The Art of Cyber War – Sun Tzu's Wisdom Still Applies 2,500 Years Later

Just recently I was fortunate enough to be able to contribute a post on TechCrunch called "From the streets to the street," which discussed the changing landscape of terrorism and how criminal organizations and groups like ISIS are using cyber attacks, and how the future may evolve. 

Continuing with that theme, I would like to bring an ancient text to the forefront. The Art of War by Sun Tzu was written over 2,500 years ago. If you haven't read a translated version, I would highly recommend that you order it on Amazon.com, Inc. AMZN and put a few hours aside over the weekend. Its 13 chapters capture a wisdom that has stood the test of time. If followed, some experts believe that both world wars and many other military conflicts may have been avoided entirely. Sun Tzu’s strategies foretell many military outcomes such the Vietnam War and the final invasion of Normandy by the allied forces. 

Vital Importance to State

“The art of war is of vital importance to the State. It is a matter of life and death, a road either to safety or to ruin. Hence it is a subject of inquiry which can on no account be neglected.” - Sun Tzu

Cyber-War and Cyber Security are of vital important to the state. By leveraging technology effectively, it may be possible to confuse, out-maneuver and even disarm enemy combatants without a physical shot being fired.

The great war strategist wisely advises to avoid costly battles whenever possible. In chapter III he starts out:

“… Supreme excellence consists in breaking the enemy's resistance without fighting.” - Sun Tzu

Probably the best example of this strategy as it applied to cyber-warfare is the Stuxnet worm. It is suspected to be a joint development between the US and Israel during the earlier part of the Obama administration. Stuxnet was designed to target PLC’s (Programmable Logic Controllers) which are devices used to control industrial equipment. Its specific target was the Iranian nuclear program and it was designed for complete sabotage. Stuxnet was able to compromise Iranian PLCs, collecting information on industrial systems and causing the fast-spinning centrifuges to spin out of control. The worm was so sophisticated that it continued to morph and elude Iranian officials with over 30,000 IP’s being infected in that country.

The entire Stuxnet worm and subsequent attack was likely designed to slow down Iran’s ability to produce weapons-grade Uranium. The cyber-attack was likely compounded with several precision assassinations against top Iranian nuclear scientists and program officials. This coincidence of the cyber-attack and the assassination attempts is still speculation, but it paints a compelling picture.

The goal was to prevent a much larger military standoff at nuclear scale, and I believe that the technology component of the strategy was critical.

Know your Cyber – Enemy, Know Yourself

One of Sun Tzu’s critical teachings involves the knowledge and insight into one’s own capabilities as well as the enemy’s strengths and weaknesses. He states:

“Knowing the enemy enables you to take the offensive, knowing yourself enables you to stand on the defensive.” - Sun Tzu

So what is the best way of “knowing yourself”? I believe that we need to start by having a clear and open view of weaknesses in our infrastructure. Everyone is hack-able and when we put ego aside and put ourselves to the test, a lot can be uncovered.

A popular and growing trend in self-discovery is the concept of a “bug bounty” or hack-a-thon. Two companies that are offering great managed and self-serve programs in this space are: HackerOne and BugCrowd. These services act like marketplaces connecting top hackers / security researchers with organizations that want to test their mettle. Hackers are rewarded monetarily for security vulnerabilities found, and companies benefit significantly from the experience. Top online firms such as Facebook, Google, Yahoo, Uber and others run continuous security bounty programs. Even the US Federal Government announced a security bounty called “Hack the Pentagon” earlier this year.

While public bounties may not always be an option, proactive ethical hacking (private) and vulnerability assessments are great ways to start…. knowing yourself enables you to stand on the defensive.

