The Art of Cyber War – Sun Tzu's Wisdom Still Applies 2,500 Years Later

Leon Kuperman
Benzinga July 13, 2016
https://finance.yahoo.com/news/art-cyber-war-sun-tzus-163254303.html

Just recently I was fortunate enough to be able to contribute a post on TechCrunch
called "From the streets to the street," which discussed the changing landscape of
terrorism and how criminal organizations and groups like ISIS are using cyber attacks,
and how the future may evolve.

Continuing with that theme, I would like to bring an ancient text to the forefront. The Art
of War by Sun Tzu was written over 2,500 years ago. If you haven't read a translated
version, I would highly recommend that you order it on Amazon.com,
Inc. (NASDAQ: AMZN) and put a few hours aside over the weekend. Its 13 chapters
capture a wisdom that has stood the test of time. Some experts believe that, had it been
followed, both world wars and many other military conflicts might have been avoided
entirely. Sun Tzu's strategies foretell many military outcomes, such as the Vietnam War
and the final invasion of Normandy by the Allied forces.

Vital Importance to State

“The art of war is of vital importance to the State. It is a matter of life and death, a road
either to safety or to ruin. Hence it is a subject of inquiry which can on no account be
neglected.” - Sun Tzu

Cyber-war and cyber security are of vital importance to the state. By leveraging
technology effectively, it may be possible to confuse, out-maneuver and even disarm
enemy combatants without a physical shot being fired.

The great war strategist wisely advises avoiding costly battles whenever possible. In
chapter III he starts out:

“... Supreme excellence consists in breaking the enemy's resistance without fighting.” -
Sun Tzu

Probably the best example of this strategy as applied to cyber-warfare is the Stuxnet
worm. It is suspected to be a joint development between the US and Israel during the
early part of the Obama administration. Stuxnet was designed to target PLCs
(Programmable Logic Controllers), which are devices used to control industrial
equipment. Its specific target was the Iranian nuclear program, and it was designed for
complete sabotage. Stuxnet was able to compromise Iranian PLCs, collecting
information on industrial systems and causing the fast-spinning centrifuges to spin out
of control. The worm was so sophisticated that it continued to morph and elude Iranian
officials, with over 30,000 IP addresses infected in that country.

The entire Stuxnet worm and subsequent attack was likely designed to slow down Iran's
ability to produce weapons-grade uranium. The cyber-attack was likely compounded
with several precision assassinations of top Iranian nuclear scientists and program
officials. The connection between the cyber-attack and the assassination attempts is still
speculation, but it paints a compelling picture.

The goal was to prevent a much larger military standoff at nuclear scale, and I believe
that the technology component of the strategy was critical.

Know Your Cyber-Enemy, Know Yourself

One of Sun Tzu’s critical teachings involves the knowledge and insight into one’s own
capabilities as well as the enemy’s strengths and weaknesses. He states:

“Knowing the enemy enables you to take the offensive, knowing yourself enables you to
stand on the defensive.” - Sun Tzu

So what is the best way of "knowing yourself"? I believe that we need to start by having
a clear and open view of the weaknesses in our infrastructure. Everyone is hackable, and
when we put ego aside and put ourselves to the test, a lot can be uncovered.

A popular and growing trend in self-discovery is the concept of a "bug bounty" or
hackathon. Two companies that are offering great managed and self-serve programs in this
space are HackerOne and Bugcrowd. These services act like marketplaces connecting
top hackers / security researchers with organizations that want to test their mettle.
Hackers are rewarded monetarily for security vulnerabilities found, and companies
benefit significantly from the experience. Top online firms such as Facebook, Google,
Yahoo, Uber and others run continuous security bounty programs. Even the US Federal
Government announced a security bounty called "Hack the Pentagon" earlier this year.

While public bounties may not always be an option, proactive (private) ethical hacking
and vulnerability assessments are great ways to start: knowing yourself enables you
to stand on the defensive.

All Cyber Warfare Is Based on Deception

Nowhere is deception more critical than in cyber-defense and offense. Think about it:
most of what we do defensively and offensively is designed to "fool" our enemies into
making mistakes. Sun Tzu has a lot to say about deception and its critical importance in
warfare:

“All warfare is based on deception. Hence, when we are able to attack, we must seem
unable; when using our forces, we must appear inactive; when we are near, we must
make the enemy believe we are far away; when far away, we must make him believe
we are near.” - Sun Tzu

Social engineering is the art of deception on a grand scale. Social engineering is the
"art" of manipulating people into performing specific actions or divulging information that
allows an attacker to proceed further with their plan. If you've never witnessed an artful
social engineering attack, watch this video:

What Happens When You Dare Expert Hackers To Hack You

At about 2 minutes into the video, Jessica, a professional social engineer, uses
emotion and sympathy to get an unsuspecting customer service agent to hand over full
access to the reporter's cell phone account. Amazing! This type of attack is used to set up
later steps of the attack "kill chain". In this case, by seizing control of the mobile account,
and with it the corresponding mobile number, the attacker now receives the precious
mobile two-factor authentication (2FA) codes, which may be used to control online
banking portal access, as an example.

Deception as an Aid in Defense

Deception manifests itself in many different ways. It's not just a tool to be used
offensively, by attackers. Honeypots are great examples of defensive deception.
Honeypots are essentially "fake" systems that entice an attacker, luring them in on the
premise that valuable records are available there.

Let's assume for a moment that an attacker was able to successfully penetrate an
organization's network through a web application weakness, malware, brute-force
authentication or other means. What's next? Most likely, to obtain any information of
value, the attacker will need to move laterally through the network in order to position
themselves at a server that is capable of accessing the desired records.

Lateral movement requires moving through an initially unknown network topology.
Attackers have to probe and prod to figure out how VLANs are set up, how servers are
connected to those VLANs and where DMZs start and stop. That's where honeypots
come into play (and where defensive deception begins).

[Diagram: a simple honeypot implementation]

The diagram above depicts a simple honeypot implementation. Essentially there exists
a system on the internal LAN of an organization that looks and behaves like a normal
server. It may even be connected to a special database with “fake” PII. These could be
usernames, email addresses, credit cards, social security numbers, fake patient records
and so forth.

Once the attacker has access to the honeypot, several things can happen. First, we
gain visibility into the attacker's command-and-control structure: we learn which IP
addresses are controlling the malware and where data is being sent out to. That doesn't
mean we should shut down the attacker's operations right away. As with all good
deception, the key is to wait patiently for what information is revealed. By sending out
fake PII, it is then possible to track the sale of the information on the "dark web".
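The fake-PII idea above works best when every decoy record can later be proven to be yours. The following Python is an added example, not code from the article: it seeds decoy ("honeytoken") customer records that embed a keyed HMAC tag, and scans any text found elsewhere for tags that verify under the key, naming the honeypot deployment and record index. The key, names and example.com domain are constructed sample values.

```python
"""Tagged decoy ("honeytoken") records for a honeypot database.

Each record embeds a keyed tag so that, if it surfaces outside the network,
the defender can prove it is a decoy and name the deployment it came from.
Names and domain are constructed sample data; the key comes from a secret store.
"""
import hashlib
import hmac
import re

MAC_HEX = 8   # hex digits of the HMAC kept in each tag (32 bits)
HEAD_HEX = 6  # 2 hex digits of deployment id + 4 hex digits of record index
FIRST = ["Ada", "Grace", "Linus", "Mira", "Tomas", "Yuki"]      # constructed
LAST = ["Okafor", "Lindqvist", "Haddad", "Moreau", "Ito", "Reyes"]  # constructed
DOMAIN = "mail.example.com"  # constructed; use a domain you control
TAG_RE = re.compile(r"(?<![0-9a-f])[0-9a-f]{%d}(?![0-9a-f])" % (HEAD_HEX + MAC_HEX))

def _mac(key: bytes, msg: str) -> str:
    return hmac.new(key, msg.encode(), hashlib.sha256).hexdigest()

def make_tag(key: bytes, deployment: int, index: int) -> str:
    """Tag = deployment id + record index + truncated HMAC over both."""
    head = f"{deployment:02x}{index:04x}"
    return head + _mac(key, head)[:MAC_HEX]

def make_decoy_records(key: bytes, deployment: int, count: int) -> list:
    """Plausible-looking customer records whose ids and emails embed a tag."""
    records = []
    for i in range(count):
        tag = make_tag(key, deployment, i)
        d = _mac(key, "name:" + tag)          # keyed choice of a fake name
        first = FIRST[int(d[:2], 16) % len(FIRST)]
        last = LAST[int(d[2:4], 16) % len(LAST)]
        records.append({
            "customer_id": f"C-{tag}",
            "name": f"{first} {last}",
            "email": f"{first.lower()}.{last.lower()}.{tag}@{DOMAIN}",
        })
    return records

def identify_leak(key: bytes, text: str) -> list:
    """Scan text (e.g. a dump offered for sale); return verified (deployment, index) pairs."""
    hits = []
    for m in TAG_RE.finditer(text):
        tag = m.group(0)
        head, mac = tag[:HEAD_HEX], tag[HEAD_HEX:]
        if hmac.compare_digest(mac, _mac(key, head)[:MAC_HEX]):  # forged tags fail here
            hits.append((int(head[:2], 16), int(head[2:], 16)))
    return hits
```

Because the tag is a MAC rather than a stored lookup, verification needs only the key, so a record quoted in a dark-web listing can be attributed without consulting the honeypot itself.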

There are some great honeypot packages out there, such as Kippo, Glastopf and
Honeyd, that can be deployed easily. However, most skilled attackers will pick these up
quickly and ultimately will not fall for the deception. The best lies, however, are mostly
true. For honeypots to be effective, they must be purpose-built to mimic real-world
use cases for a specific network. It's not an easy task....

Of course, finding out “who” the actual attacker is becomes a much harder problem, but
we have a great start leveraging honeypots and deception!

One Million Cyber Security Positions Short! Is It Hopeless?

Some estimates call for a shortage of over 1,000,000 cyber security analysts globally.
The economics of cyber-war are squarely in the black hats' favor. Cyber-attack activity is
well organized, well funded and staffed with talented (if morally corrupt) engineers.
So where do we go from here? Is the scale so tipped in the attackers' favor?

Once again, we only need to look at a simple hint that the Art of War provides:
“Great results, can be achieved with small forces.” - Sun Tzu

I believe that is the ultimate lesson here. We need to do more with far less. There is
very little hope that we can close the gap of one million security analysts in the short
term. The need to rise to an almost impossible challenge, and the creativity that
flourishes in that type of situation, will ultimately lead us to the answer.

I personally believe that we must empower our security teams to think and analyze at a
much higher level by abstracting them away from low-level details. "Eyes on glass,"
where humans are charged with spotting anomalous behavior, is destined for failure. At
the same time, machine learning or AI on its own will not work. We are far too early in
the technology curve to simply "delegate" the problem to AI. Only when humans work in
concert with smart machines that adapt and learn based on our evolving input will we
lead ourselves to the solution.

When we achieve that balance between Artificial Intelligence and Human guidance, we
will achieve great results... with small forces.
