There is nothing either good or bad but thinking makes it so.

—William Shakespeare

I was recently told by someone I consider to be a subject matter expert that introductions in books, although seldom read by typical readers, are meant to respect the reader. Introductions are not intended to insinuate to readers that they will only understand the book's subject matter once they've read it cover to cover. Instead, the introduction should tell its audience how the core message of the book will be broken down. I think this is true, so this introduction acts only as a way to summarize what's to come, not to aggrandize it.

The core subject of this book is the attacker mindset, the gathering, processing, and applying of information for an objective. That's the key takeaway of this book. If you stop reading now, you will have received its central message. However, what I'm hoping will keep you reading, rather than repurposing the book as a doorstop, is that the whole book is about how to do this as an attacker—how to process and apply information for the benefit of the mission.

The Art of Attack looks at all aspects of the attacker mindset (AMs), focusing on the cornerstone pieces. In breaking these pieces down to their fundamental components, the book empowers you to build them back up into something recognizable as your own brand of attacker mindset. I will describe the principles of this mindset and how to interweave them with the process most attacks follow, namely: reconnaissance, initial approach, privilege escalation, redundant access, and escape. Through this attacker lens, this book explores tools you can implement as attackers and the psychological principles, too. I will also call out all the times you should take snacks with you on a job, which doesn't seem important now, but wait until you've been trapped in a bathroom stall for six hours.

To help you remember the material packed into this book, I'll provide stories (both successes and fails), which should make transferring AMs from theory into practice much easier. As a practitioner of social engineering, I will mainly concentrate on examples of the attacker mindset in my stories from the field. However, as a trained pen tester there will also be crossover.

The tagline I've used to put attacker mindset into shorthand over the years is: there really is nothing good or bad, but your attacker mindset makes it so—this line is effectively how this book came into being: Countless hours of trying to teach people the art of the attacker mindset allowed a reduction of it to that statement. The attacker mindset allows us to hack information, which may on the surface be neutral to the untrained pedestrian, but to you or I as attackers, could prove lethal when leveraged correctly. There's no information that you will come across that's simply good or bad; information is processed through the lens of the attack and its objective.

I wrote this book solely to teach this mentality, but each of you will build your own version of it that reflects your strengths and weaknesses. This book should teach you how to think, not what to think. It contains chapters on open source intelligence (OSINT) and social engineering, too. However, other books and courses exist that break down how to perform OSINT and how to become a social engineer (SE). My aim is to show you how those fit into the AMs's executive functions.

Who Is This Book For?

The attacker mindset should be taught to those who need it most—those who we, as a society, want to protect from malicious attackers. Companies should use physical testing as well as network testing to evaluate their security postures regularly, which will help build their populations' intuition and security. The attacker mindset should be used in boardrooms and other government and corporate settings as a way to scrutinize and analyze blind spots and vulnerabilities. Members of the cyber and information security communities should be consulted as think tanks and task forces. So, my aim is for this book to speak to those decision makers as well.

However, because I will look at the attacker mindset through the lens of a security professional, this book is first and foremost intended for those who wish to partake in a modern battle of stress testing and ethics: security professionals. Ethics and morals will come into play quite a bit. Knowing how to portray the bad actors is not the same as actually becoming them. The line that separates us from them is the line of ethics.

There's also a case to be made that says ordinary individuals can benefit from learning about AMs. Awareness of how this mindset might present itself can prove pivotal in assessing whether an attack is being mounted against you and what to do if it is. Because of this, my aim for The Art of Attack is for it to be useful for the general public, too.

Finally, every chapter in this book, every paragraph, every sentence, has the capacity to offend or irk someone. Those with a detailed military background will need all of their patience to forgive what cannot be known about warfare recon without having been in the thick of it; those who guard the realm of the ethical hacker will need to find a way to subside their rage given this book speaks as directly to malicious attackers as it does ethical. Alas, I cannot control who reads this and what they do with the information within it. For those very sensitive or pedantic, putting the word ethical before the word attacker will not make what I say in this book invisible to any malicious actors reading it. To subside this rage, all I can offer is this: as a society increasingly in need of effective security measures, focusing on the need to better understand attacks and attackers is prudent. Understanding how and why an attacker performs is one thing—and it's important. But being able to think like them, looking at ourselves through their eyes, we become more powerful, more dominant, and far safer.

My final sentiments are a cloned copy of Tai T'ung, who, in the 13th century said of his book, History of Chinese Writing: “Were I to wait perfection, my book would never be finished.” Of course, I am not writing a history of the attacker mindset. I am setting out to show the full breadth of it and its modern-day uses and functions.

What This Book Covers

• The idea behind this book is to document and teach the attacker mindset, without taking individualism and obliterating it.
• Different strengths will have to be played to by all of us who use this book to build an attacker mindset and execute attacks. Nonetheless, I'll pick apart the attacker mindset so that we can find the commonalties and still leave room for each of us to apply our own personal brand to it.
• The greatest and sharpest attackers are trained to see opportunities in the moment, and there's no way for this book to list the infinite opportunities an (ethical or otherwise) attacker might come across out in the field. But what it will teach is this: how to form the attacker mindset and how to apply it.
• In the name of ethics, the final part of this book will explore the “tells” of an attack and what businesses, organizations, and institutions can and should do pre- and post-attack to protect themselves.
• Finally, the end goal of the attack, after you've sprinted 18 flights of stairs, hidden under desks, been wedged in between two 20-foot containers, sweated the foundation off your thumb tattoos (all fun stories for later), and handed in the report, is to leave each company, boardroom, and client stronger for having employed you. It's almost all that separates us from the bad guys.

Here we go. Enjoy.