The Art of InfoSec – Chapter 6

Chapter 6 – Weak Points and Strong Points – focuses on the methodological approach to war. The key takeaway is that security must be a dynamic, adaptive process, not a product or an endpoint.

To march a thousand li (300 miles – used as an idiom) without becoming weary is because one marches through territory where there is no enemy presence. To attack with the confidence of taking one’s objective is because one attacks what the enemy does not defend. To defend with confidence of keeping one’s charge secure is because one defends where the enemy will not attack. Thus, against the expert in attack, the enemy does not know where to defend, and against the expert in defense, the enemy does not know where to strike.

This segment focuses on the idea of leveraged intelligence as a means of both attack and defense. The opening lines reinforce our need for intelligence by linking security with it. How does one know that there is no enemy presence? Because the intelligence gathered beforehand was leveraged to find a path where no threat existed. It is not enough to simply not face an enemy; we must know where he is – or rather, where he is not. One does not weary because no threat is present, but because one knows that no threat is present. This is a combination of intelligence, leverage, and situational awareness. As for the actual fighting, understanding the risk is everything, and the risk to be known is both your own and your opponent’s. Knowing your vulnerabilities directs the defense. Knowing the enemy, and his aims, directs your strategy.

On the hacking side, the attack on undefended spaces is a given. In fact, that is a functional definition of a zero-day exploit: an attack on a vulnerability the defender does not yet know exists, and so cannot have defended. It is by understanding this surprise-attack style that we seek to protect against it – by finding the vulnerabilities ourselves and patching them before anyone has a chance to exploit them.

On the security side, defense of un-attacked places is a bit more complex. We cannot guarantee that a given space will never come under attack, so the second part of the strategy would seem less than useful. However, we can ensure that the protection and protocol around the valuable spaces is layered, has early-detection systems in place, and is backed by disciplined operating procedures. We can also deprioritize the “protection” of places whose security is generally irrelevant to our purposes. Generally speaking, the Department of Defense cares about protecting military secrets, not janitor emails – at least insofar as access to the latter does not allow for an escalation into the former, which is the one check that must actually be made before a space is written off as irrelevant. Granted, the current breach-notification laws make little or no distinction on the question of the functional value of the information accessed. However, despite the archaic laws governing this process, even a child can tell the difference in value between one thing hacked and another. Thus, intelligent companies may dislike reporting a breach into irrelevant sections of their structure, but they make damn sure that the crucial parts are far more secured than the irrelevant ones.

On both fronts, the key to success is keeping the opposition confused as to the reality of one’s structure. Hackers attack by stealth (generally), while security defends by concealing where the key assets and controls are. This has been noted as Zhi (functional understanding of the enemy while remaining indeterminate to him), which allows one to properly gain Shih (strategic advantage) by leveraging that knowledge through Hsing (strategic positioning). Sunzi notes the importance of this principle:

The place we have chosen to give the enemy battle must be kept from him. If he cannot anticipate us, the positions the enemy must prepare to defend will be many. And if the positions he must prepare to defend are many, then any unit we engage in battle will be few in number… to be prepared everywhere is to be weak everywhere.

This reads a lot like the Roman maxim of “divide and conquer,” because the idea works, and works well.

One is weak because he makes preparations against others; he has strength because he makes others prepare against him.

While it does not sound particularly sexy, the nature of information security is acting from a position of permanent weakness. The enemies are endless, attacks unceasing, threats seem to multiply daily, and a moment of weakness invites catastrophe. However, that is the reality of the InfoSec field. There is no silver bullet, no defense permanently impenetrable, no security in the true sense. While this may seem dismal, accepting reality for what it is allows us to see the nature of the InfoSec mission in much clearer terms. It seems to me that the failure to recognize, understand, and accept the realities of information security is far more likely to result in severe problems down the line – e.g. failure to invest in proper training and personnel, or treating InfoSec as a product – precisely because it sets us the task of solving the wrong problems and answering the wrong questions.

Therefore, analyze the enemy’s battle plan to understand its merits and its weaknesses; provoke him to find out the pattern of his movements; make him show himself (hsing) to discover the viability of his battle positions; skirmish with him to find out where he is strong and where he is vulnerable.

