieved some success as a model in both the UK and the United States. She has a degree in computer science, a degree in underwater robotics, and is educated in quantum computing. She is also a published author, and in her spare time she works with the Innocent Lives Foundation and National Child Protection Taskforce.
Maxie has published articles on complex human behavior and its effect on a social engineer's ability to influence and has given speeches on the mindset and science behind the art of social engineering. She teaches various courses on social engineering and the attacker mindset. This book, The Art of Attack: Attacker Mindset for Security Professionals, is the first book of its kind to be published. It looks at the cognitive skills and requirements of the mindset, how to engage it, and why.
Attackers don't acknowledge people.
They target them.
There is nothing either good or bad but thinking makes it so.
—William Shakespeare
I was recently told by someone I consider to be a subject matter expert that introductions in books, although seldom read by typical readers, are meant to respect the reader. Introductions are not intended to insinuate to readers that they will only understand the book's subject matter once they've read it cover to cover. Instead, the introduction should tell its audience how the core message of the book will be broken down. I think this is true, so this introduction acts only as a way to summarize what's to come, not to aggrandize it.
The core subject of this book is the attacker mindset, the gathering, processing, and applying of information for an objective. That's the key takeaway of this book. If you stop reading now, you will have received its central message. However, what I'm hoping will keep you reading, rather than repurposing the book as a doorstop, is that the whole book is about how to do this as an attacker—how to process and apply information for the benefit of the mission.
The Art of Attack looks at all aspects of the attacker mindset (AMs), focusing on the cornerstone pieces. In breaking these pieces down to their fundamental components, the book empowers you to build them back up into something recognizable as your own brand of attacker mindset. I will describe the principles of this mindset and how to interweave them with the process most attacks follow, namely: reconnaissance, initial approach, privilege escalation, redundant access, and escape. Through this attacker lens, this book explores tools you can implement as attackers and the psychological principles, too. I will also call out all the times you should take snacks with you on a job, which doesn't seem important now, but wait until you've been trapped in a bathroom stall for six hours.
To help you remember the material packed into this book, I'll provide stories (both successes and fails), which should make transferring AMs from theory into practice much easier. As a practitioner of social engineering, I will mainly concentrate on examples of the attacker mindset in my stories from the field. However, as a trained pen tester there will also be crossover.
The tagline I've used to put attacker mindset into shorthand over the years is: there really is nothing good or bad, but your attacker mindset makes it so. This line is effectively how this book came into being: countless hours of trying to teach people the art of the attacker mindset allowed a reduction of it to that statement. The attacker mindset allows us to hack information, which may on the surface be neutral to the untrained pedestrian, but to you or me as attackers could prove lethal when leveraged correctly. There's no information that you will come across that's simply good or bad; information is processed through the lens of the attack and its objective.
I wrote this book solely to teach this mentality, but each of you will build your own version of it that reflects your strengths and weaknesses. This book should teach you how to think, not what to think. It contains chapters on open source intelligence (OSINT) and social engineering, too. However, other books and courses exist that break down how to perform OSINT and how to become a social engineer (SE). My aim is to show you how those fit into the executive functions of AMs.
The attacker mindset should be taught to those who need it most—those who we, as a society, want to protect from malicious attackers. Companies should use physical testing as well as network testing to evaluate their security postures regularly, which will help build their populations' intuition and security. The attacker mindset should be used in boardrooms and other government and corporate settings as a way to scrutinize and analyze blind spots and vulnerabilities. Members of the cyber and information security communities should be consulted as think tanks and task forces. So, my aim is for this book to speak to those decision makers as well.
However, because I will look at the attacker mindset through the lens of a security professional, this book is first and foremost intended for those who wish to partake in a modern battle of stress testing and ethics: security professionals. Ethics and morals will come into play quite a bit. Knowing how to portray the bad actors is not the same as actually becoming them. The line that separates us from them is the line of ethics.
There's also a case to be made that says ordinary individuals can benefit from learning about AMs. Awareness of how this mindset might present itself can prove pivotal in assessing whether an attack is being mounted against you and what to do if it is. Because of this, my aim for The Art of Attack is for it to be useful for the general public, too.
Finally, every chapter in this book, every paragraph, every sentence, has the capacity to offend or irk someone. Those with a detailed military background will need all of their patience to forgive what cannot be known about warfare recon without having been in the thick of it; those who guard the realm of the ethical hacker will need to find a way to subdue their rage, given that this book speaks as directly to malicious attackers as it does to ethical ones. Alas, I cannot control who reads this and what they do with the information within it. For those very sensitive or pedantic, putting the word ethical before the word attacker will not make what I say in this book invisible to any malicious actors reading it. To subdue this rage, all I can offer is this: as a society increasingly in need of effective security measures, focusing on the need to better understand attacks and attackers is prudent. Understanding how and why an attacker performs is one thing, and it's important. But by being able to think like them, looking at ourselves through their eyes, we become more powerful, more dominant, and far safer.
My final sentiments are a cloned copy of Tai T'ung, who, in the 13th century said of his book, History of Chinese Writing: “Were I to wait perfection, my book would never be finished.” Of course, I am not writing a history of the attacker mindset. I am setting out to show the full breadth of it and its modern-day uses and functions.
The idea behind this book is to document and teach the attacker mindset, without taking individualism and obliterating it.
Different strengths will have to be played to by all of us who use this book to build an attacker mindset and execute attacks. Nonetheless, I'll pick apart the attacker mindset so that we can find the commonalities and still leave room for each of us to apply our own personal brand to it.
The greatest and sharpest attackers are trained to see opportunities in the moment, and there's no way for this book to list the infinite opportunities an (ethical or otherwise) attacker might come across out in the field. But what it will teach is this: how to form the attacker mindset and how to apply it.
In the name of ethics, the final part of this book will explore the “tells” of an attack and what businesses, organizations, and institutions can and should do pre- and post-attack to protect themselves.
Finally, the end goal of the attack, after you've sprinted 18 flights of stairs, hidden under desks, been wedged in between two 20-foot containers, sweated the foundation off your thumb tattoos (all fun stories for later), and handed in the report, is to leave each company, boardroom, and client stronger for having employed you. It's almost all that separates us from the bad guys.
Here we go. Enjoy.
War is 90 percent information.
—Napoleon Bonaparte
It is 5 a.m., and I still have an hour before I meet my team. I've been up for the last hour going over plans because this is how I always start my attacks: with a niggling amount of nervous energy, I pace the floor of my hotel room, playing a game of mental chess in my mind. I go over my initial approach, consider my possible moves if I do get past security, and then again if I don't, I start to wonder How will I pivot? The game of mental chess carries on. This is the most efficient and successful way I have found to hone my mental agility.
From this thought I dive into a myriad of others, imagining new ways I might get into the building, new ways to escalate my privileges and deepen my foothold after my initial breach, whether that starts in the basement or the lobby. If someone happens to ask me why I am in the basement, could I say I got in the wrong elevator from the parking garage and ask for help…?
I visualize the layout of the building internally—another luxury afforded by solid open source intelligence (OSINT) findings—and use faceless silhouettes to represent staff I might pass along the way. Sometimes I imagine them asking me questions; sometimes I imagine myself just nodding at them in silent acknowledgment. After all, the largest component of executing an artful attack lies in the attacker's ability to adapt to the people and surroundings in which they find themselves, even when those things are brand-new.
I continue to walk myself through it all a few times, picturing different obstacles: Would it be better just to tailgate, or should I walk in front of the building declaring myself a visitor? I imagine the payoffs of each and weigh them. Working the visitor system should give me almost unfettered access for the day, but it's a high-risk move, I tell myself, whereas tailgating in through a less visible entrance leaves me at the mercy of sloppy, albeit well-intentioned, employees holding any one of hundreds of fire and security doors open for me… . Taking a moment, I come to a conclusion: No, stick with the A-plan: go to security and get access, I tell myself.
The whole time I'm performing this mental pre-attack ritual, I am reminding myself of the same things over and over: get in, get the flags, never let them know you're a threat, and stay within scope. In my mind I am always making my way to the 38th floor, and I am always mentally preempting the challenges I'll face as I try to walk into the CFO's office and place a USB drive into their computer port. That's my job. And, although I like to warm up by running as many possibilities through my mind as I can come up with, I have yet to predict obstacles and pivots correctly even once in my career. That is irrelevant, though—the mental warm-up is what I need—it induces the power of thinking on my feet and knowing I've learned from prior failures and successes.
I soon start to focus on making sure I've disguised myself as a threat. I've based my pretext off the OSINT I've found so far. For this bank job, I am a lawyer here to help wrap up the mergers and acquisitions deal that was all over the news only weeks ago, albeit without much context. It took a lot of searches and piecing together information to choose the nuance of this pretext; I am not just any lawyer, but a lawyer who is now needed to help the deal over the final few hurdles, equipped with an abundance of paperwork—my prop and my seeming legitimacy. And, unless the security guards happen to be a team of lawyers, I won't be found out by the typical questions people ask a lawyer: What are you here for? What firm do you work for? How long have you been practicing, what school did you go to? Do you know how I can get out of a parking ticket? I call these my pretext layers, and depending on the job, I might need to go many layers deep, to the point I need to know much more than you might expect, from common jargon to how a piece of machinery works.
The start point of the operation is as hermetic as it's ever going to be. I have my props, which in this case are an ID card from my “firm” and a portfolio filled with “legal documents,” categorized by tabs that have the words “Signed by [CFO's name]” and today's date. I also have a fake guest pass card that one of my teammates was able to print for me based on a picture of a legitimate one we'd found on Yelp. Blessed be Yelp. I have lock picks; I have my radio-frequency identification (RFID) duplicator and fobs just in case the opportunity arises to clone a working security card I can't slip into my pocket; and I have the most important thing I'll carry all day: my letter of approval. It is a piece of paper with my point of contact's name and number and a short statement asking anyone who detains me to contact him before the police. I also have my fake ID, although I am sans a snack, which is unlike me. The snack is not important. Yet.
With another huge thanks to mighty OSINT, I've already prepared my outfit for the day, too. I've had it picked out for about a week now, and it will be a big part of the operation. I've chosen it with meticulous care to be professional and versatile. This is not a job where I can wear a costume. I won't be going head-to-toe in scrubs or coveralls, like in some of my other jobs. I put on my wardrobe for the day with a sense of gravity and focus that I generally don't use for throwing on my usual working-from-home attire (sweats on the bottom, work-acceptable T-shirt on top). It is the middle of summer in New York, yet I have on a long-sleeved blue shirt under a white silk shirt, but for a good reason. There is a chance I'll need to ditch the top layer so that the security team can't quickly identify me by the color of my clothes, should someone start to become suspicious. I have a hairband tied around my wrist, too, to throw my hair up in case I need to hide its length and color. I've put foundation on the rather unfortunate tattoo I have on my right thumb. I'll be returning to this office soon enough, and I don't want anything about me to be too recognizable. These seemingly inconsequential things matter.
Finally, dressed and mentally prepared, I leave the room to meet my team. They won't be joining me, but they will be on standby in case of trouble, which is a company policy and one I've been thankful for on more than one occasion. After a pep talk, making sure we can stay in constant communication, I make my way to the bank's offices and try to break in, knowing that if it all goes well, I'll be out in time to do it a second time under the cover of darkness. I'll need my team for that and a few more games of mental chess.
The attacker mindset (AMs) is a set of cognitive skills applied to four laws. It is evident and relevant across all professions, trades, and businesses, although it often goes under the guise of expertise. Many people exhibit AMs qualities within their domain, as we will look at shortly. The Art of Attack, however, is about gaining and using this mindset for malicious activity over any domain—but in a way that ultimately results in the betterment of an organization's security.
The laws say that you must know your end goal, be able to constantly collect information that you can weaponize and leverage to achieve that goal, develop a pretext that you never let slip, and have every action you take be for the advancement of the objective. As you will see, the cognitive skills needed to uphold these laws in an attack are broad, but they all have a single common thread: they relate to information, and most importantly, information as you perceive it. There is no attack without information, and learning to tie it back to your objective is the essence of AMs.
A woman spills coffee on herself, and it burns her. We hear, “Someone had butterfingers,” and comprehend hot liquids scald.
A lawyer hears “The coffee was too hot” and the winds of a lawsuit. This particular woman's lawyer took facts and bent them and shaped them to fit the objective set out by the law. This is what the attacker mindset looks like at work. Your attacker mindset will differ from that of a lawyer's, but the central principles remain: the building of an attack is based on information as you perceive it; the execution is based on the information as you apply it. AMs is nothing more or less than a way of taking information in and applying it to an objective. The mark of a good attacker is the ability to repurpose information in ways not intended by the source. This is made possible by using the first and second laws of the attacker mindset: the first law states that you start with the end in mind, and the second law states that you gather, weaponize, and leverage information as a means to that end.
As an example, if you hear of a company holding a conference, you may be able to phish them by gathering information on who their vendors are and impersonating those vendors by way of a vish (a call in which an attacker attempts to gain information or perform an attack), a phish (an email in which an attacker aims to gain information or gain access to a user's machine/network), or even in person to gain sensitive details or access. If they are holding the event virtually, a well-crafted phish will have a high probability of going undetected. You might start by finding out which platform they are holding the event on and phishing them, pretending to be that platform. You might be able to phish their attendees or their speakers, appearing as if you are in fact reaching out from the hosting company itself, gaining access to potentially thousands of people's sensitive data. Most people's reaction to that possibility is that this sort of attack would be illegal. This is actually up for debate, depending on where in the world you live. Some governments can authorize this sort of test if you have a bank account in that country, as an example. Typically, though, it will be a company that hires you, and you will not be able to test their attendees.
Let's look at another example of how this mindset can take seemingly innocuous information—in this case given freely by the source—and use it to create a vulnerability. Say you are able to circumvent a company's technical defenses after searching current or historical job postings. In this example, a company was looking for a candidate who had “an overview or understanding of SAP product and service portfolio (SAP Cloud Platform Integration, SAP PI/PO, API Management).” They were also looking for that person to have “sound knowledge of JavaScript and Groovy Script. [Be] able to configure Sound NetWeaver. Should be comfortable with Java Programming. Nice to have worked in UI developments using SAP Web IDE #.”
There's a lot of information in this that could prove vital in various attacks against this target, including network, web app, phishing, and vishing attacks.
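The job-posting passage above describes the processing step of Law 2 in prose: take free text the target published, pull out the technology signals, and sort them into the buckets an attack can use (platform, language, product). The following is an added example and is not code from the book; the keyword table, the bucket names, and the sample posting (modeled on the one quoted above, with the likely typo "Sound NetWeaver" read as "SAP NetWeaver") are all constructed for illustration. It also shows the defensive use of the same logic: running it over your own postings before they go public tells you what stack information you are handing to an attacker.

```python
"""Bucket technology signals from a job posting into attack-surface categories.

Added example, not code from the book. The keyword table, bucket names and
sample posting are constructed for illustration; a real engagement would
extend the table with the target's own vocabulary and feed it every current
and historical posting, not just one.
"""
from __future__ import annotations

import re

# Constructed keyword table: regex -> (bucket, normalized name).
# Buckets mirror how a finding gets used: a platform points at network and
# web-application targets, a language at the likely code base, a product at a
# vendor the attacker could impersonate in a vish or phish.
SIGNALS = {
    r"\bSAP\s+NetWeaver\b": ("platform", "SAP NetWeaver"),
    r"\bSAP\s+(?:PI/PO|PI|PO)\b": ("platform", "SAP PI/PO"),
    r"\bHANA\b": ("platform", "SAP HANA"),
    r"\bSAP\s+Cloud\s+Platform\s+Integration\b": ("product", "SAP Cloud Platform Integration"),
    r"\bSAP\s+Web\s+IDE\b": ("product", "SAP Web IDE"),
    r"\bAPI\s+Management\b": ("product", "API Management"),
    r"\bJavaScript\b": ("language", "JavaScript"),
    r"\bGroovy(?:\s+Script)?\b": ("language", "Groovy"),
    r"\bJava\b": ("language", "Java"),  # \b stops this matching inside "JavaScript"
    r"\bABAP\b": ("language", "ABAP"),
}

# Constructed sample posting, modeled on the one quoted in the text.
SAMPLE_POSTING = (
    "Candidate should have an overview or understanding of SAP product and "
    "service portfolio (SAP Cloud Platform Integration, SAP PI/PO, API "
    "Management). Sound knowledge of JavaScript and Groovy Script. Able to "
    "configure SAP NetWeaver. Should be comfortable with Java programming. "
    "Nice to have worked in UI development using SAP Web IDE."
)


def extract_signals(posting: str) -> dict[str, set[str]]:
    """Return {bucket: {normalized names}} for every signal found in the text."""
    buckets: dict[str, set[str]] = {"platform": set(), "language": set(), "product": set()}
    for pattern, (bucket, name) in SIGNALS.items():
        if re.search(pattern, posting, flags=re.IGNORECASE):
            buckets[bucket].add(name)
    return buckets


def infer_stack(buckets: dict[str, set[str]]) -> str:
    """The inference the text draws: which NetWeaver stack the target likely runs.

    Only the languages the posting asks for are used as evidence, so the answer
    is a hypothesis to confirm with further recon, not a fact.
    """
    langs = buckets["language"]
    if "Java" in langs and "ABAP" in langs:
        return "dual-stack"
    if "Java" in langs:
        return "Java"
    if "ABAP" in langs:
        return "ABAP"
    return "unknown"


def disclosure_report(posting: str) -> list[str]:
    """Defensive use: one line per disclosed signal, for review before publishing."""
    buckets = extract_signals(posting)
    lines = [f"{bucket}: {name}" for bucket in sorted(buckets) for name in sorted(buckets[bucket])]
    lines.append(f"inferred stack: {infer_stack(buckets)}")
    return lines


if __name__ == "__main__":
    for line in disclosure_report(SAMPLE_POSTING):
        print(line)
```

The regexes are anchored on word boundaries so that "Java" is not counted inside "JavaScript"; that is the sort of false positive that turns a recon bucket into noise, which Chapter 7 returns to under "Signal vs. Noise". The hiring-side report is the practitioner's check: every line it prints is a line the target chose to publish.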
A network attack is an attempt to gain unauthorized access to the target's network, with the objective of stealing data or performing other malicious activity. Thanks to this job posting, I know that the target uses SAP (Systems, Applications, and Products) systems, which are tempting to attack because they store and manage the lifeblood of any organization: critical information and business processes. SAP systems can be based on different platforms: ABAP (Advanced Business Application Programming), Java, or HANA. We can infer that this one is based on Java, given that the job description asks for Java and Groovy rather than ABAP. The main SAP platform is SAP NetWeaver, and ExploitDB (www.exploit-db.com), a popular exploit repository, shows that vulnerabilities exist for version 7.4, one of which showed that SQL injection is possible. This type of attack lets attackers inject their own SQL commands into a query the application builds from their input, paving the way for access to critical data in the database: users' passwords, account information, and anything else stored there.
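The paragraph above says what SQL injection does but not why it works. The following is an added example, not code from the book and not SAP or NetWeaver code: it uses an in-memory SQLite table with constructed rows so it runs offline, and places the defect (input concatenated into the SQL text) beside the fix (input bound as a parameter). The defect and the fix are the same on any SQL backend, including the Java stack discussed in the text.

```python
"""SQL injection: the vulnerable query beside its parameterized fix.

Added example, not code from the book. The users table and its rows are
constructed; the point is that the same input string is executed as SQL by
one function and treated as plain data by the other.
"""
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed sample table standing in for a real users store."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password_hash TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "hash-a"), ("bob", "hash-b"), ("cfo", "hash-c")],
    )
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, username: str) -> list:
    # Defect: the caller's string becomes part of the SQL text, so a quote in
    # the input ends the literal and whatever follows is parsed as SQL.
    sql = "SELECT username, password_hash FROM users WHERE username = '" + username + "'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn: sqlite3.Connection, username: str) -> list:
    # Fix: the SQL text is fixed at compile time and the input is bound as a
    # value, so it is compared against the column and never parsed.
    sql = "SELECT username, password_hash FROM users WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


# Classic tautology payload: closes the open quote, adds an always-true OR.
PAYLOAD = "' OR '1'='1"


if __name__ == "__main__":
    db = make_db()
    print("vulnerable, normal input:", lookup_vulnerable(db, "alice"))
    print("vulnerable, payload:     ", lookup_vulnerable(db, PAYLOAD))  # every row
    print("safe, payload:           ", lookup_safe(db, PAYLOAD))        # no rows
```

With the payload, the vulnerable query becomes `WHERE username = '' OR '1'='1'`, which is true for every row, so the whole table comes back. The parameterized version looks for a user literally named `' OR '1'='1` and finds none. Parameter binding is the fix; escaping quotes by hand is not, because it has to be right for every dialect and every code path.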
A simple vish could be made with this knowledge to multiple departments in the organization to gain more information based on these findings or to weaponize this information immediately to attempt to gain forgotten credentials. You may be able to gain entry to a secure building upon learning of an upcoming event they are holding and vishing to find out which type of ID is required to enter. If it's their work badge, you may be able to find a clear enough picture online to re-create one. You may be able to circumvent a whole building's security team by finding out what time the guards change shifts.
The possibilities are truly endless when you have information, and you can weaponize it and leverage it correctly. All of this neatly brings us to the cognitive skills an attacker must exhibit: an attacker must have curiosity in abundance; persistence to drive that curiosity into action so as to be moving forward all the time; the ability to process information into workable categories; mental agility enough that allows repurposing of information when a situation calls for it and the agility to adapt the information in ways not always intended by the source; and finally, this mindset requires self-awareness. Self-awareness is invisible. No one can “see” that you are self-aware, but almost everyone can feel if you are or not. You must leave people feeling however you need them to in order to fulfill your objective. I will cover this in a later chapter on target psychology.
It's silly to argue about the “true” meaning of a word—a word means whatever people believe it to mean—but for me, “hacking” information through AMs means using information in ways unanticipated by the original source. Just as a hacker uses something in a way it was not intended to be used, an attacker uses information in a way it was not intended. This gives AMs a sense of neutrality on the surface, but delving a little deeper into it, it encompasses the art of the mindset seamlessly: information exists, and we are free to process it and apply it however we want. A great attacker will always apply information for the good of the attack; they will always bend and twist the information in a way that furthers the mission or gains the objective.
In the most traditional sense, an attacker is an individual, or a group of individuals, who seeks to destroy, expose, alter, disable, and steal information or to gain unauthorized access to or make unauthorized use of an asset or person. Attackers are often portrayed as ruthless individuals with almost otherworldly skills and the means to win against their victims. They will try to find the path of least resistance for the biggest gain. To an extent this is true, but as we have already covered in part, an attacker's main ammo is the leveraging and weaponization of information—without this, they are powerless. The world runs on data now, so information is abundantly available. Malicious attackers will use information to gain information from their targets; ethical attackers will do the same but will teach the targets how their own information can be used against them, how to recognize when that is happening, and how to prevent it.
There are two main states of attacker mindset: there's before the vulnerable information has been carved out and there's after. One commonality exists between them: every step you take as an attacker must go in the direction of the objective. The nature of AMs means it boils down to forming information around the objective, inferring where necessary, leveraging information where possible, and concealing other information where needed. These are the core competencies that make up AMs, and we are about to start untangling them. But it is prudent to note that you do not need the skills to understand the laws of AMs, and you do not need the laws to use the skills. It's the application of the skills against the laws that makes the mindset:
The first law of AMs states that you start with the end in mind, knowing your objective. This will allow you to use laws 2, 3, and 4 most effectively.
Law 2 states that you gather, weaponize, and leverage information for the good of the objective. This is how you serve law 1.
Law 3 says that you never break pretext. You must remain disguised as a threat at all times.
Law 4 tells you that everything you do is for the benefit of the objective. The objective is the central point on which every move an attacker makes hinges. Because of law 1, you cannot diverge from the objective that was set out.
It is the interwoven use of five cognitive skills that form the backbone of the attacker mindset:
You cannot become a good ethical attacker without a healthy dose of curiosity.
Your curiosity will not pay off without persistence.
You will have nothing to persist in if you cannot take in information and leverage the most mundane of it correctly.
You will need to have mental agility enough to actively adapt information in the moment.
If you have all of these skills, you will still only succeed if you have a high level of self-awareness, because you must always know what you bring and how to leverage it. Self-awareness will allow you a higher level of influence over someone else. These five things play a role in every job you will get as an ethical attacker looking to succeed.
Defenses against attackers generally center on building technological protections to combat ever-lurking adversaries. Businesses typically try to fortify their assets by closing off the most obscure entry points, which is commendable. But it becomes irrelevant if they leave the front door wide open rather than employing an active defense. Attackers are often relentless and dogged types (and need to be in order to succeed). Protecting against this can be difficult, because the threat is somewhat faceless and motionless until one day it's not—how can we truly protect ourselves against such a faceless, shapeless entity, you may wonder? It is something that doesn't seem like a threat at all until one day it appears, and then it is tangible, dangerous, and consequential. Looking the threat in the face leaves most companies wondering how they could have missed imagining the scenario in which they find themselves, and the truth is there are infinite attack scenarios. Imagining and barricading against them all is futile. Learning to think like an attacker, seeing how information about you can be used against you, will not stop it from happening, but it will make halting attacks in their tracks that much easier. It's the closest thing to a security panacea I will see in my working lifetime, of that I have no doubt.
People, typically not in the cybersecurity or information security industries, wonder if it's safe or even ethical to teach people how to think like an attacker, whether that be teaching a penetration tester how to break into networks or a social engineer how to elicit information and use it against a target. My response is always this: the solution to successfully fending off attacks and staying ahead of them is to be able to think like those who would seek to attack us. I am not teaching people to be malevolent or corrupt; I am teaching them how to be ethical—testing people, companies, and security for our greater good. When a company is attacked, regardless of whether they left themselves open to it or not, it affects the people who work there; it affects the people who used the services. This should not be overlooked or taken lightly. Because of the stakes, we must have only trusted individuals, within our workplaces or the information security/cybersecurity sectors, test our businesses.
Also, as I have said in the introduction and countless times before, whether it be when asked by people curious about my profession or in interview and training settings, putting the word ethical, or some variation of it, before the word attacker will not make the words that follow invisible to malicious actors. I also cannot control who buys this book. But I believe that learning to think like a malicious attacker can and will help us, as security professionals, get ahead, stay ahead, and beat them. We take their power when we can think like them, but with a purer intent.
As a society, we test everything: we test our cars to see how they'll fare on impact, we test buildings for structural safety, we even test markets before launching products. We train our emergency personnel, too, and rightly so. We wouldn't simply place a person in front of a burning building with a hose expecting them to put it out; we test our firefighters, give them experience and build their skills. The same goes for many other professions. As businesses, we can and should test everything. “Everything” includes human-based defenses. Testing people against ostensibly malicious attacks is tactical, daunting, and dynamic, but it works as a way of upping security, and it's the next great defense in security for businesses, and for us all. One of the most effective ways to uncover flaws and weaknesses in a business's security posture is to carry out planned attacks, exposing gaps in their defenses before a malicious attacker can take advantage.
Finally, while testing people is of course not teaching them the attacker mindset, it is teaching them how an attack might rear its ugly head, and that alone gives them defenses against it. So, as security professionals, it's also our duty to form attack methods that, once executed, have no long-lasting adverse effects on the population tested—a major contrast when compared to those breached by a malicious attacker. After all, some of the most devastating attacks haven't been the most technical—they've simply been human versus human. The catch is that only one human knows about the attack as it unfolds. By offering insight into the principles of AMs, we should be able to move the needle on security in the right direction without adversely affecting the population.
The word scope will be used frequently throughout this book and chapter. It refers to a document that is an agreement on the work you're going to perform for a client. It outlines what you can and cannot do. It is your get-out-of-jail-free card if you are caught (if you stuck to the terms of it) and possibly your never-go-to-actual-jail card if you are caught (if you stuck to the terms of it).
The scope will permit you to do a whole host of things, like enter a building from any given area or use real employee names in a phish. It might let you break into a building during the day (within normal working hours) but not at night, or it might allow you to impersonate employees, both in person and over the phone. It is decided by the client.
Here's the bottom line of scope: you don't have to do everything scope permits. You cannot do a single thing it prohibits. Ensure you understand scope before you embark on the work. Make sure it uses clear language, and make sure you clarify anything you are unsure of.
Collectively, as a team, we've broken into hundreds of servers and physically compromised many of the world's most tightly guarded corporate and government facilities, including banks, corporate headquarters, and defense sites. However, I am always struck by how James Bond–like people think the job is. Each job is a long process that looks at legalities, operational conflicts that have to be worked around, and deliverables.
The first phase of the process is aligning with the target, picking a period in which to attack, and defining the scope. To discuss that in great detail is beyond the range of this book, although an important point about scope should be made: scope limits what you do, not how you think. Breaking that down a little further, the scope matters to you because it tells you what you are and are not allowed to do—if you are not allowed to impersonate an internal employee, then you might pivot to impersonating a contractor. You may not be allowed to spoof numbers or name drop, so your AMs will have to forge ahead, giving you deceptive and creative ideas to offset those limitations. For instance, if you can't spoof numbers, you might get a burner number that's a few digits off from the one the target will expect. If you can't name drop, you might use names that sound close to the real ones. If scope limits you from using tools, like card cloners, then you might have to use a look-alike card and feign a technical error when it won't permit you access. Basically, scope adds complexities to your job, but it doesn't limit the power of your AMs; it simply exercises it in different ways.
There are good and bad outcomes that arise from having a scope in place. Primarily it is a protection for you as an attacker, which is why stepping outside its lines can be so damaging and devastating, both to your company and to your career. It is protection for the target, too. Most often you will hear new people in the field saying a real attacker would never stick to scope, so why should they? This is more complex than you'd first think. The first part of the statement is true; an attacker does not have a scope to stick to. However, if the client is asking you to go after the same asset that a real and malicious attacker would, the outcome is the same. Your clients should train their staff on how to spot attacks even when those attacks use spoofed numbers and impersonation, but if you are able to successfully breach them with these limitations in place, you further hit home to them how vulnerable they are. Scope is an attacker's blessing in disguise.
There are, however, grounds to challenge scope. If the client is too extreme in either direction, without good cause, you should—professionally—be able to point out to them how it precludes valuable testing. For instance, if you are vishing a bank and the client doesn't want you to use any semblance of an existing department as your pretext, you might point out that such limitations are heavily skewed in a way that will impact the findings and go against their security posture and future mitigations. It's too far removed from a realistic attack scenario.
However, if you are breaking into a government facility and the client doesn't want you to take any device in that's able to film or photograph, that shouldn't be too much of a concern for you as long as a mechanism is in place for you to prove your successes (and failures). Some clients will want a representative to accompany you; others will want you to check in at different points throughout the building. In the case of most pen tests, you will usually screenshot your progress. However, some clients will prohibit this and use their own logs as an example.
We will not cover report writing, although it is a large part of a job for most clients. What I will say about reports is that they should not be approached with fear or loathing. Equally, they should not be treated as precious. They are a way for you to give a coherent and exhaustive rundown of what you did from start to end and to give recommendations based on all of that. Giving the client all the vulnerabilities you saw but didn't take is important, too. I prefer a report that is simple and easy both to write and to read. There's still an element of AMs law involved in writing them: you must know the objective of the report (to show them where they are vulnerable and how to close those vulnerabilities); you must be able to take the information you gathered and describe it effectively, leveraging it for the report; you will have to stay professional for the entire report—it is not a document for you to write your moves out like a screenplay; and you must always keep the objective of the report in mind so that it doesn't drift in the direction of fiction or in the direction of data only, without fixes.
Attacker mindset can be used from your computer, but it really can't be taught there. It's a set of skills and laws working in combination.
AMs is a set of cognitive skills applied to four laws. Used together, they produce an advantage for the attacker and a disadvantage for the target.
Teaching the attacker mindset to those who don't seek to harm us, but to protect us, will greatly impact our successes in information security going forward.
The following chapters present a complete system for building this mentality and untangling the complex web of thinking and resulting actions that make an attacker mindset so formidable.
Reports are, for most people, the least fun part of the job but the most important part for the client.
War is 90 percent information; the rest is how you apply it to the objective. An attacker takes in information to achieve an objective, but instead of profiting in the end, an ethical attacker seeks to strengthen defenses they circumvented or defeated. AMs’ largest commodity is information; it is the use of this information that defines the attacker and the attack.
To carry out the acts of an attacker requires curiosity and persistence, which are interdependent as one often drives the other. Information processing is another important skill. A subset of information processing is mental agility—you cannot use information agilely if you cannot first parse it. Self-awareness is the ability to use yourself in a way that is beneficial for the objective.
Before we dive into the components of the mindset, it is worthwhile to categorize it into its offensive and defensive sides. In this chapter, we will briefly look at what offensive and defensive security are and how they differ from each other. Then we will look at the offensive and defensive sides of the mindset and what each side brings to its security counterpart in terms of skill and functionality.
Many millions of dollars in public and private investment have been spent on new technologies, usually for defensive measures rather than offensive. Offensive security is a proactive and oppositional approach to protecting computer systems, networks, and individuals from attacks. The offensive part of the attacker mindset is also oppositional and dogged.
Defensive security, however, uses a reactive approach that focuses on prevention and detection of attacks. The defensive mode of your AMs will allow you to be reactive, helping you see ways in which you might be caught and hopefully circumventing those defenses with the help of your offensive prowess. Afterward, your defensive AMs will allow you to see ways to prevent attacks, making you extremely valuable to any client.
In terms of technology, currently there is an enormous defensive preference in security. Unfortunately, this means that the time between a defensive weapon's creation and that of its offensive counter is often huge. Another problem with this defensive preference is that even with the best defensive security protocols and technologies in place, as a social engineer or red teamer, there is a chance I'll be able to slip right past them, which is often a lot easier than getting past a technological defensive protection and can be just as damaging, maybe more so. Additionally, technology is becoming further and further intertwined throughout the broad population's professional and personal lives, which makes the overall goal of security more complex. Because of this, both sides of technology are needed and both sides of the mindset are needed.
Both offensive and defensive security have their purpose, and each is important from a business standpoint. Offensive cybersecurity strategies shrink the chance of attacks by promoting a permanent state of readiness and actively analyzing the environment; they can and should be critical in keeping out people like me, which is a big win when undergoing testing, and malicious digital pentesters, too.
Defensive security relies on a comprehensive understanding of an environment and being able to analyze it in order to detect latent flaws. The barrier to perpetual, effective defensive security is the inability to always accurately predict the future.
A like-for-like scenario might be that of an earthquake. In the United States, we construct buildings meant to withstand earthquakes within a range of magnitude, but we can't always accurately predict all the other chaos, mayhem, and destruction it might bring with it. So, after a hurricane strikes, the clean-up begins and measures like riverbank management are put in place so that the situation is not repeated in the future. However, the next earthquake that strikes might do unforeseen damage to other critical infrastructure. So, that is then hardened, and the loop continues. As an example, Hurricane Sandy, when it hit New York in 2012, shone a light on the inherent flaws of keeping generators in basements. Once flooded, generators are put out of use. The aftermath of Hurricane Sandy also saw the city build more emergency shelters, repair public housing to make it more storm-resistant, and construct flood protection in the form of greenery around Manhattan. City officials estimate that the storm cost $19 billion in damages and lost economic activity.
Defensive cybersecurity deals with the prevention of attacks and the strengthening of the defenses that keep them at bay. These defensive measures often follow a successful offensive attack—hence the constant lag and uneven playing field. If a metaphorical hurricane hits a business, they have to quickly address the points of failure, put in place short-term mitigations, and find ways to make their environment more resilient and less vulnerable to malicious damage. That reality means it's imperative for the business to start preparing immediately to protect its employees, infrastructure, and revenue from those future catastrophes.