Let’s be honest: as CISOs, we are engaged in cyber warfare. On a daily basis our networks and systems are under stealthy and nefarious attacks by actors with a variety of motivations. But, while cyber attacks are constantly evolving, the strategies behind them are nothing new. This article is Part 1 of 2 examining several of the ancient Chinese 36 Stratagems and their application centuries later to the present-day theater of cyber warfare.

The 36 stratagems, profound in their simplicity, represent thousands of years of experience in dealing with internal and external enemies and are expressed in a mere 138 Chinese characters.

The stratagems are categorized in six major topical areas: Advantageous, Opportunistic, Offensive, Confusion, Deception, and Desperation. Part 1 of this series will examine the first three topics and Part 2 will address the last three. Not all of the 36 stratagems have application to cyber warfare, and many are redundant, being various permutations of deceptive strategies. Some apply more to the attacker’s point of view, and it behooves us to look at them from a defensive perspective.

Advantageous Stratagems

These stratagems are best employed when there are no significant time and resource constraints. From a cyber warfare perspective, attackers essentially have unlimited time and possibly unlimited resources, especially in the case of nation-state sponsored attackers.

“Besieging Wei to [“kill”] Zhao” – I employed creative license to change one word (i.e., “save” to “kill”) and make this an attacker’s stratagem rather than a purely deceptive strategy. In this scenario, the attacker seeks out vulnerabilities and attacks weak spots (i.e., Wei) rather than a direct assault on the primary and presumably strongest defended aspect of the target (i.e., Zhao). This is analogous to an “Achilles Heel” approach. In cyber warfare, one of the first steps is reconnaissance, whereby attackers test the network perimeter looking for weaknesses – open ports, unpatched systems, and arguably the weakest link – system users. In the infamous Target breach, “the attackers backed their way into Target's corporate network by compromising a third-party vendor”.

“Killing with a borrowed knife” – Again, I consider this to be an attacker’s stratagem. One of the most challenging aspects of cyber warfare is “attribution”, or trying to figure out who is behind cyber-attacks and where they originate. “Hackers have a lot of technical tools at their disposal to cover their tracks. And even when analysts figure out which computer a hacker used, going from there to who used it is very difficult. This is known as the attribution problem.” I see “killing with a borrowed knife” as the hacker technique of using compromised servers, routers, networks, etc. (i.e., “borrowed knife”) to compromise (i.e., “kill”) their victims and mask their identities and locations.

“Conserving energy while the enemy tires himself out” – I see this as a defensive strategy. Unless your organization is specifically targeted by a motivated attacker, many attacks are opportunistic. That is, there are obvious, exposed weaknesses in network and/or system security that are ripe for exploitation. If you employ sound protective measures and do not present your network and systems as weak targets, chances are the attackers will bypass your organization. In the physical realm, consider shark attacks. Before initiating an attack, the shark will often brush up against its potential victim in order to “taste” it (i.e., reconnaissance). In some documented cases, if the victim fights back the shark may abandon the attack for easier victims, much like hackers in the cyber realm.

Opportunistic Stratagems

These stratagems are useful when there is a vulnerability present for attackers to exploit.

“Creating something out of nothing” – I see this particular strategy as a defensive measure. My interpretation is that this is analogous to the “honeypot” approach. The honeypot is typically either an Internet-facing system or an internally-networked system that, by design, appears to be exploitable. Honeypots can contain bogus files or documents of a seemingly “secret” nature in an effort to entice attackers to spend time attacking the system under the observation of the security team. The security team can then use their observations to ascertain the attacker’s methods and techniques to bolster their defenses and potentially gather evidence for prosecutorial purposes. Thus, in the honeypot scenario, “something is created from nothing.”

“Stealing a goat along the way” – As the ancient Chinese armies trekked across the land, they needed supplies and provisions. Stealing a stray goat or two along the way to feed the army was a necessity. A more cerebral interpretation of this stratagem is that in executing one’s plan, there should be flexibility in order to take advantage of opportunities along the way. In the cyber security realm, I see this as an attacker’s stratagem. In the event a network is compromised, attackers may have a primary target but will infiltrate and compromise other untargeted systems along the way if given the chance to do so. This is the hacker technique of “lateral movement” through a compromised network. The attackers “progressively move through a network as they search for the key data and assets that are ultimately the target of their attack campaigns.”

Offensive Stratagems

Much like the Advantageous Stratagems, these are meant to be used when there are time and resources - but the difference is that with the Offensive Stratagems, victory can be achieved through a direct attack rather than via an indirect attack.

“Disband the bandits by arresting their leader” – This is an obvious offensive strategy analogous to killing a snake by cutting off its head. We have many examples where our FBI has taken down cyber criminals either alone or in concert with other law enforcement agencies. One example is the 2016 takedown of the Avalanche network, which was used as a “delivery platform to launch and manage mass global malware attacks and money mule recruiting campaigns. It has caused an estimated EUR 6 million in damages in concentrated cyberattacks on online banking systems in Germany alone. The global effort to take down this network involved the crucial support of prosecutors and investigators from 30 countries. As a result, 5 individuals were arrested, 37 premises were searched, and 39 servers were seized. Victims of malware infections were identified in over 180 countries. Also, 221 servers were put offline through abuse notifications sent to the hosting providers. The operation marks the largest-ever use of sinkholing to combat botnet infrastructures and is unprecedented in its scale, with over 800 000 domains seized, sink-holed or blocked.”

I was CISO at the American Red Cross (ARC) beginning with the devastating 9/11 attacks through Hurricane Katrina and witnessed the escalation in sophistication of on-line fraud targeting the organization during this timeframe. During Hurricane Katrina, I was embedded with the FBI’s Internet Crime Complaint Unit and saw firsthand the fine work that the agents accomplish in combatting cybercrime.

“Releasing the enemy to recapture him later” – This tactic could be conducted in tandem with the “honeypot” strategy or other defensive methods whereby the “target” is aware of the attack and observes the attacker (hopefully with law enforcement assistance) in order to gather evidence and methods used by the attacker. The Avalanche example identified above took over 4 years of investigation and exemplifies the strategy of not immediately capturing attackers, but observing them to build a solid case for prosecutorial efforts.

In Part 2, we will continue to look at the offensive and defensive aspects of some of the remaining 36 Chinese stratagems outlined in the Confusion, Deception and Desperation categories that have cyber warfare implications.
