Adversarial Mindset

Adapt to Overcome

Knowing Your Adversary

Being able to understand your adversary in all facets is imperative to achieving your mission.  For the purpose of this post, adversary can be interchangeable with ‘target’.

The most important thing you can do when you are assessing your situation is to just stop and observe the atmospherics around you. By atmospherics, I mean the literal environment, the people, the actions and reactions of how they interplay together and the observable reactions of those. You can apply this concept to digital environments as well as physical; the concept is full spectrum.

The more you slip into observation mode, the less you are interacting with the environment around you. Think of the environment as a pond: the more you move, the more ripples you create. By creating ripples you are causing reactions, then subsequent actions, and thus further reactions. You don’t want to be creating this movement, as you will be identifying yourself to the adversary based on your actions, reactions, and those of entities and the environment around you. When you are assessing your adversary, know that this could influence the field of play negatively.

Being able to understand how your adversary interacts with the environment and how it and other entities react to that interaction is vital. Try to approach the problem set with a systems-style framework like I’ve mentioned previously. Everything is a system of systems. There must be a reason why something is the way it is; behind a system there is a human or humans that have created the processes by which it operates. Processes are created to do an action; whether it’s to solve a problem(s) or create new one(s), they have a set high-level goal.

Additionally, when attempting to understand your adversary, you may want to understand their reactionary timing and the strategies they employ when reacting to a potential threat action from an outside force. By testing these boundaries, you can start to enumerate the layers of their own awareness and defensive posture.

Two examples:

  1. From a physical standpoint, if you observe an entity approaching a secure door when they shouldn’t be, and notice a physical guard presence thwart entry to the secure space, it is beneficial to know how long the response took, the numbers of the responding force, and how they responded before, during, and after target interdiction. Do they radio the all clear, do they remain in the area in case there are additional threats, or do they depart after the event is over?

  2. From a digital perspective, if you are performing active reconnaissance on the perimeter of your target: are they banning IP addresses (I hope you’re using burner IPs for this type of activity)? Does the firewall seem overly permissive (it could be a trap)? Are ports filtered? What type of server banners are returned if you do a simple curl / GET request?

Remember the ABC’s - Always Be Collecting.

Once you’ve obtained enough information to start profiling your adversary you should start organizing the data you collected into structured statements and assumptions about the entity.

A few example questions to ask yourself:

  • What does the data say about your adversary?

    • What does it say about the environment, and how your adversary interacts with it? With yourself?

  • What does it not say? (What’s missing?)

    • Do you need to collect more information?

  • What assumptions can you make based on the data?

    • What assumptions are safe?

    • What assumptions are not safe; and how can you collect or what can you collect to increase the probabilities of the assumption being correct?

If you can attribute your adversary and know the historical tools, tactics, and procedures they have used, you can start to enter the analytical process of understanding the motivation that drives them to operate against you and the mindset they carry with them to further their purposes. This is similar to studying counterterrorism: terrorists operate under the concept of acting based on a grievance. If you can understand what that grievance is, why it was formed and why they are operating in the way they are, this will help you understand the possibilities around either ending that grievance for the group or how to counteract the messaging around it.

Another Example:

Understanding why the farmer puts his vegetables for sale in the late morning, you’ll know that he harvests in the early morning. Knowing this, you can make a safe assumption that if the farmer works their own land, they most likely go to sleep earlier than not. This identifies loose hours of operation. If the farmer is your adversary and your goal is to steal farm equipment out of his barn, you may want to target the barn opposite of the field they are working, or target rest hours to perform this acquisition; or even target the farmer’s equipment while they are selling their goods at their vegetable stand in the late morning and not at their farm. A simplistic example, but it’s generally an easy one to relate to the concepts above.

ᛞ ᚾ

Getting Personal: The Meaning Behind the Adversarial Mindset

From my university days studying intelligence, counterterrorism and criminal law, to my nascent career in the defense/security industry, through the decades-long journey of becoming a veteran in the industry and watching it ‘grow up’ from being a specialized niche to being the hottest field to be in - I’ve watched the trends come and go. With pop culture elevating the industry around the concept of hacking, tradecraft and spy-craft, to professional services and consulting firms jumping on the bandwagon to sell the latest buzz words; one of the biggest failures has been our industry falling into the trap of promoting ‘the cloud’, ‘ethical hacking’, and the limiting and mis-labeling of ‘red teaming.’

