Adversarial mindset, thinking like an attacker is no longer optional
Adversary Village @ DefCon USA 2025
08 August 2025
Format: Panel Discussion (~37 minutes)
Location: Adversary Village @ DEF CON 33, Las Vegas
Panelists
Abhijith “Abx” B R (Moderator) — Founder, Adversary Village
Bryson Bort — Founder of Scythe (adversary emulation platform), co-founder of ICS Village, former government offensive operator
Anant Shrivastava — Founder of Cyfinoid Research, focused on cloud security and software supply chain security
Lt. Col. Gordon “Fizzle” Boom — United States Air Force, 567th Operations Group, offensive cyber operations background
Overview
As threat actors evolve in speed, sophistication, and stealth, traditional defense strategies alone are no longer sufficient. This panel delves into the strategic importance of adopting an adversarial mindset, where defenders must think like attackers to stay ahead. Industry experts discuss how adversary emulation and offensive cyber security techniques are being used not just to test systems, but to actively inform and strengthen defensive strategies.
AI Generated Summary
AI Generated Content Disclaimer
Note: This summary is AI-generated and may contain inaccuracies, errors, or omissions. If you spot any issues, please contact the site owner for corrections. Errors or omissions are unintended.
Key Topics Discussed
Hacker Mindset vs. Adversarial Mindset:
The hacker mindset focuses on making systems do things they weren’t designed to do — breaking into boxes, escalating privileges, and exploring what’s technically possible
The adversarial mindset is goal-oriented: it aligns people, process, and technology toward a specific target, using whatever means necessary — technical or otherwise
Real-world adversaries don’t get points for being fancy; they use whatever works, from simple CLI commands to social engineering and close-access operations
Why Organizations Keep Getting Breached:
“Offense is always technical in nature; defense is always political in nature” — organizations buy security tools based on budget constraints and approved vendor lists, not based on what’s most effective
Compliance is static and checkbox-driven; attackers have the checklist before they ever show up, and they use LinkedIn to map out an organization’s people, relationships, and entire defensive stack
CISOs often operate on a two-year tenure mindset, aiming to hit the minimum compliance threshold rather than building robust defenses
In the vast majority of real-world assessments (roughly 80 to 85 out of every 100), advanced techniques were never needed; basic attacks were sufficient to gain access
The Defender’s Actual Advantage:
The common saying “an attacker only needs to be right once” is challenged — once an attacker is inside your network, they’re operating on your infrastructure, using your protocols, and you control the choke points
Defenders have the home-field advantage in the post-compromise phase (actions on objective), if they know where to look
The key insight: focus defensive resources on detecting and responding to attacker actions after initial access, not just on preventing the initial break-in
Can You Teach Adversarial Thinking?:
It can be taught, but it comes easier to those who naturally ask “why not?” instead of “why?” — people who explore what else a system can do rather than just understanding how it works
Following documented playbooks (e.g., the Conti Leaks) can make even non-expert operators effective, showing that the ecosystem supports multiple skill levels
Critical thinking is harder to teach, but operational usefulness within the adversarial space is achievable for many
Breach & Attack Simulation — When and How:
Breach and attack simulation (BAS) tools are valuable but organizations often jump to them prematurely without having done basic vulnerability assessments or penetration testing
For critical entities handling financial data, PII, or health data, BAS may be an appropriate starting point
The recommended progression: start with purple teaming (collaborative scoping, planning, execution, and remediation), then gradually increase sophistication toward full red team engagements
Tools alone don’t solve problems — “there is no tool that can think for you”
Key Takeaways
Adopt the adversarial mindset across your organization — it’s not just about technical hacking, but about aligning people, process, and technology to think like an attacker with a specific objective
Compliance is the floor, not the ceiling — passing audits doesn’t mean you’re secure; adversaries already know your compliance checklist
Focus on post-compromise detection — instead of only trying to keep attackers out, invest in detecting and responding to their actions once they’re inside your network
Start with purple teaming — it builds collaboration between offense and defense, creates a learning culture, and is more accessible than full red team engagements
Use free resources to get started — tools like Atomic Red Team provide a zero-cost entry point for beginning adversary emulation and improving defensive posture
Simplicity wins — real adversaries use whatever works, and defenders should prioritize covering the basics before chasing advanced threats
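The purple-team loop the panel recommends (scope, plan, execute, check the detection, remediate) can be walked through end to end with the free Atomic Red Team tooling mentioned above. The script below is an added example for this page, not code from the panel or from the Atomic Red Team project itself; it assumes the project's default install path of C:\AtomicRedTeam, a disposable Windows test host with Sysmon process-creation logging enabled, and technique T1016 (System Network Configuration Discovery, whose first atomic only runs read-only commands such as ipconfig) as the scoped technique. Substitute whichever technique your own scoping session picked, and confirm the test number with -ShowDetails before running anything.

```powershell
# Added example (not from the panel): a minimal purple-team loop with Atomic Red Team.
# Run from an elevated prompt on a non-production Windows test host.
# Assumptions: default install path C:\AtomicRedTeam, Sysmon process-creation logging (event ID 1),
# and atomic T1016 test 1 as the scoped technique. Adjust $technique/$testNumber to your plan.

# 1. One-time install of the Invoke-AtomicRedTeam framework plus the atomics from the Red Canary repo.
IEX (IWR 'https://raw.githubusercontent.com/redcanaryco/invoke-atomicredteam/master/install-atomicredteam.ps1' -UseBasicParsing)
Install-AtomicRedTeam -getAtomics -Force

Import-Module 'C:\AtomicRedTeam\invoke-atomicredteam\Invoke-AtomicRedTeam.psd1' -Force

$technique  = 'T1016'                         # assumption: technique chosen during scoping
$testNumber = 1                               # assumption: first atomic for that technique
$logPath    = 'C:\AtomicRedTeam\execution.csv' # assumption: where to keep the execution record

# 2. Planning: read exactly what the test will execute before anything runs.
Invoke-AtomicTest $technique -TestNumbers $testNumber -ShowDetails

# 3. Prerequisite check (use -GetPrereqs instead only if the plan allows fetching dependencies).
Invoke-AtomicTest $technique -TestNumbers $testNumber -CheckPrereqs

# 4. Execution: note the start time so the detection query is bounded to this run.
$start = Get-Date
Invoke-AtomicTest $technique -TestNumbers $testNumber -ExecutionLogPath $logPath

# 5. Detection check: did the host actually produce process-creation telemetry for the
#    emulated activity? Sysmon event ID 1 is queried here; if you rely on the Security log
#    instead, query event ID 4688 with the same StartTime window.
$events = Get-WinEvent -FilterHashtable @{
    LogName   = 'Microsoft-Windows-Sysmon/Operational'
    Id        = 1
    StartTime = $start
} -ErrorAction SilentlyContinue

# T1016 test 1 runs ipconfig among other discovery commands, so that is the marker looked for.
$hits = $events | Where-Object { $_.Message -match 'ipconfig' }
if ($hits) {
    Write-Host "Telemetry present: $($hits.Count) process-creation event(s) since $start" -ForegroundColor Green
    $hits | Select-Object TimeCreated, Id, @{ n = 'Summary'; e = { ($_.Message -split "`n")[0] } } |
        Format-Table -AutoSize
} else {
    Write-Warning "No matching process-creation events found; log this as the remediation item for the purple team."
}

# 6. Cleanup: revert anything the atomic changed (T1016 test 1 changes nothing, but keep the habit).
Invoke-AtomicTest $technique -TestNumbers $testNumber -Cleanup
```

The interesting outcome is the warning branch: when the emulated technique runs but no telemetry appears, that gap (missing Sysmon configuration, an unforwarded log, a rule that never fired) is the concrete remediation item the panel's purple-team cycle is meant to surface, and it is found without any advanced tradecraft.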