The Art of Attack: Attacker Mindset for Security Professionals

by Maxie Reynolds
Edition: 1st
Format: Paperback
Pub. Date: 2021-08-10
Publisher(s): Wiley

List Price: $31.50


Summary

The Art of Attack untangles the threads of a useful, albeit sometimes dangerous, mentality. It shows ethical hackers in social engineering and pentesting what an attacker mindset is and how to form one while staying ethical and moral. It covers what the attacker mindset is, a story that showcases it, the difference between pen testers and attackers, and why this book is needed.
The principles of the attacker mindset are unveiled, including persistence, "start with the end," and non-linear thinking. Ethical hackers will learn the strategic tools needed to build their attacker mindset, including forming the attack, process, recon, privilege escalation, and, possibly most important, redundant access and escape.
The book also speaks to the tells of an attack and how a would-be victim, whether an individual or a business, can avoid one. This section of the book uses the science of psychology to take into account amygdala hijacking and other tendencies readers need to protect against.

Author Biography

Maxie Reynolds is Technical Team Lead for Social-Engineer, LLC, leading their efforts as a physical pentester and social engineer. She has worked as a physical pentester for banks, transport agencies, and other industries, working with them to heighten their security by keeping employees and company assets safe. Maxie is a certified Ethical Hacker, Digital Forensic Investigator, and Social Engineer with previous experience in Oil and Gas. She holds degrees in Computer Science and Underwater Robotics and is qualified in Quantum Computing.

Table of Contents

About the Author

Acknowledgments

Introduction

Part I: The Attacker Mindset

Chapter 1: What is the Attacker Mindset?

Using the Mindset

The Attacker and the Mindset

AMs is a Needed Set of Skills

A Quick Note on Scope

Summary

Key Message

Chapter 2: Offensive vs. Defensive Attacker Mindset

The Offensive Attacker Mindset

Comfort and Risk

Planning Pressure and Mental Agility

Emergency Conditioning

Defensive Attacker Mindset

Consistency and Regulation

Anxiety Control

Recovery, Distraction, and Maintenance

OAMs and DAMs Come Together

Summary

Key Message

Chapter 3: The Attacker Mindset Framework

Development

Phase 1

Phase 2

Application

Preloading

“Right Time, Right Place” Preload

Ethics

Intellectual Ethics

Reactionary Ethics

Social Engineering and Security

Social Engineering vs. AMs

Summary

Key Message

Part II: The Laws and Skills

Chapter 4: The Laws

Law 1: Start with the End in Mind

End to Start Questions

Robbing a Bank

Bringing It All together

The Start of the End

Clarity

Efficiency

The Objective

How to Begin with the End in Mind

Law 2: Gather, Weaponize, and Leverage Information

Law 3: Never Break Pretext

Law 4: Every Move Made Benefits the Objective

Summary

Key Message

Chapter 5: Curiosity, Persistence, and Agility

Curiosity

The Exercise: Part 1

The Exercise: Part 2

Persistence

Skills and Common Sense

Professional Common Sense

Summary

Key Message

Chapter 6: Information Processing: Observation and Thinking Techniques

Your Brain vs. Your Observation

Observation vs. Heuristics

Heuristics

Behold Linda

Observation vs. Intuition

Using Reasoning and Logic

Observing People

Observation Exercise

AMs and Observation

Tying It All Together

Critical and Nonlinear Thinking

Vector vs. Arc

Education and Critical Thinking

Workplace Critical Thinking

Critical Thinking and Other Psychological Constructs

Critical Thinking Skills

Nonlinear Thinking

Tying Them Together

Summary

Key Message

Chapter 7: Information Processing in Practice

Reconnaissance

Recon: Passive

Recon: Active

OSINT

OSINT Over the Years

Intel Types

Alternative Data in OSINT

Signal vs. Noise

Weaponizing of Information

Tying Back to the Objective

Summary

Key Message

Part III: Tools and Anatomy

Chapter 8: Attack Strategy

Attacks in Action

Strategic Environment

The Necessity of Engagement and Winning

The Attack Surface

Vulnerabilities

AMs Applied to the Attack Vectors

Phishing

Mass Phish

Spearphish

Whaling

Vishing

Smishing/Smshing

Impersonation

Physical

Back to the Manhattan Bank

Summary

Key Message

Chapter 9: Psychology in Attacks

Setting The Scene: Why Psychology Matters

Ego Suspension, Humility & Asking for Help

Humility

Asking for Help

Introducing the Target-Attacker Window Model

Four TAWM Regions

Target Psychology

Optimism Bias

Confirmation Bias and Motivated Reasoning

Framing Effect

Thin-Slice Assessments

Default to Truth

Summary

Key Message

Part IV: After AMs

Chapter 10: Staying Protected—The Individual

Attacker Mindset for Ordinary People

Behavioral Security

Amygdala Hijacking

Analyze Your Attack Surface

Summary

Key Message

Chapter 11: Staying Protected—The Business

Indicators of Attack

Nontechnical Measures

Testing and Red Teams

Survivorship Bias

The Complex Policy

Protection

Antifragile

The Full Spectrum of Crises

AMs on the Spectrum

Final Thoughts

Summary

Key Message

Index
