A long habit of not thinking a thing wrong, gives it a superficial appearance of being right… Time makes more converts than reason.
Processing information to weaponize and leverage is a neccessary cognitive skill to get into the attacker mindset and use it to its greatest potential. To process information, you have to collect it. You can collect information four main ways: by obtaining, observing, theorizing, and inferring. If you choose the latter two, you will then have to search for information to validate your thoughts.
After you have collected the information, you have to parse it. You will then put it in one of these three buckets:
Once you've decided which bucket the information should go in, you have to weaponize it within its limits, which means not stretching the information for more than it's worth. For example, knowing a company uses Splunk doesn't permit you to call up impersonating a system administrator, security engineer, or Splunk administrator. You will likely not have enough information to fulfill your call objective if you hope to learn more than just how the organization reacts to your advances. For example, you cannot infer from a company's use of Splunk which other software it uses. Splunk itself is a software platform that can search, analyze, and visualize machine-generated data gathered from websites, applications, and so forth. It is helpful enough to go into the recon and pretext buckets, but you will need more than that information alone.
You have to collect information to process it, but in many instances, you must observe information, too. In this chapter, we will deal primarily with observation. Observation is not just passive viewing—it's an active mental process. French physiologist Claude Bernard (1813–1878) distinguished two types of observation: (1) spontaneous or passive observations, which are unexpected, and (2) induced or active observations, which are deliberately sought. Effective spontaneous observation involves first noticing some object or event haphazardly. The thing noticed will usually become significant only if your mind either consciously or unconsciously relates it to relevant knowledge or remembered past experience. However, consciously choosing to think about something that you know nothing about might lead you to reasoning, further research, or inference—which will require a healthy dose of curiosity and persistence.
Observation is a tricky subject, though. Simple observations can be computed in multiple ways. Through the lens of observation, we'll discuss intuition and heuristics, rationale, and reason, all of which we will have to, at some point, rely on as attackers. This is why picking apart observation is so vital; with the ability to observe your surroundings and targets accurately, you can process information with more confidence and a higher likelihood of effecting real influence.
Observation's driving force is attention. I once worked on a job that required detailed and ‘‘in the weeds’’ type of observation to achieve any meaningful facts. In this case, I was passed 10 or so images that were seemingly benign. They were images that I hoped would reveal the location of someone being tracked due to their criminal activity. Figure 6.1–Figure 6.4 show some of the images.
My observations of Photo A started with an unfair disadvantage; I live in Los Angeles and recognized right away where that photo was taken—this went from observation to inference quite quickly.
There were three other facts I was able to identify, the first almost immediately, although the rest took some research. The first thing I noticed was that a woman's bag is pictured and potentially taken from her point of view. The image also shows pre-tuned radio stations; 102.7FM is KISS FM, and 101.9FM is KSCA, a commercial FM radio station licensed to Glendale, California and broadcasting to the Greater Los Angeles area. It is also a Spanish-speaking broadcast. The audio system console shown strongly resembles that of a Ford, possibly a Ford Focus, although that took some further research to find. An ExifTool metadata probe of these images also showed that they were taken on a Motorola phone.
Photo B contains a bit of a gift as far as investigations go: a receipt.
From here, you can see that the image must have been taken on or after 05/18/2020. The time is printed as either 14:48 or 14:46.
Photo C shows a mask, from which I can infer this picture was taken no earlier than 2020 due to COVID 19—not many of us in the West were wearing masks prior to that, and there is no evidence to support either of the people (the driver or the picture taker) were in the medical field. The mask also has what appears to be makeup transfer on it, further leading me to believe that the man I was tracking was with a woman. The one other thing to note is that the cable doesn't appear to be an iPhone cable. I cannot say for certain, since I don't have that expertise, but I would say that the ExifTool data I found supports this theory.
Your brain isn't wired to see everything. It focuses on specific things—such as the fact that Photo A and Photo C are two completely different cars—and filters out everything else. Some of you may have neglected that detail, whereas others noticed it. That level of observation is to your benefit most of the time because, if you paid attention to everything, you'd often miss what's important.
Because your brain is hardwired to disregard details and you are, essentially, incapable of appreciating more than just a sliver of your surroundings, you must train your brain to reconsider what it sees as important. To train yourself in this way, it is extremely helpful to understand why our brains function the way they do. In every sensory moment, our brains are swimming in a deluge of input. The information that you are aware of or can recall later is relevant to you at that specific time. Let me explain: If you're a tourist in a new city, the type of stores you notice (and later recall) will differ depending on your interests and needs at the time. If you are hungry or thirsty, you'll most likely notice cafes and restaurants. If you are interested in architecture, you will likely notice buildings and be able to recall them in better detail than someone else, say, just looking for a cab. If you're scanning a guest list for your name, you are not likely to notice names with configurations different from your own. If you're looking for a friend in a crowd with brown hair, you will not focus on people with any other color of hair.
If I am walking into my friend's house for the first time, I don't need to know what color their front door is—that's rarely served me before. Thankfully, society went with using street names and numbers as a way to identify house positions and not the color of the houses and their parts. If we'd have gone the other way, my brain would've been taught that color and hue were the important details to observe and remember as they relate to homes, which is the key here: you can re-teach your brain what is important to notice, especially relating to engagements. In other words, you must use your limited resources wisely and to attend to those features that are most important. It might sound counterintuitive that the best way to train yourself how to observe efficiently is to learn what to ignore. But you must build up this skill over time.
