Cognition-Understanding the Attacker


A prime reason so many cybersecurity defenses and intrusion responses fail is a lack of understanding of the psychological makeup of the attacker.

This post is about better understanding the psychological profile of the attacker.

Sun Tzu, in the Art of War:

“Know the enemy and know yourself; in a hundred battles you will never be in peril. When you are ignorant of the enemy, but know yourself, your chances of winning or losing are equal. If ignorant both of your enemy and yourself, you are certain in every battle to be in peril.”

Fail to understand your adversary, and you lose.

Intrusion Response and Intelligence

There is a standing assumption: always assume you are compromised. Good assumption. A follow-on is to have an intrusion response (IR) plan in place. Unless active intelligence is part of the intrusion response effort in near real time, the IR is primarily reactive, and compromises often go undetected for months. In today’s world, seconds are a lifetime and a step away from disaster.

Before I leave IR, here is a book on intelligence-driven incident response.

Intelligence: near-real-time intelligence leveraging OSINT, together with understanding and implementing intelligence products, is a required step in IR.

Failure to Prioritize

I understand the value of implementing security controls. But my experience has taught me that even the base-level implementation of security controls is a business decision. When there is a choice between a release of functionality and a secure system, functionality is the choice. Security, at best, is an add-on. After all, what are the chances of a compromise happening to me?

I can remember when Japan launched the sale of products in the US. Japan came in with a long-term plan, years out, and US businesses responded by boosting the next quarter’s stock price. Japan won, Detroit is history, and US businesses put the short-term value of the dollar above survival. Fifty years later, the change is China, planning, Business 101, and cognitive warfare.

Overlap of Human Brain and Computer

Time to pivot to another type of warfare. But first, some foundation: the ever-increasing overlap of computers and the human brain.

Take a quick look at the link to a YouTube video. Depending upon your sense of humor, it could be considered funny (never going to happen to me). Or it could provide insight into the ever-increasing overlap of the computer and the human brain.

There is a book titled CYBERPSYCHOLOGY on Amazon.

A tad on the long side at 500+ pages, but if you work in cybersecurity, it is very important to understand the overlap between the human brain and the computer. Whether you work the offense or the defense side, understanding the overlap between brain and computer, and its link to cognitive warfare, which has been in place for years, is extremely important.

Inside the book is a figure.

When I think about the success of attackers such as China, Russia, Iran, and North Korea, the image of this graph pops up in my mind. There is the ever-increasing overlap of computer and brain. If there is any doubt about the overlap, take another look at the YouTube video, or the next time you go out to dinner, look around at the other folks and count how many are socializing with family and friends versus how many are texting on their smartphones.

Psychological Profiles

Next up is the classifying of psychological profiles: what your adversary thinks of you, what you believe to be true about your adversary, and the differences between cultures. There are multiple views and ways of assessing, but fail to assess properly and adapt, and the war is lost.

Humans, each and every one, are unique. DNA tests make a good argument for uniqueness.

The image above is of President Putin. President Putin grew up in Russia, was educated in Russia, worked for the KGB overseas for a while, servant of the people, KGB officer, and extremely wealthy. All attributes that help define President Putin’s uniqueness.

The image above is of President Biden. He grew up in the USA with freedom and privilege. He became a servant of the people, served in the US Senate and became President of the USA. He leveraged donations from around the globe becoming very wealthy, and dramatically increased the wealth of his family. All attributes that help define President Biden’s uniqueness.

Differences in How Russian and American Hackers View Each Other

Back in the day, there was a fellow named Sun Tzu who wrote about the art of war.

“Know the enemy and know yourself; in a hundred battles you will never be in peril. When you are ignorant of the enemy, but know yourself, your chances of winning or losing are equal. If ignorant both of your enemy and yourself, you are certain in every battle to be in peril.”

I can’t count the number of books, papers, and security certifications that I have read or taken that go into great depth about what security control to add where. But as deeply as the information went into describing what went where and why, I cannot remember any reference to the importance of knowing yourself and knowing your enemy. Lack of knowledge of your enemy, or of yourself, is a big reason why, even with so many controls in place, you lose if there is no understanding of your adversary.

There is an excellent post on LinkedIn that describes the underpinnings of the Russian hacker.

The post is titled “Decrypting the Russian Cyber Enigma: A Deep Dive into Skill, Motivation, and Geopolitical Underpinnings” and is written by Neils G.

“Understanding the intricate landscape of Russian cyber activity is akin to navigating a labyrinthine edifice with multiple, interconnected chambers—each one intricately designed, revealing a deeper level of complexity as you progress. It’s a dynamic ecosystem that is far more than just a compendium of different types of malware, hacking techniques, or a list of infamous hacking groups. Rather, it’s an intricate confluence of history, culture, technological innovation, and even geopolitical ambition. This complexity produces an arena of cyber threats that are as sophisticated as they are varied.

