Ninja, Samurai, Shogun, and Ronin
I cannot count the amount of times that someone has called this or that person a “Ninja” in the INFOSEC/Red Team community that we all inhabit. One cannot go to a hacker conference without seeing Ninja imagery in the artwork surrounding the business of digital security today and this allusion to the Ninja has been problematic for me for some time. I think my feelings on this are akin to the feelings of some who grind their teeth on hearing about another presentation on security that contains Sun Tzu quotes from the Art of War. Recently though I have had some insights due to some reading as well as a series of incidents involving the Target story that got me thinking. My conclusion is this; “If we are going to use the imagery and call ourselves Ninja then we had better also look at the Samurai who defend their domains and their Shogun as well as the odd Ronin out there we run into”
To this end I am writing this post on the parallels today for those who wish to consider themselves Ninja as well as perhaps reach those defenders or “blue team” folks to understand the landscape here from a historical perspective as well as a tactical one. Given the nature of the threats today and the increasing use of unconventional warfare tactics in everyday compromises it is my opinion that we all must be much more versed with warfare as well as espionage in order to deal with the everyday job of compromising a network as well as defending it. This too also follows through to the idea that you must be able to deal with your particular “Shogun” and take their orders as well as advise them on the battles that you are waging.
So, if you want to consider yourself a Ninja Mr. pen-test red team-er then so shall I consider myself a Samurai. However, I will understand their meanings in the context of history, not Hollywood, and apply their traditions and capabilities to today’s battle on my Shogun’s network.
The history of the Ninja is shrouded in mystery for many but the truth of the matter is that they were primarily two clans from Iga and Koga during the 14th century that are the wellspring of the story of Ninja. These were mountain ascetics at first and then commoner families or clans who passed down their teachings within the family for security’s sake. These Ninja were not bound by the Bushido as completely as the Samurai were but did have their core ideals emanate from the same code. The Ninja were specialists in unconventional warfare using common tools as weapons but their primary aegis was to not have to fight in the first place. A Ninja you see was in fact a spy more than anything else and their first tool in their arsenal was stealth. The use of disguises and psychological warfare were the first tenets outside of a command of their bodies as weapons and this made them a force to be dealt with that the Samurai often failed to do well.
The reason that the Samurai often failed to win against a Ninja was that the Samurai’s main goals were to die in battle honourably and to use no artifice in battle. The Ninja on the other hand used trickery and deception as their primary tools and this extended to individual fighting between the two which often times was not on a field of battle but instead at a gate to the castle or elsewhere where they were not prepared to fight. This is of course if the Ninja was forced into a battle in the first place. As one master put it; “The best ninja has no smell, leaves no name, and makes everybody wonder whether he existed.” so the first priority was never to be seen at all.
For more on Ninja go HERE
Given the quick primer above we then have to look at the dialectic today when these people are calling themselves Ninjas in our community. If we are to consider a Ninja then to be a warrior or adversary who uses unconventional warfare tactics and espionage techniques in the digital sphere many within the Red Teaming and Pen-Testing field “might” qualify. One has to ask though just how many of these red teams are using unconventional tactics like 0day to carry out their attacks as well as recruiting spies or physically infiltrating targets. This all depends on whether or not you are in fact allowed to take the gloves off and actually do things that an actual adversary would do. All too often I have seen penetration tests that would be called red teaming that had very limited scopes and ground rules that no self respecting Ninja would allow or abide by. So is this really a Ninja? One who follows the rules of engagement set forth by the target? Are they in fact then more of a Ronin or Samurai posing as a Ninja performing their task?
What I am trying to get at here is this;
- Does following the rules of engagement on an assessment allow you to be called a Ninja?
- Did you get in and get out without being seen or heard?
- Did you use unconventional means or did you just use Metasploit?
