The Art of InfoSec – Chapter 1 (cont’d)

Reflecting on the earlier points of assessment, Sunzi notes:

If you heed my assessments, dispatching troops into battle would mean certain victory, and I will stay. If you do not heed them, dispatching troops would mean having certain defeat, and I will leave. [1]

The phrase can also be read as “if a commander does not… dismiss him”, indicating that the crucial attitude may extend either to the master strategist or to the ruler’s assessment of commanders.

This position demands of the ruler/employer that they employ only those strategies that are sound, and that they require their employees to follow those assessments. For the prospective InfoSec employee, or head of InfoSec, however, it requires that they place their professional integrity above profit. If the organizational structure of a company is such that the clear warnings of the experts will not be heeded – i.e. if the emotions of the higher-ups will take precedence over expertise – the “right” thing to do is to refuse the job, as an organization that undervalues its critical staff is one where the talents of the experts will be wasted.

Having heard what can be gained from my assessments, shape a strategic advantage (shih) from them to strengthen our position. By “strategic advantage” I mean making the most of favorable conditions (yin) and tilting the scales in our favor.[2]

The idea of strategic advantage (shih) begins at this point, and continues throughout the book. What’s crucial to notice is that shih is not something one simply has, or something that happens, but is to be gained by “shaping” – i.e. extracted from the existing situation by directed effort, with a clear goal in mind. Notice also that this shaping occurs separately for each instance of military action; it is not a thing, but a context-dependent process, which necessarily takes into account the specific circumstances of each action.

Finally, notice that, in order to make the most of one’s favorable conditions, we must be fully aware of the full variety of circumstances: our situation and the enemy’s, their goals and ours, their strengths and weaknesses and ours, etc. Since the notion of shih relies on the idea of leveraging information in order to win, it necessarily depends on having access to that variety of information – including the previously noted structure for CTI logistical support.

Warfare is the art (tao) of deceit. Therefore, when able, seem to be unable; when ready, seem unready; when nearby, seem far away; and when far away, seem near. If the enemy seeks some advantage, entice him with it. If he is in disorder, attack him and take him. If he is formidable, prepare against him. If he is strong, evade him. If he is incensed, provoke him. If he is humble, encourage his arrogance. If he is rested, wear him down. If he is internally harmonious, sow divisiveness in his ranks. Attack where he is not prepared; go by way of places where it would never occur to him you would go. These are the military strategist’s calculations for victory – they cannot be settled in advance.[3]

These core strategies read like a “how-to” list for hackers. While the focus here is primarily on a kind of “offense” limited to the hacking (non-InfoSec) side of the equation, getting a thorough grasp on the best offensive strategies is the key to developing a functional idea of defense. This is especially true in cases like ours, where the focus of security is on getting ahead of the hacking curve – instead of reactive, post-facto patching.

The idea of enticing the enemy with an “advantage” is wonderfully demonstrated in the kinds of hacks that target services and products that people and corporations use to gain a competitive advantage, or simplify aspects of their work. For example, the recent ransom of major Hollywood films was accomplished by hacking a third-party service provider used by the studio. The OneLogin hack targeted a third-party security provider aimed at simplifying user experience. While the hackers did not create the service-providers that were hacked (which would have been the full meaning of enticement), they understood the enticement of such services, and targeted them instead.

The question of wearing down the enemy is about overloading the effort, funds, and focus available, seeking to create and exploit a flaw. Constantly changing passwords, security modifications, resistance to even the most benign DDoS attacks: all these activities place stress on the organization’s members, and persistence in attacks increases the likelihood of security making a mistake, thus allowing for the actual breach. These kinds of harassing tactics also serve well to distract the target from the actual attack, which may go after an entirely different target, and in an entirely different way.

