Former cyber capability developer with the National Security Agency (NSA) Ben McCarty offers the wisdom of Japanese ninjas as metaphors for building strong cyber defenses.
Ancient ninja techniques can help network security departments, says former cyber capability developer with the National Security Agency (NSA) Ben McCarty. He studied the ninjas of feudal Japan, who preserved their tradecraft in secret scrolls. Ninja methods of confusing the enemy and penetrating castles have much in common with the methods hackers utilize to breach cyber defenses.
Ninjas of Feudal Japan
Historical ninjas – shinobi – were professional spies and warriors in Japan from the 12th to the 17th century.
Shinobi, McCarty tells, produced detailed maps of the terrain around an enemy castle. Defenders of digital castles should do this as well. A worthy map shows the physical and logical architecture of the network, the building housing it and all authorized and unauthorized devices.
Defenders of a castle must understand where an attack might occur and the castle’s design should include countermeasures. Guarding weaknesses too obviously could alert attackers to a vulnerability.
Ancient security for castles and villages incorporated “xenophobic security” – suspicion of outsiders. Shinobi blended in with the population; every town and castle had its own customs and dialect. In the cyber world, McCarty advises, organizations featuring unique settings and policies better resist penetration.
A foreigner suspected of mischief (anti-privilege) could have less permission than a stray cat (unprivileged) and therefore would not be allowed to leave the village.Ben McCarty
Shinobi would sneak in with troops returning to a castle. In the digital world, strong authentication consists of multiple layers, such as passwords, SMS codes, biosignatures and hardware tokens.
Cyber defenders can apply a shinobi technique for two-step authentication. A subtle hint could tell the person logging in to change the confirmation code he or she received via SMS, or wait a certain time before typing it.
Shinobi tried to attack when the enemy was sleepy, tired or distracted. Network defenders should log and analyze traffic patterns of different periods of the day and night to spot unauthorized incursions.
Computer systems use the time for encryption and logging. Restrict access to time information in your networks. Tools that hackers use depend on knowing the time, the author points out.
Guarding the Gates
Scouts outside castle walls would listen for the enemy, use dogs to smell them or roam to encounter them. They built detection systems. A sandy surface with a special pattern, for example, would indicate if someone walked over it.
Cyber defenders often place monitoring devices at egress points of a network. This leaves them blind to attackers who get inside. Block all encrypted traffic you cannot inspect, says McCarty.
To get into a castle, shinobi used improvised ladders. Hackers use bridges – devices that connect networks. Hackers uses sound, the heat of microprocessors, the blinking of LED lights and cell phones connected to USB ports to exfiltrate information.
Attack as Diversion
Shinobi would penetrate a well-guarded castle by slipping inside with defenders – a technique called “moon on the water.”
A significant percentage of personnel always fail [with phishing attacks].Ben McCarty
The cyber equivalent is social engineering. Traditional methods include phishing – sending an email with a malicious attachment; pretexting – convincing a target to access sensitive information; and baiting – leaving USB drives for people to insert into their computers.
The Nearby Enemy
Shinobi would recruit “worm agents,” people working for their enemies, by seeking people with grudges or stifled ambitions. Insiders can likewise endanger computer networks. Defense involves background checks, drug tests, annual surveys and privilege management.
An agent inside could help a shinobi execute a “ghost on the moon” tactic. This agent would be a sleeper, valuable to the castle, but in contact with the shinobi. The cybersecurity version of this is the supply chain attack. Hackers implant hardware or software in products a company buys. Companies must research manufacturers and shippers, inspect devices on delivery and secure them with technologies that detect tampering.
Most organizations cannot or should not attempt to catch or attack threat actors, learn their identities, or map their capabilities.Ben McCarty
Shinobi would plant evidence to make the enemy take a certain action. Using this “art of the fireflies” technique, cyber attackers leave misleading clues in their software. In many cases, recognizing and neutralizing their threat does more good than identifying perpetrators, McCarty says.
Trap and Study Intruders
Ninja scrolls recommend capturing, not killing enemy shinobi to learn their plans and methods. Castles lured shinobi into a maze of hidden traps. Try to catch hackers during an attack to assess any damage and improve defenses.
Netflix, for example, runs a continuous exercise called “Chaos Monkey” that lets systems fail randomly. Implement “firebreaks” or “kill switches” to separate networks whole or in part from outside threats.
After infiltrating a castle, a shinobi would send word to his general. Hackers send malware command and control messages. Firewalls and other measures try to block this.
The fact that the shinobi scrolls offer no guidance around how to stop covert communication suggests there may not be a good solution for it.Ben McCarty
Shinobi would leave other physical “call signs,” to provide directions or instructions. Cyber attackers leave similar messages. To detect call signs, monitor the memory of high-value systems.
Hire the Right People
Ancient ninja scrolls advise lords to hire as shinobi only the intelligent, patient, capable, loyal and eloquent.
Even if an organization hires an incredible professional worthy of the title ‘cyber ninja,’ there is no guarantee that the employer will use them effectively.Ben McCarty
Castle lords hired shinobi to teach guards how to defend against other shinobi. Use trustworthy hackers to discover threats, McCarty counsels.
Whether McCarty offers security ideas that sophisticated companies will race to implement is almost irrelevant: This is fun. McCarty conjures rich visions of ancient ninjas and their combat techniques. Desktop warriors will enjoy picturing themselves as wise combatants thwarting shinobi intruders. McCarty’s security suggestions seem pretty obvious, and he strains to hold onto his ninja metaphors. But he is a lively writer in love with his subject. McCarty’s passion makes up for any lack of new practical security solutions.
Other books featuring ninjas as business avatars include Ninja Innovation by Gary Shapiro; Sitting on a File Cabinet Naked with a Gun by Linda McFarland and Joanne Linden; and Business Ninjas by Stephanie Bulgarino-Weier.