In the first installment of this two-part article series, we took a brief look at the influence of Sun Tzu’s The Art of War and began our exploration of the theme of deception in warfare as it relates to cyber and information security. Let’s move on to another high-level theme running through the text: the importance of agility and variation in tactics. We begin with a quote from Chapter VI:
Do not repeat the tactics which have gained you one victory, but let your methods be regulated by the infinite variety of circumstances.
Attackers know this only too well. It explains why the odds are becoming stacked against the effectiveness of signature-based defenses in their ability to keep up and deal with the sheer volume and variation of new threats. A recent Proofpoint post demonstrates the sheer increase in ransomware variants over the last month alone. It even goes on to describe ransomware as becoming the "Hello, World" of malware in that it appears that almost everyone of nefarious intent is now having a go, albeit with greatly varying skills sets and results. More astutely targeted malware, however, is often adapted and customized according to what an attacker has already found out about a target system. It will also be repeatedly run through every AV engine or other signature-based defense, so that it can be modified to pass through all of them undetected. Of course, such obscurity lasts only so long. Someone will become infected and upload the malicious file to Virus Total, where it will be thoroughly analyzed. These malicious signatures will set the malware evasion development lifecycle in motion once again. As a result, echoing some points in Chapter V of The Art of War,
Indirect tactics, efficiently applied, are inexhaustible.
And to use but one of the vivid analogies from the "Energy" chapter:
There are not more than five musical notes, yet the combinations of these five give rise to more melodies than can ever be heard.
This thinking can also be positively applied in a protective sense. Whilst establishing baselines to compare and identify notable or suspicious changes to any particular point of interest is an essential part of any effective security monitoring framework, complacently monitoring only the same values without variation can easily lead to a false sense of security. Likewise, penetration tests, network health checks, and/or vulnerability assessments will also benefit from periodic changes in approach and tools. In short, simply doing what you have always done because it hasn’t failed you yet (that is, as far as you are aware) is no longer enough. Chapter VIII – "Variation of tactics’ (Giles translation) or ‘The Nine Variations’ (Wing translation) – explores the theme of flexibility further and offers the following statement:
The art of war teaches us to rely not on the likelihood of the enemy's not coming, but on our own readiness to receive him; not on the chance of his not attacking, but rather on the fact that we have made our position unassailable.
Whilst there are few (if any) environments that can seriously be described as "unassailable," the general stance that "We’re not a target. It hasn’t happened to us yet, so chances are it won’t" will not appease your board, customers, insurers, or anyone else for very much longer, that is, if it still does even now. (Think Anonymous' catch line: "expect us.") With that in mind, a position of readiness for a major breach has become imperative. This preparedness should ideally take into account each response stage following the breach, from forensic experts investigating the incident to handling media inquiries. With traditional network perimeter thinking becoming increasingly last century, some more forward-thinking organizations have begun to adopt an "assumed breach model" as the basis for their security strategy. A sometimes ambiguous and misused term, it is not necessarily a fatalistic "baby/bathwater" approach that has given up on preventative methods altogether. As adopted by certain operations, it is simply about placing less reliance on preventative controls and adding focus to improving and fine tuning one's monitoring, detection, response, containment, and recovery capabilities. Given that recent reports suggest it takes many organizations anywhere from nine to eighteen months to identify a breach, it is not hard see the reasoning behind such an approach. ‘Assumed breach’ operations are continually testing themselves and engaging in war game-type activities to better understand their preparedness. What they most certainly are not doing is complacently relying upon "the likelihood of the enemies not coming." And finally, from Chapter X:
Hence the saying: If you know the enemy and know yourself, you need not fear the result of a hundred battles. If you know yourself but not the enemy, for every victory gained you will also suffer a defeat. If you know neither the enemy nor yourself, you will succumb in every battle.
Penetration testers are already used to considering the world from the perspective of those seeking to circumvent our network controls, deceive our staff, and steal or damage the assets we seek to protect. It is important that they continue to maintain this viewpoint going forward.
Like reading Kevin Mitnick’s Ghost in the Wires or Kevin Poulsen’s equally essential Kingpin, dipping into some Sun Tzu from time to time can provide a beneficial way for security people to of step outside of their day-to-day experiences and view their environments through new – or rather ancient – eyes. As a closing thought, with certain nation states ramping up "cyber-warfare" units within their military and intelligence communities, The Art of War as it relates to cyber and information security may soon take on more literal relevance.
About the Author: Angus Macrae is a CISSP (Certified Information Systems Security Professional) in good standing, a CCP (NCSC Certified Professional for the IT Security Officer role at Senior Practitioner level) and PCIP (PCI SSC Payment Card Industry Professional.) He is currently the IT security lead for King’s Service Centre supporting the services of King's College London, one of the worlds' top 20 universities Editor’s Note: The opinions expressed in this guest author article are solely those of the contributor, and do not necessarily reflect those of Tripwire, Inc.