• Think like a hacker
    You need to think like a hacker

    This was the sage advice being given out by an industry veteran in response to a question about working up the infosec ladder. I started nodding in agreement but then stopped  myself mid-nod.

    Thinking like a hacker is a great statement to make. It can  fit comfortably  into a 140 character tweet, and you can have it printed on a t-shirt. But if you ask a dozen security professionals to define what this means, you’re likely to get several different answers. People have their own  understanding of what it means to be  hacker and how to think like one. To top it off, a large number of security professionals (or those looking to break into the field) have never been a hacker in the traditional sense.

    Think like a doctor

    Andy Agnês is a friend of mine.  He’s perennially jovial and approachable, and  has a smile that is an almost permanent fixture . He’s my go-to guy when I want to bounce a random idea off someone.

    “‘Think like a hacker’ was a cool thing to say when people first started realising IT Security was a discipline in itself but it’s a stupid thing to say now.”

    He pauses to take another bite out of his shawarma whilst I digest his words with  a double-apple flavoured shisha.

    Whilst exhaling and watching the smoke drift away Agnês continues,

    “Unless you are a hacker, you will never be able to ‘think’ like one.  It’s like arriving at the scene of a serious road accident, seeing some guys shin bone sticking through his chest while he’s hanging half and someone saying ‘think like a doctor’ and having faith in the fact that you have it covered.”

    Agnês can sometimes come across as opinionated to the  degree that he only sees things in black and white terms. But  I’ve always seen him as a pragmatist, someone willing to get the job done without getting too deep into the philosophical or spiritual aspect of things. For that reason I’ve always respected his opinion – but felt he wasn’t seeing the full picture here.

    The beautiful creative mind

    If one applies a very specific and definition as to what a hacker is, then Andy’s  argument holds water. But I tend to agree with paunchy awkward hugger Jayson Street’s definition of a hacker, as he elaborated in his Defcon 22 talk.

    Whilst the media has appropriated the term ‘hacker’ to be synonymous with fraudster or criminal; I prefer to think of it  more in terms of possessing a creative mind. This is a viewpoint  shared by Dr Jessica Barker, a security consultant who specialises in the human and psychological side of information security. 

    “There is disagreement of course as to whether there is a certain mindset but it seems safe to say there are traits in common – a desire and ability to solve puzzles or problems, being inquisitive, enjoying a challenge, seeing where rules can be broken or are illogical (and not wanting to be constrained by rules), and probably the tendency to have a systemic view of society.”

    Dr. Barker went on to add,

    “If that’s how we define ‘thinking like a hacker’ then I’d definitely agree that to be good in security it helps to ‘think like a hacker’.”

    One of my favourite definitions of what it means to be a hacker was provided by Robert Hansen. He broke it down into two distinct components: 

    1. Try to figure out how anything can be used in a way it wasn’t intended to be used.
    1. Assume any one thing can be compromised. Based on that assumption, work out what would happen. What would be the recovery plan, isolation, who to call etc.

    Quentyn Taylor prefers to use the term attacker instead of hacker. In an email, he said,

    “Yes you do need to think like an attacker, if you don’t you can’t hope to defend. I think that forgetting how attackers think is one of the largest mistakes that people make” 

    Taylor elaborated further by stating,

    “By thinking like an attacker I mean, understanding their motivations – why are they attacking ? what do they hope to gain ? how will they attack, when will they attack ? what will an attack look like ? understand this and you can tune your response accordingly.”

    This perspective aligns with the viewpoints put forward by David Etue and Josh Corman at RSA 2012 regarding how security can be evaluated from the threat actor’s perspective to work out the adversary ROI. 

    The business end

    These viewpoints raise an interesting question as to what impact thinking like a hacker has to do with the wider IT department or indeed the revenue generating business. After all, a security professional is employed by a business to help them make and save money, rather than satisfy their urges to build hyper-secure systems .

    According to the ridiculously tall Wim Remes, who can easily be mistaken for a younger Jeff Goldblum, thinking like a hacker has its role in helping the business cut costs and generate revenue, 

    “to me, means being able to think outside the box. Not in the meaningless sense that it is used in nowadays but in the sense of having the ability to understand, analyse and solve difficult problems from angles that people without that mindset would not think of. Not only technical problems but also business problems. In what we do, much like in engineering, we are limited by constraints. Some hard, some a bit more flexible, but constraints nonetheless. People, budget, time, politics, decisions made before our time, etc. etc. Only someone with the hacker mindset, and the necessary business acumen, will be able to combine both and be successful.”

