Let all your efforts be directed to something, let [your mind] keep that end in view.
There are four laws of the attacker mindset. They are all heavily interlaced and interdependent. In this chapter, we will look at them and explore how to use them effectively.
Assuming you already have a contract and a contact in place, there's really only one correct place to start an attack—at the end. To start with the end in mind is the first law of AMs. But doing so is material to how the rest of the skills are used, too. You cannot blindly point to information about anyone on anything and then build and execute an attack. You need to know a couple of points to start: who you are attacking and to what end. The “who” is generally solved for you—the client typically approaches you or you will sell your services to them. Either the “what end” is defined by the client—who will know what they wish to protect but want to know how easily it can be accessed or destroyed—or the client will not define their assets as such, asking you to simply penetrate their defenses as deeply as you can.
Given that, there's an almost infinite list of objectives to be achieved for an impossibly large list of businesses the world over, so I won't try to list them all. But most often for a security professional, the items most likely on the list of objectives will be (a) gaining information or (b) gaining access to an asset. So, with those goals in mind, we have our immediate ends in sight.
This phase of the attack is the only one in which your AMs has absolutely no barriers or boundaries. At this point, you aren't particularly concerned with ethics—you're only looking for information or vulnerabilities to use against your target. The attack will later be adjusted for ethics, and the processes that follow it will be a direct result of them, but at least for now, your AMs can create, craft, and plan unencumbered, stopping only to consider scope.
Just as in chess, where the central objective is to checkmate the opponent's king by placing it under an inescapable threat of capture, your central objective is to capture your target's information or asset one move at a time. To do this, there is a short list of important things to be considered. Starting at the last to be considered physically, but the first to be considered in planning, we have the following:
I've had a job where my end goal was to move money from the bank to “my” account. My top question, “How to leave with the information or asset intact?” is pretty easy to answer on this one—it will be intact when it hits my account. But the second question on my list, “How to secure the information or asset?” becomes a bit of a headache, because to ensure safety of this transaction, I'd ideally like to be there to see it happen, to see it being sent. Having not actually robbed a bank before, I can't say for certain, but I feel sure it's not like in the movies where an 8-bit green bar fights to make its way across the screen, with the evildoer sweating and staring at it until it flashes “100%.” But whatever it looks like, I'd want to see it and know the attack was complete and a success. That was not possible on this job because I performed the attack via a series of vishing calls.
Putting the phone down after being assured too many dollars to disclose were indeed in the ether, on the way to my account, made that particular night a long one. Thankfully, although not for the security of the bank, the ungodly sum did show up in the account it was supposed to. Thanks to its appearance, I got to write a very detailed report. I also got to keep the original account's balance of zero dollars and zero cents afterward.
The two fundamentals to look at when forming an attack are your objectives and what your cover story will be. Working backward from the question at the top of that list, though, is a strong linear sequence that helps answer both. It will help you decide the equipment you require, as well as the number of people you need to execute the job. It also helps optimize other things, such as the time of day you should attack, the number of people needed to achieve the objective (economy of force), and how they will be used. Some might be at the physical location, whereas others are not physically there but instead in the network.
I had considered all of these things as I entered a very prestigious building in New York to, essentially, begin robbing it.
Robbing a bank is no easy feat, even if you are a pro. Where we last left off on this story in Chapter 1, I'd met with my team; I'd drunk copious amounts of hot chocolate because, apparently, I hated myself around that time and was trying to abstain from coffee. The team and I had gone over the plan until it felt like the words were meaningless and melding together, looked over the floor plans that we'd come into possession of through some very nifty OSINT, and looked over some of the interior pictures people had put on Facebook when they'd “checked in” for meetings, and so on. We were keeping to our plan of sending me in first, with all of us returning that same night. We were ready.
After doing some final checks on our communication methods (primary and backup), I was soon walking from our temporary office in the city to the target's main building. I knew the security surrounding the information and asset I was aiming to get to was mainly in the form of humans, which can often be a pesky hurdle. There was also going to be security in the form of technology. I knew from pictures I'd found online that there were motorized turnstiles, also pesky because they generally beep obnoxiously when you jump over them. But, as I told myself then and believe now, humans are often distrustful of technology, which is one way to neutralize both.
As I made my way toward the revolving doors, the mental games of chess I'd been running in my mind up until that point ceased. I was only going over the details of my pretext now: Lawyer. Merger. Documents. Appointment. Late to meeting I knew had already started. Rinse and repeat.