In building observation as a skill, and a sort of ‘‘muscle,’’ there is good news: you literally can't do it wrong. Observation is in the eye of the beholder, after all. However, the areas that may serve you best to build up and train on, specifically for AMs, would be as follows:
If information is what forms intuition, there must be a heavy connection between observation and intuition. However, there's another variable in how we calculate information and come to a conclusion: enter heuristics. Heuristics are mental shortcuts; they aren't guaranteed to be logical or rational, but they help a person reach a decision. They reduce cognitive load and can be effective for making immediate judgments. The downside is that they can result in irrational or inaccurate conclusions.
Heuristics are quite useful in making quick decisions. Heuristics are based on simple logic that is self-evident. But self-evidence isn't always accurate and comprehensive. For example, imagine your doctor used only heuristics to diagnose you. You go in with symptoms that include fever, chills, headache, fatigue, muscle and joint pain, and swollen lymph nodes—these are symptoms all pretty common with the flu. But actually, you have Lyme disease. Your doctor cannot (and hopefully does not) use only what is empirical evidence to reach their diagnoses. Other types of information are also critical—the observation of data, like blood tests, for example.
In the early 1970s, an alternative theory proposed that people use heuristics instead of rationally weighing relevant factors to make judgments much of the time. An example of a heuristic-based judgment is the now famous case of “Linda,” originally documented by Amos Tversky and Daniel Kahneman (1982, 1983) in their paper, titled, ‘‘The Conjunction Fallacy in Probability Judgement,’’ published in the Psychological Review in 1983, volume 90, number 4, page 229). When participants read a paragraph about Linda (in italics below), the vast majority fell prey to an error.
Around 80 percent of people thought that the first statement that followed the paragraph was more likely to be true than the second. This cannot be, though. The first statement cannot be more probable because it includes the second. The supplementary information is not aligned in any way with what we first read about Linda. The probability of the first statement is ranked higher than the second simply because it is more similar to the given description of Linda. This is what is called the similarity heuristic. Most of us use this sort of method to judge, rather than our knowledge of probability. It turns out that statistical analysis is a mysterious thing to most folks.
However, this is not to say that heuristic diagnosis is not valuable. Using heuristics can be an intellectual skill. The ability to determine in environments what is likely, even if you don't have all of the information, can be a massive help. But why do I say this? Why show you that heuristically thinking is flawed only to pivot and show you it actually has value?
Two reasons: The first is that, using any type of heuristic as an alternative to logic and reasoning, should not be tolerated. There is room for this mode of thought, but it should not be your standard. The second is that there are times as an attacker that you will have to rely on heuristics. For example, in the story I told you earlier about the Manhattan bank I was trying to get into, I used the available heuristics to determine that no one would see me sucking in my tummy like a circus performer as I bypassed the security turnstile. The self-evidence I was using told me that no one was around—I heard no footsteps or voices, or any movement at all. And glancing over the upper walls and ceilings made me think that no security cameras would capture me in the act. Using this mode of thinking as a standard can be hard to get out of for some people. Logic and reasoning are not the most natural modes of thought for everyone. However, there's one good exercise to use to learn if you're using heuristics: ask yourself if the evidence you're seeing would stand up in a court of law. I could not have gone into a court and categorically stated that there were no cameras around. I could only say that to the best of my knowledge and based on empirical evidence, there appeared to be no cameras around.
To reiterate, using heuristics is advantageous when finding an optimal solution through reasoning is either impossible or impractical, such as when in a time crunch, or when faced with a decision for which no data is available or the data is thought to be heavily flawed or skewed.
Intuition refers to our ability to know or understand something without reasoning or proof, also known as a gut feeling. Some athletes exhibit levels of intuition that are beyond all reckoning. In Major League Baseball, for example, a pitch takes less than half a second to reach home plate, but a batter cannot afford to wait that long to put their body into action. The player's muscles, nerves, and brain manage to work together to hit the ball in an astonishingly short amount of time.
Once the ball leaves the pitcher's hand, it travels at around 85 to 95 mph, taking only 400 to 500 milliseconds to reach home. Information about the pitch—its speed, trajectory, and location—takes about 100 milliseconds, or a tenth of a second, to go from eye to brain. It takes another 150 milliseconds for the batter to start a swing and get the bat over the plate. This leaves about a quarter of a second at most for the hitter to decide where to swing the bat. This is a form of intuition at play.
Malcolm Gladwell begins his book Blink (Back Bay Books, Little, Brown) by telling the story of the purchase of a seemingly priceless Greek statue known as a kouros by the Getty Museum in Los Angeles. Before purchasing the statue, the museum carried out its due diligence, consulting with scientists and lawyers who all concluded the piece was the real thing after scientifically testing the materials and perusing the documentation. They gave the seller a monstrous $10 million and then took it to show to some art historians and specialists in Greek sculpture. As it turned out, the Getty had been conned. The art experts they'd unveiled this statue to needed just one look to know that it was a fake. An immaculate, giant, smooth, sculptured-to-within-an-inch-of-its-life fake. To confirm, they did not need to test the statue's claim of veracity or spend countless hours studying it. Intuitively, they knew it was a fake right away.
