One can hit your information by accident he won’t make much damage.
Whatever the attacker’s profile (and you can imagine other profiles combining two or three of the basic ones) be sure no one act rashly and without preparation. No one start using his tolls and techniques haphazardly.
Each calls a well-designed strategy and a method. Let’s look at that.
A strategy is the art of fixing objectives and organizing one’s resources and actions to reach them.
Don’t panic! I bring here nothing new. I simply write down what we all do every day… without even thinking about it.
Study of the situation
Who am I and in which context do I live?
We analyse our past and our skills along with the requirements and the constraints of the society around us. We identify what we want, who we want to become.
Definition of the needs
What am I lacking and where can I find it?
Comparing the present and the objective we identify the gap and what it will cost to fill it.
It’s from here that the attacker takes his position: he doesn’t care with the constraints of the society; respecting the law isn’t part of his thinking.
Expression of the wish
Where can I get what I want, without building or acquiring it?
We look for the least cost, the least risk, and the most immediate result.
We can identify several targets with various aims: destruction, robbery or conquest.
What are the tools, weapons and resources I need to go and take, destroy or conquer?
When should I act to have the best success rate?
How should I move towards my target? How shall I attack? How will I withdraw (if wanted) without leaving tracks so that no one can follow me?
Once we are ready and the conditions are met, we move, attack and withdraw according to the defined methods.
We are sometimes forced to a ‘Plan B’.
Once back to our safe position, we analyse what we have lost in action and what we have gained.
If the result is positive, we know we can do it again and improve what didn’t work well.
If the results are negative, we look for other ways and we hope doing better next time.
You see that it’s not complicated.
A method – you can call it a ‘tactic’ – is the art to implement the strategy to transform it in a success.
Without going to tiny details, the method – that is deployed across the Planning and Execution phases – can be split in seven steps:
We look for information, we visit, and we do what’s called “intelligence”; e.g. by studying social networks.
We build and acquire the tools needed to attack: all malware and human actions to monitor, spy and act.
We install the monitoring tools by the target.
We analyse the gathered information and look for the weaknesses we can use.
We install ‘bombs’ and tools that will bring the final result.
We attack and take control of the target.
We take (steal), destroy or conquer, as per our objective.
If you want to go further, ask Google using the key words ‘Kill Chain’
According to his profile, resources and skills, the attacker will simplify and merge the five last steps into two.
If the attacker takes the time to consciously plan and act why should we defend and respond with surprise (ad-hoc)? We also need to be organized to resist the attack and be resilient (recover from our wounds). We’ll address that next time.
See you soon, safer with your information