Securing network assets is a complex and never-ending battle. As such, concepts and principles of warfare can be applied directly to matters of network security. In particular, Sun Tzu's Art of War is particularly useful in providing key points that must be taken into account if one expects to gain the upper hand. This is used in conjunction with profiling the potential adversary in an attempt to understand their motivation, targets, methods, and goals. Putting these pieces together, we are able to devise a thorough and robust plan for handling the adversary wherever he or she appears.
I am a martial artist and for all practical purposes, I've been one all of my life. I'm also a network security consultant. Keeping our networks and our data secure is a widely varying and, at times, extraordinarily difficult task. The fundamental objectives remain the same (keep our stuff safe and keep the bad guys out), but the methods for attaining these objectives can change from one moment to the next. Threats are constantly changing and evolving, and our adversaries are constantly evolving, too. At times, the threats posed by our adversaries can be clumsy and ham-handed, but other times, the threats can be cunning and sophisticated. All of these threats, ranging from the crude to the sublime, can be devastating. In my years of teaching martial arts, I've always been intrigued by how much martial strategy and the principles of combat can be applied directly to matters of network security. All too often businesses think of information security as a destination, or a project that can be easily defined and quantified. While hard skills such as networking, scripting, log analysis, and event correlation are obviously part of the network security equation, often overlooked are the softer skills which, by their very nature, are less specific and less clearly defined. In order to present a robust defense, we must incorporate into our security model the soft skills involved in truly understanding the adversary.
Security should be treated as a cumulative process. Each step builds on top of previous steps, and eventually we have a multi-tiered security infrastructure providing defense in depth. To get to this point, we rely mostly on the aforementioned hard skills. We put in our firewall, network intrusion detection, host intrusion detection, anti-virus gateway, and anti-spam gateway. We implement ACLs severely restricting who has access to what. We do thorough log monitoring and event correlation across the enterprise, to the point that we have a highly accurate view of everything that happens, where it is happening, and who is doing it. We've successfully tuned our security tools to minimize false positives and false negatives, and as a result, we now have a highly tuned security infrastructure, of which we should be justifiably proud. In martial arts terms, we have now attained Black Belt rank. Many people (especially those not actively involved in the martial arts) have the mistaken idea that receiving a black belt means that you are a master of the art. What it actually signifies is that you have a very firm grasp on the fundamentals, and it is at this point that one's real education begins. It is at this point that one truly begins to take what has been learned and turn it into art. In the broadest of terms, we create art by taking a wide assortment of fundamental techniques, and through ingenuity and sweat, find innovative, pleasing, and effective ways of linking them together. Ultimately, this is our goal.
Having established our baseline security posture, the adversary profiling begins. We establish the baseline security posture first because it can be implemented relatively quickly, and there are numerous security features that apply, regardless of the nature of the enterprise or the adversary. Profiling our adversary provides us with the information to customize the security infrastructure to fit our enterprise like a hand fitting into a glove.
There are many works written on the subject of combat strategy and technique, including Sun Tzu's The Art of War, Yamamoto Tsunetomo's Hagakure, Miyamoto Musashi's The Book of Five Rings, Nicolo Machiavelli's The Prince, and Bruce Lee's Tao of Jeet Kune Do, just to name a few. Some of these deal with combat on the macro scale, some on the micro. These works cover many different concepts, some of which are not germane to our topic, such as Machiavelli's discussion on hereditary principalities. If, however, we take these works and break them down, there are a few key concepts that are of interest to us:
- What is the enemy attempting to accomplish?
- Why does the enemy want to accomplish this?
- What does the enemy expect to gain by accomplishing this?
- How does the enemy intend to go about accomplishing this?
Once we've answered these questions, we are in a much better position to devise an appropriate defense strategy. In order to answer these questions, though, we must delve into areas that may be unfamiliar territory. We must learn a little bit about psychology as we gather information on cognitive biases (both our own and those of our adversary). In addition, we must become acquainted with combat strategy so we can better identify vectors of attack, potential targets, and the ideal methods for thwarting the actions of the adversary. Finally, taking relevant cognitive biases into account, we create a list of basic assumptions. At that point, we'll be ready to start profiling our potential adversary.
Our brains are highly sophisticated information processing machines. In an attempt to categorize and disambiguate the information that we process, we develop rules of thumb and other related strategies to decrease the overall burden (Heuer, 1999). We use these rules and techniques to assist in making judgments and decisions. Heuer goes on to state that while these techniques are useful when it comes to dealing with ambiguity or complexity, they can lead to "predictably faulty judgments known as cognitive biases" (1999). There are a great many such biases, all of which play a role in our decision making, to a greater or lesser degree. In a recent article, Why Hawks Win, Daniel Kahneman and Jonathan Renshon do a fine job of providing an accurate description of these biases.