I walked inside looking to the reception desk, stretched out somewhat menacingly over the sterile-seeming foyer. I almost stopped dead in my tracks. It took every bit of self-discipline not to look around in search of what I had always imagined I'd find upon entering the prestigious lobby of a well-known, reputable bank. There was no guard. There was ostensibly no security personnel present.
My initial feeling was one of relief—this meant that there was no one to stop me. Mere milliseconds later my brain was throwing me a curveball in the form of paranoia. If security wasn't at the desk, were they watching me from the sky? Stopping myself from a 360° spin to check for any security in my general vicinity, I immediately curved to the right as if it had been my intention all the time and headed for the turnstiles. I reached into my pocket as if this was not the first time in my life I was pulling this card from it and scanned it on the machine's reader. As if I expected it to open, I pushed my briefcase into the glass doors of the turnstile that, for the people who actually had access, would've normally whooshed to the sides by now.
Nothing happened. Obviously.
I tried the card again, pretending I expected the typical results. Still, though, no one appeared.
“Hello?” I shouted over the barrier, hoping someone would hear me and turn up. Moments later a security guard appeared from the side of the turnstile I wanted to be on. As he approached, I remember wishing that I'd hit the building at a busier time, because congestion would've imposed a greater sense of urgency on him to fix the problem—it would've said for me, “Let me in so that all of these other fine folks not aiming to rob you can get to work.” But that isn't how jobs work. You have to take what you are given and be agile enough to respond to the circumstances as they unfold.
“Having issues?” he asked calmly.
“I am. This turnstile won't let me through, and I'm late,” I said gently, almost like I was defeated, rather than in a rush. My play on humans’ distrust of technology was in full swing.
“I am sure we can fix that,” he said, maintaining eye contact. “Try this one!” he said, gesturing to the turnstile one over.
Aw crap, I thought to myself, Why didn't I think of that! I had obviously pictured him just letting me through the side gate; I had not envisioned him making me try all the turnstiles so we could both be certain my keycard was a dud. Well, I thought as I walked to the next turnstile, just stick to law 3: adhere to the pretext.
You'll remember we started this chapter with eight questions:
Up until the point I just described, standing in a Manhattan bank's lobby, I knew all of the answers to these questions. Certainly, I'd known some in more detail than others. For example, I knew the answer to the first question (leaving with the information or asset intact). The answer was to walk out with my phone on me because it would be housing photos of this attack, as the client had requested, and I knew I could further secure the asset by sending those photos to my company's secure portal periodically as I moved around the building. This also took care of the next question you should ask and answer when committing to a job: securing the information or asset (to ensure you maintain custody of it).
As for “Location(s) of information or asset?” I was aware that the CFO's office was on the same floor as three of the bank's largest meeting rooms. This knowledge helped lead me to impersonate a lawyer, given I also had found information pertaining to an imminent merger that had hit some speed bumps.
The security surrounding the CFO's office was minimal after the ground security.
I knew the weak point in the security was the information I was able to find out online—no one should be able to duplicate a guest badge that they've found online to get past a business's defenses.
Pretext for approach and entry was informed by all the previous answers on the list combined with OSINT that had led to the discovery that the business was in the middle of a large merger and acquisition (M&A). I knew that, as long as I wasn't discovered right away, one pretext would be sufficient to get the job done. It was designed to get me from the front door to the target's office and complete that portion of the mission.
Economy of force was the easiest question to answer in this case because it was decided by scope. I was slated to go in during the day, but we were also engaged to do night break-ins. We were instructed to try all entrances and exits on our night trip, and achieving that, especially in a skyscraper in New York City, would take a team.
In case you weren't convinced, there is evidence that the end is the right place to start. In philosophy it is often accepted that all things are created twice—first in the mind, and then in the real world. Physical creations follow mental ones, from the computer I'm typing on to the book you are reading. This book started off in my head, and now it exists outside of it. The same thing is true of my computer and the desk it sits on, along with almost everything else in the room. Attacks should be no different; beginning with the end in mind is to visualize your specific project the way that you want it to end up before you begin pursuing it. This results in greater precision than pinballing your way there. Again, this is not a form of “manifestation”—it's a form of agile planning. The main reasons this “begin with the end in mind” philosophy is so important come down to clarity, efficiency, and your objective, each of which we will briefly look at in the following subsections.
Remarkable clarity comes from knowing exactly where you want to end up. As you've witnessed multiple times throughout this book already, there's nothing more clarifying than an objective. When you have it, you are able to plan accordingly with only that in your crosshairs.
