eBook - ePub
The Art of Attack
Attacker Mindset for Security Professionals
Maxie Reynolds
This is a test
Share book
- English
- ePUB (mobile friendly)
- Available on iOS & Android
eBook - ePub
The Art of Attack
Attacker Mindset for Security Professionals
Maxie Reynolds
Book details
Book preview
Table of contents
Citations
About This Book
Take on the perspective of an attacker with this insightful new resource for ethical hackers, pentesters, and social engineers
In The Art of Attack: Attacker Mindset for Security Professionals, experienced physical pentester and social engineer Maxie Reynolds untangles the threads of a useful, sometimes dangerous, mentality. The book shows ethical hackers, social engineers, and pentesters what an attacker mindset is and how to use it to their advantage. Adopting this mindset will result in the improvement of security, offensively and defensively, by allowing you to see your environment objectively through the eyes of an attacker.
The book shows you the laws of the mindset and the techniques attackers use, from persistence to "start with the end" strategies and non-linear thinking, that make them so dangerous. You'll discover:
- A variety of attacker strategies, including approaches, processes, reconnaissance, privilege escalation, redundant access, and escape techniques
- The unique tells and signs of an attack and how to avoid becoming a victim of one
- What the science of psychology tells us about amygdala hijacking and other tendencies that you need to protect against
Perfect for red teams, social engineers, pentesters, and ethical hackers seeking to fortify and harden their systems and the systems of their clients, The Art of Attack is an invaluable resource for anyone in the technology security space seeking a one-stop resource that puts them in the mind of an attacker.
Frequently asked questions
How do I cancel my subscription?
Can/how do I download books?
At the moment all of our mobile-responsive ePub books are available to download via the app. Most of our PDFs are also available to download and we're working on making the final remaining ones downloadable now. Learn more here.
What is the difference between the pricing plans?
Both plans give you full access to the library and all of Perlegoās features. The only differences are the price and subscription period: With the annual plan youāll save around 30% compared to 12 months on the monthly plan.
What is Perlego?
We are an online textbook subscription service, where you can get access to an entire online library for less than the price of a single book per month. With over 1 million books across 1000+ topics, weāve got you covered! Learn more here.
Do you support text-to-speech?
Look out for the read-aloud symbol on your next book to see if you can listen to it. The read-aloud tool reads text aloud for you, highlighting the text as it is being read. You can pause it, speed it up and slow it down. Learn more here.
Is The Art of Attack an online PDF/ePUB?
Yes, you can access The Art of Attack by Maxie Reynolds in PDF and/or ePUB format, as well as other popular books in Informatik & Cybersicherheit. We have over one million books available in our catalogue for you to explore.
Information
Part I
The Attacker Mindset
Chapter 1
What Is the Attacker Mindset?
War is 90 percent information.āNapoleon Bonaparte
It is 5 a.m., and I still have an hour before I meet my team. I've been up for the last hour going over plans because this is how I always start my attacks: with a niggling amount of nervous energy, I pace the floor of my hotel room, playing a game of mental chess in my mind. I go over my initial approach, consider my possible moves if I do get past security, and then again if I don't, I start to wonder How will I pivot? The game of mental chess carries on. This is the most efficient and successful way I have found to hone my mental agility.
From this thought I dive into a myriad of others, imagining new ways I might get into the building, new ways to escalate my privileges and deepen my foothold after my initial breach, whether that starts in the basement or the lobby. If someone happens to ask me why I am in the basement, could I say I got in the wrong elevator from the parking garage and ask for helpā¦?
I visualize the layout of the building internallyāanother luxury afforded by solid open source intelligence (OSINT) findingsāand use faceless silhouettes to represent staff I might pass along the way. Sometimes I imagine them asking me questions; sometimes I imagine myself just nodding at them in silent acknowledgment. After all, the largest component of executing an artful attack lies in the attacker's ability to adapt to the people and surroundings in which they find themselves, even when those things are brand-new.
I continue to walk myself through it all a few times, picturing different obstacles: Would it be better just to tailgate, or should I walk in front of the building declaring myself a visitor? I imagine the payoffs of each and weigh them. Working the visitor system should give me almost unfettered access for the day, but it's a high-risk move, I tell myself, whereas tailgating in through a less visible entrance leaves me at the mercy of sloppy, albeit well-intentioned, employees holding any one of hundreds of fire and security doors open for meā¦ . Taking a moment, I come to a conclusion: No, stick with the A-plan: go to security and get access, I tell myself.
The whole time I'm performing this mental pre-attack ritual, I am reminding myself of the same things over and over: get in, get the flags, never let them know you're a threat, and stay within scope. In my mind I am always making my way to the 38th floor, and I am always mentally preempting the challenges I'll face as I try to walk into the CFO's office and place a USB drive into their computer port. That's my job. And, although I like to warm up by running as many possibilities through my mind as I can come up with, I have yet to predict obstacles and pivots correctly even once in my career. That is irrelevant, thoughāthe mental warm-up is what I needāit induces the power of thinking on my feet and knowing I've learned from prior failures and successes.
I soon start to focus on making sure I've disguised myself as a threat. I've based my pretext off the OSINT I've found so far. For this bank job, I am a lawyer here to help wrap up the mergers and acquisitions deal that was all over the news only weeks ago, albeit without much context. It took a lot of searches and piecing together information to choose the nuance of this pretext; I am not just any lawyer, but a lawyer who is now needed to help the deal over the final few hurdles, equipped with an abundance of paperworkāmy prop and my seeming legitimacy. And, unless the security guards happen to be a team of lawyers, I won't be found out by the typical questions people ask a lawyer: What are you here for? What firm do you work for? How long have you been practicing, what school did you go to? Do you know how I can get out of a parking ticket? I call these my pretext layers, and depending on the job, I might need to go many layers deep, to the point I need to know much more than you might expect, from common jargon to how a piece of machinery works.
