Shostack + Friends Blog

 

Think like Alph-V?

Recently, ransomware operators AlphV were in the news for telling the SEC that AlphV’s victim, MeridianLink, had not filed the relevant SEC Form 8-K about their breach. While this is something between clever, humorous and outrageous, I’d like to ask a question of those who advocate for adversarial thinking: Did you predict this?

For years, I’ve been talking about how it’s hard to think like an attacker. Now, we have an innovative maneuver from an attacker, and we can ask: did advocates of attacker emulation anticipate it?

This is an important question because if thinking like an attacker didn’t lead to predicting what an attacker would do, then we should increase our skepticism of the approach and replace it with effective techniques, like threat modeling with STRIDE or Kill Chains.

We have lots of evidence that we can teach those skills, and that most people can learn them with reasonable reproducibility in a few hours to a few days. Obviously reproducibility rises with more practice, but to the best of my knowledge, no one makes any claim for any consistency from ‘think like an attacker.’

Source: AlphV files an SEC complaint against MeridianLink for not disclosing a breach to the SEC at Databreaches.net, who also note that the SEC rule may not be in effect until December 15.

Image by Midjourney, "a computer scientist in the foreground and a criminal hacker in the background. The computer scientist and the criminal hacker are both thinking. However, the computer scientist is trying to think like the hacker and is getting frustrated. He's eyeing the hacker suspiciously. FRUSTRATED. THINKING. Cartoon and CORPORATE and PROFESSIONAL style with light green, blue, simplistic, studio background, primitivist style, precisionist lines --ar 8:3 --s 750"