Intuition, reductively, can be seen as the ability to draw conclusions quickly, without the need for deliberation or conscious analysis. High-caliber intuitive conclusions transpire when you can recognize a situation that follows a particular pattern you have seen before, have knowledge specific to previous situations that fit the pattern, or have general knowledge that's applicable to the new situation. So, if intuition is the ability to understand something immediately, without the need for conscious reasoning, how do you get to that point? An art expert didn't exit the womb as such. When was the last time any of you heard of a child who was able to consistently tell a Picasso apart from a Crayola sketch without study?
My position is that keen observation is the underlying and bolstering principle at play in intuition, at least to begin with. An art expert has, for example, seen so much in their specialized field, analyzed, and has given definitive answers on their assumptions so often that they are then able to build that experience into what is recognized as intuition. In other words, years of observing the real thing can make spotting a fake insanely easy.
Another example that showcases the successful use of intuition comes from expert chess players. Chess experts have gone through a process of perceptual learning, allowing them to intuitively recognize chess configurations as units rather than having to analyze every configuration presented during a chess game. Intuition is formed from experience and acute observation.
Because intuition is based on a large number of variables whose relationships are difficult to classify, intuition cannot be programmed, which, in cybersecurity at least, is perhaps it’s most brilliant value. Intuition is personal, and it becomes better with practice and experience. It is something that can be used to your own advantage as an attacker. I suspect that a strong correlation exists between time spent ethically attacking and increased intuition. Responses become more automatic as less concentration is required for technique. When needed, an automatic response during a crunch-time scenario will improve your performance. Overthinking due to nerves or anxiety will cause your AMs to slow down, so improving the skills of your offensive attacker mindsets (OAMs) and defensive attacker mindsets (DAMs) will also refine your intuition capabilities.
However, without years of experience or a specialized background, your intuition alone cannot be trusted. You will have to build it up over time. Attackers with a strong mental game are better at quickly dealing with those unexpected moments, disallowing them from detracting from their focus. Again, I arrive at the conclusion that mental games of chess played with information you have about an attack will result in easier successes and improved agility and intuitive moves. Nothing will beat experience itself, of course. You can get this from capture-the-flag events (known as CTFs), lab practice, hypothetical attacks, and real jobs. For a list of known resources, see the notes section of this book on its website (www.theamsbook.com).
Using reasoning and logic above heuristics and intuition is more resource intensive for the brain. Also, most of the problems that you will face in a day are not mathematical or logical in nature. However, reason must be employed when the stakes are too high to rely on using intuition alone and where data is available.
Most recently at Social-Engineer LLC, where I currently work, we intuitively agreed that we faced an insider threat. All of the signs were there. For example, the employee was accessing information without any explicable need and downloading it. The employee had a growing number of devices and locations with access to sensitive data. They were voicing disagreement with coworkers and were performing poorly, connecting with clients out of band and working very odd hours. Intuitively, they felt like an insider threat. It turned out this person wasn't. But it felt like they were. To usher the feelings we had to the side, we looked at all the facts, and the person was just not performing. There was no malicious intent or threat. A balance has to be struck between intuition and reasoning—guessing and parsing the data—a lesson I later discovered in a revered Manhattan bank. Let's jump back to that New York skyscraper and pick up where the story last left off, first taking a look at something you can never plan for: luck.
No one ever said an element of luck is not involved in attack execution. Two in a row is something to be marveled at, though. That the man I'd hitched a ride with was a bank employee—that's luck checkbox number one. Luck checkbox number two was a direct result of that: as I walked around the 35th floor, nodding to people as if I was their coworker and this was not the very first time they were seeing me, I happened across an empty desk. It had only a few things strewn across it, but among them was a sight so beautiful, wonderful, and surreal that I almost choked on my own happiness. A key card sat there, on its back, looking up at me as if it no longer wished to be alone. I scooped it up, slid it in my pocket, and listened for any sounds that signaled a change in atmosphere. My peripheral vision seconded this analysis; thankfully, no excuses were needed as to why I was hovering around an empty desk, slyly snatching things off it. No one had bothered to look up—which, looking back, is probably luck checkbox number three. I would like to amend my earlier statement: no one ever said an element of luck is not involved in attack execution. Three in a row is something to be marveled at, though.
I moved through the office, completing a loop that ended back at the turnstile I'd very recently circumvented. I looked at the gap I'd slid through only minutes before, thankful I didn't have to do it again. Tucking your pelvis in and squashing your own butt down is an odd activity to do once in a day, never mind twice. I simply swiped my way to the 38th floor, never looking back. I stepped out of the elevator onto the floor I'd been assured I'd never make it to. A sense of smugness that should be punishable filled my body. And it was; that feeling was, in the end, my downfall.
I fell into my most used character—comfortable with her surroundings, with the air of “I have a right to be here” about her. A group of men walked toward me, chattering among themselves. Ordinarily I would only nod at them or smile ephemerally. Talking with a group that's all one gender intuitively feels like a bad idea, as the opposite gender in a group of one. However, I was still high on smugness, so I went against my own intuition, reasoning, and logic and talked to all of them at once. My apparently new and strong idiocy allowed me to start the conversation with the stellar salutation of “Hey!” I said it to the whole gaggle of men, now only feet away from me, apparently attempting to stop all of them in their tracks. I continued with the equally brilliant “Where's the CFO's office? I have papers for him!” I lifted the briefcase up a little as if it were some sort of proof.
