The [Good] Hacker Mindset
The mindset of good hackers can be categorized as a relentless curiosity.
Curiosity. Some people will tell you that hacking is something that only happens with computer technology. They’re wrong. The reality is that the idea of hacking comes from other places, long before computers existed. Hacking computers to do things they weren’t meant to do is the same mindset that a custom car enthusiast employs when they bolt on a different engine from an entirely different car.
They look for requirements, interfaces, interaction points, adapters. They hunt for errors and issues. They diagnose why their approach doesn’t work. They ask themselves ‘how could this work?’ instead of ‘why would I try?’. They try again, and again, until they get the result they want. They’re hackers, in my humble opinion. I’m sure there are other analogous pursuits, but I use this one as I have some familiarity: before I got into IT and cybersecurity, I was a qualified light automotive mechanic.
The modern use of the word ‘hack’, ‘hacked’ or ‘hacking’ came about in the mid-1970s to describe illegally accessing a computer system. However, in earlier verb usage, as far back as 1735, the term ‘hack’ implied ‘to make something commonplace’. Later, in the 1800s, a ‘hack’ could also describe a hired mercenary. But the original term probably came from Old English c.1200 tohaccian meaning ‘to hack to pieces’.
Problem solving is at the heart of hacking too, and in this sense, possibly the best advice anyone ever gave on this subject was to break big problems down into smaller ones, i.e. hack them to pieces.
Gaining entry into any system, be it electronic or physical, requires us to exercise not only good problem-solving skills, but also risk management. Being detected is part of the problem space, and we often need to account for that.
Relentless. Some people like to solve crosswords, or Rubik’s Cubes. This is problem solving, but they know there is a solution. They just have to find it. Knowing there is a ‘win’ state motivates them.
Imagine that the crossword in the daily newspaper, or that Rubik’s Cube, had a pretty high chance of having no solution at all. Most of those people would not even start trying to solve it. Any reasonable person would consider the risk of wasting their time too great.
Hackers approach the problem of gaining access to a computer system as though it’s inevitable that they will gain access, but they don’t always know if there is a way. Their curiosity to find out either way is what drives them into this frustrating place.
To be OK with this, I personally think of the act of penetration testing or red teaming as a series of scientific experiments. I create a hypothesis and test it, and whether I succeed or fail, I have learned more about the system. If you carry this attitude, then you never feel like you’ve wasted your time. It’s easy to forget that what we do as offensive security professionals is really a small part of the wider Development Life-Cycle of a given technology product, and that generally involves some kind of testing.
This is the motivation that keeps me coming back to the profession: helping to make better products and services that enrich people’s lives, put food on people’s plates, or generally keep them safe.
Other motivations of hackers
Not all hackers do so with the best of intentions. While they may still relentlessly pursue curiosity, their motivations come from other places. In summary these might be things like:
- Money & Greed
- Power
- Activism
- Warfare / Espionage
I say this only to help you, the reader, understand that when we’re emulating attackers we might need to consider these motivations, however briefly. If one of the best questions we can ask when designing a system is ‘How could a bad person take advantage of this?’, then surely the follow-up question is ‘Define bad?’. Understanding attackers’ motivations can be key to defending against them.
To demonstrate this point, imagine three different hackers all breaking into the Bank of Foobarzia’s website. This website has a glaring vulnerability allowing remote code execution in the bank’s environment.
- The first hacker works as part of a Ransomware as a Service (RaaS) operation and is primarily interested in extorting people for money
- The second hacker is a political activist with an axe to grind against a small set of the bank’s customers
- The third hacker is employed by the military of the warring nation of Barfoobia
In the first example, after gaining initial access to the website, the RaaS operator tries to fan out and infect as many systems as possible in as short an amount of time as they can.
In the second example, the activist doesn’t bother with the website vulnerability. Instead, they ‘spearphish’ a particular individual they know to be dealing with the bank customers they’re after. They compromise this person’s desktop machine instead, break into their email inbox and exfiltrate as much ‘dirt’ as possible on their actual targets, which they then use to damage the customers’ reputation.
In the final example, the hacker’s motivation is simply to bring any or all of the bank’s systems to a screaming halt and, hopefully, to prevent their enemy’s finance systems from operating for as long as possible. They use the website vulnerability, but take their time to enumerate the entirety of the bank’s systems and networks. Over time they slowly exfiltrate the bank’s entire customer list. Six months later, they cause a week-long IT outage in the middle of the holiday season.
In each case, the attackers’ motivations caused them to do different things. When we’re testing for a customer, we need to model our attacks on credible behaviours and test for as many of them as time permits. This may include threat modelling with our customers to understand what personas are the priority for the engagement.