How To Think Asymmetrically - Role playing As A Threat Actor

When you take up the mantle of an offensive physical security professional your job is to test & improve your clients security through a reality check. One of the best ways to go about accomplishing this is by adopting the "attackers mindset” and putting yourself in the mind of an actual bad guy who’s goal is to do the most harm to the client with the least risk to you, an asymmetric attack.

Having done this job for almost 20 years, I can confidently tell you that every organization from corporate, government and even military are all like a jenga game, a large structure that usually has a few bottlenecks that the structure is precariously balancing on. Your job, is to locate these bottlenecks and discover if they are vulnerable to an asymmetric attack.

The reason why asymmetric attacks are important is because nobody will care or even listen to you if you focus your threats on state level, or over the top risks.

“What if a B2 bomber were to fly over and drop a nuke on your building”

But what they would care about, is if you instead discovered that one of your senior tech engineers, with the highest level of access, often worked on your most sensitive projects, possibly even classified projects, from a public cafe where they were using the free wifi.

In this blog post, I want to put you in the shoes of a black team leader, where I will walk you through discovering these bottlenecks and what is most important to your clients.

Imagine you're an attacker with a unique challenge: a client has asked you to assess the security of a city's electrical grid and determine whether it's possible to remove power for at least one year, not from a building or a neighborhood but the entire city. This is no ordinary task. It's an exercise in thinking asymmetrically, identifying the most vulnerable point in a complex system where a single disruption could lead to catastrophic failure.

Before I continue, here is the obligatory legal speech. This blog post is for educational purposes only, and to help security professionals to improve their skills to better assist with identifying and securing physical vulnerabilities of their clients.