Due to the Sunk Cost Fallacy, it’s often emotionally easier to continue down a rabbit hole rather than just move on to a different attack vector, even if it causes us more pain and suffering than the alternative.
What can we do about it? The following method works for me on many levels; we can apply it to machines on a network, to services on a machine, or to directories on a web application.
1️⃣ Determine how many paths we can investigate on our target. By "target" here, I mean anything we are attacking... By "path", I mean the ways in which we might organize ourselves around the target. For example, open ports on a machine could each represent a different path.
2️⃣ Set a timer for an amount of time that we can work uninterrupted for. The preferred time duration varies by individual. I like to set a timer of around 75 minutes.
3️⃣ During the length of the timer, choose one of the paths to work on and ignore the others.
4️⃣ When the timer goes off, finish up whatever task we're doing. Take a 5-minute break and get up from the computer. Walk around, grab a snack, or get a drink. It's important to let our minds reset here.
5️⃣ Move on to another path. Keep in mind any information we've previously learned, but make sure that our attention is on the new path.
Twitch
🟣 OffSec Live: demonstrations and walkthroughs of course topics and Proving Grounds machines. Sessions also offer career guidance, including how to build a resume, how to break into #cybersecurity, and interview tips: twitch.tv/offsecofficial