Understanding the “attacker mindset” in security

June 27, 2018
Justin Hall
Director, Security Services

Justin Hall is Director – Security Services for CBTS. In Part 2 of this 3-part series, Justin discusses how to better understand the “attacker mindset.” In Part 1, Justin discussed the process of developing a background in enterprise IT.

Practitioners in the security industry are charged with protecting organizations and their assets – their computing environment, data, employees, and customers. Understanding the threats against which you are defending is critical to this protection effort. What are they after? How do they achieve their goals? What can you expect when you face them? What countermeasures and strategies are effective to employ?

The best defenders of a network are used to thinking like an attacker. So how does one develop this mindset?

Plenty of folks in our industry started as so-called “black hats” – those who attack, disrupt, or compromise computer systems for financial gain, to back a political or social cause, or to cause havoc. While this is certainly an effective approach, it’s usually not legal.

I’ve found that listening to industry veterans and seasoned practitioners, as well as former black hats, is a much better option. In that vein, try attending security conferences and events where you can listen to these folks speak and provide formal training. There’s also a good opportunity to learn about the ever-changing threat landscape, new attack techniques, and new tools.

Hundreds of security conferences take place all across the United States and other countries – look at a list and find one in your area. A good way to meet local practitioners, especially ones who might be interested in providing you guidance and mentoring, is to find a Security BSides conference; these are assembled and run by volunteers. And if you can’t make it to a security conference, most are nowadays recorded and posted online.

We can also learn to stop attackers by looking at the best practices agreed upon by experts from the security community, regulatory bodies, and technology vendors. Dozens of these standards have been used by practitioners for years and make excellent reading material if you’re looking to get ready for the industry:

  • The NIST Cyber Security Framework. As mentioned in a previous post, the CSF is a guide to developing a formal security program. NIST’s publication 800-53r4 is also the “gold standard,” as it were, for security controls – the fundamental people, processes, and technologies you need to have in place to protect your organization.
  • The Center for Internet Security’s Top 20 Critical Security Controls. If NIST 800-53r4 is too wordy, the Top 20 is a consolidated and far more approachable standard. It’s also much more frequently updated and is shaped by feedback from the security community at large (and not just NIST).
  • The MITRE ATT&CK Framework. MITRE’s goal with this resource is to document common attacker actions and tactics, along with methods of detection on a variety of popular computing platforms.
  • The Open Web Application Security Project. OWASP is a group that oversees many community-based application security standards-development projects. One of its most popular is the Top 10 Common Web Application Security Risks, an often-referenced list of the issues in web applications that developers need to consider when writing secure code.

Lots to read and watch! Come on back soon for part 3.

Read more about Security offerings from CBTS. And read this case study to learn how CBTS helped an enterprise client form a security strategy to advance their maturity, increase their risk management capabilities, reduce the attack surface for each business line, and improve their overall corporate security posture.