Earlier this year I finished a diploma in Criminal Psychology, and I thought I would share my high-level thoughts on why I think it’s important to develop some form of appreciation for the criminal mind if you’re in the job of conducting adversarial simulations.
When you speak to someone about Red Teaming, Threat Simulations, Adversarial Testing or whatever you want to call it, people are often confused or consider it a high-risk form of testing. While this can be true, it really depends on what form of criminal adversary you are simulating. This defines their motives, methods of operation and their ultimate objectives.
I think something that people outside of this type of work don’t appreciate is that the types of criminals usually worth simulating are not looking to break all the things; they are looking to achieve their goals in the most cost-effective, timely and undetectable way. Granted, this doesn’t mean they won’t cause some chaos and destruction once the objective is achieved to cover their tracks, but in general a criminal who is out for financial gain doesn’t want much disruption and in fact may look to leave doors open for them to come back for repeat winnings. So when you step into the mindset of this criminal group, I would say it’s actually pretty low risk in terms of destruction and disruption.
Of course there are groups of criminals whose intent is purely destruction and disruption, but this can still be simulated in a safe and controlled manner, and should be tested to find out how effectively BCP works, and perhaps attack that also. Regardless of whether you’re looking at nation state attackers, organised crime, activists, corporate adversaries, insider threat, hacktivists or others, they will each have a different perception and mindset they are operating from that should be considered. Why is the objective important, what lengths would they go to, how will they handle frustration, what seems ethically or morally acceptable to them, what would they do if they felt under pressure, or their activities were detected? All of these things should be thought about and play a part in the framework you operate from, and will help your rationale for actions taken during a threat simulation.
Now clearly, as a non-criminal you can’t / shouldn’t mimic everything, so common sense needs to come into play. However, I think people too readily discount the value of understanding attacker thinking. Even though it’s not always easy to fully understand, as there is often a lot of FUD in the media, there are good intelligence sources that can be utilised (internal and external), plus accounts from people in law enforcement (this includes psychologists), as well as the odd novel from convicted criminals who expand on what they did, why they did it, and why they perhaps considered it rational.
So I encourage those of you who conduct threat simulations, and in fact even those who are defenders of a corporation, to invest some time to better understand how the criminal thinks. For one, it will be different to how you think, and you should challenge each other to think differently. I hope ultimately it will make the work you do even more valuable.