The 36 stratagems, profound in their simplicity, represent thousands of years of experience in dealing with internal and external enemies and are expressed in a mere 138 Chinese characters. Part 1 examined the first three topical areas: Advantageous, Opportunistic, and Offensive. Part 2 addresses the last three topics: Confusion, Deception, and Desperation. As stated before, not all of the 36 stratagems apply to cyber warfare, and many are redundant, being permutations of deceptive strategies. We will look at the applicable stratagems as either offensive or defensive in nature.

Confusion Stratagems

The Confusion Stratagems are designed to “confuse” the enemy in some fashion so that escape or other evasive action is possible.

“Pulling out the firewood from beneath the cauldron” – This defensive strategy is best exemplified as “stealing one’s thunder.” In the cyber security realm, how many times has an exploit been publicly announced (e.g., the Poodle attack, Heartbleed, etc.) and your systems and networks have almost immediately been scanned by attackers looking for vulnerable systems? You can “pull out the firewood” by patching the systems as soon as practicable and eliminating the exposure. A prime example is the infamous Equifax security breach, where the personal data of 143 million consumers was compromised and “was due to (Equifax's) failure to install the security updates provided in a timely manner.” A 2015 InfoSecurity Magazine article found that “Despite the best intentions, most companies take an average of 100-120 days to patch vulnerabilities. And, many companies have critical vulnerabilities that go unpatched altogether.” In some cases, the fire under the cauldron is blazing and more firewood is piled on due to the lack of an effective and timely patching program.

“Slough off the cicada's golden shell” – This defensive strategy is essentially to disguise oneself and masquerade as something or someone else. Alternatively, one can employ this strategy by abandoning routines and traits and thus becoming inconspicuous. In cyber security, this strategy can be employed in a number of ways. A network security product I came across a couple of years ago would change out internal IP addresses on a frequent basis. I am not sure if this company is still in business, but it is an innovative approach to confusing attackers. Another network security product designed to mask operations is one that deploys specialized switches and routers to essentially create an encrypted “network within a network.” This is similar to a VLAN solution and is especially attractive for isolating critical systems such as industrial control systems from corporate networks.

Deception Stratagems

Deceptive Stratagems are used to create an advantage and obstruct the enemy. Several of these deceptive strategies are applicable to a “honeypot” approach. As discussed in Part 1, a honeypot is typically either an Internet-facing system or an internally networked system that is exploitable by design. In addition to obvious vulnerabilities, honeypots can also contain bogus files or documents of a seemingly “secret” nature in an effort to entice attackers to spend time attacking the system under the observation of the security team. Deceptive strategies are as follows:

“Make a Feint to the East While Attacking in the West” – This is an offensive strategy whereby the attacker distracts the victim on one front while attacking on another, less obvious front. This was a really popular attack methodology a few years ago, where the distraction was a denial of service (DoS) or distributed denial of service (DDoS) attack designed to occupy defenders while the attackers exploited the real, desired target. While DoS and DDoS attacks may not be a favored arrow in today’s quiver of attack methods, they were successful and may be used again when we least expect it.

“Decorate the Tree with Fake Blossoms” – In this defensive strategy, the attackers are attracted to the tree by virtue of fake blossoms. This is textbook “honeypot,” whereby attackers are attracted to the “exploitable” honeypot system as “decorated by fake blossoms.” The fake blossoms are both the obvious exploitability of the system and the bogus “secret” files and documents contained within the honeypot.

“Disturb the Waters to Catch a Fish” – This defensive strategy is also textbook “honeypot,” where the attacker has been confused by his fascination with the honeypot and thus is captured as the security team gathers evidence. This can also be an offensive strategy much like “Make a Feint to the East While Attacking in the West.” Attackers create a distraction (i.e., disturb the waters) on one front in order to “catch the fish” on the other front.

Desperate Stratagems

 The Desperate Stratagems are to be used when everything else has failed.

“Double Agent Ploy” – Or said another way: “Let the enemy's own spy sow discord in the enemy camp.” This is an offensive strategy that, in effect, uses internal agents against their own organizations in order to cause chaos and general mayhem. In today’s cyber realm, this strategy is best left to law enforcement (LE) professionals, whereby the LE agent infiltrates the enemy’s camp through deception in order to “sow discord” within it and cause distractions. We have seen dramatic examples where LE agents pose as minors in various online forums in an effort to expose, capture and prosecute child predators. Another extraordinary example of this strategy can be seen in the book “Kingpin: How One Hacker Took Over the Billion-Dollar Cybercrime Underground” by Kevin Poulsen. Integral to the real-life story is the subplot of Pittsburgh-based FBI, then Supervisory Special Agent, now Unit Chief J. Keith Mularski. Under the guise of “Master Splyntr” and “Pavel Kaminski,” he took over as the system administrator of the “Dark Market” credit “carder” website (used to sell stolen credit card numbers to criminals). This is a truly remarkable story of Mr. Mularski’s activities as he was accepted into the inner circle of these criminals and ultimately brought them to justice.

“Beauty Scheme” – The gist of this offensive stratagem is to send the enemy beautiful women to cause distraction and general discord within the enemy’s camp. This is similar to a “Trojan Horse” approach, where the gift of the wooden horse (in which warriors were hidden) was used to gain entrance to the enemy camp and, under the cover of darkness, vanquish the enemy. This strategy uses computer code as an offensive weapon, as we saw with the “Stuxnet” worm. “Experts believe that Stuxnet required the largest and costliest development effort in malware history. Developing its many capabilities would have required a team of highly capable programmers, in-depth knowledge of industrial processes, and an interest in attacking industrial infrastructure.” Stuxnet primarily targeted Iranian Supervisory Control and Data Acquisition (SCADA) systems used in uranium enrichment programs and caused significant damage to Iranian systems.

“A series of interconnected ploys” – This defensive strategy is something all CISOs can relate to: the concept of “defense in depth.” This stratagem suggests that one should apply several stratagems simultaneously, as a chain of appropriately applied stratagems. In protecting our networks, systems, users and data, we employ various methods and technologies.

The last stratagem states “If All Else Fails – Retreat.” Unfortunately, we as defenders of our networks and systems do not have the option to retreat from the onslaught of attacks. No truer words have been written than “there is nothing new under the sun” (Ecclesiastes 1:9). While the 36 Chinese Stratagems are ancient, it is interesting to examine these strategies critically and see how they might apply to today’s theater of cyber security and warfare.