There's another, often underrated benefit of this strategy: when you begin with the end in mind, you'll also gain clarity as to what not to pursue. If your goal is to get onto a network without detection and maintain persistence, you would avoid using any noisy tools. If you were aiming to get into a facility that did not allow cameras or phones but where your objective was to photograph the inside and walk through the front door (it has happened), you would not walk in with your devices on you. In this case, I attempted to hide devices around the perimeter and upon getting in, I waited until I could tailgate out a back door, collect the device, and come back in. I did eventually get arrested on this job, because I was viewed on camera with my phone in my hand taking photos. Was it my best moment? No. Am I still proud of trying? Also no. I had to go to a chiropractor for about three months after that arrest. They do not pin you to the ground softly. The better idea here would've been a piece of jewelry with a small camera inside. In hindsight, that's definitely a better idea.
Starting with the end in mind provides a straight shot to clarity holistically and that's valuable.
When you begin with the end in mind you gain clarity, which will naturally help you become more efficient. You'll be able to plan and strategize for the best route to your goals. Let's say your job is to break into a bank and get to the vaults. That's your goal. Great, you can now plan the most efficient way to achieve it. Instead of chasing erroneous objectives, you'll focus on just the steps you need to take to get to the vaults. I would, in a case like this, set myself up for success weeks in advance (months, if the scope and project timeline allowed for it) by vishing the facility first.
Efficiency comes from always pushing in the direction of the objective. This will always generate efficient results.
Finally, when you begin with the end in mind, you gain purpose. Some clients come with a loose set of goals. Most typically, you will hear the words, “Just whatever you can get.” These are generally preceded or immediately followed by a beautiful sentence that goes something like, “But there's no way you will get in anyway.” I tend to listen to neither.
If I am told to get “whatever” I can, I will research the most damaging thing I can get. This is not to humiliate the client; it is to illustrate how dangerous their mindset is. They should be able to identify what is most precious to them.
If they tell me I won't get in, I always feel a sense of relief for my attacker life—their security is likely lacking because of exactly this mentality and “security ego,” as I like to call it. Security ego is the best thing to happen to an attacker, ethical or not. It's also the worst thing to happen to both a business and me afterward as those report and awareness programs tend to be very long.
The key here, though, is focusing on what you really want to achieve in any given engagement and working toward that only. You don't have to get caught up in every security flaw and attack it, but you should note it for your client. As has been previously discussed, your job is not to give a play-by-play of your attack. It's to tell your client what happened, while also painting a picture of their whole security landscape as you saw it.
So far, we've covered the “what” and “why” in regard to beginning with the end in mind. Now, let's tackle the “how.” There are five steps.
When you begin with the end in mind, you set yourself up for success. There's no better way to identify what you actually need, why it's important to get it, and how to get it. To implement this philosophy into your AMs, you can follow these five steps and build on each for your own projects:
The true art of the attack doesn't come from being able to act like an attacker—it comes from being able to think like one. For instance, when a company puts out seemingly innocuous information, it's the attacker's mindset—their thoughts, outlook, and approach—that molds it into exploitable intelligence to be used against them. The ordinary reader or listener will simply process the information as intended by the source, and an ordinary person will take the information and search for more of the same if curious; a good attacker will use it as a starting point, exploring a surplus of information through the lens of their objective, disregarding all that cannot be used in a future attack and building on all that can. An attacker only gathers information to build, forward, and execute an attack. Information is the star of the show.
Picking this apart, there is one other thing that is crucial to successfully adopting and maintaining this mindset: the tieback. Similar to the callback in comedy, the tieback is the act of binding information to the needs of the objective. If the information you are sifting through is not beneficial for pretexting or for using against a target, it should be disregarded. There's not a set list of things that do and don't matter—the objective dictates these kinds of things. Intuitively parsing information as it comes to you is a deft skill that cannot be overlooked, in the name of both efficiency and AMs sharpness.
Let's look at a simple example to start. If I am gathering information on a single target, with the objective to compile a seemingly legitimate phish, nearly any information becomes valuable and potentially weaponizable. Knowing the make and model of their car is valuable if I want to make them think they have a ticket and send them a link to view all the related information, but I'd have to consider whether a personal message like that would go to their work email account. The name of their child's school is valuable if I want to register for a one-on-one session to discuss the progress their child is making. None of this is valuable if I need to phish them using a professional pretext, as dictated by scope. Their home address is valuable if I want to phish them from HR, citing a mistake in their details. Sometimes you may need to know little else about a person other than the country they live in. For instance, if I know a target lives in the UK, an SMSish from Royal Mail is a solid bet for a click. In the United States, the US Postal Service is a likely candidate to get a click. For a phish, I mainly just need their email address to be factual. I can use almost any other information I come across to build into a phish, taking personal and professional information and tying it back to the objective.
