InfoSec, Sun Tzu and the Art of Whore

Fri Jul 2 14:42:30 CDT 2010

swtornio & jericho

Lately, you can't swing a dead cat without hitting someone in InfoSec who is writing a blog post, participating in a panel or otherwise yammering on about what we can learn from Sun Tzu about Information Security. Sun Tzu lends the topic some gravitas and the speaker instantly benefits from the halo effect of Ancient Chinese Wisdom, but does Sun Tzu really have anything interesting to say about Information Security?

In "The Art of War," Sun Tzu's writing addressed a variety of military tactics, very few of which can truly be extrapolated into modern InfoSec practices. The parts that do apply aren't terribly groundbreaking and may actually conflict with other tenets when artificially applied to InfoSec. Rather than accept that Tzu's work is not relevant to modern day Infosec, people tend to force analogies and stretch comparisons to his work. These big leaps are professionals whoring themselves just to get in what seems like a cool reference and wise quote.

"The art of war teaches us to rely not on the likelihood of the enemy's not coming, but on our own readiness to receive him; not on the chance of his not attacking, but rather on the fact that we have made our position unassailable." - The Art of War

This seems to make sense on its face. If you focus on making your systems and networks invulnerable to attack, then you don't need to worry about attackers. So, on any modern network where people actually need to get work done, can you make systems invulnerable to attack? If not, does this particular advice tell us anything useful? Maybe Sun Tzu was trying to say that we need to spend more and more money on IPS/SIEM/firewalls/antivirus, even if we don't see a particular need to upgrade or improve those areas.

Information security is not warfare (leaving aside actual warfare, of course). The bulk of security practitioners are working to protect private and public networks and do not strike back against any enemy. Even penetration testers conduct their 'battles' within a limited scope, under supervision and governed by laws. A pen test is absolutely NOT knowing your enemy. Turning your own people, or agents you employ, against your own networks to test their security tells you nothing about your attacker. It is an exercise in better knowing your own strengths and weaknesses. It's also not "thinking like your enemy." If you can't identify who your enemy is, you can't think like him. All you can do is apply your own offensive techniques against your own position. The only application of Sun Tzu's work today might be relevant for the bad guy attacking a specific target.

Sun Tzu makes many statements about victory in war, none of which apply to InfoSec, since the war cannot be won . We don't have one enemy, we have an inexhaustible supply of a wide variety of enemies, and most don't even care who we are. Do you know your enemy? If you answer 'yes' to that question, you already lost the battle and the war. If you know some of your enemies, you are well on your way to understanding why Tzu's teachings haven't been relevant to InfoSec for over two decades. Do you want to know your enemy? Fine, here you go. your enemy may be any or all of the following:

12 y/o student in Ohio learning computers in middle school

13 y/o home-schooled girl getting bored with social networks

15 y/o kid in Brazil that joined a defacement group

16 y/o student in Tokyo, learning programming in high school

18 y/o high school drop out in the Ukraine

19 y/o college student putting class work into practice

20 y/o Taco Bell employee bored with the daily grind

21 y/o man in Mali working for an international carding ring

23 y/o mother in Poland, trying to supplement income

24 y/o black hat intent on compromising any company encountered

25 y/o soldier in the North Korean army

26 y/o military contractor in Iraq

28 y/o Chinese government employee, soon to be mother

29 y/o vegan in Oregon who firmly believes in political hacktivism

30 y/o white hat pen tester who has not let go of her black hat origins

31 y/o security researcher who finds vulnerabilities on live sites

32 y/o alchoholic in New Zealand, with nothing to lose

34 y/o employee who sees a target of opportunity

35 y/o officer in MI6

36 y/o "consulate attache" that may be FSB

40 y/o disgruntled admin, passed over for raise 5 years in a row

42 y/o private investigator looking for dirt on your CEO

43 y/o malware author, paid per compromised host

45 y/o member of a terrorist group

55 y/o corporate intelligence consultant

What's more, these enemies have our networks under siege, which Sun Tzu says is no way to win a war.