Though the specific instructions here relate to the physical determination of a physical threat, the goal remains, as always, intelligence. Intelligence is at the heart of strength and dominance. Since InfoSec teams can’t simply provoke hacker groups like Anonymous, the next best thing is activities like pen-tests, which simulate attacks. This shadow-boxing approach also reveals the viability of our own positions, as well as our strengths and vulnerabilities, empirically rather than theoretically. The value of such activities cannot be overstated, with one caveat: a test only reveals what lies within the scope and time it was given, so its findings are a sample of our weaknesses, not an inventory of them.

The ultimate skill in taking up a strategic position (hsing) is to have no form (hsing). If your position is formless, the most carefully concealed spies will not be able to get a look at it, and the wisest counselors will not be able to lay plans against it… Thus one’s victories in battle cannot be repeated – they take their form (hsing) in response to inexhaustibly changing circumstances.

This idea is intimately connected to the earlier notion that there is no single winning plan that works across every context and circumstance. However, despite the inability of any given strategy to simply work, the rules of the game do not change. Hackers seek to unlawfully access information and cause harm; security seeks to prevent that access; and the two sides are engaged in navigating each other’s methods in order to win today. Tomorrow, the game begins anew, and so on, indefinitely.

Lest the reader get the wrong idea about Sunzi’s formless strategy, he has already spoken at length about mastery of the basic components of warfare. Thus, he is not advocating an ad hoc approach to security. Instead, he counsels, wisely, against a fully predetermined and objectified notion of security. Any plan set in stone, once analyzed, can be thwarted. Being formless, then, is about remaining dynamically engaged in a process and avoiding ossified strategies adopted simply because they have worked before. Indeed, that they have worked before is precisely what makes them unlikely to work again, because the adversary has had the opportunity to study them.

In the InfoSec sense, a successful patch means that a new attack along the same route is unlikely, to say the least. Once the patch is in place, we turn our attention to other avenues of attack. We specifically do not make a protocol of applying the same patch in response to future attacks: the patch closed one route, and the next attack will come by another. Past threats must be known, but only so they can give us a glimpse into the future, by analogy. Too often, we assume that repeating the behaviors that brought past success will bring future success as well. At best, we end up with an ossified system of ritual compliance that makes for some great stats in board meetings but is ineffectual. In fact, this ossification leads us to view security as a product, to magic-box thinking, and to a failure to invest in future personnel.

The positioning (hsing) of troops can be likened to water: Just as the flow of water avoids high ground and rushes to the lowest point, so on the path to victory avoid the enemy’s strong points and strike where he is weak. As water varies its flow according to the fall of the land, an army varies its method of gaining victory according to the enemy. Thus an army does not have a fixed strategic advantage (shih) or an invariable position (hsing). To be able to take the victory by varying one’s position according to the enemy is called being inscrutable.

The final analogy of the chapter ties it together. Security is a process, not a product or an endpoint. Successful security is a matter of imaginative, creative work; it is not found in ossified protocol and ritual compliance. Therefore, the nature of effective warfare (InfoSec or otherwise) must be understood as a dynamic process. The dynamism lies in mastering the core rules but implementing them adaptively, such that the circumstances and context of each situation are the guiding framework of our threat response. This dynamism keeps the enemy from anticipating our responses, and from using them to build their own strategy.

As an example of ossification, we can look to the US military, which has struggled to convert battlefield superiority into decisive, lasting victory since WWII. This inability to win, despite enormous levels of military spending, stems precisely from an ossified approach to military engagement dictated by “traditional war” ideology – even though the enemies it has fought for most of the last 50 years have not, for the most part, fought a traditional war. By trying to force a definition of the “proper approach” onto the theater of war, the US military has consistently been playing the wrong game – and thus losing. Far more Afghans, Iraqis, and Libyans have died than US service members, yet US forces have been unable to translate that into victory.

The information security realm has no “traditional” component to begin with. Deterrence, as a category of security, barely applies, because attacks are cheap, unending, and difficult to attribute. Failing to adopt a dynamic approach means that we’re playing the wrong game. It also means that, just like the US military efforts, there is no way of meeting victory conditions that are ipso facto unsuitable to the conflict at hand.