The Art of InfoSec- Chapter 4

Of old the expert in battle would first make himself invincible and then wait for the enemy to expose his vulnerability. Invincibility depends on oneself; vulnerability lies with the enemy. Therefore the expert in battle can make himself invincible, but cannot guarantee for certain the vulnerability of the enemy. Hence it is said:
Victory can be anticipated,
But cannot be forced.[1]

The crucial point for Sun Tzu is that one must maintain focus on those factors that are squarely within one’s own control. The first of those factors is always knowledge and understanding of one’s own situation, resources, capacities, and vulnerabilities. It is in no way hyperbolic to say that all security depends first and foremost on knowing yourself. Hacks and hackers are not within our control, and so become a secondary concern. What is within our control is the understanding of our systems, their strengths and weaknesses, and the perfecting of these elements – as well as improving our personnel, procedures, etc. – which makes them the logical focus of our efforts.

Although this sounds like a common-sense position, outsourcing security, “saving” on InfoSec personnel, under-staffing, and other similar behaviors are commonplace – from the corporate world to government. The recent Equifax debacle[2] is proof enough of the kinds of inept and ignorant ideas that govern much of the InfoSec space. These attitudes undermine precisely Sun Tzu’s first rule of readiness for war – a war which is absolutely inevitable in the information security space – namely, making yourself invincible.

A point can be raised, regarding the idea of invincibility, that the information security space in general does not admit of anything like actual invincibility, especially given the concept of zero-day exploits – which defy preparedness by their very nature. To a certain extent, this is true: total security is impossible. However, the kind of invincibility Sun Tzu is talking about is not about perfection, but about severely limiting the possibility and scope of damage. In this sense, we can draw an analogy to counter-terrorism security: there is no way to prevent every possible terrorism scenario, but there is a way to limit the likelihood of severe attacks, and the scale of attacks. A thorough understanding of one’s own defenses allows for a far quicker response time and damage containment when zero-day exploits strike. The difference in damage done to different corporations struck by the WannaCry ransomware is proof enough of this.

Interestingly, the exact same ideology of personal invincibility while awaiting opponent vulnerability is used by hackers – though their invincibility has a far lower threshold. This yin-yang of security and attack is reflected throughout this chapter.

Being invincible lies with defense; the vulnerability of the enemy comes with the attack. If one assumes a defensive posture, it is because the enemy’s strength is overwhelming; if one launches the attack, it is because the enemy’s strength is deficient. The expert at defense conceals himself in the deepest recesses of the earth; the expert on the attack strikes from out of the highest reaches of the heavens. Thus, he is able to both protect himself and to take complete victory.[3]

Although much of this quote seems directed at the hacking community, it is not solely reserved for them. InfoSec, by its very design, is a primarily defensive field. While it does not make for great marketing, the understanding that hackers are always at an overwhelming advantage is a crucial part of a functional InfoSec mindset. So long as one perceives the space in this way, there is no room for lax security policies, for half-assed security measures, or for sub-par personnel. The goal of invincibility remains forever at the forefront of all plans and activities – at least within the relevant departments.

It is the lack of this invincibility that most often invites hacks, because the strength of the defender is perceived as deficient. Case in point: the Equifax breach used a relatively old exploit, meaning that the hackers were not forced to be inventive and resourceful; they merely found an idiot who left their front door wide open. Where the security of an organization is lax, the defenses will be deficient, and response time slow.

The idea of striking “out of the highest reaches of the heavens” is a bird-of-prey analogy – one that Sun Tzu will use frequently – based on the idea that the predator circles high above, waiting for vulnerable prey to reveal themselves. Once they do, the predator dives, striking the surprised target with speed and precision. Laxity of security marks out the easy prey for the inevitably circling predatory hackers. The pursuit of invincibility is about awareness and limiting one’s exposure to predators.

As later chapters reveal, the use of CTI is another element that InfoSec can use for both defensive and offensive maneuvering. The defensive use lies in discovering attack strategies before they materialize and discovering the goals/use of the attack (thus understanding the target of the attack) before the attack comes. At the very least, this knowledge allows for proper positioning of one’s defenses – i.e. beefing up security and vigilance on the systems that are likely to be targeted. The offensive measures – after the attack – may allow for a counter-attack against the particular hackers, by using CTI to discover them – though the process is arduous and indirect.

He whom the ancients called an expert in battle gained victory where victory was easily gained. Thus the battle of the expert is never an exceptional victory, nor does it win him reputation for wisdom or credit for courage. His victories in battle are unerring. Unerring means that he acts where victory is certain, and conquers an enemy that has already lost.[4]

Applicable equally to hackers and the InfoSec community, this notion goes back to the inverse proportionality between knowledge and the force necessary to succeed. Whether hacking in, or keeping hackers out, the right kind of knowledge makes dealing with the opposition a simple task; e.g. knowing where the ambush lies allows us to simply bypass it. As a result, the apparent simplicity does not elicit awe or wonder; instead, it seems like a necessary outcome, no more surprising than gravity.

