Security Architecture: Knowing the Adversary

When I present or teach on a security topic, I take the time to cover the mindset of the adversary. There are a lot of maxims out there to “know thine enemy,” but here’s a good recent one that explains why:

“Unless you can think the way that an evil person thinks, then you’re defenseless against them, because they’ll go places you can’t imagine and then they win.” – Dr. Jordan Peterson

Dr. Peterson said this as he was talking on the Jocko Podcast, specifically episode 98.

The context of the quote was that Dr. Peterson and Jocko were discussing a particular foreign affairs official. That official, after a horrific incident, stated he couldn’t think like people who committed the evil act. Peterson disagreed. His view is that someone in that position had to be able to think like an evil person. Otherwise, such a person couldn’t adequately do the job because they would continue to lose.

The same is true in security. We can laboriously implement best practices and benchmarks, but unless we can think like someone who actively seeks to do harm to us, we aren’t going to see the gaps. We aren’t going to see where the weaknesses are. Those gaps and weaknesses will be exploited. We will lose every time we come up against a motivated foe. Therefore, it’s not enough to know what safeguards you should put into place. It’s also critical that you think about how someone might bypass those protections or how they might exploit them.

6 Comments

  1. way0utwest
    Dec 07, 2017 @ 11:30:27

    A good reason why we need more examples and demos that show how the criminals think


    • K. Brian Kelley
      Dec 07, 2017 @ 12:03:51

      When I took Criminology back in college, my professor spent a lot of time on getting us to think like a criminal. He talked us through profiling a house we could see from the classroom. How would a burglar seek entry? How would they get stuff out? Why that house? I’ve carried that lesson with me into IT.


  2. justin.swenson
    Dec 09, 2017 @ 10:30:33

    I listened to that podcast recently as well. The context of that portion of the talk was a big takeaway for me.

    While some people speak from a position of moral innocence, “I can’t even think that way”, and believe that’s a good thing, others know they have to be able to think like that in order to stop those individuals (groups) who are willing to act on those thoughts.

    To know your enemy and think like your enemy you have to be willing/able to empathize with your enemy. That means understanding their reality and how it’s affected their paradigm of the world.


  3. Peter E C Dashwood (@PeteDashwood)
    Dec 09, 2017 @ 20:29:37

    Finding ways to get around the security measures you just put in place is a part of the standard debugging that programmers always do. You don’t have to “think like a criminal”; you just have to think like a programmer… (Not ALL hackers are criminals; sometimes code has to be hacked for perfectly legitimate reasons.)

    As far as security goes, total security is axiomatically unattainable; as long as there is legitimate access, then the assets can be accessed by unauthorized people. (If there is no legitimate access the vault is pointless…)

    The best you can do is make it very difficult for unauthorized people to get access, and make sure you have audit trails in place that will tell you who took it, what they took, and when they took it. That way you can determine what else is affected by the theft. Never kid yourself that your security is secure; it never can be as long as there is at least one legitimate pathway. The best you can do is make it extremely difficult for unauthorized access.


    • K. Brian Kelley
      Dec 09, 2017 @ 20:37:32

      Total security is unattainable, agreed. However, a programmer typically plays by a particular set of rules. The most capable adversaries don’t. And that gets to the point that’s made over and over again about threat modeling: you have to think like your enemy.

      I guarantee you that if you only think like a programmer, you’re going to miss things that could be caught. For instance, your comment mentions code. Perhaps it’s not your code the adversary will go after. Perhaps there’s a particular fingerprint that allows me to identify the service and in doing so that may tell me there’s something to exploit about that service. At this point you could have the most secure code in the world. However, the adversary is in.


  4. Jeff Mlakar
    Dec 13, 2017 @ 10:08:54

    I listened to that podcast episode – very worthwhile. +1 for that. I liked the message about knowing your internal evil and considering other people may act on those impulses.

