The Art of Attack. Maxie Reynolds. Читать онлайн. Newlib. NEWLIB.NET

Автор: Maxie Reynolds
Издательство: John Wiley & Sons Limited
Серия:
Жанр произведения: Зарубежная компьютерная литература
Год издания: 0
isbn: 9781119805472
Скачать книгу
account information, and anything else stored in the database.

      A simple vish could be made with this knowledge to multiple departments in the organization to gain more information based on these findings or to weaponize this information immediately to attempt to gain forgotten credentials. You may be able to gain entry to a secure building upon learning of an upcoming event they are holding and vishing to find out which type of ID is required to enter. If it's their work badge, you may be able to find a clear enough picture online to re-create one. You may be able to circumvent a whole building's security team by finding out what time the guards change shifts.

      It's silly to argue about the “true” meaning of a word—a word means whatever people believe it to mean—but for me, “hacking” information through AMs means using information in ways unanticipated by the original source. Just as a hacker uses something in a way it was not intended to be used, an attacker uses information in a way it was not intended. This gives AMs a sense of neutrality on the surface, but delving a little deeper into it, it encompasses the art of the mindset seamlessly: information exists, and we are free to process it and apply it however we want. A great attacker will always apply information for the good of the attack; they will always bend and twist the information in a way that furthers the mission or gains the objective.

      There are two main states of attacker mindset: there's before the vulnerable information has been carved out and there's after. One commonality exists between them: every step you take as an attacker must go in the direction of the objective. The nature of AMs means it boils down to forming information around the objective, inferring in cases, leveraging information where possible, and concealing other information where needed. These are the core competencies that make up AMs, and we are about to start untangling them. But it is prudent to note that you do not need the skills to understand the laws of AMs, and you do not need the laws to use the skills. It's the application of the skills against the laws that makes the mindset:

       The first law of AMs states that you start with the end in mind, knowing your objective. This will allow you to use laws 2, 3, and 4 most effectively.

       Law 2 states that you gather, weaponize, and leverage information for the good of the objective. This is how you serve law 1.

       Law 3 says that you never break pretext. You must remain disguised as a threat at all times.

       Law 4 tells you that everything you do is for the benefit of the objective. The objective is the central point from which all moves an attacker makes hinge. You cannot diverge from the objective set out because of law 1.

      It is the interwoven use of five cognitive skills that form the backbone of the attacker mindset:

      1 You cannot become a good ethical attacker without a healthy dose of curiosity.

      2 Your curiosity will not pay off without persistence.

      3 You will have nothing to persist in if you cannot take in information and leverage the most mundane of it correctly.

      4 You will need to have mental agility enough to actively adapt information in the moment.

      5 If you have all of these skills, you will still only succeed if you have a high level of self-awareness, because you must always know what you bring and how to leverage it. Self-awareness will allow you a higher level of influence over someone else. These five things play a role in every job you will get as an ethical attacker looking to succeed.

      Defenses against attackers generally center on building technological protections to combat ever-lurking adversaries. Businesses typically try to fortify their assets by closing off the most obscure entry points, which is commendable. But it becomes irrelevant if they leave the front door wide open rather than employing an active defense. Attackers are often relentless and dogged types (and need to be in order to succeed). Protecting against this can be difficult, because the threat is somewhat faceless and motionless until one day it's not—how can we truly protect ourselves against such a faceless, shapeless entity, you may wonder? Something that doesn't seem like it's a threat at all until one day it appears, and it is tangible, dangerous, and consequential. Looking the threat in the face leaves most companies wondering how they could have missed imagining the scenario in which they find themselves, and the truth is there are infinite attack scenarios. Imagining and barricading against them all is futile. Learning to think like an attacker, seeing how information about you can be used against you, will not stop it from happening, but it will make halting attacks in their tracks that much easier. It's the closest thing to a security panacea I will see in my working lifetime, of that I have no doubt.

      Also, as I have said in the introduction and countless times before, whether it be when asked by people curious about my profession or in interview and training settings, putting the word ethical, or some variation of it, before the word attacker will not make the words that follow invisible to malicious actors. I also cannot control who buys this book. But I believe that learning to think like a malicious attacker can and will help us, as security professionals, get ahead, stay ahead, and beat them. We take their power when we can think like them, but with a purer intent.

      As a society, we test everything: we test our cars to see how they'll fare on impact, we test buildings for structural safety, we even test markets before launching products. We train our emergency personnel, too, and rightly so. We wouldn't simply place a person in front of a burning building with a hose expecting them to put it out; we