I soon start to focus on making sure I've disguised myself as a threat. I've based my pretext off the OSINT I've found so far. For this bank job, I am a lawyer here to help wrap up the mergers and acquisitions deal that was all over the news only weeks ago, albeit without much context. It took a lot of searches and piecing together information to choose the nuance of this pretext; I am not just any lawyer, but a lawyer who is now needed to help the deal over the final few hurdles, equipped with an abundance of paperwork—my prop and my seeming legitimacy. And, unless the security guards happen to be a team of lawyers, I won't be found out by the typical questions people ask a lawyer: What are you here for? What firm do you work for? How long have you been practicing, what school did you go to? Do you know how I can get out of a parking ticket? I call these my pretext layers, and depending on the job, I might need to go many layers deep, to the point I need to know much more than you might expect, from common jargon to how a piece of machinery works.
The start point of the operation is as hermetic as it's ever going to be. I have my props, which in this case are an ID card from my “firm” and a portfolio filled with “legal documents,” categorized by tabs that have the words “Signed by [CFO's name]” and today's date. I also have a fake guest pass card that one of my teammates was able to print for me based on a picture of a legitimate one we'd found on Yelp. Blessed be Yelp. I have lock picks; I have my radio-frequency identification (RFID) duplicator and fobs just in case the opportunity arises to clone a working security card I can't slip into my pocket; and I have the most important thing I'll carry all day: my letter of approval. It is a piece of paper with my point of contact's name and number and a short statement asking anyone who detains me to contact him before the police. I also have my fake ID, although I am sans a snack, which is unlike me. The snack is not important. Yet.
With another huge thanks to mighty OSINT, I've already prepared my outfit for the day, too. I've had it picked out for about a week now, and it will be a big part of the operation. I've chosen it with meticulous care to be professional and versatile. This is not a job where I can wear a costume. I won't be going head-to-toe in scrubs or coveralls, like in some of my other jobs. I put on my wardrobe for the day with a sense of gravity and focus that I generally don't use for throwing on my usual working-from-home attire (sweats on the bottom, work-acceptable T-shirt on top). It is the middle of summer in New York, yet I have on a long-sleeved blue shirt under a white silk shirt, but for a good reason. There is a chance I'll need to ditch the top layer so that the security team can't quickly identify me by the color of my clothes, should someone start to become suspicious. I have a hairband tied around my wrist, too, to throw my hair up in case I need to hide its length and color. I've put foundation on the rather unfortunate tattoo I have on my right thumb. I'll be returning to this office soon enough, and I don't want anything about me to be too recognizable. These seemingly inconsequential things matter.
Finally, dressed and mentally prepared, I leave the room to meet my team. They won't be joining me, but they will be on standby in case of trouble, which is a company policy and one I've been thankful for on more than one occasion. After a pep talk, making sure we can stay in constant communication, I make my way to the bank's offices and try to break in, knowing that if it all goes well, I'll be out in time to do it a second time under the cover of darkness. I'll need my team for that and a few more games of mental chess.
Using the Mindset
The attacker mindset (AMs) is a set of cognitive skills applied to four laws. It is evident and relevant across all professions, trades, and businesses, although it often goes under the guise of expertise. Many people exhibit AMs qualities within their domain, as we will look at shortly. The Art of Attack, however, is about gaining and using this mindset for malicious activity over any domain—but in a way that ultimately results in the betterment of an organization's security.
The laws say that you must know your end goal, be able to constantly collect information that you can weaponize and leverage to achieve that goal, develop a pretext that you never let slip, and have every action you take be for the advancement of the objective. As you will see, the cognitive skills needed to uphold these laws in an attack are broad, but they all have a single common thread: they relate to information, and most importantly, information as you perceive it. There is no attack without information, and learning to tie it back to your objective is the essence of AMs.
A woman spills coffee on herself, and it burns her. We hear, “Someone had butterfingers,” and comprehend hot liquids scald.
A lawyer hears “The coffee was too hot” and the winds of a lawsuit. This particular woman's lawyer took facts and bent them and shaped them to fit the objective set out by the law. This is what the attacker mindset looks like at work. Your attacker mindset will differ from that of a lawyer's, but the central principles remain: the building of an attack is based on information as you perceive it; the execution is based on the information as you apply it. AMs is nothing more or less than a way of taking information in and applying it to an objective. The mark of a good attacker is the ability to repurpose information in ways not intended by the source. This is made possible by using the first and second laws of the attacker mindset: the first law states that you start with the end in mind, and the second law states that you gather, weaponize, and leverage information as a means to that end.
As an example, if you hear of a company holding a conference, you may be able to phish them by gathering information on who their vendors are and impersonating those vendors by way of vish (a call in which an attacker attempts to gain information or perform an attack), phish (an email in whch an attacker aims to gain information or gain access to a user's machine/network), or even in person to gain sensitive details or access. If they are holding the event virtually, a well-crafted phish will have a high probability of being undetected. You might start by finding out which platform they are holding the event on and phishing them, pretending to be that platform. You might be able to phish their attendees or their speakers, appearing as if you are in fact reaching out from the hosting company itself, gaining access to potentially thousands of people's sensitive data. Most people's reaction to that possibility is that this sort of attack would be illegal. This is actually up for debate, depending on where in the world you live. Some governments can authorize this sort of test if you have a bank account in that country, as an example. Typically, though, it will be a company that hires you, and you will not be able to test their attendees.
Let's look at another example of how this mindset can take seemingly innocuous information—in this case given by the source—and use it to create a vulnerability. Say you are able to circumvent a company's technical defenses upon searching current or historical job postings. In this example, a company was looking for a candidate who had “an overview or understanding of SAP product and service portfolio (SAP Cloud Platform Integration, SAP PI/PO, API Management).” They were also looking for that person to have “sound knowledge of JavaScript and Groovy Script. [Be] able to configure Sound NetWeaver. Should be comfortable with Java Programming. Nice to have worked in UI developments using SAP Web IDE \#.”
There's a lot of information in this that could prove vital in various attacks against this target, including network, web app, phishing, and vishing attacks.
A network attack is an attempt to gain unauthorized access to the target's network, with the objective of stealing data or performing other malicious activity. Thanks to this job posting, I know that the target uses systems applications and products (SAP) systems, which are tempting to perform an attack on because they store and manage the lifeblood of any organization: critical information and business processes. SAP systems can be based on different platforms: ABAP (Advanced Business Application Programming), Java, or HANA. We can assume this is based on Java, given the job description. The main SAP platform is SAP NetWeaver, and ExploitDB (www.exploit-db.com
)—a popular website repository—shows that vulnerabilities exist for version 7.4, one of which showed that SQL injections are possible. This type of attack allows attackers to inject their own evil SQL commands, creating requests and paving the way for access to critical data