The Art of Attack: Attacker Mindset for Security Professionals

The Art of Attack

Book written by Maxie Reynolds

Book review by Ben Smith


I don't recommend this nonfiction book for the Cybersecurity Canon Hall of Fame, but if you are interested in the topic, this is a good one to read.

If you've ever been curious what the life of a penetration tester is like, and how this skill set requires a healthy respect for tools well beyond technology, Maxie Reynolds' The Art of Attack: Attacker Mindset for Security Professionals is a fine place to start. This is useful and colorful reading for anyone who aspires to be a penetration tester, or perhaps even more importantly, anyone who is charged with defending your organization from one. Especially if you think pen testing is limited strictly to the cyber / virtual world, it's interesting to note that the concept of a "red team" appears on just eight of the ~270 pages of the body of the text. The book is designed to tell stories and provide advice broadly useful to anyone in the pen testing world, including those working outside cybersecurity.

The offensive-focused attacker mindset here is captured in how the author views information: "Your job as an attacker isn't to collect information - your job is to process it, weaponize it, and leverage it." And in supporting this concept throughout the book, we learn about how best to uncover and deploy that information by exploiting heuristics or shortcuts we humans rely on, as well as applying misdirection and cognitive attacks against your target. Also essential: the importance of a well-documented letter of approval from your client, a tactical breathing technique to calm and center yourself when stressed, and...snacks! Threaded through the concepts introduced within the book is a real-world story about an in-person pen testing engagement at a financial institution where overconfidence almost led to discovery and failure to achieve the goals.

While there are plenty of mentions of organizations and their security postures, the posture I was more interested in seeing arrived in a short description of the importance of "preloading," or influencing your target before the event starts. "The attack starts before you've walked in the door" is the same advice I live by in the world of public speaking. 

Speakers are (ahem) sometimes a little nervous or tight before the talk gets going, but many of us power through it to "turn on and lock in" for the start of the talk. But it's easy to overlook that the minutes ahead of your talk, those final moments where you are confirming that everything is in order, is time where your audience is already watching you, sometimes intently. Even if you haven't started the talk, you are absolutely on stage; it doesn't matter if you don't think that the clock has started yet - it has. If you look agitated or nervous in the minutes leading to your start time, it doesn't matter how calm and authoritative you sound when you start. And similarly, a successful pen tester knows that how you carry yourself (body language) when walking into a building, how your facial expression looks (nervous? confident?), and how you ensure that what you are wearing matches whatever persona you seek to project, all add up to a higher chance of success.

Like any other book, there are a few stumbles. In reviewing types of information that are particularly advantageous to an attacker, the author asserts that our current era of personal genomics (think DNA tests for both health and genealogy reasons) means "a person’s mental strengths and weaknesses can be predicted from birth." This is far too broad a brush, sidestepping the entire "nature vs. nurture" or "nature plus nurture" debate. Genetics are not necessarily destiny. We're not living in a GATTACA world (see the 1997 film) quite yet.

Another example where there's room for improvement: there are photos included to demonstrate real-world examples (good!) but some of those photos are poor quality and don't seem to match the description in the text (frustrating!). Next to one image, a pandemic mask is referenced but cannot be seen in the photo; in another, a specific date and time is mentioned, but both data points are invisible in the accompanying photo. The perils of printing black and white photos in a physical book, perhaps.

But these minor objections are far outweighed by the benefits of this book. The author very helpfully breaks out a clean and concise summary and key message at the conclusion of each chapter. And it's very easy to tie many of the foundational concepts introduced in the book back to their original sources. Primary sources are not buried in small-type endnotes at the end of the book, they are instead identified directly within the main body of the text. For example, Ross Anderson's Security Engineering gets a well-deserved plug - a book which is in the Cybersecurity Canon Hall of Fame. 

And I recognized and appreciated pointers to several other books leveraged by the author which I can also recommend for deeper dives into OSINT resources (Michael Bazzell's Open Source Intelligence Techniques: Resources for Searching and Analyzing Online Information), analytical thinking vs. sensemaking (Stephen Few's Signal: Understanding What Matters in a World of Noise), decoding a target's body language (Joe Navarro is mentioned, check out his What Every Body Is Saying: An Ex-FBI Agent's Guide to Speed-Reading People), why we humans are unpredictable and much less rational than we'd like to think (Richard Thaler's Misbehaving) and the importance of keeping your target in Daniel Kahneman's "System 1" automatic and unconscious mode (from his book Thinking Fast and Slow, based in part on research with his late colleague Amos Tversky).

These last two book mentions above really underline what is the essential takeaway from this book: in the context of real-world penetration testing, understanding human psychology can be much more important, and much more valuable, than mastering technology.