Picture yourself, as the morning sun streams in through the window.
You look out over the city, taking in the sight of a bustling metropolis before starting on your weekday morning routine: making breakfast, setting out your clothes, and preparing for the day ahead. You feel a rush of excitement – you know a breakthrough is around the corner. When you initially pitched the idea – your idea – to the company, it was met with equal parts eagerness and scepticism. Yet, you are certain you are on the cusp of a new technology. Cutting edge technology. Just those last remaining tweaks needed off your last attempt. Any time now.
Today, Friday, you decide on a change of environment. Some place other than your usual workspace to kickstart inspiration… and a chance to get away from the constant distraction of your colleagues. You decide to take advantage of the unusually warm winter weather, and set out for a quick stop at the office to collect your laptop, followed by a short walk to your favourite coffee shop, where you would spend the morning fine tuning your idea. Somehow everything falls into place today, and the words practically write themselves while you wrap up your proposal. You congratulate yourself on your decision to have that flat white which somehow tastes just a little bit nicer today than usual. You stroll back to the office. It was going to be a wonderful weekend.
The following Monday, you wake up to a barrage of missed calls and texts. Your company is the top story in the morning news, the details of your groundbreaking project spread out for the world to see. You are summoned into meeting after meeting, call after call; everyone, not least yourself, desperately trying to make sense of how to respond to this crisis, trying to understand: how could this happen?
We often think that we are secure – our systems and data protected from malicious interference and disruption. Our laptops run the latest anti-virus software. Our networks have state of the art intrusion detection systems. Our buildings are locked down with strict access control. And our staff are well trained to spot phishing attempts and avoid any suspicious email links. Except we’ve only prepared for half the picture.
We’ve assumed the attacker will fail to exploit that vulnerability we patched in our database, not having expected them to instead steal an employee’s password by hacking their personal devices. We’ve assumed the attacker will be stopped at the front door and denied without credentials, not waved through after flashing a fake badge and claiming to be a replacement for the usual cleaner, out sick for the night. And we’ve assumed we can protect our cutting edge ideas and trade secrets via encryption, good access control, and following company policy – not expecting an attacker to copy them from our unattended laptop whilst we’re in the bathroom at a coffee shop…
Now, imagine you’re being observed by the attacker – a motivated adversary looking to perform either corporate or state-backed espionage. How hard would it be to set up an observation post and watch your office building? To see yourself – whom the attacker knows from online reconnaissance to be working in the R&D team – walk out with your laptop.
To follow yourself to a cafe.
Grab a table at that very cafe.
Watch as you leave for the bathroom.
And finally, slide over to your table and compromise your laptop, directly targeting the crown jewels they need without the need to compromise an entire network.
Imagine you’re being observed by the attacker – a motivated adversary looking to perform either corporate or state-backed espionage. How hard would it be to set up an observation post and watch your office building?
This is an easy mistake to make, stemming from a failure in mindset. We tend to ask: “What controls do we need to implement to make ourselves safe?”; yet so rarely do we ask “If I was an attacker, how would I attack this business?”.
That is the adversarial mindset. It challenges the status quo, and challenges you to stop thinking of compliance – and instead think like an attacker. Ask yourself: “Who is threatening my company?”; “What are their goals?”; and most importantly – “If I were in their place, what attack path would I take to achieve my goals?”.
Ask yourself: “Who is threatening my company?”; “What are their goals?”; and most importantly – “If I were in their place, what attack path would I take to achieve my goals?”.
Perhaps we don’t need to target a secure system, but instead can target a weak one. Maybe we don’t need to exfiltrate company data, and simply destroying it to disrupt the business is enough for us.
By slipping into the adversarial mindset, we adopt the mentality of the attacker. We pretend we’re the bad guy, the people looking to steal our data, disrupt our business, or ruin our reputation. And when we start to think like an attacker, new attack pathways stretch open before our eyes, suddenly revealing the real vulnerabilities present within our system.
Adopt the adversarial mindset. Think like an attacker. Protect yourself.
Adopt the adversarial mindset. Think like an attacker. Protect yourself.
Contact us to enquire about how Sekuro can assist you with executing an adversarial mindset via our offensive security services.
Sasha Goldenberg
Managing Consultant - Offensive Security team, Sekuro
Sasha is a Managing Consultant in Sekuro’s Offensive Security team. With a background in red teaming and counter terrorism, Sasha is passionate about leveraging the adversarial mindset and implementing a proactive approach to security. He specialises in physical intrusions, red team engagements, and internal penetrations testing.
More Articles
Selling the Strategic Imperative of Zero Trust to Your Board
In conversation with Nathan Wenzler, Chief Security Strategist at Tenable (Part 2)