Fail 1: I stopped a whole group of men with no good reason. There are name signs on the doors. I could've looked for the office or asked one person.
Fail 2: I told them what I was there for. They didn't need to know, and I left myself with negative ability to pivot. When already in and you are instigating interaction, let people ask. Don't just tell them everything. You will paint yourself into a very tight corner.
Fail 3: Let's pretend the CFO's name was Jeff. Well, Jeff's voice came from within the gaggle and said pretty abruptly, or at least that's how it hit me in the moment, “I'm Jeff. I am expecting no papers.”
Gulp. Idiocy and smugness are a bad combination.
Inanimate objects and large, mainly unchanging environments are one thing, but observing and understanding people is another skill entirely. When we perceive the stakes as high, most of us zone in on what we believe we should look for—situations like interviews, first dates, first fights, watching politicians on TV or attempting to work out if your other half is lying to you—for these, we wake up, take in more, and base a lot on our findings. Unfortunately, most of us also tend to slack off during the everyday interactions. Nonverbal communication, though, is our most honest and reliable way of transmitting information—even that which we might not want communicated. Therefore, having the base knowledge and tools to understand it are of the utmost importance as an attacker. First, let's sort out some myths of body language and nonverbal communication.
A friend, Friend, mentor, and former FBI agent Joe Navarro tells me that there's no standard for catching a lie. A person's eyes glancing to the left, nose touching, and fidgeting are myths of deception. As Navarro says, not all throat-clearing and arm-crossing indicates something. He refers to these actions as self-soothers, the things we do to pacify ourselves in stressful moments. In fact, there is no silver bullet for detecting a lie. You can only detect comfort or discomfort, but that can lead to catching someone in a lie. Holistically, though, this topic of deception detection has very serious consequences. Historically and even recently, people have been tortured, prosecuted, and even executed when those in authority deemed them to be lying or complicit purely based on their body language. There's a large price to pay for wronged individuals because of the perpetuated myth that we, as humans, can “see” lies. With that myth now, hopefully, busted for you, let's look at the 10 commandments Navarro gives for observing people that will ring out the most information. They directly align with observing people as an attacker:
Another point about observing and making inferences on body language is that patterns are often idiosyncratic, so you may have to observe someone for a while, find their individual tendencies, then make assumptions and predictions based on those. This is known as capturing someone's “baseline.” If you're not paying attention and observing, you may miss these baseline behaviors, and so your chance of decoding someone's behavior as it pertains to you and the environment will be gone. To know if someone is showing comfort or discomfort in your presence, consider their baseline before your interaction where circumstances allow. This is where self-awareness can be used as a pliable, powerful tool. Being able to literally see how you are affecting someone gives you the chance to subtly readjust, and they will most likely adjust with you, consciously or subconsciously.
Very broadly speaking, there are two types of self-awareness. Internal self-awareness speaks to how you see your own passions and morals—how you see yourself fitting with your environment and your reactions. It also helps you see your effect on others. External self-awareness means being able to understand how other people view you. If you can see how you might be affecting someone—what they may think of you and what you have done or are doing to lead them to that conclusion—you can then influence them to your own benefit and for the benefit of the objective.
Self-awareness is a staggeringly complex topic, so I have chosen to lace it throughout this book rather than confine it to one chapter. Self-awareness used with observation is powerful; it will let you see your effect on someone, and it will allow you the opportunity to influence someone subtly through your own body language, nonverbals, and all of your communication. Self-awareness used with observation is just as important as self-awareness used with interaction. You have to be able to look at someone, a perfect stranger in most cases, and accept that you do not know them, that their actions and reactions might not be familiar to you or even what you expect. But you must be able to observe and figure out how you are affecting them and begin adjusting your behavior. This encompasses all four laws of the mindset: you must know your end goal; you must be gathering information, at this point on the person who stands between you and your goal; you must keep yourself disguised as a threat; and you must use the information gained from observing and/or interacting for the good of the objective.
I often analyze people based on appearance—after all, you will likely never know if you are right or wrong about someone if they remain a stranger. You can use observation to take mental notes on your target, and it's a good way to build mental stamina, with others as the central focus. It's also a good way to satisfy your curiosity.
The caveat is that for many of the items I'll list, you will need a baseline to be accurate. A baseline is a state of behavior—essentially what is steady behavior for a person as you observe them. It serves as a standard against which to compare changes in behavior. Baseline behaviors include how people sit, where they place their hands, the position of their feet, their posture, and their facial expression. Establishing someone's baseline behavior allows you to determine when they deviate from it. Often sudden changes in behavior can be revealing.
An example of a baseline change might be the stillness that comes over someone as they are asked what they perceive to be a difficult question. If they are normally prone to fidgeting and animation—if that is their baseline—it will be easy to note when they become still.