Social and cognitive psychologists have identified a number of predictable errors (psychologists call them biases) in the ways that humans judge situations and evaluate risks. Biases have been documented both in the laboratory and in the real world[...] For example, people are prone to exaggerating their strengths: About 80 percent of us believe that our driving skills are better than average. In situations of potential conflict, the same optimistic bias makes politicians and generals receptive to advisors who offer highly favorable estimates of the outcomes of war. Such a predisposition, often shared by leaders on both sides of a conflict, is likely to produce a disaster. And this is not an isolated example.
Not only do these biases have an impact on our decisions, our adversaries bring with them their own cognitive biases which factor into their decision making. In making the assessment of our adversary, we must, to the best of our ability, recognize our own biases and do what we can to factor them out. In some cases, once we've made a decision based on a cognitive bias, this can be extraordinarily difficult to reverse, even when directly confronted with evidence contrary to our decision. It is also worth noting that under some circumstances, we may be able to use our adversary's cognitive biases to our advantage.
There are a handful of specific biases that are of interest to us:
- Anchoring - when making decisions, the tendency to place too much value on one particular piece of information.
- Bias blind spot - the tendency not to account for one's own cognitive biases.
- Confirmation bias - the tendency to interpret information so that it conforms to one's own preconceived notions.
- Gambler's fallacy - the tendency to assume that subsequent random events were influenced by preceding random events. (The classic is example is if I flip a coin 5 times and every time it lands on heads, thinking that the next flip is more likely to be tails because of the previous string of heads. In this case, each flip of the coin is a separate, discrete event that has no impact on subsequent events.)
- Illusory correlation - sometimes seen in Latin as cum hoc ergo propter hoc ("with this, therefore because of this"). This is the incorrect assumption that correlation implies causation.
- Mere exposure bias - the tendency to exhibit undue favor for things with which one is familiar.
- Overconfidence effect - the tendency to overestimate one's own abilities. (See above example from Kahneman and Renshon.)
- Von Restorff effect - the tendency for unusual or stand-out events to be remembered more than common events.
- Zero-risk bias - the tendency to prefer to reduce a small risk to zero over a greater reduction in a larger risk.
So why do we care about these things? As stated before, these are part of our decision making process. In order for us to make an accurate assessment of our adversary, we must take steps to eliminate the effects of these from our profile. At the same time, though, we should also take note of the fact that these same biases affect our adversary and the decisions that he or she makes. In some cases, we may be able to use our adversary's cognitive biases to our advantage. For example, taking advantage of both the Von Restorff effect and the overconfidence effect, by placing a small amount of interesting (though false) information on our network by way of honeypots and the like, it may be possible to frustrate our adversary. Hopefully, we will be able to keep our adversary busy running down false leads while we implement our security breach procedures and contact the proper authorities.
Taking into account the above biases, we must create a list of assumptions in order to begin our actual assessment. Every decision from this point on must take these assumptions into account.
- We must assume that the adversary knows at least as much as we do. That isn't to say that the adversary knows our particular environment as well as we do (except in the case of the adversary being an insider). Rather, we must assume that at a minimum, the adversary knows the same tricks and has the same set of skills that we do. This is in direct opposition to at least several cognitive biases. As a result, this assumption can be difficult to work with. Being complacent or underestimating the attacker is a recipe for disaster (Parker, Devost, Sachs, Shaw, & Stroz, 2004). As Parker et al. stated in Cyber Adversary Characterization: Auditing the Hacker Mind, "The second that we become narrow-minded about the security of our organizations and the resolve of our enemy is the second that we become vulnerable."
- We must assume that the adversary is at least as tenacious as we are. Think of it in terms of yourself; confronted with a difficult though interesting problem, are you likely to give up after a few tries or after encountering a few roadblocks? Neither will the adversary.
- We are reasonably safe in assuming that the adversary is at least somewhat of a risk taker. This is an assumption that we may or may not be able to use to our advantage. If nothing else, it may be useful in forming the overall gestalt of our adversary.
- We are reasonably safe in assuming that the adversary is fairly confident in their skills. Like the previous point, this assumption may or may not work to our advantage. It may be possible, however, to leverage the adversary's intellectual vanity for our benefit.
Having enumerated our cognitive biases (and, by definition, those of the adversary), and generated our list of assumptions, we can now start using elements of combat strategy to generate our adversary profile. As a general rule, adversary profiling is either of the theoretical type or post-incident type (Parker, et al., 2004). For our purposes, we're concerned with the theoretical type.
