I believe infosec, particularly incident response, is a realization of competition through digital venues. Similarly, military thought is focused on one of the most serious levels of competition: war. There is a series of similarities here that goes beyond simple analogy into mutual usefulness, and a lot of lessons we, as security practitioners, can learn from. Earlier this year I read “Strategy” by B.H. Liddell Hart. Below are a smattering of quotes and quick observations I’d like to apply to infosec.
“… there are two forms of practical experience, direct and indirect - and that, of the two, indirect practical experience may be the more valuable because infinitely wider”
The field still lacks proper training and experience. One of the more valuable assets we have at our disposal is the sharing of information and collaboration, both vertically and horizontally: vertically, learning practical experience from other fields, and horizontally, learning from peers’ experience in the information security space. Mudge made a good observation in his 2010 ShmooCon keynote (summarized): the most common method of learning in infosec has historically been through mentor relationships. We need more and better mentors at an individual level, and increased and honest information sharing and collaboration at an organizational and industry level.
“[Belisarius] was a master of the art of converting his weakness into strength; and the opponent’s strength into a weakness. His tactics […] had the characteristic […] of getting the opponent off balance”
Various bad guys use their lack of permanence/infrastructure against our immobile and lethargic infrastructure. They take advantage of our lack of sharing of attack data. We’re not just slow but we’re also stupid by comparison. Their fewer resources make them more mobile; their ambiguity makes them more powerful. (Also, this quote is a simplistic precursor to Boyd’s OODA loop construct which I find pretty hip.)
“[…] to cut an army’s lines of communication is to paralyze its physical organization […] to cut an army’s lines of intercommunication is to paralyze its sensory organization”.
To clarify the context of the quote: lines of communication are external to the army: emails, newspapers, radio, TV, the Internet, etc. (a nation’s C2, if you will). Lines of intercommunication are reports from the field and orders to the field (the military’s own C2).
Indeed, the theme of controlling an opponent’s communication and command structure is repeated throughout not just this book but others. Information security is as much about securing information as it is about securing external and internal command and control. At both strategic and tactical levels, this requires careful consideration.
“[…] it is wise in war not to underrate your opponents. It is equally important to understand his methods, and how his mind works.”
Compare that with the platitudes which constantly deflate the attacker: “script kiddie”, “miscreant”, “kid living in his mom’s basement”, etc. We hurt our sense of mission by underrating the opponent. The Honeynet Project got this right over 10 years ago with their “Know Your Enemy” papers.
“natural obstacles are inherently less formidable than human resistance in strong defenses” (emphasis mine).
Skilled humans are more adaptable, and more key to security operations, than automated defenses or ‘obstacles’.
“the weaker the defending side, the more essential it becomes to adopt mobile defense” (emphasis mine)
The abstraction of technology through wireless, clouds, and mobile devices just may have a positive effect against targeted attacks. To get there, we also need mobile defenses (visibility and C2).
“deprive the enemy of his freedom of action”.
Laws are historically what civic society uses against criminals. International laws simply don’t exist, or don’t extend far enough, to deprive attackers of their freedom of action. Defenders also have a habit of constraining their own freedom of action: by not understanding organizational hurdles, by narrowing the mission to one of compliance, or otherwise.
“… in war every problem and every principle is a duality”.
Too much infosec thought rests on the assumption that there isn’t an intelligent attacker on the other end, but rather some sort of inorganic and stagnant thing that needs to be discovered and mitigated. The duality of attacker and defender is much closer to the truth.
And finally, Bourcet’s axiom:
“every plan of campaign ought to have several branches and to have been so well thought out that one or other of the said branches cannot fail of success”.
Defense in Depth was designed to achieve this. The classic DiD tactic is to create backup defenses through several layers to filter out an attack before it reaches its target. We’re now seeing attacks where, if the target isn’t achieved, the offense will leverage what it did achieve and use that as a base to continue the campaign or mission. Perhaps, more precisely, current DiD tactics do not take into account campaign-level attacks, Liddell Hart’s thoughts on rapidity and especially indirectness, or Clausewitz’s concept of friction. It doesn’t help that the large (aka lethargic) infrastructures we secure simply can’t meet a holistic DiD solution due to over-complexity and constant change within said infrastructure.