People often employ pacifying behaviors, too. We use these to calm ourselves—touching our necks and touching our beards may help us calm down if we feel uncomfortable. As you now know, there's no one single behavior indicative of deception; there is no Pinocchio effect. There are only behaviors that are indicative of psychological discomfort or comfort. Someone sitting with their arms crossed doesn't signal anything other than a comfortable position if they sit like that every day. However, imagine a woman sitting on a bench in a park. You are observing her from a safe enough distance, and she doesn't appear to have noticed you. She seems calm and relaxed. However, a man sits on the same bench as her and she immediately crosses her arms tightly at her womb and scrunches up her shoulders. You can assume these are signs of discomfort given her baseline as you previously observed. Now imagine that man gets up and walks away, and the woman visibly relaxes. A few minutes later, another woman sits down at around the same spot the man did, and the woman makes no changes to her seemingly relaxed position. I can't categorically state that the woman doesn't like men or that she has any problem at all with men. But I can make some level of inference. I could infer that the first person who sat down startled her or that he reminded her of someone else. Ultimately, I know what changed, but I do not know why it changed.
Cultural norms and baselines have to be taken into consideration, too. For example, although the New York accent is really a pool of accents drawn together in large part, from the Italian, Jewish, Jamaican, Puerto Rican, Dominican, Irish, and hip-hop communities, New Yorkers speak very fast and are known to drop consonants (hence “talkin'” versus “talking”). There's a baseline indignation to the talk. And they are often emphatic in their delivery.
Finally, not every observation needs a baseline. You can just look at someone's nails to know they chew them. You don't have to see them stop or start doing it. You won't always know why someone changed their baseline behaviors, but if you are observant enough, you will know what changed and be able to adjust your own behavior if necessary to accommodate the situation and your goals.
So as you've seen, there is value in learning to be a competent observer of your environment.
When beginning this exercise, I look at the person's overall demeanor. Usually, I analyze their stance for this, quickly followed by the general emotion shown on their face at that moment. From there, given the chance, I make notes on their appearance from head to toe, including perceived age, clothing, how engaged they are in their environment, and from there, I can make inferences.
Now, it's important to point out that it doesn't matter if all of these extrapolations hold true or not—it's good for both mental agility and decision processing and making. However, if you are standing in front of a target analyzing these things, some of them may prove vital in deciding your next move—especially the latter four listed. These can show if you have appropriately engaged the target and, potentially, their internal emotional state.
Let's return to the earlier example of the security guard. If he appeared unkempt and somewhat disinterested, I would quickly assume he didn't care that much about his job, and it would help me talk to him. I'd be far more casual than if the opposite were true. But I would absolutely validate him by talking with him in such a way that he understood I was happily giving him my time. This could be accomplished through RSVP: rhythm, speed, volume, pitch. These four things, given only with my voice, could help me build rapport with him on a personal level, hopefully compelling him to act upon my wishes.
However, if the security guard looked straight at me, unwaveringly, without a normal blink rate, with his whole body pointed at me after I've just explained my need for access, I might poise myself to be asked a rather probing question. This sort of follow-up body language could mean he is looking for more information about me: he remains unconvinced. Of course, this is impossible to say without a baseline and should be taken as an example only. But observation over time will help you parse body language and nonverbals proficiently.
Observation is a core underpinning of gathering and processing information. Seeing is not observing, and traditional observation is not the same as the type needed for use by an attacker. AMs observation is a rigorous activity. To become effective and efficient at it, you have to train your attention as an attacker, learning to focus on relevant features and disregard those that are less noticeable. Your brain is already taking them in. One of the best approaches is through the old-fashioned practice of taking field notes: writing descriptions of what you see in a given moment. Try taking notes with a limited word count or with limited paper real estate—this will force you to make decisions about what's important and what's not. You might also consider keeping careful records of your observations, quantifying them whenever possible.
As an attacker, you must actively engage your curiosity: organize and analyze what you see. Although we all want to type queries into Google, hopefully getting an answer that aids progression in an engagement quickly, we should all be able to synthesize and interpret the material we find ourselves emersed in. This is an essential capacity needed to navigate attack life cycles and become a brilliant attacker. You might want to Google the exit points for a building, but if you saw a line of employees to the side of the building as you pulled into the parking lot, you could then infer that an exit (or entrance) is close to it.
A high capacity for observation will also allow for the detecting of patterns. Combining that with your experience is what allows you to predict what happens next, which is another important skill as an attacker. For instance, knowing that the security guards' shifts cross over at 7 a.m. allows you to predict the best entry times (between 6:55 a.m. and 7:05 a.m.), the best exit times, and, if burned by one, when the best time to try again. It also brings into play mental agility once more; you might have intel that had led you to believe one thing, like the back entrance is to the back left of the building, only to get there and see a much better ingress opportunity.
Think of it like learning to drive: you get the mechanics of driving down, but actually reading the road is what keeps you safe. You start to understand typical road patterns and on-road etiquette. The more you observe of the world and people, the better you become at detecting patterns. Subsequently, you get better at predicting what will happen next and, invariably, the better attacker you will become.
Lastly, ordinary members of the public, and indeed the typical workforce, use observation to collect information and then move on; AMs urges you to return to observing again and again, engaging in the cycle of observing, recording, testing, and analyzing many times over. It's a lot more work than just looking, but it will help you hone attacker offensives and build intuition for those times when reasoning is too costly.
