Think. Bad guys do it, so do you.
Every system can be defeated by understanding its weak point, and attacking it with full force. If you think of everything as a "system that has vulnerabilities" while performing a security assessment, it will get your mind in the right place. That's the main approach to thinking like an adversary: think of your target as a system, the sum of its parts, and find the vulnerability that you can attack. The weakest areas, the ones more likely to have vulnerabilities, are usually the joints - where two networks connect, where one area of responsibility ends and another begins, where the guards' shifts end and begin, etc. There is no such thing as a "seamless connection", or a "seamless transition". Seek those areas and attack them, stress them to the point of breaking, and see what's exposed.
This works best when the focus is on all the parts of a given target. Focusing only on the tech or the physical security, but not on the people and the softer targets, is a recipe for failure. The point is to really stress test all domains, including policies and those things called assumptions. Learn to observe. Find the patterns. Each domain has its patterns, and all patterns usually converge into one area. Patterns will give you the information needed to be successful.
When stressed and pushed to the limits, as they often are, reactive defensive measures - the usual "mitigating controls" of modern organizations - just crumble under the weight of a real attack. Go that extra step, walk the "perimeter", understand the least visible "entry points", and focus on the priorities. Find the patterns. Learn to observe. Find the best way to do this. Find the best observation point. This is the key to learning your target. Adversarial thinking goes beyond the traditional security checklist of things to "protect against". A focused adversary will learn about its target first and foremost. If you want to properly defend something, you need to know how to attack it first. Often, if you take your time, a solid picture of your target appears. And more often than not, the answer lies in that "seamless connection" that is not so seamless. Just like an adversary intent on doing harm, learn, observe, learn some more and connect the dots.
It's about the vantage point. The inner circle is important, but good adversaries take the outer circle to observe and find the patterns. Remember: never underestimate the ability to move both openly and covertly at the same time. In order to really understand this, take a look at your adversaries, create a theoretical profile, and then take it to the field. Look at yourself as a target and how, based on the adversaries you just profiled, things can be exploited and manipulated. Figure out what you would do as a bad guy. Focus first and foremost on the people, their patterns of life, their social landscape. Then move on to technology and physical location. Then make a plan.
Observe the patterns. I can't stress this enough. People, systems, locations, everything has a pattern. If you understand what normal is for a thing or a person, you can blend in and perform better. Be like a real adversary and research your target. Often the most obvious issues are the ones that are exploited by real adversaries. Even when you think it would be stupid. That's why you should look at the whole picture. Industrial and corporate espionage often starts with an insider. Don't discount the power that adversaries have to coerce an insider, or the fact that insiders might be angry or disgruntled. You have to factor this in as well. Always look for things out of place... however little. Think about how you'd do it. What would you attack first?
Play both sides: attacker and defender. That’s the key to a successful adversarial assessment. But, again, don’t forget to go all the way up the ladder of domains. Look at the industry, the people, the location and finally the tech.
When finally switching to the defense side, remember that timing is everything: planning. Even when plans never work, having gone through the motions will allow you to visualize solutions and adapt them as you go. No adversary will act without at least having some sense of what's going to happen. Most adversaries are either risk averse, or they want to tip the chances in their favor. Time it. Often patience doesn't come easy. Long hours and your head will get in the way. But give patience a chance and she will reward you. With patterns, with info, with the way adversaries will get in.
The best defense, though, is deception. But don't get caught in the warm feeling of self-assurance...
In order to apply the proper level of defenses, you have to know what makes your organization function, what is at its core, and what are the most valuable assets, things that if you deny or take away will make your organization suffer or fail altogether. It’s about observing. It’s not about tools, or hacking, or social engineering. It’s about connecting the dots, looking at both sides of the coin. Can you see it? You play defense and offense at the same time. You have to.
Now, let's be realistic here: you want your tools. You want the checklists. You want the shiny new hacking framework. You depend on tools. You do. But do not plan everything around the success of these tools. Always plan for people, have a contingency. Plan for people being people. Often it is the low-tech solutions that provide the most bang for the money. Don't over-rely on technology for everything. Work the contingencies into your planning for when all kit fails.
Always have an eye on all the domains, always ask what can I attack, and how would I defend it. And then, when you have the answer, flip sides, and ask how you would handle failure of those defenses, and what attacks may come after.
Think. Bad guys do it, so do you.