Sun Tzu draws attention to this fact both to recognize the genius of commanders who manage these victories, and to note that “exceptional” victories are a sign of sub-par operations and sub-par commanders. While this may seem odd, the oddity is resolved if we consider the nature of the expert commander and the nature of engaging in battle. An exceptional victory is one where the underdog manages to win; where the expected result is a loss, but brilliant maneuvering saves the day. In classical Chinese thought, snatching victory from the jaws of defeat means screwing up, because one should never be in a situation where one participates (or is forced to participate) in engagements whose outcome is unknown. That is itself a failure to understand the context of the engagement, and thus endangers the state as a whole. The “brilliant” act of saving the day is itself a demonstration of earlier ineptitude, as one should never be put in a situation where the day needs saving.

For InfoSec, the victory consists of nothing happening – at least in an outward sense. Continued success of security is marked by the failure of hacking attempts to exploit weaknesses, for the obvious reason that the weaknesses are not there to be exploited. The continued “lack of events” is certainly without flash, without the kind of activity that is marked by outwardly “exceptional” performance. However, Sun Tzu notes that it is precisely this “obvious” success and the lack of events that should demonstrate (especially to non-experts) the exceptional nature of the commander. When security is perfect, it appears invisible.

Sun Tzu summarizes this point:

Therefore, the expert in battle takes his stand on ground that is unassailable, and does not miss his chance to defeat the enemy. For this reason, the victorious army only enters battle after having first won the victory, while the defeated army only seeks victory after having first entered the fray. The expert in using the military builds upon the way (tao) and holds fast to military regulations, and thus is able to be the arbiter of victory and defeat.[5]

To return briefly to the idea of being invincible in an information security space, we can note that both “making” oneself invincible and “taking” a stand on unassailable ground are proactive, knowledge-based behaviors that are not a given, but instead require that such a state of affairs be created by leveraging knowledge into actionable positioning. This fits into the idea of following the way (tao), in that such an act of following is premised on knowledge, and on a balance between knowing and doing that encompasses all activities. The importance of proper action (which can only ever come from proper knowledge) is doubly stressed by Sun Tzu’s reiteration about holding fast to military regulations. As he noted in Chapter I, “All commanders are familiar with these…criteria, yet it is he who masters them who takes the victory…”[6]

Factors in the art of warfare are: First, calculations; second, quantities; third, logistics; fourth, the balance of power; and fifth, the possibility of victory. Calculations are based on the terrain, estimates of available quantities of goods are based on these calculations, logistical strength is based on estimates of available quantities of goods, the balance of power is based on logistical strength, and the possibility of victory is based on the balance of power.[7]

This description can be represented by an inverted pyramid, with each move upward requiring not only the completion of the step below, but also an increase in knowledge and understanding. Knowing the terrain is a relatively simple task – one surveys the space and takes note of any features found within it. The possibility of victory is a far more complex and knowledge-intensive issue.

An interesting note is that these steps are both internal and external to the organization. That is, each step can be considered in terms of one’s own forces and goals, but ultimately requires the additional knowledge of the opposition to be fully functional. For example, knowing only one’s own quantities of goods is only half the task when considering the balance of power – because it gives us only one side of that balance. Yet these steps are a requirement for the act that a commander can reliably perform: making himself invincible. Sun Tzu sneaks in the continuing theme of intelligence services as a core and necessary part of any competitive system – specifically CTI in our case.

Thus a victorious army is like weighing in a full hundredweight against a few ounces, and a defeated army is like pitting a few ounces against a hundredweight. It is a matter of strategic positioning (hsing) that the army that has this weight of victory on its side, in launching its men into battle, can be likened to the cascading of pent-up waters thundering through a steep gorge.[8]

As noted, the idea of strategic positioning is a matter of proactive, knowledge-based action, of leveraging that knowledge into actionable policy. The outcome of proper positioning is a natural one; without flash, without “exceptional” qualities, it is the natural outcome of a foregone conclusion, given the preparations.


[1] Sun Tzu. Pg. 83.

[2] Equifax Hack, October 2017.

[3] Sun Tzu. Pg. 83.

[4] Sun Tzu. Pp. 83-4.

[5] Sun Tzu. Pg. 84.

[6] Sun Tzu. Pg. 73.

[7] Sun Tzu. Pg. 84.

[8] Sun Tzu. Pg. 84.
