Take on the perspective of an attacker with this insightful new resource for ethical hackers, pentesters, and social engineers
In The Art of Attack: Attacker Mindset for Security Professionals, experienced physical pentester and social engineer Maxie Reynolds untangles the threads of a useful, sometimes dangerous, mentality. The book shows ethical hackers, social engineers, and pentesters what an attacker mindset is and how to use it to their advantage. Adopting this mindset improves security, both offensively and defensively, by letting you see your environment objectively through the eyes of an attacker.
The book shows you the laws of the mindset and the techniques attackers use, from persistence to "start with the end" strategies and non-linear thinking, that make them so dangerous. You'll discover:
- A variety of attacker strategies, including approaches, processes, reconnaissance, privilege escalation, redundant access, and escape techniques
- The unique tells and signs of an attack and how to avoid becoming a victim of one
- What the science of psychology tells us about amygdala hijacking and other tendencies that you need to protect against
Perfect for red teams, social engineers, pentesters, and ethical hackers seeking to fortify and harden their systems and the systems of their clients, The Art of Attack is an invaluable resource for anyone in the technology security space seeking a one-stop resource that puts them in the mind of an attacker.
Table of Contents
About the Author v
Acknowledgments vii
Introduction xv
Part I: The Attacker Mindset 1
Chapter 1: What Is the Attacker Mindset? 3
Using the Mindset 6
The Attacker and the Mindset 9
AMs Is a Needed Set of Skills 11
A Quick Note on Scope 13
Summary 16
Key Message 16
Chapter 2: Offensive vs. Defensive Attacker Mindset 17
The Offensive Attacker Mindset 20
Comfort and Risk 22
Planning Pressure and Mental Agility 23
Emergency Conditioning 26
Defensive Attacker Mindset 31
Consistency and Regulation 31
Anxiety Control 32
Recovery, Distraction, and Maintenance 34
OAMs and DAMs Come Together 35
Summary 35
Key Message 36
Chapter 3: The Attacker Mindset Framework 37
Development 39
Phase 1 43
Phase 2 47
Application 48
Preloading 51
“Right Time, Right Place” Preload 51
Ethics 52
Intellectual Ethics 53
Reactionary Ethics 53
Social Engineering and Security 57
Social Engineering vs. AMs 59
Summary 60
Key Message 60
Part II: The Laws and Skills 63
Chapter 4: The Laws 65
Law 1: Start with the End in Mind 65
End to Start Questions 66
Robbing a Bank 68
Bringing It All Together 70
The Start of the End 71
Clarity 71
Efficiency 72
The Objective 72
How to Begin with the End in Mind 73
Law 2: Gather, Weaponize, and Leverage Information 75
Law 3: Never Break Pretext 77
Law 4: Every Move Made Benefits the Objective 80
Summary 81
Key Message 82
Chapter 5: Curiosity, Persistence, and Agility 83
Curiosity 86
The Exercise: Part 1 87
The Exercise: Part 2 89
Persistence 92
Skills and Common Sense 95
Professional Common Sense 95
Summary 98
Key Message 98
Chapter 6: Information Processing: Observation and Thinking Techniques 99
Your Brain vs. Your Observation 102
Observation vs. Heuristics 107
Heuristics 107
Behold Linda 108
Observation vs. Intuition 109
Using Reasoning and Logic 112
Observing People 114
Observation Exercise 116
AMs and Observation 122
Tying It All Together 123
Critical and Nonlinear Thinking 124
Vector vs. Arc 127
Education and Critical Thinking 128
Workplace Critical Thinking 128
Critical Thinking and Other Psychological Constructs 129
Critical Thinking Skills 130
Nonlinear Thinking 131
Tying Them Together 132
Summary 133
Key Message 134
Chapter 7: Information Processing in Practice 135
Reconnaissance 136
Recon: Passive 145
Recon: Active 149
OSINT 150
OSINT Over the Years 150
Intel Types 153
Alternative Data in OSINT 154
Signal vs. Noise 155
Weaponizing of Information 158
Tying Back to the Objective 160
Summary 170
Key Message 170
Part III: Tools and Anatomy 171
Chapter 8: Attack Strategy 173
Attacks in Action 175
Strategic Environment 177
The Necessity of Engagement and Winning 179
The Attack Surface 183
Vulnerabilities 183
AMs Applied to the Attack Vectors 184
Phishing 184
Mass Phish 185
Spearphish 186
Whaling 187
Vishing 190
Smishing/Smshing 195
Impersonation 196
Physical 199
Back to the Manhattan Bank 200
Summary 203
Key Message 203
Chapter 9: Psychology in Attacks 205
Setting the Scene: Why Psychology Matters 205
Ego Suspension, Humility & Asking for Help 210
Humility 215
Asking for Help 216
Introducing the Target-Attacker Window Model 217
Four TAWM Regions 218
Target Psychology 221
Optimism Bias 225
Confirmation Bias and Motivated Reasoning 228
Framing Effect 231
Thin-Slice Assessments 233
Default to Truth 236
Summary 239
Key Message 239
Part IV: After AMs 241
Chapter 10: Staying Protected - The Individual 243
Attacker Mindset for Ordinary People 243
Behavioral Security 246
Amygdala Hijacking 250
Analyze Your Attack Surface 252
Summary 256
Key Message 256
Chapter 11: Staying Protected - The Business 257
Indicators of Attack 258
Nontechnical Measures 258
Testing and Red Teams 261
Survivorship Bias 261
The Complex Policy 263
Protection 264
Antifragile 264
The Full Spectrum of Crises 266
AMs on the Spectrum 268
Final Thoughts 269
Summary 270
Key Message 271
Index 273