The Art of Attack
Description
Take on the perspective of an attacker with this insightful new resource for ethical hackers, pentesters, and social engineers
In The Art of Attack: Attacker Mindset for Security Professionals, experienced physical pentester and social engineer Maxie Reynolds untangles the threads of a useful, sometimes dangerous, mentality. The book shows ethical hackers, social engineers, and pentesters what an attacker mindset is and how to use it to their advantage. Adopting this mindset will result in the improvement of security, offensively and defensively, by allowing you to see your environment objectively through the eyes of an attacker.
The book shows you the laws of the mindset and the techniques attackers use, from persistence to "start with the end" strategies and non-linear thinking, that make them so dangerous. You'll discover:
- A variety of attacker strategies, including approaches, processes, reconnaissance, privilege escalation, redundant access, and escape techniques
- The unique tells and signs of an attack and how to avoid becoming a victim of one
- What the science of psychology tells us about amygdala hijacking and other tendencies that you need to protect against
Perfect for red teams, social engineers, pentesters, and ethical hackers seeking to fortify and harden their systems and the systems of their clients, The Art of Attack is an invaluable resource for anyone in the technology security space seeking a one-stop resource that puts them in the mind of an attacker.
About the Author v
Acknowledgments vii
Introduction xv
Part I: The Attacker Mindset 1
Chapter 1: What Is the Attacker Mindset? 3
Using the Mindset 6
The Attacker and the Mindset 9
AMs Is a Needed Set of Skills 11
A Quick Note on Scope 13
Summary 16
Key Message 16
Chapter 2: Offensive vs. Defensive Attacker Mindset 17
The Offensive Attacker Mindset 20
Comfort and Risk 22
Planning Pressure and Mental Agility 23
Emergency Conditioning 26
Defensive Attacker Mindset 31
Consistency and Regulation 31
Anxiety Control 32
Recovery, Distraction, and Maintenance 34
OAMs and DAMs Come Together 35
Summary 35
Key Message 36
Chapter 3: The Attacker Mindset Framework 37
Development 39
Phase 1 43
Phase 2 47
Application 48
Preloading 51
“Right Time, Right Place” Preload 51
Ethics 52
Intellectual Ethics 53
Reactionary Ethics 53
Social Engineering and Security 57
Social Engineering vs. AMs 59
Summary 60
Key Message 60
Part II: The Laws and Skills 63
Chapter 4: The Laws 65
Law 1: Start with the End in Mind 65
End to Start Questions 66
Robbing a Bank 68
Bringing It All Together 70
The Start of the End 71
Clarity 71
Efficiency 72
The Objective 72
How to Begin with the End in Mind 73
Law 2: Gather, Weaponize, and Leverage Information 75
Law 3: Never Break Pretext 77
Law 4: Every Move Made Benefits the Objective 80
Summary 81
Key Message 82
Chapter 5: Curiosity, Persistence, and Agility 83
Curiosity 86
The Exercise: Part 1 87
The Exercise: Part 2 89
Persistence 92
Skills and Common Sense 95
Professional Common Sense 95
Summary 98
Key Message 98
Chapter 6: Information Processing: Observation and Thinking Techniques 99
Your Brain vs. Your Observation 102
Observation vs. Heuristics 107
Heuristics 107
Behold Linda 108
Observation vs. Intuition 109
Using Reasoning and Logic 112
Observing People 114
Observation Exercise 116
AMs and Observation 122
Tying It All Together 123
Critical and Nonlinear Thinking 124
Vector vs. Arc 127
Education and Critical Thinking 128
Workplace Critical Thinking 128
Critical Thinking and Other Psychological Constructs 129
Critical Thinking Skills 130
Nonlinear Thinking 131
Tying Them Together 132
Summary 133
Key Message 134
Chapter 7: Information Processing in Practice 135
Reconnaissance 136
Recon: Passive 145
Recon: Active 149
OSINT 150
OSINT Over the Years 150
Intel Types 153
Alternative Data in OSINT 154
Signal vs. Noise 155
Weaponizing of Information 158
Tying Back to the Objective 160
Summary 170
Key Message 170
Part III: Tools and Anatomy 171
Chapter 8: Attack Strategy 173
Attacks in Action 175
Strategic Environment 177
The Necessity of Engagement and Winning 179
The Attack Surface 183
Vulnerabilities 183
AMs Applied to the Attack Vectors 184
Phishing 184
Mass Phish 185
Spearphish 186
Whaling 187
Vishing 190
Smishing/Smshing 195
Impersonation 196
Physical 199
Back to the Manhattan Bank 200
Summary 203
Key Message 203
Chapter 9: Psychology in Attacks 205
Setting The Scene: Why Psychology Matters 205
Ego Suspension, Humility & Asking for Help 210
Humility 215
Asking for Help 216
Introducing the Target-Attacker Window Model 217
Four TAWM Regions 218
Target Psychology 221
Optimism Bias 225
Confirmation Bias and Motivated Reasoning 228
Framing Effect 231
Thin-Slice Assessments 233
Default to Truth 236
Summary 239
Key Message 239
Part IV: After AMs 241
Chapter 10: Staying Protected—The Individual 243
Attacker Mindset for Ordinary People 243
Behavioral Security 246
Amygdala Hijacking 250
Analyze Your Attack Surface 252
Summary 256
Key Message 256
Chapter 11: Staying Protected—The Business 257
Indicators of Attack 258
Nontechnical Measures 258
Testing and Red Teams 261
Survivorship Bias 261
The Complex Policy 263
Protection 264
Antifragile 264
The Full Spectrum of Crises 266
AMs on the Spectrum 268
Final Thoughts 269
Summary 270
Key Message 271
Index 273
MAXIE REYNOLDS is Technical Team Lead for Social-Engineer, LLC, leading their efforts as a physical pentester and social engineer. She is a certified Ethical Hacker, Digital Forensic Investigator, and Social Engineer. She holds degrees in Computer Science and Underwater Robotics and is qualified in Quantum Computing. She has worked as a physical pentester for banks, transport agencies, and other industries.
Elevate your ethical social engineering and hacking skills with a proven set of techniques
Unethical social engineers use deception to manipulate people into doing things contrary to their best interests. Whether this means attempting to discover passwords or gaining access to data, assets or physical locations, they use dishonest techniques to their benefit. Ethical social engineers and hackers, on the other hand, are paid by companies to use social engineering and attacker mindset (AMs) to legitimately probe systems, processes, and people for weaknesses so those vulnerabilities can be addressed, and future damages prevented.
In The Art of Attack, accomplished social engineer and physical pentester Maxie Reynolds delivers an inside look at the attacker mindset, how best to use it and how to defend against it. The book explores the principles of the attacker mindset, including where to start an attack, persistence, non-linear thinking, observation techniques as well as the skills and laws of the mindset. It delves into processes, how to engage in reconnaissance and privilege escalation, and how to obtain redundant access, all without being detected.
The Art of Attack is an invaluable resource for social engineers, pentesters, red teams and anyone in cybersecurity. You’ll learn how to:
- Discover the strategic tools you need to build your attacker mindset, including attack formation, process, recon, and more.
- Utilize the skills and laws of the attacker mindset.
- Detect the unique tells of an attack and avoid becoming a victim of one.
PUBLISHER: Wiley
ISBN-13: 9781119805465
BINDING: Paperback
BISAC: COMPUTERS
BOOK DIMENSIONS: 152.40(W) x 228.60(H) x 20.30(D)
AUDIENCE TYPE: General/Adult
LANGUAGE: English