How to Think Like an Attacker: Advice from the (Not So) Dark Side

We spend a lot of time talking around and about bad actors, but what if we drew on them to teach us about this industry instead? We know they exist and we know they are working towards obtaining the sensitive data on our networks. But how do their minds work, and how do they operate differently from those on the ethical side of hacking? Let's look at what sets bad actors apart and how you can leverage that information in your future security initiatives.

1: Bad Actors Have Time

On average it takes 250-300 days to detect a breach – so bad actors aren’t exactly pinched for time when it comes to finding a way to your sensitive data and exploiting it. In reality, they aren’t working against a clock – but against you and the time it takes before you find that they’ve gained access into your organization. But there are tools that you can use and a mindset that you can operate out of to start putting pressure on them.

So, what solutions do you have in place to identify breaches? Is this something you can address, for example by increasing how often you pen-test your systems? Staying vigilant over your environment to detect bad actors' pathways and trying to stay as far ahead of attackers as possible is beneficial, even if you feel like you're always one step behind them. Remaining watchful over your environment puts pressure on bad actors and quite possibly deters them from continuing to try to infiltrate it, because you're now operating out of awareness. If your solutions aren't consistently monitoring, are you able to consistently test, or to outsource to a team that can? Find a way to narrow your focus so you make the most of your time and money.

2: Attackers are Ahead of the Skills Gap

Bad actors just get to work. Meanwhile, businesses require certifications, degrees and quite possibly training on the security solutions and tools that attackers already know and have experience using. Training is important for learning what to look for in order to find access points into an entity. However, most of that knowledge comes from real-world experience, which bad actors obtain earlier than those who sign up to complete a certification that verifies they know what they're doing. Learning in the field gives hackers the opportunity to learn more dynamically and forge their own path, quite literally.

If your organization is looking for the best talent to work as an ethical hacker on its behalf, look at how you can get involved with local education systems to help build talent, promote the benefits of the industry and the need for people to join it, and encourage them to do so early.

3: Attackers Have Little Concern for Security Software

Security software and antivirus programs are well known to bad actors, as this software is often the first line of defense for businesses and the first challenge for attackers. They are well versed in the strengths and weaknesses of these programs, because most of the details can be found easily online: the software vendors are fairly transparent through the release notes for new versions that fix bugs or glitches found by their product teams. That means that even with these programs installed on your devices, you are not immune to attack. If anything, unless the software is properly managed, it can be an easy gateway for bad actors to infiltrate, because they are already aware of many of the existing gaps.

It is still, and will always be, crucial to consistently apply software upgrades to your systems. Make sure you stay on top of this seemingly small task, to stay ahead of potential gaps in your security software and remediate any bugs within the program itself. However, don't rely solely on this to protect your organization. Remember, you have to account for human error in a multitude of ways: phishing schemes, not using a secure sign-on, and more.

4: Defense in Depth

Relying on only one precautionary tactic is neither sufficient nor wise. There should be layers of coverage, creating "walls" around your data that protect you by making your environment more difficult to enter. This gives you the chance to safeguard your information while prolonging the time bad actors need to work their way through the different attack paths.

So what solutions should be standard? Investing in intrusion detection and prevention systems is critical to staying ahead of a skilled bad actor. Pen-testing is incredibly valuable, and possibly the most effective investment you can make for your company, because it tests all of these solutions to make sure they are actually effective.

5: Attackers Target Weak Links, Almost Always People

Oftentimes, adversaries research targets with elevated privileges and attack their lightly defended home systems in order to move laterally into their corporate systems. They don't have a scoping document that limits their behavior, or a limit on the time they can spend on a project, as discussed in the first bit of advice. Once adversaries find the weak link within your organization, they will continue to penetrate through the network until they reach the most sensitive data they can get their hands on. For those who work as ethical hackers, pen-tests are usually limited by a scope set by both parties. There may be limits to how far you can push the bar in ethical hacking, but that is where the ethics come into play. Are you working on behalf of an organization in the hope of preparing it for attacks, or are you working against it?

The theme of this entire post is to think like an attacker. Don't let the fatal flaw of your business be that you fail to thoroughly and consistently test, and then act upon, the results of your pen-tests. These tests show how an attacker would enter and pivot through your systems, and they are a crucial part of any security infrastructure.