The rule is, not to besiege walled cities if it can possibly be avoided. The preparation of mantlets, movable shelters, and various implements of war, will take up three whole months; and the piling up of mounds over against the walls will take three months more.

Um, yeah. Sun Tzu's not helping us here. How about that popular one about knowing your enemy?

Know your enemy and know yourself; in a hundred battles, you will never be defeated. When you are ignorant of the enemy but know yourself, your chances of winning or losing are equal. If ignorant both of your enemy and of yourself, you are sure to be defeated in every battle.

But of course, there is no winning. You can take the time to try to know all the different kinds of attackers hitting your networks, but you can never claim victory. If we board up our windows against a hurricane, we don't "win" if our homes and windows survive the storm. It would make more sense for InfoSec practitioners to learn from hurricane or flood preparedness than Sun Tzu. For most of us, attacks on our networks are more like the constant and varied attacks from weather, and rather than try to wrap ourselves up in the glorious wisdom of Chinese philosophy and the excitement of some amorphous global "cyberwar", we should probably focus on the mundane, boring details of maintaining and monitoring our networks.

"Sun Tzu was an ancient Chinese military general and strategist who is traditionally believed to have authored The Art of War, an influential ancient Chinese book on military strategy considered to be a prime example of Taoist thinking." Tzu's treatise on strategy, "The Art of War" is available in all shapes and sizes, translated by dozens of scholars. Further, it has been translated or adapted to be made relevant to all walks of life including managerial strategy, achieving life goals, spirituality, writing and more. Given the writing deals more with the mindset, logistics and strategy of war, it is trivial to apply many of its concepts to almost any facet of life. The book is a fascinating read and highly recommended for people of all ages, profession or culture.



Unfortunately, the application of The Art of War is often too aggressive, short-sighted or otherwise lacking in relevance. In some cases, this broad philosophy and mindset is applied to a very minute aspect of society or life. In other cases, some aspect of our society may change and people fail to consider that Tzu's writings may not be entirely appropriate any longer, or simply not valid most of the time.

The Art of War has become increasingly popular in Western culture over the last decades. Some attribute this to popular movie references, others suggest it is "more accessable .. and has a less specialised vocabulary". The computer security industry has firmly embraced it, as references to the work permeate "cyber security" literature.

References to Tzu's work are diverse in the computer security world, but mostly demonstrate an adolescent obsession rather than a basic comprehension of the material and accurate analogy to similar circumstances in a digital world. Because Tzu's work is considered "sexy" to many, they tend to shoehorn his thoughts on engaging in war to disparate disciplines that did not exist 2,500 years ago.

Now, it is common to see arbitrary quotes with very loose tie-ins to a presentation, training courses based on or centered around Tzu ("What do Sun Tzu's teachings have to say about C compilers.." really?) and security companies named after him (also suntzudata.com / saecur).

The following are examples of the numerous misunderstandings we see in Information Security, when Sun Tzu fanboy mentality overides the logical interpretation and understanding of his work.

Before you decide to convince your boss not to build a wireless network for your intranet, think through how you can solve the problems we have outlined. The problems may be scary, but that's why you are reading this book. Once you know the methods a hacker can use to attack the wireless network, you can protect yourself by closing those holes. If you have read The Art of War by Sun Tzu, then you should know this saying: "If you know the enemy and know yourself, you need not fear the result of a hundred battles." If you know the enemy and know yourself, you need not fear the result of a hundred battles. If you know yourself but not the enemy, for every victory gained you will also suffer a defeat. If you know neither the enemy nor yourself, you will succumb in every battle. Perhaps the most often quoted line from the Art of War, and the most obviously bad analogy in today's world of information security. At some point in time, sooner rather than later, your company will be compromised, will be 'hacked', will lose information or will fall victim to some form of security incident. You can pretend to know your enemy, you can reflect on your company all day long and 'know yourself' better than anyone, and it simply will not make a difference sometimes.

