New Zealand Security - February-March 2020

Page 30

INDUSTRY

How to use the attacker mentality for good

According to Val LeTellier, chair of ASIS International’s Insider Threat Working Group, adopting the mentality of the attacker can prevent an insider and in doing so save up-time, reputation, jobs and embarrassment.

Society would be far less enjoyable if we all adopted an attacker mentality. Everyone’s first thought upon meeting someone new would be how to manipulate them for personal gain. Each encounter would be based upon the assumption that there are no rules of engagement, political correctness, manners, morality, or conscience at play.

Val LeTellier has three decades of risk management experience in the US public and private sector. He is chair of the Insider Threat Working Group of the ASIS Defense & Intelligence Council and a member of the INSA Insider Threat Subcommittee.


Attackers are comfortable doing things that most people aren’t. They look for exploitable motivations and vulnerabilities to create self-serving situations. They are comfortable masquerading as someone else, building false relationships, and hiding the truth. For instance, attackers have no qualms about following your CFO home to collect personal information, booking a room on your CEO’s hotel floor and “getting to know” him or her at the hotel bar to collect details about the company, sending your IT staff cool gifts laced with malware, or even using Facebook to send your kids a malicious link hidden within a game. These guys are different. They take it up a notch or five. But what, exactly, sets them apart?

Singular mission focus

Professional attackers are not distracted by what is happening on the sidelines; they focus exclusively on mission achievement. They are not constrained by administration, bureaucracy, or budget, and they do not make decisions by committee. They know what they want, and they go for it.

If you ever wanted to know the comprehensive list of valuables you have access to, just ask an attacker. They will know because they are always sizing up people and opportunities for personal gain. You may be surprised by what attackers consider valuable and why. It may sometimes be as obvious as money or intellectual property, or it could also be other items. In today’s world, opportunities for financial gain are much broader than before. Attackers may seek different items, depending on whether they are thieves, conspirators, leakers, discontents, or opportunists. One’s reputation, relations, personnel, speed of business, and mental wellness can be targets for specific attackers with specific agendas. Using data as an example, the cybersecurity “CIA Triad” of confidentiality, integrity, and availability tells you that theft is not the only threat—an attacker could also harm your organisation by clandestinely disrupting your data integrity or denying you or your customers access to your data.

Patience

Ever found yourself in the right place at the right time? Whether we attribute it to luck or serendipity, most of us also seek to create those situations for ourselves in our daily personal and professional lives, but our results are usually hit or miss. We simply can’t be in all the right places just waiting for the right time to come around. But that is exactly what an attacker does. In the cybersecurity world, digital “honey pot” websites allow attackers
