Probably one of the most interesting concepts in cyber security is the attacker mindset. Somehow this magical way of thinking allows security researchers to look at a system and “see” vulnerabilities.

The attacker mindset is the frame of mind from which a hacker, security researcher, or adversary approaches a system.

This sounds pretty general, and it is. The mindsets that mathematicians use to tackle a problem, that chess players use to build their strategy, that lawyers use to find loopholes, and that hackers use to find vulnerabilities are pretty much the same.

On this page we’ll focus on the attacker mindset in security research.

Models

It’s difficult to capture the essence of the attacker mindset. So instead I’ll formulate a couple of mental models and ways of thinking that lend themselves to the attacker mindset.

Challenge Assumptions - Identify the assumptions that you make when reviewing a system. Furthermore, analyse the assumptions that you believe the developers have made. Challenge those assumptions and ask “what if …”. Lots of vulnerabilities are caused by wrong assumptions.

Assumptions can be made for various reasons:

  • Ignorance of the crowd
    • The opposite of the wisdom of the crowd: commonly held beliefs are not always true. The effects of trusting something because “everybody uses it so it must be secure” are devastating.
    • Even when the crowd is right, specific circumstances can often still lead to unforeseen consequences.

Murphy’s Law - Assume that everything that can go wrong will go wrong. What failures would have the most disastrous consequences? For an attacker, this identifies the most interesting elements of a system.

A system often has components that have more pervasive effects than others. It’s worth looking at the downstream and emergent effects that failure of one component has on the rest of the system. A flaw that seems minor when viewed in the context of a single component might just cripple the system overall!

Practices

So how does one attain the attacker mindset?

I’m not sure that this is the right way to go about things. I believe the attacker mindset is like a muscle: you use it or lose it. Because of that, I don’t think there is a simple set of steps that will get you there.

Instead, I would like to focus on two things.

  1. Kickstarters - Things that help you get on the road.
  2. Practices - What you do to maintain and build the attacker mindset muscle.

Kickstarters

Recognition - Understand how other security researchers apply the attacker mindset and recognise when your own brain takes you down adversarial pathways. Double down when this happens!

Adaption of core tenets - Read this page and what others have written about adversarial mindsets and follow the tenets you’ve found in their writing.

Example:

  1. review your own biases

Deliberate Practice - Intentionally engage in activities which require the attacker mindset, and review afterwards.

Practices

Hands down the most important practice is actually applying the attacker mindset.

For me, this usually means bounty hunting; for you, it likely involves anything from bounty hunting and audit contests to regular audits.

Regardless of the activity, it’s critical to maintain active reflection and deliberate practice.

Attacker Mindset in Other Disciplines

Some hackers might think that the attacker mindset is something unique to security. I don’t believe this is the case.

Lawyers

I’ve always believed that lawyers aren’t that different from hackers.

Aside from various differences, the core goal of a lawyer is to understand a set of rules to such an extent that they can justify something that isn’t immediately obvious.

Obvious cases do happen, but those arguably don’t require an attacker mindset.

Similarly, a hacker understands a system to such an extent that they can achieve something that wasn’t necessarily meant to be achieved.

One big difference is that everybody agrees that law is law, whereas “code is law” is a more contentious topic.

Debaters

Debaters are another interesting example of people who have adopted an attacker mindset.

  • How to Solve It - G. Polya