In other words, PCI provides a set of tactics to protect the confidentiality and integrity of data. Great place to start - but it's only part of the picture.

Applying them appropriately requires situational awareness and knowledge of the company's core values and strategy.

Sun Tzu's approach at assessing an army's readiness for battle can be applied to the attaining this knowledge in a business environment. Strategy without tactics is the slowest route to victory. Tactics without strategy is the noise before defeat. Quoting Tzu on tactics versus strategy, and then trying to claim that PCI is a set of "tactics" is absurd. "Military tactics, the art of organizing an army, are the techniques for using weapons or military units in combination for engaging and defeating an enemy in battle." Somehow trying to apply this term and definition (offensive action) to a set of industry standards for securing data (defensive action) is a lost cause.

Sun Tzu would win battles with smaller forces. For example, he would use terrain and mental attacks to amplify the power of his army. He controlled his enemy's movements with false retreats. He drove them to choke points and applied force at the precise point of weakness (sounds a lot like a buffer overflow attack today). In a position of this sort, even though the enemy should offer us an attractive bait, it will be advisable not to stir forth, but rather to retreat, thus enticing the enemy in his turn; then, when part of his army has come out, we may deliver our attack with advantage.



With regard to narrow passes, if you can occupy them first, let them be strongly garrisoned and await the advent of the enemy. This sounds nothing like a buffer overflow. Forcing people (data?) into a confined space (stack?) with no place for it to go and no ability to escape (where is the overflow part?) is a failed analogy.

The cyber equivalent of spies is covert malware like Trojans and rootkits. The popularity of this type of code in spam attachments and on infected websiSun Tzu quotes from The Art of War. [sic] Knowledge of the enemy's disposition can only be obtained from other men. Knowledge of the spirit world is to be obtained by the divination; information in natural science may be sought by inductive reasoning; the laws of the universe can be verified by mathematical calculations; but the dispositions of the enemy are ascertainable through spies and spies alone. Ignoring the truncated ending and confusion after "websi", quoting Tzu about knowledge of the enemy's disposition as compared to Trojans or rootkits is ludicrous. Continuing the analogy and applying simple logic, a spy gathered information on the enemy remotely (fingerprinting?); a spy was not a double agent embedded in the opposing army. A spy could observe and report back to the general to help guide strategy. A Trojan or rootkit would be the equivilent of an embedded double-agent, but one that could only see a small part of the army, was not free to move about the enemy camp and would allow an attacker to gain access to one tent in the enemy encampment. Wow, what bad analogies all around.

[Dmitri Alperovitch] said that Russia defines cyberwar as a force multiplier while China views cyber war as a way to get control of an enemy without the need for engaging on a physical field of battle. "It's straight out of Sun Tzu," he said. I speak of controlling the following things white man: military expenditure, general's irritation, success through cultivation of moral law, large forces (your own), soldiers (your own), the forces of victory and council-chamber situations. I do not talk about controlling an enemy, on or off a battle field. This convoluted news sound-byte really makes no sense at all. Worse, the paragraph before Alperovitch says the U.S. is "in the midst of a cyber Cold War". Uh, the "Cold War" was not an actual war, did not have a battlefield (physical or virtual) and really isn't a topic Tzu covered.

The idea that a less-capable foe can take on a militarily superior opponent also aligns with the thoughts of the ancient Chinese general, Sun Tzu. In his book "The Art of War," the strategist advocates stealth, deception and indirect attack to overcome a stronger opponent in battle. It is the rule in war, if our forces are ten to the enemy's one, to surround him; if five to one, to attack him; if twice as numerous, to divide our army into two.



If equally matched, we can offer battle; if slightly inferior in numbers, we can avoid the enemy; if quite unequal in every way, we can flee from him.



Hence, though an obstinate fight may be made by a small force, in the end it must be captured by the larger force. Did you even read the damned treatise?

Standards like PCI serve an important role in creating a baseline for data protection and a common language for the discussion of the related issues.