Tversky and Kahneman did not suggest that every judgment we make is made intuitively or via heuristics; they theorized, and arguably confirmed, we have a strong tendency to use intuitive processes to make many judgments. Kahneman claimed judgments are made from two different systems. One is intuition, regarded as quick, automatic, and implicit. It uses associated strengths to arrive at solutions. The second system is reasoning, considered to be exacting and deliberately controlled. If no intuitive response is accessible, then reason will be used to arrive at judgment. Steven Sloman, professor of cognitive, linguistic, and psychological sciences at Brown University, once stated that the systems work hand in hand as “two experts who are working cooperatively to compute sensible answers.” You can find more on Sloman in the notes section.
No matter how you train your brain and what happens in any one isolated incident, this observation and analyzation process allows you to pay more attention and witness more of the world. The real challenge is deciding what to explore in observation and what to disregard. To practice, you might choose to observe your immediate surroundings each day—people, too—letting your brain note all the small things you rarely take into consideration and studying them with a renewed sense of curiosity.
There is one other key to observation: how you will be observed as an attacker. You now know as much as I do about how the brain observes its surroundings. You should be able to use this knowledge against your targets. The best analogy I have involves magic. Magicians don't actually make things disappear or conjure changes out of thin air. Instead, they engage in actions that misdirect our attention. As an attacker, in phishes, in vishes, and when attacking in person—and this applies to pentesters, too—there is a similar situation at play: you are creating an illusion, which ultimately is your pretext, that redirects the target's attention. You want them to observe the illusion you are presenting, the details you have thought out, and the narrative you're painting for them. You are using their narrow field of observational capacity against them. I will cover this topic further in Chapter 8, “Attack Strategy.”
Critical thinking is a rich concept, but because of this, its operational definitions don't yet exist in a concise or cohesive way in literature. It has a definition, of course, but just saying that it is the ability to “use reasoning, applied logic, and to make judgments” is lacking, more so in the context of AMs. This definition, or any slight variation of it, probably won't serve us in taking critical thinking from the abstract into our arsenal. Critical thinking has also become a recognized construct in philosophy, education, psychology, and professional services. Unfortunately, its existence in those fields only serves to more greatly fragment what are considered to be its core functions. But as an attacker, you must have a working knowledge of critical thinking and know how it pertains to your specific field. Information processing is where critical thinking and AMs meet. Information is the lifeblood of the attack; using reason and logic against that information is often all that stands between you and success in an attacker situation. Critical thinking has to go hand-in-hand with mental agility, which is the ability to apply information successfully to your circumstances and objective.
To successfully understand critical thinking as it pertains to you as an attacker, let's return to our chess model. In chess, visual memory, attention span, and the capacity to predict and anticipate consequences are used to evaluate alternatives. That all sounds a bit fancy if you don't play or understand chess, but ultimately it boils down to this: all of that is demanded from each player because of the objective of chess. The name of the game is to checkmate the opponent, leaving them no legal way to remove their king from attack. The same is true when predicting and executing an attack: you must be able to think through your moves and their possible consequences (ensuring you're keeping the end in mind); you will have to be able to maneuver through the conditions set out for you, too (the scope). Just like the objective in chess, you use your objective in the attack to drive your decision-making at all times, aiming to checkmate the target, although typically without them knowing. And never leave yourself at risk, which is most often achieved with a solid pretext.
Sometimes you will have to make rapid decisions where extensive critical thinking is not an option. Other times, you will have weeks or even months to apply critical thinking skills. Critical thinking is an important part of performance. Mentally manipulating information to make effective decisions requires two things: the first is information; the second is the ability to evaluate it and arrive at a decision or result. This makes thinking critically seem like it's just the simple processing of information (found or given) and arriving at a conclusion, and I suppose that covers a big chunk of it. In any case, critical thinking is, to me, ultimately how you as an attacker judge something. It is you who assigns weight to the items you are judging. Robert Ennis, one of the leading researchers on critical thinking, believes critical thinking to be “reasonable, reflective thinking that is aimed at deciding what to believe or whatto do.”
Deciding what to do as an attacker has two parts. First, you have to know why you're doing what you're doing (or trying to do), which is law one of the mindset. Then you have to decide how best to achieve that end state or goal. So, critical thinking is applicable whenever you're trying to decide what to believe or what to do. Thinking critically about a question or problem is likely to lead to the right answer or solution. By thinking critically, you increase your chances that your beliefs will be true and your actions effective. As David A. Hunter says in A Practical Guide to Critical Thinking (Wiley, 2nd edition, 2014), “Thinking critically may not guarantee that you get the right answer; but a good case can be made that unless you think critically you will get the right answer only by luck, and relying on luck is not a wise policy.” Both Hunter and I are in agreement about the following, too: critical thinking has more significance and substance than just being close to truth. Critical thinking is also freedom. Making up your own mind about any action is essential in every aspect of life and in every aspect of being an ethical attacker.
Here is another high-value benefit of critical thinking: there are times when you find or receive information that is either incomplete or unreliable. Evaluating its quality becomes paramount for competent decision-making. This happens in the OSINT phase of a job and in real time as you enter an environment.
The popular rehashing of Helmuth von Moltke the Elder's concept states that “No plan survives contact with the enemy.” Believing this to be true, then critical thinking in the moment is more important than critical thinking in planning. In other words, engagements rarely occur in accordance with the original plan. To be clear, this isn't me advocating on behalf of critical thinking being punted in the primary stages of an engagement; rather it's the opinion that both matter—thinking critically in terms of the plan and critical thinking in terms of pivoting. In other words, in-the-moment critical thinking will matter in any case; critical thinking in planning will only matter if it all goes to plan. It. Rarely. Goes. To. Plan.
