The Art of Attack. Maxie Reynolds

Читать онлайн книгу.

The Art of Attack - Maxie Reynolds


Скачать книгу
field. However, as a trained pen tester there will also be crossover.

      The tagline I've used to put attacker mindset into shorthand over the years is: there really is nothing good or bad, but your attacker mindset makes it so—this line is effectively how this book came into being: Countless hours of trying to teach people the art of the attacker mindset allowed a reduction of it to that statement. The attacker mindset allows us to hack information, which may on the surface be neutral to the untrained pedestrian, but to you or I as attackers, could prove lethal when leveraged correctly. There's no information that you will come across that's simply good or bad; information is processed through the lens of the attack and its objective.

      The attacker mindset should be taught to those who need it most—those who we, as a society, want to protect from malicious attackers. Companies should use physical testing as well as network testing to evaluate their security postures regularly, which will help build their populations' intuition and security. The attacker mindset should be used in boardrooms and other government and corporate settings as a way to scrutinize and analyze blind spots and vulnerabilities. Members of the cyber and information security communities should be consulted as think tanks and task forces. So, my aim is for this book to speak to those decision makers as well.

      However, because I will look at the attacker mindset through the lens of a security professional, this book is first and foremost intended for those who wish to partake in a modern battle of stress testing and ethics: security professionals. Ethics and morals will come into play quite a bit. Knowing how to portray the bad actors is not the same as actually becoming them. The line that separates us from them is the line of ethics.

      There's also a case to be made that says ordinary individuals can benefit from learning about AMs. Awareness of how this mindset might present itself can prove pivotal in assessing whether an attack is being mounted against you and what to do if it is. Because of this, my aim for The Art of Attack is for it to be useful for the general public, too.

      My final sentiments are a cloned copy of Tai T'ung, who, in the 13th century said of his book, History of Chinese Writing: “Were I to wait perfection, my book would never be finished.” Of course, I am not writing a history of the attacker mindset. I am setting out to show the full breadth of it and its modern-day uses and functions.

       The idea behind this book is to document and teach the attacker mindset, without taking individualism and obliterating it.

       Different strengths will have to be played to by all of us who use this book to build an attacker mindset and execute attacks. Nonetheless, I'll pick apart the attacker mindset so that we can find the commonalties and still leave room for each of us to apply our own personal brand to it.

       The greatest and sharpest attackers are trained to see opportunities in the moment, and there's no way for this book to list the infinite opportunities an (ethical or otherwise) attacker might come across out in the field. But what it will teach is this: how to form the attacker mindset and how to apply it.

       In the name of ethics, the final part of this book will explore the “tells” of an attack and what businesses, organizations, and institutions can and should do pre- and post-attack to protect themselves.

       Finally, the end goal of the attack, after you've sprinted 18 flights of stairs, hidden under desks, been wedged in between two 20-foot containers, sweated the foundation off your thumb tattoos (all fun stories for later), and handed in the report, is to leave each company, boardroom, and client stronger for having employed you. It's almost all that separates us from the bad guys.

      Here we go. Enjoy.

Part I The Attacker Mindset

      War is 90 percent information.

       —Napoleon Bonaparte

      It is 5 a.m., and I still have an hour before I meet my team. I've been up for the last hour going over plans because this is how I always start my attacks: with a niggling amount of nervous energy, I pace the floor of my hotel room, playing a game of mental chess in my mind. I go over my initial approach, consider my possible moves if I do get past security, and then again if I don't, I start to wonder How will I pivot? The game of mental chess carries on. This is the most efficient and successful way I have found to hone my mental agility.

      From this thought I dive into a myriad of others, imagining new ways I might get into the building, new ways to escalate my privileges and deepen my foothold after my initial breach, whether that starts in the basement or the lobby. If someone happens to ask me why I am in the basement, could I say I got in the wrong elevator from the parking garage and ask for help…?

      I continue to walk myself through it all a few times, picturing different obstacles: Would it be better just to tailgate, or should I walk in front of the building declaring myself a visitor? I imagine the payoffs of each and weigh them. Working the visitor system should give me almost unfettered access for the day, but it's a high-risk move, I tell myself, whereas tailgating in through a less visible entrance leaves me at the mercy of sloppy, albeit well-intentioned, employees holding any one of hundreds of fire and security doors open for me… . Taking a moment, I come to a conclusion: No, stick with the A-plan: go to security and get access, I tell myself.

      The whole time I'm performing this mental pre-attack ritual, I am reminding myself of the same things over and over: get in, get the flags, never let them know you're a threat, and stay within scope. In my mind I am always making my way to the 38th floor, and I am always mentally preempting the challenges I'll face as I try to walk into the CFO's office and place a USB drive into their computer port. That's my job. And, although I like to warm up by running as many possibilities through my mind as I can come up with, I have yet to predict obstacles and pivots correctly


Скачать книгу