However, they are not designed to contribute to market responsiveness/agility.

The enlightened business creates synergies between the tactics communicated in these standards/regulations and their core competencies/strategies. If Generals do not know how to adapt advantageously, even if they know the lay of the land they cannot take advantage of it. Again, quoting Tzu on Generals (leaders) not knowing how to "adapt advantageously" and relating it to PCI DSS, a glorified checklist that is oft applied to a limited scope that is not adapted by auditors to cover all of the relevant resources in an organization, is a poor analogy.

Sun Tzu would send an assassin to the enemy's camp and kill the opposing general right before the battle (in technology that is called a zero-day attack). The ensuing chaos made victory nearly certain. Whether the object be to crush an army, to storm a city, or to assassinate an individual, it is always necessary to begin by finding out the names of the attendants, the aides-de-camp, and door-keepers and sentries of the general in command. Our spies must be commissioned to ascertain these. First, Tzu never said anything about assassinating the enemy general. While it is possible he employed that technique in battles, we have not found citation to confirm it. Second, the one reference to 'assassination' in the Art of War, quoted above, talks about the practice in general and even says "an individual".



If the opposing general is the leader figure, then the analogy today would be more akin to taking out the CEO, CSO or some leadership role. If the opposing general represents a technological lead, then perhaps an analogy to a denial of service attack against the security infrastructure of a target company would be appropriate. Either way, the idea of slaying the opposing general is nothing akin to a "zero-day attack", an attack based on exploiting a vulnerability "unknown to others or undisclosed to developers". The threat of a dead general, be it to assassin, disease or accident, was a known threat. Further, while a suddenly dead general would cause chaos to the enemy, a zero-day attack likely remains undetected and undiscovered, not bringing about chaos. Failed analogy all around.

Perhaps the most fundamental flaw most people seem to exhibit is their desire to compare Sun Tzu's Art of War to today's issues, when it was really only applicable twenty or more years ago. Back then, administrators found themselves in a situation where they could know their attacker, or come to know them. Perhaps the most well-known case of this is Cliff Stoll and his tale outlined in the Cuckoo's Egg. This was one administrator against one attacker and what turned into a long cat and mouse game. Their virtual struggles are more in line with Tzu's outlines regarding knowing an ememy and knowing one's self.

Today? See the list earlier in this article. There are thousands of people scanning your system every day. The motive for their activity is as diverse as the people on the other side of the keyboard. No matter how well you get to know one, keeping that one out will do nothing to protect you from the other thousands. Today's Internet and system defense isn't a chess game any more. Rather, it is a game of dodgeball where the other team has a thousand players, do not use regulation equipment and are throwing at a deaf and blind opponent. Enjoy the baseball to the groin as you finally figure out who one of the thousand opponents are.

Warfare in the days of Tzu was about a large army led by one general and a handful of officers. Anyone below the rank of a general was a soldier and there generally wasn't a lot of free thinking related to battles. "Knowing the enemy" was about knowing the small command structure (i.e., general, officers) and logistics of the opposing army (e.g., troop count, location, weaponry). Tzu's treatise was written with this type of warfare in mind, and it was brilliant. In this day and age, warfare is different, and no matter how you try to shoehorn his work in, it will be very uncomfortable in some spots.

It is also interesting to note how security professionals love to quote Tzu in a capacity that contradicts some of security's old maxims. For example, the extremely popular and often parroted, "security through obscurity is no security at all!" As a long-time advocate of "security through obscurity" as one of many methods to achieve a secure environment, it is refreshing to see more professionals accept this basic truth. Unfortunately, many found this acceptance by latching on to various passages in the Art of War and realizing that obscurity can be a valuable tool.

If Sun Tzu isn't a good choice for InfoSec analogies, who is? After considering many of the frequent examples above, the obvious answer is "just about anyone else". In the last 2,500 years, if a more suitable and timely treatise has not been written governing ideas behind warfare, perhaps we should just admit that a new treatise should be written governing computer attack and defense. And please, no treatise on "cyberwar", or we'll be forced to write another rant.