Many guys out there I know personally are doing great work and I would call them Ninjas if it weren’t for my dislike of the whole hype and silliness around this imagery personified by Hollywood and now the INFOSEC community without the benefit of real historical context or understanding. As I mentioned above though increasingly this field of information security both aggressive and defensive is becoming more and more a pawn in a greater geopolitical game as well as field of battle and we need to catch up. The points I made just a bit ago about just how you carried out your penetration tests comes to bear here with adversaries like China and others who have no rules of engagement. They use whatever they can to get in and take the data they want and no amount of compliance like PCI will stop them or the common carder like Rescator and his crew. Unless we as a community can get it across to our Shogun’s (aka corporate America) that there are no rules we will then always see more Target breaches because they only followed the rules of PCI compliance and did no more.
I have been thinking about this post after watching an episode of TMNT (yes I watch Nick) and how the story line is including April O’Niel as a Kunoichi. A Kunoichi is a female ninja and they were also commonplace before the comic book world got their hands on the idea. Of course today you think Kunoichi and you may see something like “Shi” in your head. This was not necessarily the case but indeed there were female Ninja and they were often times inserted into situations like Anna Chapman was as an illegal and a honeytrap but they were exceedingly skilled in the same techniques as the men and equals if not more efficient.
Today there are many women Ninja in our business and it was an oversight on my part not to mention this designation. I am correcting this now though. I would like to however make the distinction that today’s Kunoichi is not just a pretty girl but there are many highly technical women in this business that can hack and to not acknowledge this is a disservice. This designation is not to separate the sexes and skills but to be inclusive where I had been remiss before in not thinking about including the term.
The opposite side of the coin for this argument is that the Blue Team side is in fact the hapless Samurai. Why are they the Samurai? Well, take a look at your average defender and you will see the similarities. The primary thing though is that the Blue Team is bound by the rules of the system in place or the Shogun they report to. In the case of corporate America your Shogun is your CSO/CISO/CIO and your Emperor is of course the CEO. The blue team cannot go outsides the confines of the rules set forth by the Shogun and the Emperor no matter how much you try and all too often it seems that the C level execs are hard to reach and consider the blue team more of a check box than anything else in today’s culture. Thus I add the title of “Hapless” to the Samurai because no matter how good the Samurai is he is always defined by the Bushido of the lord he or she works for.
In a battle against the Ninja (i.e. APT/Criminals/Mal-Actors) who use the tactics of unconventional warfare there is little that can be done by the Hapless Samurai who wears the shackles of corporate Bushido rules. How many of you out there have been hamstrung by policy or lack thereof in trying to address the unconventional war that is being waged today on all our networks by various actors? Again what I am trying to say is this;
- How many times have you been told you cannot get a tool for prevention/detection because it costs too much and there is no budget?
- How many times have you attempted to get the word out on security and awareness let’s say only to get a half hearted or any response at all?
- How many times have you laid out the risks to your Shogun and been told that they would not fix the issues due to time/money/business continuity issues?
There are a host of questions I could ask but you get the gist here right? YOU are at the feet of your Shogun and your corporate emperor and you have little to no say in the direction of things. All you can do though is serve and serve with honor no matter the cost. Oh, and yeah, usually when the compromise happens who gets the blame and then is shuffled off to the unemployment line? Hey, at least it’s just that instead of being told to commit Seppuku right? Remember that you are the Infosec Samurai and learn to live with this because if you cannot, you will be very unhappy and your every day will be filled with angst and misery. If you take a real look at the Bushido code though or the Hagakure perhaps you can find meaning.
The Infosec Shogun is in fact the CSO or CISO in today’s corporate structure. These are the lords who, like the Shogun generals should be marshaling the troops and fighting the overall tactical battles. My experience to date has been that far too few of these Shogun’s had actual viable experience to be the Shogun and more often than not got their jobs by the fickle flying finger of fate. Of course this is changing now in more places but I would hasten to point you at the Target affair to show you otherwise. Given the information that has come out of Target so far there was no CISO or CSO Shogun but instead a CIO who had no real IT background to begin with. Unfortunately all too often this is the case with the CSO as well. What good is a general (Shogun/CSO/CISO) who has no experience in battle? How can one expect to win any battle with someone at the army’s head who has no idea what the conventions are never-mind the tactics to fight it?