Attacking by way of places that would never occur to security is a point of deceit, but more importantly, it is also an issue of guaranteeing success. While the gains may not be spectacular, attacks against undefended targets do have the distinct advantage of success before engagement. This will become a key issue in the next two chapters. For now, we can note that it may be possible to escalate privilege through the most innocuous point of access. Therefore, a guaranteed victory that may not seem particularly big carries the potential for additional victories down the line – if it can be exploited in the right way. For the security end of this equation, this Sunzi principle emphasizes a holistic approach to security (not focusing only on the top tier), and compartmentalization, so that a single uncontested loss does not snowball into a full-blown crisis.

Finally, the military strategist’s calculations for victory explicitly note what has already been mentioned here, and in several earlier articles: there is no single, static, product-like way to achieve success in either hacking or security. The entire notion of warfare and security is a fluid one, requiring detailed understanding of each situation and its context, to address it functionally. This is why the traditional Western model of warfare, so often represented by chess, is ultimately defunct.

Besides treating the entire situation as a field of war where the only means of success is the unconditional surrender of the opponent, regardless of cost, chess also gives us a symmetrical situation, where the possibilities are brute-force calculable and the possible moves are constrained by a host of rules – so that the only way to surprise the enemy is through their own failure to calculate. We’re now also seeing the failure of the traditional military approach on the physical battlefield, because the enemy is specifically avoiding traditional war engagement, the fight is deeply asymmetric, and the enemy does not play by the rules. To then adopt the traditional war strategy in a medium that is perfectly suited for a heterodox approach is the height of folly. A much more effective game-model of warfare, especially for cyber-war, is the game of Go (also known as Baduk and Weiqi), which is perfectly in line with the Sunzi ideology of war.[4]

It is by scoring many points that one wins the war beforehand in the temple rehearsal of the battle; it is by scoring few points that one loses the war beforehand in the temple rehearsal of the battle. The side that scores many points will win; the side that scores few points will not win, let alone the side that scores no points at all.[5]

The temple rehearsal is, essentially, war games focused on a specific conflict one may enter into, in order to determine strategy, etc. The key aspect of this passage lies first in the act of rehearsal preparations, whereby the varieties of offensive and defensive measures are tested – something akin to pen-testing. Without a thorough rehearsal, we remain in the dark regarding our own defensive (and technically, offensive) capabilities. But this also tells us something else; in rehearsal, the quality of attack and defense reveals the height of our own quality, ingenuity, and understanding. Pen-testing that reveals no weaknesses indicates either perfect security (unlikely), or the failure of the red team to find and exploit weaknesses (you should bet on this option).

The question of scoring points is particularly crucial for the last category – scoring no points. This option is only achievable by utter failure of skill, or more realistically by failure to participate. Without preparation and rehearsals, we stand no chance against an attack, and have no sense of our own resources, strengths, and weaknesses. Without rehearsals against exceedingly strong opposition, we create a false sense of security, which opens us up to further vulnerabilities in the long run. Without being part of the rehearsals, we leave ourselves in the dark as to the realities of our situation. This last option is the result of outsourcing security and relying on the provider’s for-profit reports of its own capability and success. At the risk of holding an overly cynical position, misreporting and misrepresentation of results is essentially standard across the entire spectrum of industries – and believing the InfoSec industry to be somehow immune seems too big a leap of faith to bet your security upon.

Thus far, Sunzi has only provided a brief introduction, focusing on issues that are generally well-known, but with additional emphasis on the mastery of those issues. He has also already laid the groundwork for the kinds of necessary functions that will require knowledge of both internal systems and information-gathering factors – which marks the start of the intersection between InfoSec and CTI. Finally, he has introduced the kind of relational thinking that is required for successful assessment, through consideration of both sides engaged in a conflict, and the need to understand the nature of offense in order to develop a functional defense, and vice versa.

In the coming chapters, Sunzi will turn to key qualities of an ideal commander and war ideology, and then proceed to flesh out the ideas noted briefly in this introduction, and those noted in the next two chapters.


[1] Sun Tzu. “The Art of War.” Pg. 74

[2] Ibid.

[3] Ibid.

[4] Rahmanovic, Faruk. “Go and Sun Tzu.”

[5] Sun Tzu. “The Art of War.” Pg. 74
