Want to boost cybersecurity? Embrace the attacker mindset
Thinking like a criminal trying to get into your home or organization can help identify vulnerabilities.
How safe is your home from burglary? One way to gain some perspective is to consider how you might try to gain entry to your home if you were a thief. You might start by checking for unlocked doors and windows, gaining access through your garage, or checking under the welcome mat for a key.
Using this process effectively could help you, the homeowner, identify and address any potential vulnerabilities to protect your property.
Taking this same kind of attacker mindset can be useful in digital environments as well. Understanding how cybercriminals think, their motivations and capabilities can help gain insights into particular vulnerabilities.
In today’s highly risky environment, that’s a posture and process every company should assume.
Humans: The 8th layer of security
Cybersecurity professionals often refer to people as the “eighth layer of security.” Why? Because most organizations invest heavily in technology solutions to help protect their systems and data but don’t spend nearly as much time and effort focusing on the human side of the issue. But people can represent the greatest risk to any organization’s data.
What are the other seven layers? This is specifically in reference to the Open Systems Interconnection model of computer networking adopted in the early 1980s. The seven layers of the OSI model include: physical layer, data link layer, network layer, transport layer, session layer, presentation layer and application layer. The eighth layer is the human who interfaces with the application or the technology.
The attacker mindset
Security requires a particular mindset that only the best security professionals have. They see the world differently. They can’t use their non-custodial bitcoin wallet without wondering how easy it is to hack. They can’t place an order online without wondering about ways their credit card might be stolen. It’s their nature to question potential vulnerabilities.
Oft-quoted security guru Bruce Schneier said, “This kind of thinking is not natural for most people.”
And that’s the crux of it.
Maxie Reynolds is a former technical team lead at Social-Engineer LLC and an underwater robotics specialist who now focuses on building, deploying and maintaining subsea data centers. Reynolds recently wrote a book about the attacker mindset called The Art of Attack: Attacker Mindset for Security Professionals. Attacker minds focus on figuring out ways to exploit the eighth layer of security.
They don’t think about how things are supposed to work; they think about how they can get around how things work. To protect our IP and digital assets, we have to adopt this same way of thinking.
Thinking like an attacker
When we build something, we typically only imagine using whatever we’ve developed in the way we designed it to be used. We hardly think about how it might be misused or abused. We’re blind to the many issues and faults in our systems because of what’s known as “present bias.” We prioritize our short-term gains over the long-term good.
We humans also suffer from “optimism bias” — we believe that bad things just won’t happen to us or, if they do, they won’t be nearly as bad for us as they are for others.
It’s exactly these kinds of biases and blind spots that keep us from properly assessing risk and building security systems. You can only identify where and how your company might be susceptible to attack by assuming the perspective of a potential attacker.
One way of doing this is by using what’s known as the “cyber kill chain model.” A seven-step model originally developed by Lockheed Martin, it has been adopted widely by its customers.
The idea behind the cyber kill chain model is that by understanding the basic seven steps an attacker can take to break the chain at certain points, one can make it harder for them to do so by shoring up defenses and putting in strategic roadblocks at every step of the chain:
- Step 1: Reconnaissance. This is where the attacker would find out everything they can about your organization. They might do this by harvesting email addresses related to the organization, by looking at dark web data dumps or by doing social media profiling.
- Step 2: Weaponization. This involves using all of the collected information to craft a very specific attack.
- Step 3: Delivery of the attack. This usually occurs in the form of something like a text or email phishing attack or sending a malware-laden file for downloading.
- Step 4: Exploitation. This is where someone would actually click on a link within a phishing email or let someone in the front door who shouldn’t have access to the building.
- Step 5: Installation. This might not be necessary with all attacks but would involve something like a rootkit installation, or some other form of malware.
- Step 6: Establishment of command and control. The attacker is in the system and remotely able to manage it.
- Step 7: Acting on the attacker’s objectives. Collecting the information or causing whatever damage they had intended to cause.
Understanding the kill chain is helpful because attackers follow a general process, even if they’re not consciously aware of that process. They’re trying to understand their target, they’re trying to build the best attack scenario possible, and they’re launching the attack and reaping the rewards of their efforts.
By thinking the way attackers think — by embracing an attacker’s mindset — we’re better able to spot and fix vulnerabilities within our organization, both technological and human. Asking where your organization is most vulnerable is the best place to start.
Perry Carpenter is the author of Transformational Security Awareness: What Neuroscientists, Storytellers, and Marketers Can Teach Us About Driving Secure Behaviors and the host of the 8th Layer Insights podcast on The CyberWire network. He is the chief evangelist and security officer for KnowBe4, the world’s largest security awareness training and simulated phishing platform used by more than 41,000 organizations.
Related: