For people and businesses alike, it’s daunting and nerve-racking to be continuously warned by mainstream media and influential communities about an imminent threat: an attacker who is both faceless and shapeless. The threat is real, though, and it can strike from anywhere and at any time. The good news is that in most cases there are ways to avoid the threat or sidestep it. And when confronted with it head on, there is a specific mindset you can adopt that will help neutralize that threat and any that follow. In other words, to beat them, join them. To learn how, read on.
“Sometimes you have to see yourself through the eyes of those that want to do you harm.” — Maxie Reynolds
Spies and Conmen—Us and Them
Malicious and ethical attackers use the same means, the same strategies and the same principles to attack and reach their objectives. Most often, the objective is to gain assets, intellectual property (IP) or other sensitive information from a business or individual. Intent, though, matters. As ethical attackers and social engineers, we are the intersection of corporate spies and conmen, with a helpful auditor thrown in for good measure (and ethics). When we enter people’s places of work, instead of leaving with their assets and IP at the end of a job, we leave them with a full and clear picture of their vulnerabilities and how to eliminate them. Through this lens, let’s look at how an attacker sizes you up, decides on an attack vector and executes. Instead of leaving what is invisible to you open as a means of entry, this post will help you think like us, the ethical attackers, so that you can define your vulnerabilities and remove them. As a result, you stop the malicious attackers from exploiting your weaknesses.
It’s a Mindset
Attacker Mindset (AMs) is the faculty a specialist brings to a problem. It is nominally called “expertise,” but that is too broad a definition. A good lawyer, for example, should possess a strong AMs: they hear the same information we, as ordinary pedestrians, do and arrive at a completely different outcome. You may recall the McDonald’s hot coffee case, in which a woman was burned by coffee she spilled on herself and her lawyer won a multi-million-dollar jury verdict against McDonald’s.
Most people heard that story and thought “hot liquids burn!” Her lawyer heard the makings of a lawsuit. This is a great example of AMs. All of us had the same information, but the lawyer took that information and found out more. He then tied it back to his objective and successfully took the route that led to an arguably rightful payout for the injured woman. None of this diminishes her injuries, which were serious.
The Power of Information
AMs, in the context of security, means weaponizing information and leveraging it much as the lawyer did. A strong mindset never lets an attacker stray from the path to their objective. If the objective is to get into your Security Operations Center (SOC), they will get there through a series of steps that never diverge from that direction, and they will use a business’s own information against it. For example, suppose a company publishes details of a vacant job it wants filled. The post states that the person must be able to “utilize Slack and JIRA for internal communications and issues reporting.” An attacker now has a very good platform from which to vish (voice phish) employees: a caller who already knows which chat and ticketing tools you use sounds like a colleague or a vendor, and a plausible pretext built on those names can yield information and credentials that ultimately let them log in and wreak havoc in that business’s environment.
Defense is Process
What can we do? What mindset can we adopt to defend ourselves from those who wish to do us harm with information we thought was innocuous? The same one used against us, at least at first. Take on the viewpoint of an attacker. Look at the information available online about yourself, your job postings included, and ask how each piece could be used against you. When you have a clear view, mitigate and educate. Tell your employees that an attack is possible. Our SE Vishing Service (SEVS) and our Social Engineering Risk Assessments are built around exactly this: educating people, not deploying robots. That process is, at the end of the day, what will save them. AMs will help us, as companies, see where we need to be saved.
Processes that are stuck to are the bane of an attacker’s life. Let’s use them.
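Reviewing your own public text the way an attacker reads it (the job-post example under “The Power of Information” and the self-review step above) can be made a repeatable process rather than a one-off exercise. The script below is an added illustration written for this post, not code from the author or from Social-Engineer, LLC. It scans a constructed sample job posting for named internal tools, reports the sentence that leaks each one together with the kind of vishing pretext it enables, and produces a sanitized version that still describes the job. The tool list, generic replacements and pretext descriptions are assumptions chosen for the example; extend them with whatever products your own postings mention.

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed for this example: product names that reveal an internal tool,
# the generic wording a sanitized posting could use instead, and the vishing
# pretext the disclosure hands an attacker. The product names are real; the
# pretexts are illustrative assumptions, not observed attacks.
TOOL_SIGNALS: dict[str, tuple[str, str]] = {
    "slack": ("a team chat platform",
              "'IT is migrating Slack workspaces, please confirm your login'"),
    "jira": ("an issue tracker",
             "'Support here, your JIRA account was locked after a failed sync'"),
    "okta": ("a single sign-on provider",
             "'Security needs you to approve a pending Okta push'"),
    "servicenow": ("an IT ticketing system",
                   "'Helpdesk calling about the ServiceNow ticket you opened'"),
    "active directory": ("a corporate directory service",
                         "'Domain admin running an Active Directory password audit'"),
    "workday": ("an HR platform",
                "'HR asking you to re-verify your details in Workday before payroll'"),
}

# Splits on whitespace that follows sentence-ending punctuation.
_SENTENCE_SPLIT = re.compile(r"(?<=[.!?])\s+")


@dataclass(frozen=True)
class Disclosure:
    tool: str       # key from TOOL_SIGNALS
    sentence: str   # the sentence in the posting that names the tool
    pretext: str    # illustrative vishing pretext the disclosure enables


def _pattern(tool: str) -> re.Pattern[str]:
    # Whole-word, case-insensitive match so "jira" does not hit "jirafa".
    return re.compile(rf"\b{re.escape(tool)}\b", re.IGNORECASE)


def find_disclosures(posting: str) -> list[Disclosure]:
    """Return every known tool named in the posting, in order of appearance."""
    found: list[Disclosure] = []
    for sentence in _SENTENCE_SPLIT.split(posting.strip()):
        for tool, (_generic, pretext) in TOOL_SIGNALS.items():
            if _pattern(tool).search(sentence):
                found.append(Disclosure(tool, sentence.strip(), pretext))
    return found


def sanitize(posting: str) -> str:
    """Replace named tools with generic wording so the job is still described
    but the attacker learns nothing about which products are in use."""
    text = posting
    for tool, (generic, _pretext) in TOOL_SIGNALS.items():
        text = _pattern(tool).sub(generic, text)
    return text


def report(posting: str) -> str:
    """Human-readable review of a posting: what leaks, and why it matters."""
    lines = []
    for d in find_disclosures(posting):
        lines.append(f"[{d.tool}] leaked by: {d.sentence}")
        lines.append(f"    enables pretext: {d.pretext}")
    if not lines:
        lines.append("No known internal tools disclosed.")
    return "\n".join(lines)


# Constructed sample posting for the example; not a real advertisement.
SAMPLE_POSTING = (
    "Project Coordinator (constructed sample posting). "
    "The successful candidate must be able to utilize Slack and JIRA for "
    "internal communications and issues reporting. "
    "Familiarity with Okta single sign-on is a plus. "
    "Reports to the Operations Manager."
)


if __name__ == "__main__":
    print(report(SAMPLE_POSTING))
    print()
    print("Sanitized posting:")
    print(sanitize(SAMPLE_POSTING))
```

Run it against the text of each posting before it goes live; a sanitized post that still reads naturally is the goal, and a second pass of `find_disclosures` over the sanitized text should come back empty. The same loop works on any other public text you publish, such as press releases or conference bios, once the signal table reflects your own environment.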
Written by: Maxie Reynolds
Sources
https://theamsbook.com/
https://www.caoc.org/?pg=facts
https://www.social-engineer.com/services/vishing-service/
Images
https://unsplash.com/photos/jX6WXNkvsPs
https://unsplash.com/photos/dh3JrDKhMcY