Simply knowing where someone works is a great start to making a tieback—you can check online forums to search for records about the hardware or software the company uses and call when IT is citing issues with it.
For physical jobs, you will need to know the location, and you might want to know the shifts of guards to make getting in and out that much easier—the tieback of that information to the objective is easy. You might also want to look at the entries, exits, underground access points, aerial views, and surveillance spots—you should be able to tie all of that back to the objective and work out how to use it. The rest will be specific to the location, including terrain, surroundings, staff numbers, likelihood of visitors, and likelihood of unfamiliar people going unnoticed or unchallenged. Most information you come across that exists in part outside of the organization, such as vendor or contractor information, is typically easier to weaponize and leverage.
I once broke into a large warehouse with the help of a very gifted pentester and social engineer who has asked never to be named. Our job was to get inside and access any computer terminal, taking photos as evidence. For this, we needed to know employee shift times and attempted to gain information on the types of locks they used and the type of computers through recon.
No matter the type of job, the same principle applies: you need to gather information, weaponize it, and leverage it.
The weaponization of information in the moment is also a vital skill that cannot be overvalued with regard to an ethical attacker's performance. There's a certain amount of opportunistic ability and situational agility that an EA must be able to apply when executing an attack. It is what I refer to as an attacker's opportunistic aptitude. It's the ability of the EA to see and act on opportunity in the moment, never letting their target(s) know it's haphazard. A level of opportunistic aptitude can be taught, but building it up into a deft skill will fall to the EA themselves. This ability to pivot while maintaining character and to focus on the objective falls under the umbrella of mental agility, specifically, “persuasive performance.” Agile, persuasive performance provided by an EA is the effective exploitation of human weakness through covert adversarial behavior. Bit of a mouthful, but broken down, it means that the attacker mindset, when executed properly, is versatile and adaptable and doesn't falter from the objective.
The critical finding here is that a plethora of information may exist for any one client you get. Your job is to be able to parse that information by applying it to the objective, both prior to the attack and when executing it. To parse information effectively and efficiently, I tend to think of it as a puzzle of sorts: if I can't get the information to fit to the central piece (the objective), I disregard it and move on.
In summation, the weaponization of information that is commonplace to everyone else is the true mark of a security expert with a strong, effective AMs—in both the act of attacking and the planning of it. The information you gather will go into three buckets: (a) useful for recon and building familiarity, (b) useful for pretext, and (c) not useful at all. But I am now getting ahead of myself. We will cover more about information processing in Chapter 6, “Information Processing: Observation and Thinking Techniques.”
Now we move to pretexts. A persuasive performance is crucial in defeating an unwitting target. To be effective under your pretext, two things must be true. The first is that you must be able to play the part of your pretext accordingly—for instance, it would likely be detrimental to most operations for me to show up as a repair technician. I don't know enough about repairs of any kind to pull that off, nor do I easily fit the part of a repair technician. I could go as an inspector from a repair company, though—there to take notes and inspect some items.
With a pretext, you must be able to see clearly what other people think of you and lean into it when beneficial. This self-awareness will allow you to know your shortcomings, and it will allow you to play the parts that suit you. Attacker behavior is not politically correct, and neither are the biases you must play into.
The second thing is that pretexts must be built on information. You cannot pull a pretext out of thin air and hope for the best. Just knowing that most companies have vendors doesn't give you the vendor pretext card. It certainly doesn't permit it without detailed searches of your target company's specific vendors.
Sure, there are times you will have to go in blind because the information doesn't exist. These are rare and extreme cases. However, inferences can still be made, and you will likely need to employ hardier recon tactics—likely military-level recon. Military-level recon takes into consideration the effects of forces like weather on the target terrain, and determines at what point the enemy can observe them. It also takes into account the target's known recon capabilities, typically things like infrared, thermal, light enhancement, and enlarging capabilities.
Military-level recon also takes into consideration route investigation: an attempt to obtain detailed information of a specified route and all terrain from which the target could influence movement along the route. Most often this is beyond the range of a job, with only the very immediate surroundings of the target environment being investigated. Some jobs, perhaps for government engagements, will require this level of recon.
