The "Criminal Mind" in Security Testing: Nature or Nurture?

Published: 03 Jan 2025

In the world of security testing and vulnerability research, there’s a specific mindset that sets some individuals apart—a way of thinking I often describe as the "criminal mind".

These are the people who, when presented with a website, a feature, or even a real-world scenario, instinctively identify potential loopholes, vulnerabilities, or unconventional ways to exploit the system. For them, it’s not just about using something as intended; it’s about figuring out what else can be done.

The Hallmarks of a Criminal Way of Thinking

The criminal way of thinking is not about malicious intent but rather about curiosity, creativity, and a willingness to explore the boundaries of what’s possible. It's a mindset characterized by:

  • Lateral Thinking: They approach problems from unconventional angles, questioning assumptions and exploring paths that others might overlook.
  • Curiosity: They’re driven by an insatiable desire to understand how things work—and how they can be broken.
  • Pattern Recognition: They’re adept at spotting weaknesses and patterns that might hint at a deeper issue.
  • Risk Assessment: They intuitively evaluate the risk and reward of different actions, making educated guesses about where the most significant vulnerabilities might lie.

Born or Made?

One of the perennial debates in the security field is whether this mindset is innate or learned. Are some people simply born with this way of thinking, or can it be cultivated over time?

The Case for Being Born With It

Some individuals seem naturally inclined toward this way of thinking. From an early age, they’re the ones disassembling toys, questioning rules, or finding creative ways to bypass restrictions. For them, thinking outside the box is second nature. They might not even realize their approach is unique until they encounter others who don’t see the same opportunities.

The Case for Cultivation

While some might have a natural predisposition, many argue that this mindset can be developed through experience and practice. Exposure to real-world problems, learning from others in the field, and a genuine passion for exploration can transform even the most conventional thinker into someone capable of "criminal" creativity. Formal training, mentorship, and hands-on practice in identifying vulnerabilities are powerful tools for nurturing this way of thinking.

Why This Mindset Matters in Security

The "criminal mind" is invaluable in security testing because it mirrors the thought processes of actual attackers. By thinking like an adversary, testers can uncover vulnerabilities before malicious actors do, providing an essential layer of defense for applications, systems, and organizations. This mindset enables:

  • Proactive Discovery: Identifying flaws before they’re exploited.
  • Creative Testing: Going beyond checklists to uncover hidden issues.
  • Realistic Threat Modeling: Understanding how an attacker might approach a system.

One of the biggest challenges in secure coding is that developers often fail to realize their code is vulnerable. This can be attributed not only to a lack of secure coding knowledge but also to an inherent difficulty in viewing their own work through the lens of a potential attacker.

Helping developers acquire the "criminal mind" is often the key to getting them to find the flaws in their own code. It's always a good exercise in secure coding training, and even in peer code review, to get developers to ask themselves, "What could the bad guys do?"

A Practical Example: The Airlock Door Dilemma

This is a scenario I came across when accessing a data center. Imagine that three people need to enter a building, but between them they have only two access cards. The entrance is an airlock: two doors in sequence, and an access card must be tapped at each door on the way in and on the way out. How do all three individuals gain entry?

Someone with a "criminal mind" might approach this problem by questioning the assumptions of the system. They might consider solutions like propping a door open, using timing to pass cards back through the airlock, or any number of creative approaches. The key is identifying the system’s limitations and leveraging them to achieve the desired outcome.

The solution: the first person taps one card at the first door and carries it into the airlock, taps it at the second door, and leaves it on the floor of the airlock. The second person taps the other card at the first door, leaves that card for the third person, picks up the card on the airlock floor to pass the second door, and leaves it on the floor again. The third person taps the second card at the first door and keeps it, picks up the card from the airlock floor, and enters the building carrying both cards.
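To see why the trick works from the defender's side, here is an added example (not from the original post) that models the door controller and replays the solution above as the sequence of taps the controller observes. The zone model, the person and card names, and the anti-passback rule are assumptions for illustration; the point is that a controller which only checks "is this a valid card?" cannot tell one card handed between three people from three people with three cards, while one that also remembers where each card was last seen refuses the reused taps.

```python
# Added example, not from the original post: a toy model of the airlock
# controller that replays the card-passing solution above. Names, the zone
# model and the anti-passback rule are illustrative assumptions.
from typing import Dict, List, Tuple

OUTSIDE, AIRLOCK, INSIDE = "outside", "airlock", "inside"
# Each door separates two zones; a reader on one side admits a card to the other.
DOORS = {"outer": (OUTSIDE, AIRLOCK), "inner": (AIRLOCK, INSIDE)}

# The solution as the controller sees it: (person, card, door, reader's zone).
SEQUENCE = [
    ("P1", "A", "outer", OUTSIDE),  # P1 taps A at the first door, enters the airlock
    ("P1", "A", "inner", AIRLOCK),  # P1 taps A at the second door, drops A on the floor
    ("P2", "B", "outer", OUTSIDE),  # P2 taps B, leaves B for P3
    ("P2", "A", "inner", AIRLOCK),  # P2 picks A off the floor, taps the second door
    ("P3", "B", "outer", OUTSIDE),  # P3 taps B and keeps it
    ("P3", "A", "inner", AIRLOCK),  # P3 grabs A and taps the second door with it
]


def other_side(door: str, zone: str) -> str:
    # Zone a card ends up in after an accepted tap at `door` from `zone`.
    a, b = DOORS[door]
    return b if zone == a else a


def replay(taps, anti_passback: bool) -> Tuple[int, List[str]]:
    """Return (people who reached the building, list of refused taps).
    Without anti-passback the controller only checks that the card is valid,
    so it cannot tell that one card is being handed between three people.
    With anti-passback it also requires the zone it last recorded for the
    card to match the side of the door where the card is now presented.
    """
    card_zone: Dict[str, str] = {}  # last zone recorded per card (default: outside)
    inside, refused = 0, []
    for person, card, door, presented_from in taps:
        recorded = card_zone.get(card, OUTSIDE)
        if anti_passback and recorded != presented_from:
            refused.append(f"{person}: card {card} presented at the {door} door "
                           f"from {presented_from} but last recorded in {recorded}")
            continue
        card_zone[card] = other_side(door, presented_from)
        if door == "inner" and presented_from == AIRLOCK:
            inside += 1  # an accepted tap at the inner door lets a person in
    return inside, refused


if __name__ == "__main__":
    print(replay(SEQUENCE, anti_passback=False))  # (3, []): all three get in
    print(replay(SEQUENCE, anti_passback=True))   # (1, [...]): three taps refused
```

Real controllers vary in how they implement anti-passback and occupancy counting; this model only illustrates the assumption the puzzle exploits, namely that a card is treated as equivalent to its holder.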

Cultivating the "Criminal Mind" as a Pentester or Bug Bounty Hunter

For those looking to develop this mindset, one effective method is systematic preparation and study. Here’s how to cultivate it:

  • Build a Knowledge Base: Keep a detailed list of application types, features, and the vulnerabilities commonly associated with them. Regularly read bug bounty write-ups, vulnerability reports, and CVEs to expand this knowledge base. Make sure you keep notes for each type of application and feature.
  • Analyze and Categorize: For each type of application and feature, document what has been tested, what vulnerabilities were found, and how they were exploited. Create a checklist or reference guide that you can consult during future testing.
  • Practice Constantly: Engage in hands-on practice by participating in Capture the Flag (CTF) challenges, bug bounty programs, or creating your own testing environment.
  • Stay Curious: Always ask, "What if?" when exploring systems. Look for the unexpected interactions or overlooked assumptions that could lead to vulnerabilities.
  • Learn from Others: Follow experienced researchers and ethical hackers. Study their approaches and thought processes to understand how they identify and exploit vulnerabilities.

Encouraging the Criminal Mind

For those looking to foster this mindset, here are a few additional tips:

  • Practice Lateral Thinking Exercises: Engage in puzzles, games, or challenges that require unconventional problem-solving.
  • Experiment and Explore: Take the time to play with systems, experiment with inputs, and test the limits of functionality.
  • Adopt a Critical Perspective: Always ask, "What could go wrong here?" or "How could this be abused?"
  • Challenge Your Assumptions: What assumptions are you making in your everyday life? What if...
  • Think Like the Dodgiest Person You Know: Picture the most cunning or rule-bending person you’ve encountered and ask yourself, "What would this person do in this situation?" This exercise can help you uncover creative or unconventional ways to exploit a system.

Conclusion

Whether born with it or cultivated over time, the criminal way of thinking is a cornerstone of effective security testing. It’s a mindset that challenges the status quo, pushes boundaries, and ultimately makes the digital and physical worlds safer for everyone. By understanding and embracing this approach, we can better equip ourselves to anticipate and defend against the ever-evolving tactics of adversaries.

Written by Louis Nyffenegger
Founder and CEO @PentesterLab