It is of the utmost importance to note that critical thinking in physics is different from critical thinking in design or security. The standards and methods differ from one discipline to the next, but there is a fundamental essence of critical thinking that remains the same across all disciplines: you're using reasoning above all else to arrive at your outcome.
Being able to think through information and taking it in order to analyze it is a skill in which the process is invisible, but for which the outcome is astoundingly valuable and often seen by everyone. This is critical thinking: an invisible process with a detectable outcome.
Critical thinking, for me, goes like this, whether I'm pressed for time or sitting with an abundance of it: I fast-forward to the end goal (spoiler alert: I live for law one). For clarity, that end goal might be just a building block of the overall objective (the vector), like getting into an elevator in a secured building. But it also might be the core objective of the attack (the arc). This is vector versus arc, and both exist in tandem as you are actively attacking a target. You care about the main objective, and you are always working toward it, but you may have to break it down into smaller chunks to achieve it. Knowing both exist and having each matter to you simultaneously will help steer you to short-term and long-term success, even if the two aren't aligned completely at all times—like getting out of an elevator on the 35th floor when you need to be on the 38th in a rather secure building.
There is another school of thought that considers critical thinking as the ability to scan the environment and create solutions for complex problems or barriers. Pushing both of these philosophies together is probably the closest to a well-rounded description as is possible to get of critical thinking in conjunction with AMs. Smashed together as such, critical thinking can be thought of as the ability to identify a problem and solve it using logic and creative reasoning. Critical thinking is the intersection of visual memory, attention span, and the prediction of consequences coming together to drive decision-making.
Rounding off this concept of vector versus arc or short-term versus long-term actions and goals, you can think of it like this: similar to seeing the situation from a bird's eye view instead of a path, the arc is the whole picture. The vector is a step to get there. The arc is the focus on the outcome; the vector is the shorter steps to get there. Both are needed to get the job done.
Critical thinking, defined as the intersection of visual memory, attention span, and the prediction of consequences coming together to drive decision-making, is lacking in today's world, possibly because information is so readily available to the general population without much need or motivation to check whether it's valid. The same is true of students in large part because of how the education system is set up. Academically, critical thinking as a skill is deficient because education in nearly all forms traditionally relies on the collection of content knowledge. This approach neglects to teach the reasoning skills that can process such knowledge. In short, education and training may not have kept up with changes in skill demand for today's society where problem solving and analysis can often outplay status quo beliefs. Your job as an attacker isn't to collect information—your job is to process it, weaponize it, and leverage it.
This brings us to the overlapping topic of critical thinking in the professional workplace. “Critical thought” is—annoyingly—a trending buzzword in workplaces the world over at the moment. The concept of it is fashionable and desirable in professional offices but almost certainly being conducted in the antithesis of its core role; being told to critically think to reach some arbitrary conclusion under the guise of critical thought by your superiors, teammates, or any other faction within your working environment is the great suppressor of critical thinking. What you are being told to do is perform a culturally subjective analysis. I am against this in its entirety. If you have gotten into the habit of this and think that your critical thought should lead you to the same conclusions as those of your peers or coworkers, you may have to work to shed this habit. Organizations can thrive through this sort of cultural shift.
Company culture is a large talking point. Culture is not something that can be designed, per se. A company's culture is the byproduct of consistent behavior; it is what a company's employees (of all levels) do consistently. It is not what is written in the company's handbook nor what is touted through the intranet or at staff meetings. It is, simply, how employees interact, are treated, and behave most often. This is important to note if you are an “in-house” red teamer or attacker. You cannot and should not be expected to operate under the same cultural expectations and restraints as a regular employee. You should not be concerned with the company's culture at all unless it serves you in terms of social engineering and aligning your persona with what is typical within the company.
To me, the job of the employer is to give information and be willing to consider your evaluation of it. Your job is to present your analytical findings in a professional way and to take critical feedback that definitively exposes holes in your thinking. All workplaces should foster critical thinking abilities in this way, because alternative thought has the potential to be the greatest defender in environments where individuals, facilities, and critical infrastructure face a heightened risk of attack or downfall due to outdated methodology and ideology.
Self-branded, useful critical thought can make you valuable to those who want to hire you: you do not think like them culturally; you are not predictable because of the organization you work for.
To get to the bottom of critical thinking and how to use it as an attacker, you might find it helpful to conclude whether you are an episodic or dispositional critical thinker. Episodic is a state or process that's limited in time; dispositional critical thinking is a tendency to behave in certain ways most of the time. In any case, the same skills are required, but for those of you who identify as an episodic critical thinker, a prompt may be necessary to kick you into gear.
Critical thinking is heavily related to problem solving, but that is not its only function. Critical thinking is a process that serves many other cognitive tasks such as inference making, evaluation of information and sources, and reasoning. Also, critical thinking has some connection with heuristic analysis. In cases where there is poverty of information or something is completely novel, critical thought may defer to heuristics. Critical thinking skills also involve the unbiased extraction of information from text done through the dynamic process of questioning and reasoning. Critical thinking also encompasses forming and testing hypotheses. The skills have been categorized into four types: interpreting, reasoning, assessing, and monitoring. One of the greatest uses of critical thought is decision-making.