For professionals whose task it is to profile Russian hackers, the challenge is substantial and multidimensional. It’s not sufficient to simply be technologically adept; one must possess a nuanced understanding of a range of factors. A technical approach alone would be akin to studying an iceberg solely from what’s visible above the waterline. To truly understand the full scope and depth of the issue, it’s critical to examine the undercurrents—be they technological, sociopolitical, psychological, or cultural—that contribute to these cyber activities.”

“Delving into the psychological motivations of Russian hackers is akin to navigating a complex labyrinth, a maze constructed of varying socio-political views, historical context, and individual inclinations. While certain motivations may appear straightforward, such as the pursuit of financial gain, there’s often a deeper, more intricate web of factors influencing these choices.

To begin with, the monetary allure cannot be overstated, but it’s essential to view it against the backdrop of Russia’s socio-economic conditions. Given that many Russian hackers possess a high level of technical skill, the potential for financial returns is significant. In a country where the average income may not correspond to the high level of education and expertise that many possess, the underground world of hacking can offer an alternative, albeit illicit, pathway to financial prosperity. There’s an allure to using one’s skills to tap into large reserves of digital wealth, especially when it can dramatically alter one’s quality of life.”

Perhaps a key takeaway is that technical mastery is not enough when designing and implementing a cybersecurity strategy. Understanding the psychological profile of the adversary is required if a cybersecurity strategy is to be successful.

On the flip side, when a Russian hacker assesses a target, what lens is the Russian hacker applying?

Treadstone71 has a group of courses that discuss the profiling of Russian hackers.

These courses do not address “techie solutions”.

What they do address is information that helps describe the mind-set of a Russian hacker.

The course on the “Psychology of the Seven Radicals” describes how a Russian hacker might view the psychological anomalies of someone in the West. Close to what the DSM describes, but different enough to be worth taking the time to understand.


I had to ask ChatGPT about hacker differences. Shallow response, but some food for thought.

Prompt to ChatGPT: “what are differences between russian, chinese, and iranian hackers?”

ChatGPT’s response:

“Russian, Chinese, and Iranian hackers are distinct in various ways, including their motivations, tactics, and targets. However, it’s essential to remember that within each of these groups, there are multiple hacker organizations and individuals, each with its own unique characteristics and objectives. Here are some general differences:

  1. Motivations:
    • Russian Hackers:
      • Motivations can include financial gain, state-sponsored espionage, political objectives, and cybercrime for profit.
      • Some Russian hacker groups have close ties to the Russian government and are involved in state-sponsored cyber espionage campaigns.
      • They may also engage in cybercriminal activities such as ransomware attacks.
    • Chinese Hackers:
      • Chinese hackers often conduct cyber espionage campaigns, primarily targeting intellectual property theft, trade secrets, and technology advancements.
      • State-sponsored hacking groups in China, such as APT groups, have been linked to cyberattacks against foreign governments, businesses, and research institutions.
      • Economic and industrial espionage is a common motivation.
    • Iranian Hackers:
      • Iranian hackers may have political or ideological motivations, including targeting regional adversaries, retaliation against perceived threats, and promoting Iranian interests.
      • Some Iranian hacker groups have targeted critical infrastructure and conducted cyber espionage in the Middle East.
      • Economic espionage and cybercrime may also be motivations.
  2. Targets:
    • Russian Hackers:
      • Russian hackers often target a wide range of organizations globally, including government agencies, businesses, and critical infrastructure. They have a broad scope of activities.
      • Their targets may include political opponents, foreign governments, and commercial entities.
    • Chinese Hackers:
      • Chinese hackers primarily focus on intellectual property theft, technology companies, research institutions, and government entities in foreign countries.
      • They aim to gain a competitive advantage and access valuable information.
    • Iranian Hackers:
      • Iranian hackers often target regional adversaries, including Middle Eastern governments and businesses.
      • Their objectives may involve espionage, disruption of critical infrastructure, or retaliation against perceived threats.
  3. Tactics:
    • Russian Hackers:
      • Russian hacker groups are known for their advanced technical capabilities and sophisticated malware.
      • They may use a variety of tactics, including spear-phishing, supply chain attacks, and zero-day vulnerabilities.
    • Chinese Hackers:
      • Chinese hackers often engage in long-term, persistent campaigns using spear-phishing, watering hole attacks, and custom malware.
      • They are known for their patience and ability to remain hidden for extended periods.
    • Iranian Hackers:
      • Iranian hackers may use a combination of tactics, including phishing, malware distribution, website defacement, and distributed denial-of-service (DDoS) attacks.
      • Some Iranian groups are less technically advanced than Russian or Chinese counterparts but can still pose threats.

It’s crucial to recognize that cybersecurity threats are dynamic, and hacker groups evolve over time. Additionally, attributing specific cyberattacks to a particular nation or group can be challenging due to the use of false flags and obfuscation techniques. As such, cybersecurity experts and agencies rely on extensive analysis and evidence when making attributions and assessing cyber threats.”


Building a successful cyberwarfare attack or defense requires understanding the psychological makeup of your adversary/target. Cognitive warfare is so successful because attackers have taken the time to understand the enemy. Sun Tzu was correct in his analysis.

Discover more from Threat Detection