IT Security Warfare
Table of contents for warfare
- IT Security Warfare
- IT Security Warfare, part deux
Lots of people like to apply Sun Tzu’s Art of War to IT security so I thought I’d take a different attack (pun intended) and apply Clausewitz’s theories instead. In this post I’ll touch on three of his key ideas:
Methods of critical analysis
“Critical analysis is the tracing of effects back to their causes.” [1] One form of critical analysis is learning from one’s mistakes. After an incident, organize an after-action review (AAR) and get everyone together to build timelines, list affected hosts, etc. Use whiteboards to draw things so they are easily visualized. Generate a list of what worked and what didn’t so that you can save time in the future. Collect all one-off tools and scripts that were created for the incident in case they become useful for another incident. Also, generate ‘next steps’ lists with actionable items intended to prevent future compromises.
Also be sure to share all the results of your analysis with as many people and departments as possible/feasible.
The asymmetrical relationship between attack and defense
In a lot of ways, IT defense has to be much more accurate. For example, by missing just one host during patch management you can leave a significant vulnerability, whereas when attacking, you just need to locate a few of the unpatched systems and exploit them.
Another example would be the ability for attackers to gather direct intelligence on the target, but not vice versa. In the case of industrial espionage, this might be different, somewhat, but I really doubt there are many ways to discern how an attacker plans on attacking you in the realm of IT security.
For this reason, defensive posturing means a wide range of defenses addressing a slew of different attack vectors. The attacker might have a large number of attacks planned, but it won’t be the full gamut of potential vulnerabilities available. This is also why many shops need more than one security specialist with varying areas of expertise. A network security specialist isn’t the best man for the job of securing a web app.
The nature of ‘military genius’ (IT Security genius)
The definition of ‘genius’ often includes the word ‘creative’ as well as ‘intelligence’, and I strongly believe that creativity is a cornerstone of an effective practitioner. For example, let’s say you work for a shop that doesn’t have a large security budget. Do you go without top-notch security, or do you start looking at *nix solutions that are far less expensive but require more knowledge, time and effort up front?
Being creative also means looking for the elegant, accurate countermeasure rather than the clumsy, overly restrictive yet effective measure that blocks the attack but also restricts legitimate use. For example, we allow several different IM clients on our network, but none of them are allowed to transfer files. This way we are protected against IM-borne worms and viruses, and our users are still able to use IM to chat.
IT Security is cyber-warfare these days, so it’s best to accept it, adapt to it and start digging trenches.

As much as I’d like to trade Metasploit volleys with someone attacking my network, it just isn’t ethical as you mentioned and besides, the attacking IP is likely someone’s mom’s computer that has been compromised and is used as a proxy.
However, we aren’t without options. Counter-attacking in IT security involves gathering evidence that will hold up in a court of law and involving the authorities to pursue the attackers for you.
Counter-attacking would also include moving upstream and notifying the ISP of the attacking IP to let them know they have a compromised or malicious host on their network, and hopefully they’ll take action. Allies can often take action you can’t.
Other actions you can take are to get involved with groups that take down bot herders and their C&C channels. The ISC is one such organization that everyone knows about.
Hope your travels were safe!
By Michael on 06.27.07 8:23 am