Where there is a lock there is always a key and if you can’t get find a key use a hammer. If that does not work, blow the door off.
This type of mindset is the foundation of how malicious attackers look at your network. There are no rules or regulations governing an attacker. There are no best practices or compliance regulations. Just pure anarchy. Their techniques are not always advertised on your exploit database web pages or the latest vulnerability research analysis, and why would they be? If you had a competitive edge on your opponent would you tell them how to block your punches? I hardly think so.
You have put together the most sophisticated perimeter defense system known to man, have training and security awareness programs, comply to various legislative regulations and still you are a victim of an attack. How does this happen? We all know there is no such thing as 100 percent security although it is something that we want to move towards but we can never get there. Why is that? In a perfect world there would be no software flaws, no code errors, no vulnerabilities and no entry into a system. In this perfect world there would be limited job opportunities because every system and software would work flawlessly – no system crashes, no reboots required, no updates, no patch management. That is the “Skynet” future of science fiction, but we are here in the 21st century after all. We are all human and we are flawed.
Malicious attackers prey on these weaknesses and because they have no boundaries or ethics that is the reason why they can use a hammer to break your lock. This is not to say that this is what they always do, in fact the best attacks are never seen. What I am saying is that there are no limitations on the processes or methods that are used to attack your system. It can be extremely subtle as in a client side attack or it can be overtly disruptive such as a DDOS attack to your hosted business application.
What we have to remember as security professionals is to not put limitations on our methodology when performing a penetration test or a vulnerability assessment. The point is you need to be prepared to “blow the bloody doors off”.