account information, and anything else stored in the database.
A simple vish could be made with this knowledge to multiple departments in the organization to gain more information based on these findings or to weaponize this information immediately to attempt to gain forgotten credentials. You may be able to gain entry to a secure building upon learning of an upcoming event they are holding and vishing to find out which type of ID is required to enter. If it's their work badge, you may be able to find a clear enough picture online to re-create one. You may be able to circumvent a whole building's security team by finding out what time the guards change shifts.
The possibilities are truly endless when you have information, and you can weaponize it and leverage it correctly. All of this neatly brings us to the cognitive skills an attacker must exhibit: an attacker must have curiosity in abundance; persistence to drive that curiosity into action so as to be moving forward all the time; the ability to process information into workable categories; mental agility enough that allows repurposing of information when a situation calls for it and the agility to adapt the information in ways not always intended by the source; and finally, this mindset requires self-awareness. Self-awareness is invisible. No one can “see” that you are self-aware, but almost everyone can feel if you are or not. You must leave people feeling however you need them to in order to fulfill your objective. I will cover this in a later chapter on target psychology.
The Attacker and the Mindset
It's silly to argue about the “true” meaning of a word—a word means whatever people believe it to mean—but for me, “hacking” information through AMs means using information in ways unanticipated by the original source. Just as a hacker uses something in a way it was not intended to be used, an attacker uses information in a way it was not intended. This gives AMs a sense of neutrality on the surface, but delving a little deeper into it, it encompasses the art of the mindset seamlessly: information exists, and we are free to process it and apply it however we want. A great attacker will always apply information for the good of the attack; they will always bend and twist the information in a way that furthers the mission or gains the objective.
In the most traditional sense, an attacker is an individual, or a group of individuals, who seeks to destroy, expose, alter, disable, and steal information or to gain unauthorized access to or make unauthorized use of an asset or person. Attackers are often portrayed as ruthless individuals with almost otherworldly skills and the means to win against their victims. They will try to find the path of least resistance for the biggest gain. To an extent this is true, but as we have already covered in part, an attacker's main ammo is the leveraging and weaponization of information—without this, they are powerless. The world runs on data now, so information is abundantly available. Malicious attackers will use information to gain information from their targets; ethical attackers will do the same but will teach the targets how their own information can be used against them, how to recognize when that is happening, and how to prevent it.
There are two main states of attacker mindset: there's before the vulnerable information has been carved out and there's after. One commonality exists between them: every step you take as an attacker must go in the direction of the objective. The nature of AMs means it boils down to forming information around the objective, inferring in cases, leveraging information where possible, and concealing other information where needed. These are the core competencies that make up AMs, and we are about to start untangling them. But it is prudent to note that you do not need the skills to understand the laws of AMs, and you do not need the laws to use the skills. It's the application of the skills against the laws that makes the mindset:
The first law of AMs states that you start with the end in mind, knowing your objective. This will allow you to use laws 2, 3, and 4 most effectively.
Law 2 states that you gather, weaponize, and leverage information for the good of the objective. This is how you serve law 1.
Law 3 says that you never break pretext. You must remain disguised as a threat at all times.
Law 4 tells you that everything you do is for the benefit of the objective. The objective is the central point from which all moves an attacker makes hinge. You cannot diverge from the objective set out because of law 1.
It is the interwoven use of five cognitive skills that form the backbone of the attacker mindset:
1 You cannot become a good ethical attacker without a healthy dose of curiosity.
2 Your curiosity will not pay off without persistence.
3 You will have nothing to persist in if you cannot take in information and leverage the most mundane of it correctly.
4 You will need to have mental agility enough to actively adapt information in the moment.
5 If you have all of these skills, you will still only succeed if you have a high level of self-awareness, because you must always know what you bring and how to leverage it. Self-awareness will allow you a higher level of influence over someone else. These five things play a role in every job you will get as an ethical attacker looking to succeed.
AMs Is a Needed Set of Skills
Defenses against attackers generally center on building technological protections to combat ever-lurking adversaries. Businesses typically try to fortify their assets by closing off the most obscure entry points, which is commendable. But it becomes irrelevant if they leave the front door wide open rather than employing an active defense. Attackers are often relentless and dogged types (and need to be in order to succeed). Protecting against this can be difficult, because the threat is somewhat faceless and motionless until one day it's not—how can we truly protect ourselves against such a faceless, shapeless entity, you may wonder? Something that doesn't seem like it's a threat at all until one day it appears, and it is tangible, dangerous, and consequential. Looking the threat in the face leaves most companies wondering how they could have missed imagining the scenario in which they find themselves, and the truth is there are infinite attack scenarios. Imagining and barricading against them all is futile. Learning to think like an attacker, seeing how information about you can be used against you, will not stop it from happening, but it will make halting attacks in their tracks that much easier. It's the closest thing to a security panacea I will see in my working lifetime, of that I have no doubt.
People, typically not in the cybersecurity or information security industries, wonder if it's safe or even ethical to teach people how to think like an attacker, whether that be teaching a penetration tester how to break into networks or a social engineer how to elicit information and use it against a target. My response is always this: the solution to successfully fending off attacks and staying ahead of them is to be able to think like those who would seek to attack us. I am not teaching people to be malevolent or corrupt; I am teaching them to how to be ethical—testing people, companies, and security for our greater good. When a company is attacked, regardless if they left themselves open to it or not, it affects the people who work there; it affects the people who used the services. This should not be overlooked or taken lightly. Because of the stakes, we must have only trusted individuals within our workplaces, or the information security/cybersecurity sectors test our businesses.
Also, as I have said in the introduction and countless times before, whether it be when asked by people curious about my profession or in interview and training settings, putting the word ethical, or some variation of it, before the word attacker will not make the words that follow invisible to malicious actors. I also cannot control who buys this book. But I believe that learning to think like a malicious attacker can and will help us, as security professionals, get ahead, stay ahead, and beat them. We take their power when we can think like them, but with a purer intent.
As a society, we test everything: we test our cars to see how they'll fare on impact, we test buildings for structural safety, we even test markets before launching products. We train our emergency personnel, too, and rightly so. We wouldn't simply place a person in front of a burning building with a hose expecting them to put it out; we