You need to think like a hacker! You need to learn how to use the hacker mindset in order to effectively defend against hackers. How else are you as a cybersecurity defender supposed to know what to look out for? Think of yourself as a boxer. You can train all day every day against a punching bag and get really good at punching the bag. But you have no idea how to defend yourself when you someday face an opponent that punches back.
How to think like a hacker
Put on your hacker hat – and instead of analyzing a situation or application like you normally would – try to think like a hacker. Let's start analyzing an application with the following questions:
- What useful or valuable information exists, and where?
- How is this information supposed to be accessed, and by whom?
- Is it possible to circumvent the normal information flow?
Follow-up questions can be:
- If only admins can access the information:
  - Who are the administrators?
    - Possibility for phishing.
  - Can a normal user somehow become an administrator or act like one?
    - Possibility for abusing the application.
What are the benefits of learning to think like a hacker
The benefits of learning to think like an attacker are plentiful and it is a vital part of learning cybersecurity. You will be able to spot weak links and mitigate them better than your peers. Let’s continue the example from above. You have valuable information and it is your job to secure it properly.
By doing a quick thought exercise you have concluded that the only ones that *should* have access are the administrators. Now you need to follow up with more questions:
- Who are the current administrators?
  - Are all of these expected to have administrative roles, or is there a problem with users getting too much privilege? Could a hacker register a normal user and accidentally end up as an administrator?
- What is the process of becoming an administrator?
  - If we depend on the role to defend the data, we need good routines for how someone becomes an administrator. Can a hacker simply request to become an administrator?
Use the hacker mindset
Assume that you have checked all processes and routines regarding administrators and they are now rock solid. What's next on your checklist? The existing administrators, again.
You, we, humans are often the weakest link in cybersecurity. We are already on the inside – we have the keys to the castle, so to speak. If we click on something without thinking of the consequences, then we might very well have accidentally opened the gates wide open for an attacker.
Let's think about this from a hacker's perspective. No matter what kind of information or access we as a hacker want, the easiest way to get it is by just asking for it. That is right. It is far more complicated to get all the information from someone's emails by hacking Google than by emailing the person and "asking them for their password".
Just put some kind of spin on the question to make the recipient more likely to give out their secret information – and voilà, you have phishing:
- Impersonating something authoritative.
- Registering a new domain that looks like a legitimate company's, but misspelled.
With this, a hacker can send emails from something that almost looks legitimate and link back to a website that looks like the real deal – only slightly misspelled – and potentially harvest your administrators' credentials.
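Turning the misspelled-domain trick around to the defender's side, here is an added example (not code from the original post) that flags sender domains sitting within a couple of edits of a trusted domain, after folding common look-alike characters such as "rn" for "m". The trusted domains and sample sender addresses are constructed for illustration.

```python
"""Flag sender domains that look like a trusted domain but are not.
Added example, not from the original post; trusted domains and sample
senders are constructed for illustration."""

# Domains we trust. In practice this comes from your own mail setup,
# never from the incoming message itself.
TRUSTED_DOMAINS = ["examplecorp.com", "examplecorp-support.com"]

# Visual look-alike substitutions, folded to the character they imitate.
HOMOGLYPHS = {"0": "o", "1": "l", "rn": "m", "vv": "w"}

# Constructed sample senders as they might appear in a mail log.
SAMPLE_SENDERS = ["alice@examplecorp.com", "it-desk@exarnplecorp.com",
                  "admin@examplecrop.com", "news@unrelated-shop.net"]

def levenshtein(a: str, b: str) -> int:
    """Edit distance (insert/delete/substitute) between two strings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def canonical(domain: str) -> str:
    """Lower-case and fold homoglyphs so 'exarnplec0rp.com' reads 'examplecorp.com'."""
    folded = domain.lower()
    for lookalike, real in HOMOGLYPHS.items():
        folded = folded.replace(lookalike, real)
    return folded

def classify_sender(address: str, trusted=TRUSTED_DOMAINS, max_distance: int = 2):
    """Return (verdict, trusted_domain): 'trusted' for an exact match,
    'lookalike' if within max_distance edits after folding, else 'unrelated'."""
    domain = address.rsplit("@", 1)[-1].lower()
    if domain in trusted:
        return "trusted", domain
    best = min(trusted, key=lambda t: levenshtein(canonical(domain), canonical(t)))
    if levenshtein(canonical(domain), canonical(best)) <= max_distance:
        return "lookalike", best
    return "unrelated", None

def suspicious_senders(addresses=SAMPLE_SENDERS):
    """Reduce a batch of senders to the look-alike ones worth a closer look."""
    return [(a, classify_sender(a)[1]) for a in addresses
            if classify_sender(a)[0] == "lookalike"]
```

A domain that merely embeds the trusted name as a subdomain (for example a long host name ending in another registrable domain) is far from any trusted entry by edit distance and will come out as "unrelated", so this check complements rather than replaces a registrable-domain comparison.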
Defend against yourself
After walking through a thought exercise like this, you have a list of possible attack paths that a hacker can take towards your sensitive information. Let's now take off your hacker hat and focus on remediating and building your defenses stronger against the very points you yourself identified.
Do you want to test yourself? Why not follow along and create your own Windows process anomaly detection tool and see if you can evade it? Or perform your own personal security risk hygiene check with the hacker mindset.