We thought we would provide a guide to anyone looking to be a bad actor/malicious adversary/evil hacker based on much of what we have been hearing from the security industry at large.

  1. Discuss all your evil plans on any site that is probably visited by “threat intelligence analysts”. A good place is the dark web, go there, talk about your plans, but make sure people can find you.
  2. Talk about your evil actions at a con.
  3. Always choose the most difficult, ultra-complicated vulnerability to exploit (even when you don’t have to).
  4. Don’t try to buy any of the security tools your targets may use, because you can’t.
  5. Skip over testimonials on any security company’s website. What possible use is it in knowing who provides security assistance to your target?
  6. Also, don’t waste time trying to find out more about the aforementioned security companies; it’s just going to slow down you succeeding in your attack.
  7. Be sure to use the word 1337 a lot.
  8. Disclose all your discovered vulnerabilities; it’s only fair.
  9. Participate in bug bounty programs and post on Twitter about it. Remember, fame is the key to being a successful bad actor.
  10. Participate in corporate CTFs. You can win prizes and show off your attack methods.
  11. Ignore all the ATP and malware reports. This stuff is no use to you, just because everyone else collects intelligence doesn’t mean you should.
  12. Get some certs. You need certs to show you are good at this stuff to other like-minded people.
  13. Worry about anti-virus; it’s good, really.
  14. Avoid all companies who have to meet published compliance standards. They know you know their controls, and are ready for you.
  15. LinkedIn is useless for recon; it’s just full of motivational quotes.
  16. Stick to one communication method, why complicate matters for yourself?
  17. When you send a phish, be sure it looks like an iTunes, Amazon, or other receipt.
  18. By default, security monitoring/detection tools like well-known attack patterns, so be sure to use them.
  19. Only perform your malicious activities between the hours of 9-5 in whatever time zone the target is in.
  20. Pick out a flattering and intimidating costume and choose a cool handle.
  21. Fear security awareness training. It has the magical power of overcoming some of the traits developed during a life – fear, obedience, greed, helpfulness – all succumb to the power of posters, PowerPoints, and catchy slogans.
  22. Brag about everything you do; again, fame is the key. Ever seen a Bond movie? The bad guy always tells James Bond his plans in detail; this is a sign of confidence. Do the same.

***The authors of this article take no responsibility for its accuracy; the information contained within should not be considered as advice.***