What is the
enemy attempting to accomplish?
This is the first question we must answer in order to start understanding our adversary. Simply put, this is the adversary's objective. The answer to this and the following questions will vary widely depending upon the nature of the enterprise. It is important to avoid over-generalization in answering this question. "The adversary is trying to steal our data" is a fine start, but we really need to try to be more specific. What type of data is in question? Is the adversary attempting to deprive us of the data, or is the adversary stealing a copy of the data? Something more along the lines of "the adversary is trying to acquire a copy of our development code" will give is a much better picture of what we're trying to protect. Other possibilities might be "the adversary is trying to disrupt our business," or "the adversary is trying to copy our client data." Answering this question allows us to start painting a picture of our adversary. Is the adversary simply a vandal? Is she or he an informed insider who is looking for technical data that could be of value to our competition? Is the adversary trying to steal our financial data? Depending upon how we decide to answer this question, we can start to adjust our strategy and tactics accordingly. We should, however, not be afraid to change our assessment as we progress. As Sun Tzu states, "According as circumstances are favorable, one should modify one's plans" (1963).
Why does the
enemy want to accomplish this?
This question and the next are very similar, and one could make an argument for combining them into a single question. It is my opinion, however, that there is a subtle but important distinction. In this case, we are concerned with the matter of motivation. One of the most important elements in determining motive is to remember that every action is done for a reason, or to fulfill a specific need. Our job is to attempt to make some educated guesses at motivation based on how we answered the previous question. We must remember, though, that the adversary's motivation need not make sense to us; it only needs to make sense to the adversary. What motivates the adversary may seem utterly alien to us, but it doesn't make their actions (or potential actions) any less dangerous or any less real.
What does the
enemy expect to gain?
This is where we attempt to ascertain the expected payoff. The adversary clearly expects to gain something, otherwise he or she wouldn't be advancing on the objective in the first place. Is their payoff something tangible (money, data, etc.), or are they concerned with a less tangible payoff (notoriety, bragging rights)? Or is their intent to damage our reputation?
How does the
enemy intend to accomplish this?
Having thoroughly addressed the previous question, we must now turn our attention to the potential attack vectors. What methods does the adversary plan to use to accomplish the objective? This question ties in very nicely with basic martial theory. A friend of mine (a very gifted martial artist in his own right) once said to me that in combat, "you have to be prepared for anything." This statement, while it appears to be true at first glance, is not entirely accurate. Good martial strategy says that I should assess the current situation, and attempt to account for the options available to the opponent. To illustrate the point, here is a simple example using martial strategy. For the sake of discussion, let's say that someone grabs you from behind, pinning your arms at your sides. In the current situation, what are the opponent's available options? You don't have to worry too much about the opponent kicking you; they're too close for that. Nor do you have to worry about getting punched because both of the opponent’s arms are wrapped around you and are thus otherwise occupied. You don't have to worry about the person pulling a weapon for the same reason. So what do you have to worry about? They could head butt or bite you. They could stomp on your foot. Or they could try to move you, throwing you into something (like a wall) or throwing you to the ground. In terms of effort vs. risk vs. payoff, the last option (attempting to throw you to the ground) is the most likely. Does that mean that the person won't try any of the other options? Of course not; those options are still on the table. It just means that in the current situation, the last option has the highest degree of probability. As the situation changes, you'll have to re-evaluate the available options and prepare accordingly. So do you have to be prepared for anything? Not really. You only have to be prepared for the opponent's available options in a given situation for the given environment, which significantly reduces the complexity. Our goal is to eliminate as many of the options as possible and have an adequate plan for addressing the options that remain.
Having answered the above questions, we now start devising our plans or strategies based on our assessment. Ideally, you will need to make numerous different assessments for different types of adversaries, and create strategies for each. This is an on-going process; on a regular basis, revisit existing assessments and create new ones as necessary. The key is to treat each individual assessment as a vital tool in defending our network.
Devising the plan
It is at this stage that we turn to Sun Tzu to a great degree. The Art of War
is replete with useful bits of wisdom that we can employ to build our strategy and to strengthen our security posture. What follows is a list of important points from Sun Tzu with additional commentary from me as necessary.