Uri and I have spoken about this tirelessly on the Red Team Podcast so I won’t dive into that here. We also talk about the mindset, why it’s important and how one utilizes it. Over the past year of recording, it’s clear that we are getting the message out; however, there are many out there that still constrain how they define red teaming or don’t really understand the mindset. I say this while fully acknowledging there’s no right way to interpret red teaming as it takes many forms; however, our goal has been to expand on the concept as we feel by the current labels and definitions provided for it, we as an industry have been constraining, diluting and misrepresenting it.

This led me to researching how to promulgate these concepts in different ways that are extremely meaningful to me, both in my personal and professional life. Where I come from is important to me for many reasons: cultural identity, pride, and history being the primary drivers. While researching my genealogy and familial history, I came across the Norse and Celtic heritage that is now represented in my personal take/branding of the Adversarial Mindset.

Working with an amazing illustrator, Sosh (@soshillustrations), I was able to find a partner that shares my passion for bringing concepts and theory to life through art. I came up with the idea of having a viking skull with ᛞ Dagaz and ᚾ Naudiz runes but had never been able to bring it to life until now.

Dagaz represents one's breakthrough or awakening through awareness. It symbolizes clarity, the power of change directed by your own will, growth and release, the balance point, and the place where opposites meet. Two ᚲ Kenaz runes (observation, clarity and improvement) join with two ᛁ Isa (focus, self-control) runes to form hyper-consciousness, Dagaz.

By recognizing and understanding self-limitations and having awareness of your surroundings...the atmospherics; embracing the concept of Dagaz, one is able to adapt and overcome the opposite of what is intended or the assumed; the conceptual adversary.

Naudiz represents innovation, self-reliance, and the power to overcome distress, confusion and conflict. The opposite of Naudiz, Merkstave, signifies the constraint of freedom, distress, deprivation, and need. Aim for Naudiz and don't be limited by the application of Merkstave by others, yourself, or the environment.

Through Naudiz and Dagaz, one is able to adapt the Adversarial Mindset to approach existence with an open mind that promotes questioning, and challenging assumptions, even your own.

The Skull and Runes design represents these concepts and serves as a reminder to seek and understand with an open mind, approaching everything through questioning while considering the worst outcomes so you can not just plan but be ready for the worst-case scenario.

ᛞ ᚾ

Systems Thinking

When attempting to think like the adversary, applying a systems thinking framework to the effort is advantageous. A framework is designed to guide the brain in a systematic manner, whilst still providing the creative freedom to leverage quantitative and qualitative thinking.

I will stress that while there are more common knowledge frameworks out there (like the Starburst method I mentioned in ‘Episode 038 Intel Analysis’ of the Red Team Podcast), especially those that come from the intelligence analysis space; the key to an effective framework is adopting one that facilitates thinking instead of hindering it. Don’t adopt a framework just because you heard someone mention it or because you’ve read it somewhere. The most important deciding factor on what framework you’re going to apply stems from yourself.

Questions to ask yourself when structuring your thoughts:

  • How do you naturally think?

    • Do you focus on the details first or the larger thematic elements of a problem?

    • Do you usually see how elements are connected to each other or do you usually require digging in first?

    • Are you better in your head? Writing things down? Using a whiteboard or post-it notes?

  • How much effort are you willing to put in?

    • With any thought exercise, you are spending cycles. These cycles can mean precious days, hours or minutes being spent; either beneficially or wastefully. You need to know when good is good enough or when you’re just wasting time with your current line of thinking.

  • What outcome do you want?

    • What should the end result of the exercise be? Are there specific outputs?

    • What does success mean?

These are just some of the things you need to ask yourself and think about as you start to approach problem solving using a more systematic approach. Bottom-line: use what works for YOU.

Thinking Critically

I have been espousing the need for taking a proactive stance with applying critical thinking over the years.  Throughout the last decade and a half I have been promoting the fundamental concept of seeking knowledge and understanding through questioning the status quo.  As time went on, and due to the career field I was in, this naturally turned into adopting the practices around applying analytical thinking through the lens of the adversary, especially as it applied to offensive security operations and other related activities.

The fundamental process of thinking like an adversary boils down to simple-to-understand but difficult-to-apply constructs. An adversary seeks to compromise their target through any means necessary; therefore, one must adapt to overcome these threats by approaching problem sets as an adversary would, with the capabilities they wield. One must not be myopic about the thought exercise either, for adversarial actions can occur through various methods, including those that are not readily apparent to the practitioner.

I’ve had several false starts over the years trying to get a medium of choice set up as an outlet for my thoughts on this and related concepts. This site will serve as that outlet; one which I can write about these topics and other areas I find interesting, and hopefully spark friendly collaboration and intellectual sparring with other like-minded individuals.

Dan