After completing the CCSP certification, I decided to switch gears and pick up a book focusing on red teaming or adversary emulation. I chose How to Hack Like a LEGEND by Sparc Flow. This book is part of the Hack The Planet series. The first edition of this book was independently published by the author in 2018. However, a newer edition is expected to be released in October 2022 by No Starch Press. The Early Access version of the new edition is available here.
“This is not your typical tech book,” as the author describes it. I agree; it reads like a novel. This book narrates the story of a hacker who wants to unearth the shady dealings of an offshore accounting firm, G&S Trust (this is the same approach that I have taken in my course Red Team Adversary Emulation, where we set out to breach a FinTech firm, Tax First Labz). In the book, the hacker sets out to identify an exploitable vulnerability in the G&S Trust network, but to no avail. This forces him to look at the supply chain angle. So he sets out to breach a company in the supply chain of G&S Trust and soon finds an attractive target. What happens next? You will need to read the book to find out.
The book is divided into four parts:
- Starting Blocks – This section encompasses the first four chapters. In these chapters, the hacker sets up his hacking infrastructure, performs recon, identifies a weak link in the supply chain and sets up a phishing campaign to collect credentials from the target supply chain company.
- First Dive In – This section encompasses chapters five to seven. In these chapters, the hacker uses the collected credentials to break in and realizes that his actions are being watched. He then goes on to identify the security tools in action and possible ways to defeat them.
- Back to the Arena – This section encompasses chapters eight to twelve. In these chapters, the hacker delves into a few OPSEC techniques to defeat security monitoring tools, creates custom payloads and demonstrates installing a backdoor in the source code of the software used by G&S Trust.
- Salvation – This section encompasses chapters thirteen and fourteen. In these chapters, the hacker finally gains access to G&S Trust, breaks into various machines to collect data and finally gets his hands on the evidence he was looking for.
Salient Features
- This book demonstrates a real-life supply chain attack. It helped me understand the true mechanics of a supply chain attack.
- The author has given due importance to OPSEC techniques (something not found in many of the “hacking” books out there).
- Though it doesn’t explicitly cover topics such as red teaming or adversary emulation, it demonstrates them practically.
- It is a good resource for OSCP, OSEP, CRTP, CRTE and CRTO aspirants.
- It is good for beginners, penetration testers, red teams and blue teams.
- If you are curious about how real-world breaches happen, go for this book.
Not So Salient Features
- A mapping of the hacker’s TTPs to the MITRE ATT&CK Framework would have been nice (this is more of a suggestion to the author for the next edition of this book).
- I would have loved a self-hosted hands-on lab to practice the techniques demonstrated in the book.
My rating: 4.5 / 5.0
Join our book club on Discord and share your views on this book (or any other security book of your choice).
Other book reviews
- CCSP for dummies by Arthur J. Deane
- Cyber Warfare – Truth, Tactics, and Strategies by Dr. Chase Cunningham
- Practical Threat Intelligence and Data-driven threat hunting by Valentina Costa-Gazcón
- Hacking APIs by Corey Ball
- Pentesting Azure Applications by Matt Burrough
- Penetration Testing Azure for Ethical Hackers by David Okeyode, Karl Fosaaen
- Red Team Development and Operations by Joe Vest and James Tubberville
- Container Security by Liz Rice
- Web Application Security by Andrew Hoffman
Uday Mittal is a cybersecurity professional with rich experience working across various industries, including telecom, publishing, consulting and finance. He holds internationally recognized certifications such as CRTP, OSCE, OSCP, CISSP, CISA, CISM and CRISC, among others. He speaks on cybersecurity awareness and offensive security research, and has authored various articles on topics related to cybersecurity and software development for a leading magazine on open source software.