The tagline I've used to put attacker mindset into shorthand over the years is: there really is nothing good or bad, but your attacker mindset makes it so—this line is effectively how this book came into being: Countless hours of trying to teach people the art of the attacker mindset allowed a reduction of it to that statement. The attacker mindset allows us to hack information, which may on the surface be neutral to the untrained pedestrian, but to you or I as attackers, could prove lethal when leveraged correctly. There's no information that you will come across that's simply good or bad; information is processed through the lens of the attack and its objective.
I wrote this book solely to teach this mentality, but each of you will build your own version of it that reflects your strengths and weaknesses. This book should teach you how to think, not what to think. It contains chapters on open source intelligence (OSINT) and social engineering, too. However, other books and courses exist that break down how to perform OSINT and how to become a social engineer (SE). My aim is to show you how those fit into the AMs's executive functions.
Who Is This Book For?
The attacker mindset should be taught to those who need it most—those who we, as a society, want to protect from malicious attackers. Companies should use physical testing as well as network testing to evaluate their security postures regularly, which will help build their populations' intuition and security. The attacker mindset should be used in boardrooms and other government and corporate settings as a way to scrutinize and analyze blind spots and vulnerabilities. Members of the cyber and information security communities should be consulted as think tanks and task forces. So, my aim is for this book to speak to those decision makers as well.
However, because I will look at the attacker mindset through the lens of a security professional, this book is first and foremost intended for those who wish to partake in a modern battle of stress testing and ethics: security professionals. Ethics and morals will come into play quite a bit. Knowing how to portray the bad actors is not the same as actually becoming them. The line that separates us from them is the line of ethics.
There's also a case to be made that says ordinary individuals can benefit from learning about AMs. Awareness of how this mindset might present itself can prove pivotal in assessing whether an attack is being mounted against you and what to do if it is. Because of this, my aim for The Art of Attack is for it to be useful for the general public, too.
Finally, every chapter in this book, every paragraph, every sentence, has the capacity to offend or irk someone. Those with a detailed military background will need all of their patience to forgive what cannot be known about warfare recon without having been in the thick of it; those who guard the realm of the ethical hacker will need to find a way to subside their rage given this book speaks as directly to malicious attackers as it does ethical. Alas, I cannot control who reads this and what they do with the information within it. For those very sensitive or pedantic, putting the word ethical before the word attacker will not make what I say in this book invisible to any malicious actors reading it. To subside this rage, all I can offer is this: as a society increasingly in need of effective security measures, focusing on the need to better understand attacks and attackers is prudent. Understanding how and why an attacker performs is one thing—and it's important. But being able to think like them, looking at ourselves through their eyes, we become more powerful, more dominant, and far safer.
My final sentiments are a cloned copy of Tai T'ung, who, in the 13th century said of his book, History of Chinese Writing: “Were I to wait perfection, my book would never be finished.” Of course, I am not writing a history of the attacker mindset. I am setting out to show the full breadth of it and its modern-day uses and functions.
What This Book Covers
The idea behind this book is to document and teach the attacker mindset, without taking individualism and obliterating it.
Different strengths will have to be played to by all of us who use this book to build an attacker mindset and execute attacks. Nonetheless, I'll pick apart the attacker mindset so that we can find the commonalties and still leave room for each of us to apply our own personal brand to it.
The greatest and sharpest attackers are trained to see opportunities in the moment, and there's no way for this book to list the infinite opportunities an (ethical or otherwise) attacker might come across out in the field. But what it will teach is this: how to form the attacker mindset and how to apply it.
In the name of ethics, the final part of this book will explore the “tells” of an attack and what businesses, organizations, and institutions can and should do pre- and post-attack to protect themselves.
Finally, the end goal of the attack, after you've sprinted 18 flights of stairs, hidden under desks, been wedged in between two 20-foot containers, sweated the foundation off your thumb tattoos (all fun stories for later), and handed in the report, is to leave each company, boardroom, and client stronger for having employed you. It's almost all that separates us from the bad guys.
Here we go. Enjoy.
Chapter 1 What Is the Attacker Mindset?
War is 90 percent information.
—Napoleon Bonaparte
It is 5 a.m., and I still have an hour before I meet my team. I've been up for the last hour going over plans because this is how I always start my attacks: with a niggling amount of nervous energy, I pace the floor of my hotel room, playing a game of mental chess in my mind. I go over my initial approach, consider my possible moves if I do get past security, and then again if I don't, I start to wonder How will I pivot? The game of mental chess carries on. This is the most efficient and successful way I have found to hone my mental agility.
From this thought I dive into a myriad of others, imagining new ways I might get into the building, new ways to escalate my privileges and deepen my foothold after my initial breach, whether that starts in the basement or the lobby. If someone happens to ask me why I am in the basement, could I say I got in the wrong elevator from the parking garage and ask for help…?
I visualize the layout of the building internally—another luxury afforded by solid open source intelligence (OSINT) findings—and use faceless silhouettes to represent staff I might pass along the way. Sometimes I imagine them asking me questions; sometimes I imagine myself just nodding at them in silent acknowledgment. After all, the largest component of executing an artful attack lies in the attacker's ability to adapt to the people and surroundings in which they find themselves, even when those things are brand-new.
I continue to walk myself through it all a few times, picturing different obstacles: Would it be better just to tailgate, or should I walk in front of the building declaring myself a visitor? I imagine the payoffs of each and weigh them. Working the visitor system should give me almost unfettered access for the day, but it's a high-risk move, I tell myself, whereas tailgating in through a less visible entrance leaves me at the mercy of sloppy, albeit well-intentioned, employees holding any one of hundreds of fire and security doors open for me… . Taking a moment, I come to a conclusion: No, stick with the A-plan: go to security and get access, I tell myself.
The whole time I'm performing this mental pre-attack ritual, I am reminding myself of the same things over and over: get in, get the flags, never let them know you're a threat, and stay within scope. In my mind I am always making my way to the 38th floor, and I am always mentally preempting the challenges I'll face as I try to walk into the CFO's office and place a USB drive into their computer port. That's my job. And, although I like to warm up by running as many possibilities through my mind as I can come up with, I have yet to predict obstacles and pivots correctly