All warfare is
based on deception. Truer words were never spoken. Wherever possible, we want to employ misdirection and misinformation against the adversary. Understand, this is not advocating security through obscurity. Rather, we don't want to divulge any more information to the adversary than is necessary. For example, I once had a client that had four servers whose mere names were enough to draw attention: legal_node1, legal_node2, legal_node3, and legal_node4. To the would-be bad guy (and, yes, these names were in local DNS, too), "node" might suggest part of a cluster. Generally we only cluster things that are important and/or valuable, so this is something our adversary would likely want to know more about. Further, "legal" certainly sounds interesting. The hostnames alone suggest to the adversary that these are likely high value targets. In short, we have given our adversary a big flashing neon sign that says "Look Here!"
inferiority and encourage his arrogance. Honeypots immediately come to mind. Deployed judiciously throughout the enterprise, this can be an invaluable tool in helping to detect the adversary, as well as a tool to slow down his or her activity while you put your security incident plans into action.
never a useless move; in strategy, no step taken in vain. Basically, this is a matter of efficiency. With limited time and (likely) a limited budget, make each step in our strategy count. Always deploy in the most advantageous position and make effective use of the resources available.
battle, use the normal force to engage; use the extraordinary to
win. In terms of network security, think of the normal force as standard defenses: firewalls, ACLs, pervasive logging, etc. The extraordinary force is comprised of more specialized tools, like Snort, OSSEC, Bro, and the like.
Thus [a skilled
commander] is able to select his men and they exploit the situation. This one is a bit abstract at first glance. The quote specifically refers to carefully selecting the right soldiers for the given situation. Essentially, this boils down to using the right tool for the right job. Don't get stuck in the dogma of "We only use software from vendor X." Make a thorough, accurate, and dispassionate assessment of your needs, and choose the tool that best addresses those needs. One tool that does the job you need is worth fifty tools that almost do the job.
I have won a victory I do not repeat my tactics but respond to
circumstances in an infinite variety of ways. It always behooves us to have a large repertoire of tactics from which to draw. Our specific tactics will vary widely based upon the circumstances.
Those who do not
use local guides are unable to obtain the advantages of the ground.
This point, like the previous one, has to do with tactics, and the value of which cannot be overstated. If you are working in an area outside of your field of expertise, enlist the aid of those who have more expertise in that area. One of the worst mistakes you can make is either disregarding the input of your engineers and subject matter experts, or not soliciting their input in the first place.
When the trees
are seen to move, the enemy is advancing. This point is one of my favorites. Read the indirect signs of activity. Implement darknet monitoring. Perform extensive event correlation across the enterprise. Look for excessive connections from a particular IP address. Look for attempted connections to closed ports. Sometimes the actions of the adversary are not obvious or easy to detect.
The enemy is not
the Duke of Sung
Griffith, in his introduction to his translation of The Art of War, indirectly provides an interesting anecdote when it comes to profiling our adversary. Prior to about 500 B.C., warfare in China was ritualistic and tended to follow specific rules and methods (Sun Tzu, 1963). A compassionate ruler didn't ambush armies nor put his own army through undue hardship, such as fighting when it was too hot or too cold. Neither did he take unfair advantage of the adversary. Griffith states, "An absurd example of this occurred in 638 B.C. when Duke Hsiang of Sung faced the Ch'u army at the River Hung. When the Ch'u force was half across, his minister urged him to attack. The Duke refused. [...] 'The sage does not crush the feeble, nor give the order for attack until the enemy have [sic] formed their ranks.'" We must remember that our adversary suffers from no such qualms. She or he will attack at your weakest point, bringing any and all tools available to bear against you.
Armed with the above information, we now begin to understand who our enemy is and which of our assets are likely to become targets. Using this data, we can draft a plan for dealing with our adversary. Throughout the process, it is incumbent upon us to put ourselves in the mind of the adversary. See the landscape as the adversary sees it. Given what you know of your environment, if you were the adversary, what tactics would you employ? What targets would you attack? In order to adequately defend your assets, you must know your own strengths and weaknesses, as well as those of the adversary. Sun Tzu puts it best: "Know the enemy and know yourself; in a hundred battles you will never be in peril. When you are ignorant of the enemy but know yourself, your chances of winning or losing are equal. If ignorant both of your enemy and of yourself, you are certain in every battle to be in peril."
Heuer Jr., R. J.
of Intelligence Analysis.
Retrieved April 20, 2007
Kahneman, D., &
Renshon, J. (2007) Why
Retrieved April 25, 2007 from
Parker, T., Devost,
M. G., Sachs, M. H., Shaw, E., & Stroz, E. (2004) Cyber
Adversary Characterization: Auditing the Hacker Mind. Rockland, MA: Syngress Publishing, Inc.
Sun Tzu. (1963) The
Art of War.
(S. B. Griffith, Trans.). London: Oxford University Press.