Subliminal Hacking
The Art and Science of Social Engineering




June 12, 2016

Inside the criminal mind … Criminal Psychology

Earlier this year I finished a diploma in Criminal Psychology, and I thought I would share my high-level thoughts on why I think it’s important to develop some form of appreciation for the criminal mind if you’re in the job of conducting adversarial simulations.

When you speak to someone about Red Teaming, Threat Simulations, Adversarial Testing or whatever you want to call it, people are often confused or consider it a high-risk form of testing. While this can be true, it really depends on what form of criminal adversary you are simulating. This defines their motives, methods of operation and their ultimate objectives.

I think something that people outside of this type of work don’t appreciate is that the types of criminals usually worth simulating are not looking to break all the things; they are looking to achieve their goals in the most cost-effective, timely and undetectable way. Granted, this doesn’t mean they may not cause some chaos and destruction once the objective is achieved to cover their tracks, but in general a criminal who is out for financial gain doesn’t want much disruption, and in fact may look to leave doors open so they can come back for repeat winnings. So when you step into the mindset of this criminal group, I would say it’s actually pretty low risk in terms of destruction and disruption.

Of course there are groups of criminals whose intent is purely destruction and disruption, but this can still be simulated in a safe and controlled manner, and should be tested to find out how effectively BCP works, and perhaps to attack that also. Regardless of whether you’re looking at nation state attackers, organised crime, activists, corporate adversaries, insider threat, hacktivists or others, they will each have a different perception and mindset they are operating from that should be considered. Why is the objective important? What lengths would they go to? How will they handle frustration? What seems ethically or morally acceptable to them? What would they do if they felt under pressure, or if their activities were detected? All of these things should be thought about and play a part in the framework you operate from, and will help your rationale for actions taken during a threat simulation.

Now clearly, as a non-criminal you can’t / shouldn’t mimic everything, so common sense needs to come into play. However, I think people too readily discount the value of understanding attacker thinking. Even though it’s not always easy to fully understand, as there is often a lot of FUD in the media, there are good intelligence sources that can be utilised (internal and external), plus accounts from people in law enforcement (this includes psychologists), as well as the odd novel from convicted criminals who expand on what they did, why they did it, and why they perhaps considered it rational.

So I encourage those of you who conduct threat simulations, and in fact even those who are defenders of a corporation, to invest some time in better understanding how the criminal thinks. For one, it will be different to how you think, and you should challenge each other to think differently. I hope ultimately it will make the work you do even more valuable.




    About the Author

    Dale Pearson
    has worked in IT since 1998, Infosec since 2004, and studied and performed hypnosis, mentalism etc. since 2009. Dale is a full-time Red Teamer with a love of social engineering and a qualified hypnotherapist. He spends a great deal of time researching the various skills and techniques that make up the art and science of Social Engineering.



