Anyone who has read their fair share of security books, briefings, or blogs or sat through several infosec presentations by now has come across Sun Tzu, the ancient Chinese military General, strategist and philosopher. More specifically, I'm sure you've heard of his 5th century BC treatise known in the Western world as The Art of War. Outside of its wide military acclaim, elements of the text have been adopted and applied to areas as diverse as business, law, economics, politics, sports and inevitably, information and cyber-security. Certain quotations from the treatise have, therefore, become "overused to death" (so to speak) and clumsily thrown around in a "Confucius says" type manner, sometimes with only the most tenuous link back to the actual subject matter in question. It is also worth recognizing that although "Bing Fa" ("The Art of War") has also been referenced within many areas of mainstream popular culture (from Oliver Stone's Wall Street to the Wu-Tang Clan), much of the text holds multiple meanings open to different interpretations. This is evident in the translation of subtle concepts that don’t necessarily translate well into English. (After all, even the title "The Art of War" is a somewhat poetically licensed revision of "Sun Tzu Bing Fa" or the more literal "Master Sun's Rules of Warfare.") All of this is just much-debated detail, however, and none of it should detract from the fact that the English texts still contain some very useful strategical insights. In the first of this two-part series, we will explore a couple of very high-level examples as to how Sun Tzu's thinking can help security professionals consider the 2016 "threatscape" from a slightly different context.
All warfare is based on deception.
Taken out of context, this succinct statement from the first chapter (also referred to as "Laying Plans" in Lionel Giles' 1910 English translation) may seem somewhat obvious, but it still helps to explain nearly every successful cyber-attack and most forms of effective defense. It is certainly the way that all ransomware, the proliferating scourge of 2016, finds its way onto a victim’s device or network be that via increasingly well-constructed and convincing email messages or a watering hole approach. Adopting a mindset of continuous vigilance toward deception is often difficult to embrace for many non-security people. After all, most ordinary users likely do not take the view they are in a "warfare" situation. As they would reason, we live in a society broadly based upon trust and shared values, and all they're doing is reading their email and browsing the web. Why should they suspect that a message they just received is not actually genuine and instead seeks to do them harm? Describing the threat in literal Sun Tzu terms of "warfare" is unlikely to elicit much more than derision or amusement. By contrast, an effective awareness campaign makes use real-world phish messages, informs people what the consequences could have been if they had opened a malicious link or attachment, (This could include the use of some breach case studies that are close to home for the audience in question.) and tries to educate them as to what to try and look for in future. All of this should start to raise awareness about the reality of the digital threat landscape.
Hence, when able to attack, we must seem unable; when using our forces, we must seem inactive; when we are near, we must make the enemy believe we are far away; when far away, we must make him believe we are near.
Wherever and whenever possible, defense methods should also make use of obfuscation if not deception techniques to make an attacker's initial "job" (when footprinting, scanning, or gathering other attack intelligence, for example) a little bit harder in the hope that they will move on to easier targets unless your organization has something of particular interest. The use of more outright deception methods, such as honeypots, should be approached with caution and implemented only by those who possess the necessary expertise. Anything construed as entrapment could very well be considered unethical or even illegal in some jurisdictions.
Hence that general is skillful in attack whose opponent does not know what to defend; and he is skillful in defense whose opponent does not know what to attack.
One English translation describes the above statement to be an aphorism that summarizes the whole of The Art of War. Knowing your own environment and understanding the value of the various assets that need to be protected has to be the cornerstone of any effective security program. In the next part of this post, we will start to dig a bit deeper into the words of Master Tzu, using them as our guide for considering targeted malware and incident response.
About the Author: Angus Macrae is a CISSP (Certified Information Systems Security Professional) in good standing, a CCP (NCSC Certified Professional for the IT Security Officer role at Senior Practitioner level) and PCIP (PCI SSC Payment Card Industry Professional.) He is currently the IT security lead for King’s Service Centre supporting the services of King's College London, one of the worlds' top 20 universities Editor’s Note: The opinions expressed in this guest author article are solely those of the contributor, and do not necessarily reflect those of Tripwire, Inc.