All Cyber Warfare is based on Deception

Nowhere is deception more critical than in cyber-defense and offense. Think about it, most of what we do defensively and offensively is designed to “fool” our enemies into making mistakes. Sun Tzu has a lot to say about deception and its critical importance in warfare:

“All warfare is based on deception. Hence, when we are able to attack, we must seem unable; when using our forces, we must appear inactive; when we are near, we must make the enemy believe we are far away; when far away, we must make him believe we are near.” - Sun Tzu

Social Engineering is the art of deception at a grand scale. Social Engineering is the “art” of manipulating people into performing specific actions or divulging information that allows an attacker to proceed further with their plan. If you’ve never witnessed an artful social engineering attack, watch this video.

What Happens When You Dare Expert Hackers To Hack You

At about 2 minutes in the video, Jessica, a professional social engineering expert uses emotion and sympathy to get an unsuspecting customer service agent to get full access to the reporter’s cell phone account. Amazing! This type of attack is used to set up future steps of the attack “kill chain”. In this case, by seizing control of a mobile account, and then the corresponding mobile number, the attacker now has access to precious mobile Two Factor Authentication (2FA), which may be used to control online banking portal access, as an example.

Deception as an Aid in Defense

Deception manifests itself in many different ways. It’s not just a tool to be used offensively, by attackers. Honeypots are great examples of defensive deception. Honeypots are essentially “fake” systems that entice an attacker, lurking them in, with the assumption that valuable record data may be available.

Let’s assume for a moment that an attacker was able to successfully penetrate an organizations network through a web application weakness, malware, brute force authentication or other means. What’s next? Most likely to obtain any information of value, the attacker will need to move laterally through a network in order to position themselves at a server that is capable of accessing the desired records.

Lateral movement requires movement through an initially unknown network topology. Attackers have to probe and prod to figure out how VLAN’s are set up, how servers are connected to those VLAN’s and where DMZ’s start / stop. That’s where Honeypots come into play (and where defensive deception begins).

The diagram above depicts a simple honeypot implementation. Essentially there exists a system on the internal LAN of an organization that looks and behaves like a normal server. It may even be connected to a special database with “fake” PII. These could be usernames, email addresses, credit cards, social security numbers, fake patient records and so forth.

Once the attacker has access to the honeypot, several things can happen at that point. First, we get visibility into the attackers command and control structure. We know which IP’s are controlling on malware, and where data is going out to. That doesn’t mean we should shut down the attackers operations right away. As with all good deception the key is to wait patiently for what information is revealed. By sending out fake PII, it is possible to then track the sale of the information on the “dark web”.

There are some great honeypot packages out there such as Kippo, Glastopf and Honeyd that can be deployed easily. However, most skilled attackers will pick these up quickly, and ultimately will not fall for the deception. The best lies are mostly true however. For honeypots to be affective, they must be purpose-built to mimic real-world use cases for a specific network. It’s not an easy task….

Of course, finding out “who” the actual attacker is becomes a much harder problem, but we have a great start leveraging honeypots and deception!

One Million Cyber Security Positions Short! Is It hopeless?

Some estimates call for a shortage of over 1,000,000 cyber security analysts globally. The economics of cyber-war are squarely in the black hats favor. Cyber-attack activity is well organized, well funded and staffed with talented (if not morally corrupt) engineers. So where do we go from here? Is the scale so tipped in the attackers’ favor?

Once again, we only need to look at a simple hint that the Art of War provides:
“Great results, can be achieved with small forces.” - Sun Tzu

I believe that is the ultimate lesson here. We need to do more, with far less. There is very little hope that we can close the gap of one million security analysts in the short term. The need to rise up to an almost impossible challenge and, the creativity that flourishes in that type of situation, will ultimately lead us to the answer.

I personally believe that we must empower our security teams to think and analyze at a much higher level by extracting them away from low level details. “Eyes on Glass” where humans are charged with spotting anomalous behavior is destined for failure. At the same time, Machine Learning or AI on it’s own will not work. We are far too early in the technology curve to simply “delegate” the problem to AI. Only when humans work in concert with smart machines that adapt and learn based on our evolving input will we lead ourselves to the solution.

When we achieve that balance between Artificial Intelligence and Human guidance, we will achieve great results… with small forces.