Until that new magical treatise is written, let us consider other notable figures that can guide us on computer 'warfare' just as well as Sun Tzu. When considering their lessons, it may be surprising to you to find how they are seemingly more relevant to today's security threats and dealing with thousands of enemies at a time. It is interesting that so many in the industry are such fans of Tzu, while not using Carl von Clausewitz' Vom Kriege or Niccolò Machiavelli's Dell'arte della guerra.

While Tzu was a formidable military strategist, he was not one who put that strategy to use as other generals did. Genghis Khan was the founder and backbone of the Mongol Empire, the largest contiguous empire in history. He revolutionized warfare for his time and put his strategy and military tactics to decisive use. Running campaigns on multiple fronts, he expanded the Mongol Empire in opposite directions at the same time. Comparing Khan's military tactics to today's entrenched companies is more appropriate than Tzu by far. One could easily argue that Khan thought beyond 'chess' in battle; he would also come at you with every possible weapon, tactic and strategy at the same time if it ensured victory. Khan himself did not lead all of the Mongol offensives, as he gave absolute trust to his generals. "Know the enemy" takes on new meaning when you must know the ruler and every one of his generals, who were empowered to lead as they saw fit, and frequently used their own ideas and tactics in battles.

A commander is to personally examine the troops and their armament before going to battle, to supply the troops with everything they need for the campaign and to survey everything even to needle and thread, and if any soldiers lack a necessary thing that commander is to be punished. This quote alone should resonate with any IT or security staff, given the dismal budget and resources typically given in most companies. Without the right tools, you cannot defend your position regardless of how well you (think) you know the enemy. Strategy goes right out the window when the fancy IDS has no one monitoring it due to budget cuts.

Commanders must understand the fatigue and discomfort of their soldiers by experiencing it themselves. Before you worry about knowing that enemy, know your own army. Their morale and ability to respond to attacks is critical. Spend time in their part of the camp, have first-hand knowledge of what they go through in defending your empire.

Don't behave as high as a mountain. Don't let your ego muck up the waters. You will get compromised at some point. You will face foes that are smarter, more dedicated and more resourceful. No matter how well you know your enemy, he will surprise you. Plan on it.

Do not wash clothes until they are completely worn out. If your current clothes (technology) works, let it. Don't fall prey to the upgrade slave routine. Don't embrace new technology for the sake of embracing it or because some think tank analyst firm said "everyone else is". Remember, they didn't experience the discomfort of your soldiers like you did. They are 'advisors', usually with a financial interest.

Samuel Langhorne Clemens, better known to most as Mark Twain, was fascinated with science and scientific inquiry. With a few inventions and patents under his belt, we should actually look toward his humorist side for insight into computer security. Some of the fun quips from this famous author may seem light and frivolous on the outside, but can be just as relevant to the protection of your virtual assets, if considered in the right light. Sure, some of his more profound thinking can be applied to that pointy haired boss rather than the firewall, IDS or wiley hacker that seeks to plunder your network. However, that doesn't make his wisdom any less relevant to your organization.

"The fool saith, 'Put not all thy eggs in one basket' ... but the wise man saith, 'Put all your eggs in one basket, and watch that basket!'" Twain clearly had a vision for managing data storage in the enterprise. The more locations that data resides, the harder it is to secure and monitor that data. Clearly, Twain is suggesting a single data store with appropriate data classification and DLP tools to verify the integrity and confidentiality of that data are key to protecting that data.

All you need is ignorance and confidence and the success is sure. CIOs and IT managers experience a disincentive to properly fund security operations, since even a modestly funded and staffed security operation will reveal weaknesses and even compromises, which then need to be reported to business management, shareholders and other stakeholders. If a breach is detected, it must be reported, so the easy decision is to not look too closely at what's going on in your network. Just buy an IDS/IPS and configure it to email alerts to someone on the help desk.

