A rite of passage for new parents is child-proofing—securing the home from threats to children. Most experts on the subject highly recommend that parents make their way around the house on their hands and knees in order to experience the environment from a child’s perspective. This may be the only way to see the threats that aren’t obvious from an adult’s point of view.
The same is true when building security into an application. Obviously, there are lists of common vulnerabilities and other guidance in the form of best practices to consider. However, to really protect software you need to consider the hacker’s point of view of the application. You need to think like a hacker, but act like a security pro.
How to Think Like a Hacker
Thinking like a hacker is not just about the technical aspects of the hack. There are a few other things to think about:
Think Like a Hacker
• What’s the hacker’s motivation? What do they hope to gain?
• Is the hacker targeting you specifically, or are they opportunistic and you just happen to have vulnerabilities that make you a target?
• How will they attack?
• When will they attack?
For example, if you are a target of convenience, understand that hackers are more than happy to take the path of least resistance. This is why protecting against obvious, well-known attack vectors is critical. While there is a lot of mystery and intrigue around advanced persistent threats (APTs), hackers have no interest investing time and effort into building an APT when using simple, well-traveled attacks such as SQL injection will do the trick.
So what can you do to protect your organization?
How to act like a security pro
1. Outrun the Bear. There’s an old metaphor about outrunning the bear. The joke involves two hikers who encounter a bear. One hiker puts on running shoes because she knows that if she can outrun her hiking partner, she doesn’t need to outrun the bear. For organizations, closing off well-known vulnerabilities will entice hackers to target other organizations that are not as well prepared. In this way, you don’t actually need to outrun the bear, or in this case the hackers who choose targets of convenience.
2. Pull Threads. Many classic breaches started with a hacker simply noticing a seemingly innocuous crack in the defenses and exploring where it took them. One thread connects to another and soon credentials are accessed and things really start to unravel. To prevent this from happening to your organization, ethically pull every thread you find and see where it takes you, making sure you run each to its end.
Think of a security company checking a home for entry points into a building. An entry point may be vulnerable, but if it leads to a dead end you are still safe. If the entry point takes you directly to something valuable or to another entry point that is readily compromised, you have an issue.
3. Take Inventory of Your Valuables. It’s useful to know what points are vulnerable, but the information is more valuable if an assessment is made of what could be stolen if the entry point is used. It’s critical to do some business-oriented thinking to understand what someone would be motivated to steal. Knowing this helps you think about threats from the inside out: working from a probable target out to potential entry points that will get you to that target. Defense is often constrained by a focus on an outside-in perspective.
Use threat modeling to understand the paths of attack, the value of successfully pulling off each attack, and the expected benefits from each path. Start by closing attack paths that are low effort and high return—again leveraging the concept of least resistance. You may not have the time and budget to do them all, so bank on human nature to stack the odds in your favor.
Hackers are creative by nature, so you have to use your imagination to think like one. For example, hackers are always looking to exploit things that can be used in a way they were never intended to be used. The concept is logical—if the developer never considered the path, he or she won’t incorporate the necessary protections. Thinking this way takes training. It is particularly hard for developers, as they already know how it should be used and will find it hard to see anything else.
The Bottom Line
A good security pro understands that effective defense flows from an understanding of the offense. Thinking like a hacker and possessing knowledge of the business combine to provide key insights into why your organization is a target and how it will be attacked. These insights are essential to close the vulnerabilities and attack paths that hackers will likely exploit. Turn this knowledge to your advantage by assuming the attacker’s perspective. Once you can see your organization from a hacker’s point-of-view, you will be equipped to defend your organization like a security pro.
By Jim Ivers