     Dr. Barker added,

    “There seems a common presumption that the business side and the IT side are poles apart but actually I’d say there is quite a crossover between thinking like a hacker and understanding the business. Understanding the business is about looking at the business as a whole (that systemic view again) and identifying problems / areas of improvement and new ways of fixing them. It’s about understanding the governance and operation of the business, what the core values are, the critical assets, where vulnerabilities lie and how these can be exploited and should be protected. An attacker would need to understand all of this too, to be able to exploit it all.”

     However, not everyone I spoke to was convinced by this. The opinionated Andy Agnês believes  a lot depends on the nature of the company one works for.

     “Understanding the business is a contentious definition to different people.  I learned more in my first year at a growing SME than I did in 4 years at a global FTSE 100 company – why?  Exposure. In a big company decisions are made by committee and 6 months down the line something happens that everyone moans about.  In a small company, a new product is launched, isn’t successful and you realise that because you didn’t do your job, the dependent success which was supposed to follow, didn’t, and all those new friends you made have just been made redundant because the department wasn’t paying for itself and we can’t afford to carry passengers.” 

    Whilst the differences between a startup and a multi-national business are undeniable, Quentyn Taylor believes this shouldn’t be an obstacle to understanding the business.

    “I am amazed by security people who don’t even know how their company makes its revenue. If you don’t know how an entity makes its revenue how can you hope to defend it? Additionally when you start to understand the business you will naturally get a lot more connected which helps in all kinds of areas such as awareness for one.”

    The Lone wolf pack? 

    The many conversations I’ve had whilst researching this piece have helped me understand what it means to think like a hacker.  I’ve found that people’s understanding of this is very much influenced by how you choose to define ‘hacker’. Within the small group of security professionals I spoke to, the consensus was that thinking like a hacker is a good trait for security professionals to posess  in both a personal and business capacity.

    However,  there is still a lot of confusion about what this means. On the one hand, the hacker mentality is perceived to be an individualistic pursuit.  One that conjures up images of a lone wolf spending hour upon hour coding, testing and coding some more. Whereas in the real world, a  security professional is expected to be an integral part of a diverse team. At times we can work in harmony with other disciplines, but it also means accepting that sometimes what you want is not what marketing, product development, QA or architects want. 

    When discussing this topic with Robert Hansen, he gave the analogy of birds in nature.  Birds protect themselves in herds. They have so many natural predators, that one wonders how they have survived (other than with their ability to fly). Birds possess a learning mechanism where if they see a threat, like a cat approaching another bird, it will raise an alarm. Similarly, security professionals can be tempted to complain, mock or otherwise be apathetic when a colleague or business division is victim to a breach. But the real value is where one can work in unison with others and raise warning alarms when a threat is detected.

    For me, this defined the  missing piece of what a security professional’s mentality should entail. One that thinks independently, , but with an aim of  benefiting those in the surrounding ecosystem.

    Perhaps it’s better expressed as: Think like a ‘benevolent’ hacker.

  • Is there a traitor in our midst?

    Usually my research ends up behind the 451 paywall, but I noticed the good folk at Guidance Software have made one of my recent reports ‘free’ to download at their site behind a registration wall.

    It’s part of research I’m doing looking at the insider threat market and I’d be interested to hear your views and experiences. Do you see insiders as a threat avenue that needs investigating, or are there other more pressing issues in your environment?

    To scope the area, I’ve defined insider threats as falling into one or more of the following three categories.

    • Malicious insider – a legitimate employee, contractor or third party that knowingly and with ‘intent’ seeks to cause harm to the enterprise.
    • Malicious outsider – a non-authorized outsider that gains control over an identity or masquerades as a legitimate user knowingly and with the intent to cause harm to the enterprise.
    • Non-malicious insider – a legitimate employee, contractor or third party who, through his or her actions, causes harm to the enterprise without the intent to do so.

    Have you used or trialled any of the products listed in the report for insider threat purposes. What was your take on it?