Critical thought serves decision-making because it allows the evaluation of information. In the applied setting of AMs decision- making, forming models of your own actions in regard to target decision-making, then using those models to develop proactive, predictive, and reaction plans, can improve the accuracy of your assessment of engagement situations. This speaks to the mental model of chess, which we have discussed throughout. In performing this game of mental chess in your mind, making up scenarios based on possible happenings and reactions you might come across on an engagement will help build mental agility and, over time, improve their accuracy.
Critical thinking will eventually turn into a type of intuition. After all, critical thinking is using analysis and evaluation to make judgments, which is the purpose of your intuition. The key difference is that critical thinking is the objective analysis and evaluation to form a judgment, whereas intuition bypasses that, at least on a conscious level.
Intuition is not based on linear, logical thinking. It is a momentary gut feeling instead of a logical choice. Logic is encompassed within critical thinking, which we have talked about at length now. Problem solving is also a part of critical thinking. In the field, you will come up against a great many problems, and you cannot force your way through or out of everything. There is another, and at times functionally overlapping, type of thinking that can greatly aid problem solving: nonlinear thinking. A nonlinear thinker tends to have a multitude of separate thoughts that somehow interrelate—a sort of ability to free associate. They can find connections between seemingly unrelated thoughts and things, then present them as if they are completely logical. This type of thinking can be extremely useful and can greatly engender creativity.
In a strategy meeting or planning meeting with your team, brainstorming sessions that result in everyone pouring out their ideas, fueling yet more ideas and solving the problem, is an example of nonlinear thinking. Asking open-ended questions in an attempt to solve a problem is another example. In the field, asking targets of the environment a question like “I'm new here. How do you request a new badge?” is an example of nonlinear thinking. You might not need one, but you will be able to pivot in any case.
By contrast, the thoughts of a linear thinker tend to form a line, meaning that at any given time, it is obviously that one thought leads to the next, then to the next, and so on. The implicit assumption in referring to somebody as a linear thinker is that the thought process is easy to understand, and that the conclusions seem logically sound. There are pros and cons to both. For instance, linear thinkers are good in subjects that work on cause and effect. But there is a danger in relying too heavily on logic. The danger is related to where you start. Once a starting point is chosen, there are reduced numbers of logical conclusions to any given problem. There is immense beauty in logic; it allows us to reach an answer from a given starting point. Unfortunately, relying on one starting point can prevent you from finding a more beneficial answer in some situations.
For example, imagine trying to get over a nine-foot smooth wall with no ladder or ropes. You might try many ways: running, jumping, and aiming to catch the top of the wall. But what if you were so seized by that logic and starting point that you forgot you could probably dig under it? This example is simplistic, but it features what is often a linear thinker's downfall: the inability to be agile once a direction is set. Logic says that you have been tasked with getting over the wall (the starting point), and it pushes you to do so with all the ways you can think of. Rigid thinking isn't always a bad thing, but it shouldn't be used at the expense of creative thinking for long if the results aren't in your favor.
The pros of nonlinear thinkers are that they are good at grasping abstract subjects and, importantly, creatively solving a problem, something often required on an engagement. As an example, on a job in 2020 for Social-Engineer LLC, my team successfully snuck a petite-sized human down a trash chute and into the kitchens, which were one wall away from the SOC, which was accessible through the roof of the chef's bathrooms. I picked up on the scent of that route by pushing my phone camera through the bin hole and filming the inside. The assumption was that they must go somewhere. Upon reviewing the footage, we could see light at the other side of the bin encasement. We had tried to get in the door for hours before that point. Logically it made sense. It was the only door we could get to at that point; we had tools to get past the lock, but we couldn't. We kept trying, though, because we did not want to give up. Trash chutes are unrelated in our minds as access to a room. Nonlinear thinking banishes those restrictive thoughts.
Critical thinking is an important part of performance. Mentally manipulating information to make effective decisions is possible with access to information and accurate evaluation of it.
As the name suggests, and as we have seen, nonlinear thinking is not thinking along straight lines or in a sequential manner. In nonlinear thinking, we make connections among unrelated concepts or ideas. Nonlinear thinking can expand in multiple directions, rather than in one direction, and count on the probability that there are multiple starting points from which to apply logic to a problem in order to solve it. Nonlinear thinking is less constrictive but not wholly less structured.
All of these types of thinking are important. AMs relies on thinking outside the bounds of what is average. The real power is in knowing when to use each of them or when a combination of types might be used. For an attacker, logic is best used when you have time and information. Reasoning should be used wherever you can employ it—either creatively or logically.
Sufficient observation to arrive at an outcome is key to a successful attack. One of the challenges you'll face as an attacker is to observe in a way that is not conducive to everyday living. To do this, you must learn how to parse visual and auditory information efficiently.
Critical thinking is purposeful and deliberate cognitive processing and serves other higher-level tasks such as decision-making. You must do so without the burden of cultural pressure from your workplace or peers.
Nonlinear thinking does not equal chaos. An attacker's mind is geared toward precision. Understanding it in this way will pay dividends.
All types of thinking eventually intertwine with mental agility, which is a fancy way of saying “adapting” and means that you take the information and successfully apply it to your circumstances or objective.