When I began working in security, I quickly learned that keeping an “adversarial mindset” was a key part of the job. What is an “adversarial mindset”? For me, it means remembering that people who attack a system don’t care how it is supposed to work or what the information was intended to be used for. They have their own objectives. They don’t care about your organizational chart, your policies, or that you can’t fix the bug they are exploiting because it comes from a vendor.

In 2015, John Lambert wrote a blog post that explained a key attribute of adversarial thinking: “Defenders think in lists. Attackers think in graphs. As long as this is true, attackers win.” The concept applies to any security scenario, far beyond the Active Directory example he uses to make his point.

I was able to witness a CISO switching to the “adversarial mindset” during a preliminary discussion with a new client. We were going through their application inventory and at first rated an internal training system as a lower priority for assessment. Later I branched the discussion away from compliance concerns and towards a review of the business process risks faced by their company. Fraud was a top concern. This was the point where their CISO switched from the compliance mindset to the adversarial mindset. He realized that this low-priority training system had all the information an adversary needed to exploit the business processes the company implemented.

With this insight, we realized that what we had considered a low-priority target from a compliance mindset was actually far more important. Training systems can help an adversary achieve their goals, too. The training system could be an important node in the graph between where the adversary starts and what they want to achieve. As security professionals, we all want to see this graph and make traversing it as difficult as possible for the adversary.

Are you realizing you don’t have an attack graph for your organization? Time to make one. We call this process threat modeling, and the basic steps are:

  1. List what you want to protect or prevent from happening
  2. Study the architecture of the system, application, or company that is the subject of the threat model
  3. List threats and rank them
  4. List potential and actual countermeasures and mitigations that prevent realization of these threats

This is a simple process, best accomplished with a team of domain experts plus a few security practitioners to help spread the adversarial mindset. One of the best investments is to combine threat model training with building a threat model for a key system. The dual benefit of expert analysis and growing a team’s own capabilities can be very valuable.
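The training-system story and the four threat-modeling steps, worked as a small attack graph (an added example, not code from the original post): a constructed architecture, a constructed compliance ranking, and a path search that finds the assets every route from an adversary's entry point to the fraud goal must cross. Every node name and ranking below is invented.

```python
# Added illustration: the blog post's training-system story as a small attack
# graph. Nodes, edges and the compliance ranking below are constructed.

# Edge A -> B: an adversary who controls A can get to B (credentials, network
# trust, or knowledge learned there).
ARCHITECTURE = {
    "phished_employee": ["intranet", "training_portal"],
    "contractor_vpn": ["training_portal"],
    "intranet": ["training_portal", "hr_system"],
    "training_portal": ["process_docs"],  # teaches how approvals really work
    "process_docs": ["vendor_payment_workflow"],
    "hr_system": [],                      # dead end for this goal
    "vendor_payment_workflow": ["invoice_fraud"],
    "invoice_fraud": [],
}

# "The list": a compliance-driven ranking made before looking at the graph.
COMPLIANCE_PRIORITY = {
    "hr_system": "high",
    "vendor_payment_workflow": "high",
    "intranet": "medium",
    "training_portal": "low",
    "process_docs": "low",
}

def all_paths(graph, start, goal):
    """Enumerate every simple path from an entry point to the adversary's goal."""
    paths, stack = [], [(start, [start])]
    while stack:
        node, path = stack.pop()
        if node == goal:
            paths.append(path)
            continue
        for nxt in graph.get(node, []):
            if nxt not in path:  # simple paths only: never revisit a node
                stack.append((nxt, path + [nxt]))
    return paths

def chokepoints(paths):
    """Interior nodes shared by every path: hardening one cuts all of them."""
    return set.intersection(*(set(p[1:-1]) for p in paths)) if paths else set()

def graph_priority(graph, entry_points, goal, compliance):
    """Raise any asset that every attack path must cross to 'high'."""
    paths = [p for e in entry_points for p in all_paths(graph, e, goal)]
    must_cross = chokepoints(paths)
    return {a: "high" if a in must_cross else r for a, r in compliance.items()}
```

Running `graph_priority` over the constructed graph promotes the training portal and the process documentation to high priority, because every path to the fraud goal passes through them, while the compliance list alone had them at low.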