We thought we would provide a guide to anyone looking to be a bad actor/malicious adversary/evil hacker based on much of what we have been hearing from the security industry at large.
- Discuss all your evil plans on any site that is probably visited by “threat intelligence analysts”. A good place is the dark web, go there, talk about your plans, but make sure people can find you.
- Talk about your evil actions at a con.
- Always choose the most difficult, ultra-complicated vulnerability to exploit (even when you don’t have to).
- Don’t try to buy any of the security tools your targets may use, because you can’t.
- Skip over testimonials on any security company’s website; what possible use is it to know who provides security assistance to your target?
- Also, don’t waste time trying to find out more about the aforementioned security companies; it’s just going to slow down your attack.
- Be sure to use the word 1337 a lot.
- Disclose all your discovered vulnerabilities; it’s only fair.
- Participate in bug bounty programs and post on Twitter about it. Remember, fame is the key to being a successful bad actor.
- Participate in corporate CTFs. You can win prizes and show off your attack methods.
- Ignore all the APT and malware reports. This stuff is no use to you; just because everyone else collects intelligence doesn’t mean you should.
- Get some certs; you need certs to show other like-minded people that you are good at this stuff.
- Worry about anti-virus; it’s good, really.
- Avoid all companies who have to meet published compliance standards. They know you know their controls, and are ready for you.
- LinkedIn is useless for recon; it’s just full of motivational quotes.
- Stick to one communication method, why complicate matters for yourself?
- When you send a phish, be sure it looks like an iTunes, Amazon, or other receipt.
- By default, security monitoring/detection tools like well-known attack patterns, so be sure to use them.
- Only perform your malicious activities between the hours of 9-5 in whatever time zone the target is in.
- Pick out a flattering and intimidating costume and choose a cool handle.
- Fear security awareness training. It has the magical power of overcoming some of the traits developed during a life – fear, obedience, greed, helpfulness – all succumb to the power of posters, PowerPoints, and catchy slogans.
- Brag about everything you do; again, fame is the key. Ever seen a Bond movie? The bad guy always tells James Bond his plans in detail; this is a sign of confidence. Do the same.
***The authors of this article take no responsibility for its accuracy; the information contained within should not be considered as advice.***