[Thoughts] The Hacker Mindset
In a world full of cyber security professionals who enter the field purely for the sake of employment, true hackers are becoming a rare breed.
Creativity
Hackers are not bound by convention. They don't see systems for what they were meant to do, they see them for what they can be made to do.
Creativity is what allows someone to chain together three unrelated misconfigurations and turn them into a remote code execution.
It's the ability to look at the same code, the same tools, the same systems as everyone else and find something new, something missed, something dangerous.
At its core, hacking is an art form.
Curiosity
What lies behind this login page?
What’s running on that obscure port?
Why is this response 37 bytes longer than the last one?
Most breakthroughs happen not because someone followed the rules, but because someone got curious enough to ask, what if…?
To the untrained eye, everything looks normal. But to the observant hacker, the normal is where the anomalies hide.
Rebellion
At the heart of hacking is a quiet defiance. A refusal to accept that this is how it’s supposed to work.
The tendency to question, challenge, & subvert is what sets a hacker apart.
It is also an aversion to bowing down, being spied upon, or being controlled by the overlords.
Perseverance
Great hackers don't come from brilliance, they come from persistence.
Trying the 78th payload variant.
Re-reading the same documentation, this time slower.
Reversing a binary one opcode at a time.
Perseverance is what separates script kiddies from professionals. It’s the refusal to quit when the tool fails, when the recon turns up dry, or when the target seems “impenetrable.”
Paranoia
Ideally, the most secure machine is one disconnected from the world, locked into a box, and placed in the Challenger Deep. And even then, many security professionals wouldn't sign a piece of paper stating that it is 100% secure from cyber threats.
The seasoned hacker doesn’t ask, “Is this secure?”
They ask, “What am I missing?”
Rationality
Contrary to the previous point, I always preface my client calls with the following motto:
Achieving security requires an optimum balance between paranoia & feasibility.
Meta has a security budget larger than some countries' GDP, yet it still faces cyber attacks.
It's not always about having a bigger spend. Sometimes it's about how you make the most out of what you have.
This is why I always place an emphasis on a rational approach to risk. Instead of threat profiling every single APT group out there, just focus on getting your basics right first.
The Hacker understands that while an attack can come from anywhere, trying to focus on everything at once just doesn't work. You need to pick a few attack vectors at a time & strengthen your infrastructure.