The Art of InfoSec – Chapter 11

Chapter 11, The Nine Kinds of Terrain, is something of a continuation of chapter 10. Thus, the focus will be the core ideas Sunzi extracts from the particulars as the guiding principles.

The commanders of old said to be expert at the use of the military were able to ensure that with the enemy:

His vanguard and rearguard could not relieve each other,
The main body of his army and its special detachments could not support each other,
Officers and men could not come to each other’s aid,
And superiors and subordinates could not maintain their lines of communication.
The enemy forces when scattered could not regroup,
And when their army assembled, it could not form ranks.[1]

The strategies here boil down to three general elements:

  1. Destroying lines of communication (i.e. divide and conquer) – which prevents organization
  2. Destroying organizational cohesion – which prevents functional defenses
  3. Attacking with speed – taking advantage of the chaos before the lines of communication are restored

If we observe these ideas from the perspective of an attacker/hacker, the benefits are clear. Striking fast, while throwing the enemy into general disarray, means that the areas we’re actually targeting are less defended/attended to, which gives us additional time to get what we want. It’s an approach of starting enough fires to make sure the opposition can’t put them all out – at least not in time. From the side of InfoSec, this perspective means that organizational cohesion and communication are crucial. In fact, the Chapter 9 conversation regarding the order and discipline of the army is the only meaningful cure.

While the strategies of the generals of old do not give us much to work with directly, understanding the tactic from the perspective of the attacker gives us a solid sense of what must be done in order to prevent the strategy from working.

The element of speed was noted as inherent in the kinds of functional strategies listed above. However, Sunzi makes an additional aside for it.

War is such that the supreme consideration is speed. This is to take advantage of what is beyond the reach of the enemy, to go by way of routes where he least expects you, and to attack where he has made no preparations.[2]

A different way to think of this idea is that the realization of plans, especially in the competitive framework of war, is supremely time-sensitive. Failing to react in a timely manner is the same as getting the information too late – the damage will be done. In order to act with appropriate speed, we must have access to information, we must be able to parse through that information for the relevant parts, we must develop a coherent strategy, and we must implement that strategy – all on an increasingly tight schedule.

However, that means the information-flow, analysis, strategy, and implementation must be rigorously organized. To do this, we need exceptionally qualified people dedicated to factors like data-gathering and analysis. Bad analysis is worse than no analysis. At least without it, we generally do not move. With bad analysis, we’re persuaded into the wrong direction, and cause more damage than we prevent. This happens because we spend time, resources, and man-hours working on an irrelevant issue; get popped; and then have to invest all those efforts again into fixing a problem that should not have materialized. The ability to parse through data and effectively discern the good from the bad – in order that the commander can develop a strategy – is a position we should not downplay or under-fund. Research lies at the very heart of the ability to form coherent security. Thus, Sunzi concludes:

Therefore, the business of waging war lies in carefully studying the designs of the enemy.[3]


[1] Sunzi. Pg. 113.

[2] Sunzi. Pg. 113.

[3] Sunzi. Pg. 118.