permitted under Section 107 or 108 of the 1976 United States Copyright Act, without either the prior written permission of the Publisher, or authorization through payment of the appropriate per-copy fee to the Copyright Clearance Center, Inc., 222 Rosewood Drive, Danvers, MA 01923, (978) 750-8400, fax (978) 750-4470, or on the web at www.copyright.com. Requests to the Publisher for permission should be addressed to the Permissions Department, John Wiley & Sons, Inc., 111 River Street, Hoboken, NJ 07030, (201) 748-6011, fax (201) 748-6008, or online at http://www.wiley.com/go/permission.
Limit of Liability/Disclaimer of Warranty: While the publisher and author have used their best efforts in preparing this book, they make no representations or warranties with respect to the accuracy or completeness of the contents of this book and specifically disclaim any implied warranties of merchantability or fitness for a particular purpose. No warranty may be created or extended by sales representatives or written sales materials. The advice and strategies contained herein may not be suitable for your situation. You should consult with a professional where appropriate. Neither the publisher nor author shall be liable for any loss of profit or any other commercial damages, including but not limited to special, incidental, consequential, or other damages.
For general information on our other products and services or for technical support, please contact our Customer Care Department within the United States at (800) 762-2974, outside the United States at (317) 572-3993 or fax (317) 572-4002.
Wiley also publishes its books in a variety of electronic formats. Some content that appears in print may not be available in electronic formats. For more information about Wiley products, visit our website at www.wiley.com.
Library of Congress Control Number: 2021941139
ISBN: 978-1-119-80546-5
ISBN: 978-1-119-80628-8 (ebk)
ISBN: 978-1-119-80547-2 (ebk)
Trademarks: WILEY and the Wiley logo are trademarks or registered trademarks of John Wiley & Sons, Inc. and/or its affiliates, in the United States and other countries, and may not be used without written permission. All other trademarks are the property of their respective owners. John Wiley & Sons, Inc. is not associated with any product or vendor mentioned in this book.
Cover image: © Getty Images/Gearstd
Cover design: Wiley/Michael E. Trent
About the Author
Maxie Reynolds is widely considered one of this generation's most successful social engineers. She started her career in oil and gas as an underwater robotics pilot working in Norway, Venezuela, Australia, Italy, Russia, Nigeria, and the United States. She then transited into cybersecurity at PricewaterhouseCoopers in Australia, working in ethical hacking and social engineering. She later studied digital forensics with SANS and has performed digital forensics for law enforcement and corporate America, and as an expert witness.
Maxie was born and grew up in Scotland, dabbled as a stuntwoman, and achieved some success as a model in both the UK and the United States. She has a degree in computer science, a degree in underwater robotics, and is educated in quantum computing. She is also a published author, and in her spare time she works with the Innocent Lives Foundation and National Child Protection Taskforce.
Maxie has published articles on complex human behavior and its effect on a social engineer's ability to influence and has given speeches on the mindset and science behind the art of social engineering. She teaches various courses on social engineering and the attacker mindset. This book, The Art of Attack: Attacker Mindset for Security Professionals, is the first book of its kind to be published. It looks at the cognitive skills and requirements of the mindset, how to engage it, and why.
Acknowledgments
Attackers don't acknowledge people.
They target them.
Introduction
There is nothing either good or bad but thinking makes it so.
—William Shakespeare
I was recently told by someone I consider to be a subject matter expert that introductions in books, although seldom read by typical readers, are meant to respect the reader. Introductions are not intended to insinuate to readers that they will only understand the book's subject matter once they've read it cover to cover. Instead, the introduction should tell its audience how the core message of the book will be broken down. I think this is true, so this introduction acts only as a way to summarize what's to come, not to aggrandize it.
The core subject of this book is the attacker mindset, the gathering, processing, and applying of information for an objective. That's the key takeaway of this book. If you stop reading now, you will have received its central message. However, what I'm hoping will keep you reading, rather than repurposing the book as a doorstop, is that the whole book is about how to do this as an attacker—how to process and apply information for the benefit of the mission.
The Art of Attack looks at all aspects of the attacker mindset (AMs), focusing on the cornerstone pieces. In breaking these pieces down to their fundamental components, the book empowers you to build them back up into something recognizable as your own brand of attacker mindset. I will describe the principles of this mindset and how to interweave them with the process most attacks follow, namely: reconnaissance, initial approach, privilege escalation, redundant access, and escape. Through this attacker lens, this book explores tools you can implement as attackers and the psychological principles, too. I will also call out all the times you should take snacks with you on a job, which doesn't seem important now, but wait until you've been trapped in a bathroom stall for six hours.
To help you remember the material packed into this book, I'll provide stories (both successes and fails), which should make transferring AMs from theory into practice much easier. As a practitioner of social engineering, I will mainly concentrate on examples of the attacker mindset in my stories from the field. However, as a trained pen tester there will also be crossover.
The tagline I've used to put attacker mindset into shorthand over the years is: there really is nothing good or bad, but your attacker mindset makes it so—this line is effectively how this book came into being: Countless hours of trying to teach people the art of the attacker mindset allowed a reduction of it to that statement. The attacker mindset allows us to hack information, which may on the surface be neutral to the untrained pedestrian, but to you or I as attackers, could prove lethal when leveraged correctly. There's no information that you will come across that's simply good or bad; information is processed through the lens of the attack and its objective.
I wrote this book solely to teach this mentality, but each of you will build your own version of it that reflects your strengths and weaknesses. This book should teach you how to think, not what to think. It contains chapters on open source intelligence (OSINT) and social engineering, too. However, other books and courses exist that break down how to perform OSINT and how to become a social engineer (SE). My aim is to show you how those fit into the AMs's executive functions.
Who Is This Book For?
The attacker mindset should be taught to those who need it most—those who we, as a society, want to protect from malicious attackers. Companies should use physical testing as
