The Art of Attack. Maxie Reynolds

Title: The Art of Attack

Author: Maxie Reynolds

Publisher: John Wiley & Sons Limited

Genre: Foreign computer literature

ISBN: 9781119805472

that allows repurposing of information when a situation calls for it and the agility to adapt the information in ways not always intended by the source; and finally, this mindset requires self-awareness. Self-awareness is invisible. No one can “see” that you are self-aware, but almost everyone can feel if you are or not. You must leave people feeling however you need them to in order to fulfill your objective. I will cover this in a later chapter on target psychology.

It's silly to argue about the “true” meaning of a word—a word means whatever people believe it to mean—but for me, “hacking” information through AMs means using information in ways unanticipated by the original source. Just as a hacker uses something in a way it was not intended to be used, an attacker uses information in a way it was not intended. This gives AMs a sense of neutrality on the surface, but delving a little deeper into it, it encompasses the art of the mindset seamlessly: information exists, and we are free to process it and apply it however we want. A great attacker will always apply information for the good of the attack; they will always bend and twist the information in a way that furthers the mission or gains the objective.

There are two main states of attacker mindset: there's before the vulnerable information has been carved out and there's after. One commonality exists between them: every step you take as an attacker must go in the direction of the objective. The nature of AMs means it boils down to forming information around the objective, inferring in cases, leveraging information where possible, and concealing other information where needed. These are the core competencies that make up AMs, and we are about to start untangling them. But it is prudent to note that you do not need the skills to understand the laws of AMs, and you do not need the laws to use the skills. It's the application of the skills against the laws that makes the mindset:

The first law of AMs states that you start with the end in mind, knowing your objective. This will allow you to use laws 2, 3, and 4 most effectively.

Law 2 states that you gather, weaponize, and leverage information for the good of the objective. This is how you serve law 1.

Law 3 says that you never break pretext. You must remain disguised as a threat at all times.

Law 4 tells you that everything you do is for the benefit of the objective. The objective is the central point from which all moves an attacker makes hinge. You cannot diverge from the objective set out because of law 1.

It is the interwoven use of five cognitive skills that form the backbone of the attacker mindset:

1. You cannot become a good ethical attacker without a healthy dose of curiosity.

2. Your curiosity will not pay off without persistence.

3. You will have nothing to persist in if you cannot take in information and leverage the most mundane of it correctly.

4. You will need to have mental agility enough to actively adapt information in the moment.

5. If you have all of these skills, you will still only succeed if you have a high level of self-awareness, because you must always know what you bring and how to leverage it. Self-awareness will allow you a higher level of influence over someone else. These five things play a role in every job you will get as an ethical attacker looking to succeed.

Defenses against attackers generally center on building technological protections to combat ever-lurking adversaries. Businesses typically try to fortify their assets by closing off the most obscure entry points, which is commendable. But it becomes irrelevant if they leave the front door wide open rather than employing an active defense. Attackers are often relentless and dogged types (and need to be in order to succeed). Protecting against this can be difficult, because the threat is somewhat faceless and motionless until one day it's not—how can we truly protect ourselves against such a faceless, shapeless entity, you may wonder? Something that doesn't seem like it's a threat at all until one day it appears, and it is tangible, dangerous, and consequential. Looking the threat in the face leaves most companies wondering how they could have missed imagining the scenario in which they find themselves, and the truth is there are infinite attack scenarios. Imagining and barricading against them all is futile. Learning to think like an attacker, seeing how information about you can be used against you, will not stop it from happening, but it will make halting attacks in their tracks that much easier. It's the closest thing to a security panacea I will see in my working lifetime, of that I have no doubt.

Also, as I have said in the introduction and countless times before, whether it be when asked by people curious about my profession or in interview and training settings, putting the word ethical, or some variation of it, before the word attacker will not make the words that follow invisible to malicious actors. I also cannot control who buys this book. But I believe that learning to think like a malicious attacker can and will help us, as security professionals, get ahead, stay ahead, and beat them. We take their power when we can think like them, but with a purer intent.

As a society, we test everything: we test our cars to see how they'll fare on impact, we test buildings for structural safety, we even test markets before launching products. We train our emergency personnel, too, and rightly so. We wouldn't simply place a person in front of a burning building with a hose expecting them to put it out; we test our firefighters, give them experience and build their skills. The same goes for many other professions. As businesses, we can and should test everything. “Everything” includes human-based defenses. Testing people against ostensibly malicious attacks is tactical, daunting, and dynamic, but it works as a way of upping security, and it's the next great defense in security for businesses, and for us all. One of the most effective ways to uncover flaws and weaknesses in a business's security posture is to carry out planned attacks, exposing gaps in their defenses before a malicious attacker can take advantage.