Ever since I was a small child, I have had a love for being “sneaky.” This love for sneaking is what eventually helped bring me into the information security industry, through an introduction to hacking from the game series “Splinter Cell” which I played voraciously as a teenager.
I find it hard to believe that although kids seem to love sneaking around, adults are genuinely avoidant of the skill. Even in the information security industry, you’ll find many hackers who are unwilling to attempt ‘physical stealth’ techniques as part of a penetration test.
Sure, these hackers understand that ‘stealth’ is important. But their definition of stealth seems to end when they get up from the keyboard. They’ll sneak as best as they can through a computer network. But during the physical portions of a pentest, the best they can often muster is to disguise themselves as someone wacky and try to talk their way into a building.
I’m guilty of this too. I’ve also participated in ‘ruse’ based physical intrusion attempts. They’re very common in our industry, but they leave a huge blind spot to other techniques that real attackers may be using to break in.
Why is Stealth Ignored?
It’s obvious that being ‘ninja’ and sneaking in the shadows during pentests is often a forgotten skill. I think there may be a few reasons for that. For starters, it’s genuinely hard to do! Not only is there a huge mental component to shadow based stealth (knowing when to move, where to hide, how to approach) there’s also a significant athletic bar that must be met before someone can be genuinely effective.
You’re gonna get mad at me for saying this, but I think the athletic bar, along with the need to train is what keeps members of the industry from ever really trying it out. It’s a shame really. Because we know that real malicious attackers aren’t afraid to try out what works!
Many companies are seriously lacking in the area of defense against legit ‘ninjas’. They may be good at turning someone away when they show up at the front door in a crappy disguise. But were someone to sneak in cat burglar style, they’d never have a chance. And the reason for this? They simply don’t think it’s possible.
To get good at shadow stealth, takes time, patience, discipline, and drive. Furthermore, running around in the shadows is seen as ‘childish’ and ’embarrassing’ or ‘goofy’. I think it’s for all these reasons that shadow stealth is largely ignored.
And I think it’s a huge shame.
I leave you with a link to a youtube channel I’ve become a fan of over the past year or so.