Thinking Bad for the Sake of Good

Having and Using Attacker Mindset Doesn’t Have to be Bad. 

Mental diversity in terms of security can make our communities and companies safer. However, if no one is actually thinking like the attacker then we are essentially fighting an invisible, unknowable force – and how can you win when you’re up against such an entity? In The Art of Attack, out June 2nd 2021, I argue all companies, organizations and agencies should: 

A) employ tactical and combative methods internally through attacker mindset to identify security gaps  

B) be willing to change, employing corporate humility, to mitigate vulnerabilities and security gaps 

This is the simple formula that explains how the most secure companies do the impossible and remain ahead of attackers. Innovative companies use it to change their position from defensive to offensive. Resilient companies use it to become antifragile. But all companies require it. Additionally, we are all at risk if the companies we interact with don’t employ this mindset in their security programs. 

Companies and government alike must always be able to identify dangerous shortcomings and react to any glaring limitations in short course. If they can't or aren't trying, they aren’t being proactive. They aren’t invested in security. Yours, mine or their own.  

THINKING LIKE AN ATTACKER ISN’T BAD; TEACHING IT TO THOSE THAT DON’T WISH TO HARM US, BUT TO PROTECT US, WILL GREATLY IMPACT OUR SUCCESS IN INFORMATION SECURITY GOING FORWARD.  

The following post is a brief overview of what Attacker Mindset (AMs) is and why it’s important for the future success of security. 

AMs is all around us; it’s usually referred to as “expertise.” Great athletes have it – they know the opposing team, they know their own strengths, they have a play. Great lawyers have it – they know the law and they build a narrative around it to win any given case. We’re going to explore AMs through the lens of security, and labeling it with something as broad in definition as “expertise” would be counterproductive. Attacker mindset in security is acting like the enemy for the long-term good of a company or organization. It is a set of cognitive skills applied to four laws.

Cognitive skills: 

  • Curiosity 
  • Persistence 
  • Leveraging Information 
  • Self-Awareness 


The Four Laws: 

1. Weaponizing information for the good of the objective

2. Every action taken must be in support of the objective

3. Pretext can never be broken* 

4. Start with the end in mind 

*This law (3) actually means that the attacker is never “themselves”. They are always in character for the sake of the second law. 

Engaging and operating under this mindset means interpreting a set of circumstances from it in a fixed way, but never allowing it to lead to a fixed result. 

WHY DO WE NEED IT? 

Think like the bad guys with the intent of the good guys. 

This untangling and laying out of AMs is not to teach people to be malevolent or immoral; it’s actually a bid to teach security professionals to be ethical and virtuous – testing people, companies and security for our greater good. Teaching the attacker mindset to those that don’t seek to harm us, but to protect us, will greatly impact our successes in information security going forward. These people should be allowed to test the rest of the business population before the real bad guys do, whether as an internal team or an external one. By enabling this, we allow the improvement of security, offensively and defensively, by allowing businesses to see their environments objectively. A lack of offensive strategy is the defining threat of our generation; analysis through sharp AMs solves this. 

The greatest and sharpest attackers are trained to see opportunities in the moment. There is no way to list the infinite opportunities an attacker (ethical or otherwise) might happen across, but what AMs should teach is this: how to form the mindset and how to apply it. If a company is not looking at itself through the lens of an attacker, it is not serious about security.


CRITICAL THINKING AND AMs 

CRITICAL THINKING CANNOT BE BRANDED. 

Critical thinking can be thought of as the ability to identify a problem and solve it using logic and creative reasoning. Where information is concerned, critical thinking is the ability to analyze information through consciously controlled logic, or through thorough examination of a problem. Critical thinking is the intersection of visual memory, attention span and the prediction of consequences, coming together to drive decision making. 

This brings us to the overlapping topic of critical thinking in the professional workplace and as a feature of AMs. “Critical thought” is – annoyingly – a trending buzzword at the moment. It’s desirable in most professional offices, but more often than not it is being conducted in the antithesis of its core role: being told to think critically in order to reach some arbitrary conclusion set by your superiors, teammates or any other faction within your working environment is the great suppressor of critical thinking. What you are actually being told to do is perform a culturally subjective analysis. I am against this in its entirety. If you have gotten into the habit of this and think that your critical thought should lead you to the same conclusions as those of your peers or co-workers, you may have to work to undo this thought process. AMs will thrive through this sort of mental shift.

Critical thinking interwoven with your attacker mindset is powerful. 

As an aside, in a brilliant study by Google on high-performing teams, psychological safety was a bolstering factor of a strong, effective team. If a team member cannot overcome a mistake quickly, without fear of persecution from other team members or management, then the team will break down and ultimately become unproductive. The same is true for red teams, blue teams, social engineering teams and all that employ AMs. So thinking critically cannot be “branded” or culturally aligned, and it cannot be punished. It’s only a good thing.

Finally, cultivating an industry in which AMs is a requirement is our best hope to close the security gaps that are so obvious, if only you know what to look for.

Written by Maxie Reynolds

#socialengineering #informationsecurity #attackermindset #defense #offense #offensivesecurity #businesssecurity #ams #criticalthinking #redteam #blueteam

Zlata P.

OSINT Analyst | OSINT Investigator | SOCMINT | Information Security Professional

3 years

Pre-ordering your book ??

Mitchell Tolbert

May we never confuse honest dissent with disloyal subversion. -Eisenhower

4 years

Amazing article! Thank you!

Rino Belcamino

Special Operations and Training: SAS-MC, CSOS, ATS-C, ASHER-S, Master Use of Force Instructor

4 years

This is a great article, Maxie. Been pushing this idea for many years. Also, trying to adopt “Red Cells” to test vulnerabilities should be used even if the tactics are unpleasant or strident.