I have never let my schooling interfere with my education. Formal schooling in information security (e.g., college, certifications, bootcamps) should be given consideration, but not make up the sum of your expertise. The education you receive on the job, in the trenches, will be more useful and practical than a CISSP certification.

If you hold a cat by the tail you learn things you cannot learn any other way. For many organizations, data security is an insubstantial bogeyman and threats only exists in Russia and China. For these organizations, the publicity, cost and public relations hit of a breach is the only way they learn to internalize the need for data security.

The lack of money is the root of all evil. If it wasn't for underfunded data security programs, there wouldn't be any cyber crime, would there, Private Pyle?!?! (Combining Mark Twain and Full Metal Jacket, we've now gone somewhere we never thought we'd be).

With Tzu coming up short, and those who "study" his works coming up shorter, it really can be left up to the imagination for relevant material to be dragged into the computer security discipline to be forged into future bad analogies. Apparently it doesn't matter that security professionals find the need to dumb down computer security for their audience, be it executives, users or the audience of a presentation. Instead of focusing on that being the issue, most are happy to traipse about bad-analogy land instead of truly educating users through more focused material. If that's the case, why go with the old favorite of Tzu? Why not branch out and have fun with your audience? After all, if you have to compare today's technology and the threat of computer criminals to your network, why settle on a 2,500 year old general who only had experience with an abacus? Jump to a more modern set of heroes that can give us wisdom on attack and defense, conquering hearts and minds, knowing the enemy and/or the appeal of a filbert.

Everybody's got plans... until they get hit. -- Mike Tyson All the plans, policy and technical defenses you have are great, but the first time you get popped, they all go out the window. Everything becomes about damage control, both technical and publicity, as your head spins and you figure out what happened. Squirrels have small ears Mike, back off.

Demoralize the enemy from within by surprise, terror, sabotage, assassination. This is the war of the future. - Adolf Hitler This is a really ominous quote that seems very relevant to dealing with an enemy. Although, we are not sure if this suggests you should inflict terror on those attacking you, sabotage your own network to prevent attacks or assassinate 'the enemy from within' which clearly means Bob the janitor or Walt the CISO.

(On knowing the enemy) I know you. You know you. And I know you know that I know you. - "White Goodman" in Dodgeball Know your enemy, for he will know himself and you can know that he knows himself. All this knowing still won't protect you from a 0-day, trusted employee betraying you or help you should the other enemy attack you.

Even a blind squirrel finds an acorn sometimes. - Old squirrel proverb All your knowledge of an enemy can make you warm on the inside, but the 'known' attacker will find a shell sometimes. Not a nut shell, a root shell. Look it up.

If these examples demonstrate that falling back to the same Tzu quotes aren't necessary, we encourage you to pick a random figure from history and see if his or her notable quotes apply to information security. The next presentation that flashes a Tzu quote will prompt us to walk out. The next presentation that equates the ideas of Joan of Arc, Shrek or Charles Manson to information security should be entertaining and engaging. If these aren't interesting or you can't find their relevance to computer security, our last idea of who you should consider quoting, that may seem really outlandish and mind-blowing, are some of the pioneers of information security. Anderson's "Computer Security Technology Planning Study", Ware's "Security Controls for Computer Systems" or Myers' "Subversion: The Neglected Aspect of Computer Security" can all offer insight into the security problems we face today, despite being written thirty years ago (or more).

To borrow a quote from Tzu, and use it to our ends:

"The general (presenter) that hearkens to my (our) counsel and acts upon it, will conquer: let such a one be retained in command! (praised) The general that hearkens not to my (our) counsel nor acts upon it, will suffer defeat:--let such a one be dismissed!" (boo'd off stage)

Copyright 2010 by Steve Tornio and Brian Martin. Permission is granted to quote, reprint or redistribute provided the text is not altered, appropriate credit is given and a link to the original copy is included. Custom graphics courtesy of Cupcake and Lyger.



Should you feel generous, please donate a couple of bucks to any 501(c)(3) non-profit that benefits animals or computer security on our behalf.