Alternatively you may have a Shogun who does have experience and can give you direction as well as take counsel to fight the war but they too may be hamstrung by their emperor who holds them back. The idea here is that like it or not, whether you are literally in ancient Japan or the corporate boardroom today you are always reporting to someone and taking their orders. This is the key here, that while the Ninja may have basic orders they also were given greater purview on tactics and mission parameters and we, the hapless Samurai are not. We are governed by our corporate masters and to go outside the rules is to be let go. Remember this Blue Team Samurai as you prosecute your daily battles against the adversary who laughs at rules.
The last designation I would have you consider is the Infosec Ronin. The Ronin are master-less Samurai who often became more NInja than anything else historically. Some of these Ronin were in reality still Samurai but using the tactics of the Ninja to win the day for their Shogun but this was not the norm. In today’s world I would consider the consultant to be a Ronin. A consultant goes from job to job and does the bidding of the master of the day and in fact may have the latitude to tell the master that they are wrong. A Ronin may in fact operate as a Ninja primarily because they have no set master and this is rather liberating.
For the sake of this argument I am going to just say that the Ronin, one who is established can walk away from any contract if they are unhappy with the responses from their “master Shogun” and move on. This is the key to perhaps actually being an effective Samurai in some cases. It really does depend though on the master who has hired you to perform a job. I personally have walked away from clients because after the first pass of a final report they had decided that certain things were not worth re-mediating. If I feel that the client is only going to perform “check box” security then I am no longer willing to help them if I am in fact a Ronin. I know that some will say that this is just stupid and you will not make your pay day but I personally would rather be benefiting the security of a place than just giving it lip service wouldn’t you? Of course not many of us out there are in the position to do this and I will admit that my consulting is a side business to my main income so for me it is a bit of a luxury having this code of ethics. The Ronin though has a place at the information security table specifically next to the Ninja because they are not bound solidly by the rules of the emperor at that particular shogunate.
Unconventional Warfare & INFOSEC:
Finally I would like to cover the idea of Unconventional Warfare and the state of INFOSEC today. As I have made statements about above, we are now in a place where information is power and all warfare with it is allowed. The advent of APT (Advanced Persistent Threats) and nation state actors has changed the paradigm of Information Security forever as much as networking has. We have seen the advent of many kinds of laws and rules being put in place to stop bad actors as well as force corporations to at least adhere to a modicum of security practices to protect their clients. Many of these, such as HIPAA or PCI-DSS have come out of Washington as toothless cudgels that corporations can just speak to as talking points and skate on actual practices. Alternatively many of these rules have little to no comprehension of actual technological issues nor address unconventional warfare tactics that are being used to attack systems and companies to steal data. On the whole nothing to date out there really will make a difference against a determined adversary and that knowledge needs to be common. Instead though it seems to be arcane and mysterious to many in power.
Until such time as ideas like Defense in Depth are more common and we have Shogun’s and emperors who understand not only how their business runs but their threatscape we will be doomed to failure. Of course one might also hasten to add that even with the best of the best we will always lose a battle or two and this is quite correct. The key though is to attempt to win the war itself and leave the battles to the day to day. Accept those we lose and learn from them to hopefully win the overall war later on. Unfortunately too many of the people that we the Samurai deal with are not at all aware and in many cases do not seem to care to understand the issues until they have been burned and burned badly (like Target)…
We, the Samurai face the battle today that no one has faced before. The threatscape is ever changing at the speed of light and the adversaries are many. Prepare for your daily battles knowing who you are and where you sit in the hierarchy. If you decide you want to be a Ninja understand that you too may be bound by the rules of the Shogun as your retainer. I want you all to think about the names we give ourselves and the perceptions we want others to have of us but most of all I want us all to be enlightened about our fight and who we are. Today it’s just a given that you must consider your networks are already compromised and that Ninja is in there stealthily stealing data and it more than likely isn’t one that you may be paying to test your security.