The start point of the operation is as hermetic as it's ever going to be. I have my props, which in this case are an ID card from my āfirmā and a portfolio filled with ālegal documents,ā categorized by tabs that have the words āSigned by [CFO's name]ā and today's date. I also have a fake guest pass card that one of my teammates was able to print for me based on a picture of a legitimate one we'd found on Yelp. Blessed be Yelp. I have lock picks; I have my radio-frequency identification (RFID) duplicator and fobs just in case the opportunity arises to clone a working security card I can't slip into my pocket; and I have the most important thing I'll carry all day: my letter of approval. It is a piece of paper with my point of contact's name and number and a short statement asking anyone who detains me to contact him before the police. I also have my fake ID, although I am sans a snack, which is unlike me. The snack is not important. Yet.
With another huge thanks to mighty OSINT, I've already prepared my outfit for the day, too. I've had it picked out for about a week now, and it will be a big part of the operation. I've chosen it with meticulous care to be professional and versatile. This is not a job where I can wear a costume. I won't be going head-to-toe in scrubs or coveralls, like in some of my other jobs. I put on my wardrobe for the day with a sense of gravity and focus that I generally don't use for throwing on my usual working-from-home attire (sweats on the bottom, work-acceptable T-shirt on top). It is the middle of summer in New York, yet I have on a long-sleeved blue shirt under a white silk shirt, but for a good reason. There is a chance I'll need to ditch the top layer so that the security team can't quickly identify me by the color of my clothes, should someone start to become suspicious. I have a hairband tied around my wrist, too, to throw my hair up in case I need to hide its length and color. I've put foundation on the rather unfortunate tattoo I have on my right thumb. I'll be returning to this office soon enough, and I don't want anything about me to be too recognizable. These seemingly inconsequential things matter.
Finally, dressed and mentally prepared, I leave the room to meet my team. They won't be joining me, but they will be on standby in case of trouble, which is a company policy and one I've been thankful for on more than one occasion. After a pep talk, making sure we can stay in constant communication, I make my way to the bank's offices and try to break in, knowing that if it all goes well, I'll be out in time to do it a second time under the cover of darkness. I'll need my team for that and a few more games of mental chess.
Using the Mindset
The attacker mindset (AMs) is a set of cognitive skills applied to four laws. It is evident and relevant across all professions, trades, and businesses, although it often goes under the guise of expertise. Many people exhibit AMs qualities within their domain, as we will look at shortly. The Art of Attack, however, is about gaining and using this mindset for malicious activity over any domainābut in a way that ultimately results in the betterment of an organization's security.
The laws say that you must know your end goal, be able to constantly collect information that you can weaponize and leverage to achieve that goal, develop a pretext that you never let slip, and have every action you take be for the advancement of the objective. As you will see, the cognitive skills needed to uphold these laws in an attack are broad, but they all have a single common thread: they relate to information, and most importantly, information as you perceive it. There is no attack without information, and learning to tie it back to your objective is the essence of AMs.
A woman spills coffee on herself, and it burns her. We hear, āSomeone had butterfingers,ā and comprehend hot liquids scald.
A lawyer hears āThe coffee was too hotā and the winds of a lawsuit. This particular woman's lawyer took facts and bent them and shaped them to fit the objective set out by the law. This is what the attacker mindset looks like at work. Your attacker mindset will differ from that of a lawyer's, but the central principles remain: the building of an attack is based on information as you perceive it; the execution is based on the information as you apply it. AMs is nothing more or less than a way of taking information in and applying it to an objective. The mark of a good attacker is the ability to repurpose information in ways not intended by the source. This is made possible by using the first and second laws of the attacker mindset: the first law states that you start with the end in mind, and the second law states that you gather, weaponize, and leverage information as a means to that end.
As an example, if you hear of a company holding a conference, you may be able to phish them by gathering information on who their vendors are and impersonating those vendors by way of vish (a call in which an attacker attempts to gain information or perform an attack), phish (an email in whch an attacker aims to gain information or gain access to a user's machine/network), or even in person to gain sensitive details or access. If they are holding the event virtually, a well-crafted phish will have a high probability of being undetected. You might start by finding out which platform they are holding the event on and phishing them, pretending to be that platform. You might be able to phish their attendees or their speakers, appearing as if you are in fact reaching out from the hosting company itself, gaining access to potentially thousands of people's sensitive data. Most people's reaction to that possibility is that this sort of attack would be illegal. This is actually up for debate, depending on where in the world you live. Some governments can authorize this sort of test if you have a bank account in that country, as an example. Typically, though, it will be a company that hires you, and you will not be able to test their attendees.
Let's look at another example of how this mindset can take seemingly innocuous informationāin this case given by the sourceāand use it to create a vulnerability. Say you are able to circumvent a company's technical defenses upon searching current or historical job postings. In this example, a company was looking for a candidate who had āan overview or understanding of SAP product and service portfolio (SAP Cloud Platform Integration, SAP PI/PO, API Management).ā They were also looking for that person to have āsound knowledge of JavaScript and Groovy Script. [Be] able to configure Sound NetWeaver. Should be comfortable with Java Programming. Nice to have worked in UI developments using SAP Web IDE \#.ā
There's a lot of information in this that could prove vital in various attacks against this target, including network, web app, phishing, and vishing attacks.
A network attack is an attempt to gain...