Military “reconnaissance-in-force” is a deliberate combat operation designed to discover or test the enemy's strength, dispositions, and reactions or to obtain other information.
Whether your job dictates that you direct effort to military-level recon or red-team/social-engineer–level recon, the common thread still remains: information is key. A scrap is not ideal, but it will do. And if you use laws 1 and 2 against that scrap of information, you will end up with more than you started out with.
A pretext is one of the most powerful and unique laws of the four. It exists to serve the others, but the others cannot function without it. Delving back into the world of spies, a good spy could know their desired goal, gather and weaponize information, and attempt to apply that information for the good of the objective. They would immediately be in Guantanamo if they wandered into their target's environment and laid the truth out. Pretexting is important.
Take Adolf Tolkachev. He was a chief engineer at the Soviet Radar Design Bureau, which focused on the development and prototyping of advanced aero-navigational systems. Tolkachev had the highest-level access to Soviet state secrets. He approached a CIA agent in 1977 at a gas station in Moscow and slipped him a note stating that he wanted to become an American spy. The CIA was naturally suspicious of a KGB trap, so they said no to Tolkachev—on multiple occasions. Finally, his attempts met with success and the CIA gave him the codename “Sphere.”
Tolkachev was stable and believable in his role—he fit it perfectly. He remained an engineer, and so the KGB never suspected him of being a spy. Tolkachev used his own devices and procedures to get information to the CIA since he realized many of the procedures provided were simply ineffectual. For example, he modified a civilian camera and used it instead of the camera provided to him for his endeavors. He knew it would not fit his pretext and would actually be a point of potential failure. Through his pretexts, Tolkachev revealed top secret research documents on weapons to be created years into the future, including details such as air-to-air missiles, surface-to-air missiles, and fighter aircraft information. As a source for the CIA, he reported detailed data on new Soviet weapon systems that would not have been available for years, if ever. Tolkachev provided complete documentation before the systems were even fully operational.
Tolkachev never broke character and would likely never have been caught. He used all the laws together and had skills beyond reckoning. He never gave anyone pause for thought. Despite being very careful, he was captured by the KGB in 1985 after CIA officer Edward Lee Howard, who defected from the United States to the Soviet Union, outed him.
As ethical attackers, we cannot quite operate like spies. There must be demarcations set that you cannot use your sexuality, looks, or compelling or coercive promises and lies to gain entry—actual network pentesting being the exception to the rule. In all other cases, a pretext whereby you talk with another human must be ethically aboveboard; otherwise, you become unable to teach someone what they should've done in a situation where they failed. As an example, I would likely let someone into a building if they threatened to kill my family. There is no teachable moment there, and we must operate well above that to prove vulnerabilities in an organization's security. It's also ethically wrong and absurd to flirt your way into a building. By not participating in these sorts of actions, you are not ignoring that they might work or leaving the client open to that risk. Your job is to get past security defenses and then implement or suggest processes that keep out all others who may try—however they may try. Your pretext doesn't have to be nasty. You prove a better, stronger, more valid point by using more vanilla pretexts, showing that if something as weak as a “new employee” without their card can get through their defenses, anyone can.
This is a very straightforward law. You do not deviate from your given course. You cannot switch directions, physically or figuratively, for your own personal gain, for your own personal curiosity, or for any other reason. Like a spy, you can apply the first two laws to your mission, but if laws 3 and 4 are not also applied to the mission, you face an internal conflict and mission failure.
Everything you do has to be for the good of the mission. It might be for the short-term good, like switching pretexts or exiting a building or even a network before it is optimal. This could be so that you appear to be operating like your supposed peers—leaving at the end of the day if you cannot hide in plain sight or actually hide. You might need to switch pretexts depending on where you are in the mission; a network pentester has to disguise their traffic when exfiltrating data, which is likely done differently compared to how they first gained access to the network. In the same way, a physical pentester has to hide their real self the deeper they get into an environment and the longer they are there. They might gain access as a cleaner at night but transform into a nightshift worker when entering the server room. Like Tolkachev, you might modify or even forgo equipment altogether if it will prove to be a distraction from your pretext and so to the good of the objective.
No matter if the gain is for long or short term, you must not do anything just for the sake of doing it. You must at least believe that each step you take will move you in the right direction—the direction of achieving the objective.
There are four rules of the mindset. They must all work together in order to obtain success.
An attack should be kept to its simplest form. Starting from the end of the attack and backing into it is the most efficient, clarifying process and strategy you can use.