13 Oct 2016

Russia, Reflexive Control, and the Subtle Art of Red Teaming

“To understand the Russian approach to strategy and conflict, we must first understand something about the concept of reflexive control. Initially developed and championed by Vladimir Lefebvre, it’s a uniquely Russian view on stratagem and deception that repackages and reframes much of what we usually associate with Sun Tzu. If we expect deception and stratagem from China but not from Russia, we’ve set ourselves up to be surprised. We’d be foolish to assume that the Russians are not currently employing reflexive control against the West.

By definition, reflexive control is ‘a means of conveying to a partner or an opponent specially prepared information to incline him to voluntarily make the predetermined decision desired by the initiator of the action.’[1] In other words, when employing the theory of reflexive control, you paint a picture of the world that, if successful, your opponent accepts. This false picture compels your opponent to act in your favor. A close term in the U.S. lexicon is ‘perception management,’[2] although the tone of reflexive control is arguably broader and more Machiavellian.”

Source: Russia, Reflexive Control, and the Subtle Art of Red Teaming | RED TEAM JOURNAL

16 Jun 2015

The Cybersecurity Infantry, Part II: “Underground” Operations

In the first post in this series, I highlighted the broad utility of the sensible and timely tactical retreat. In this post, I explore the power of operating “underground.” Once again, I turn to H. John Poole’s Phantom Soldier, where he describes the challenge of fighting an adversary who operates on a different plane. His description of the assault on Iwo Jima is well worth reviewing. Drawing from a variety of sources, he sketches a picture not just of an island under assault but of a highly engineered defensive warren, most of it underground (a situation Clint Eastwood portrayed with visceral power in both Flags of Our Fathers and, more particularly, Letters from Iwo Jima).

When the Americans landed on Iwo Jima, they did so confident that the preparatory bombing and shelling had routed the defenders. As one observer noted, “1,500 Marines of the first wave were now ashore on Iwo Jima moving inland to secure their objectives. Very few Japanese appeared to have survived the pre-invasion bombardment.” (Christ, p. 20.) Unfortunately for the Marines, “the Japanese knew they were coming, and they [the Japanese] had been preparing for over a year.” (Christ, p. 4.) The Japanese sprung the trap once the first wave of Americans moved off the beach. From well-concealed positions the Japanese unleashed a hellish tsunami of artillery, mortar, and machine gun fire. The Americans couldn’t even hit back effectively; there was little shelter, and the enemy remained hidden. According to Christ, the Japanese

“… had months to perfect their accuracy and had preplaced markers and aiming sticks all over the island. As the Americans moved inland by the thousands, [they passed] hundreds of hidden positions. Kuribayashi’s men were the best in the world at the art of camouflage, and the Americans walked unknowingly past almost all of them; bunkers covered in volcanic ash with firing slits only inches above ground; sand hummocks that looked like wind-blown mounds of dirt; buried pillboxes with fields of fire covering areas of likely movement; spider traps with lone snipers; concealed caves with rocks piled in front; and rapid-firing anti-aircraft guns dug in with only their barrels showing, aimed horizontally to rake landing craft on the beach.” (Christ, p. 30.)

This lyrical citation from Poole captures the radical nature of the situation:

“Marine spotters in Maytag Messerschmitts watched the attack come to life in brilliant, chilly sunlight. Theirs was a familiar spectacle on Iwo, but totally foreign to anything else in military history. Below them was a battlefield where one army fought above ground and the other fought almost totally beneath it; where thousands of troops moved in the area at the same time.” (Poole, Phantom Soldier, p. 77, quoting a 6 March 1945 Marine intelligence report.)

What does this have to do with cybersecurity? The cyber plane is—much like the underground emplacements, barracks, and strongpoints on Iwo Jima—invisible to the untrained, unsuspecting, or overconfident observer. Unless detected and countered, it offers a secure position for observation and attack. A clever adversary embedded on the cyber plane can operate “below” the metaphorical ground while the defender moves about “in the area at the same time.” The ultimate effects of this are similar to those the Americans initially experienced on Iwo Jima (and recall that the Americans enjoyed unchallenged air superiority and a massive advantage in firepower).

Drawing on the analogy, here are four ways that “underground” operations on both the physical and cyber planes can negate and undermine the traditional American way of war, which—by the way—informs and infects the Western culture of commercial cybersecurity. (And lest you think I

27 May 2015

The Cybersecurity Infantry, Part I: Retreat for Advantage

Read retired Marine H. John Poole’s Phantom Soldier. It doesn’t matter if you’re not in the infantry; read it anyway. It will open your eyes to the Eastern way of small-unit tactics. And while you’re reading it, contemplate the manifold parallels to cybersecurity. It will open your eyes to the global and all-pervading way of modern conflict on the plane of computer and communication systems. While the squad leader and the cybersecurity professional might consider themselves residents of separate worlds, strong conceptual parallels exist between their domains.

Before discussing specifics, it’s worth reviewing some of the core differences between the Eastern and Western perspectives. In Poole’s words,

“If one were to summarize the differences between Eastern- and Western-style armies, one might say that the former generally do a better job of harnessing the perceptions and common sense of the people in contact with the enemy. Deceptive and multifaceted, this alternative ‘style of war’ is difficult for the Western, ‘top down’ thinker to comprehend. At times, it employs massive firepower; but more often, it relies on surprise. Its essence lies not in established procedure, but rather in flexibility to change. It encourages its practitioners to shift rapidly between opposites—to alternatively use one maneuver as a deception and its reflection as a follow through.” (Poole, Phantom Soldier, p. 13.)

To put this in Western terms, the Eastern perspective intuitively embraces systems thinking and includes a strong bottom-up aspect. Throughout his discussion of the Eastern approach, Poole peppers his narrative with multiple examples of how the Eastern approach influenced infantry engagements during World War II and Vietnam. In several of the cases, it’s actually a bit disturbing to read just how obstinate Western tacticians and leaders remained in the face of a more fluid way of fighting. It reinforces the notion that you see precisely what you want to see.

But how does this relate to cybersecurity? Several points of connection exist throughout the book. Here I introduce one with the intent of introducing more in follow-on posts. Prior to reading Phantom Soldier, I seriously underestimated the importance of the ancient stratagem “[When the situation is growing hopeless,] running away [in good time] is the best stratagem.” (Harro von Senger, The 36 Stratagems for Business, p. 189.) I considered this, the last of the 36 stratagems, to be the stratagem of desperation, pursued only when all options have failed. The examples in Phantom Soldier caused me to reconsider. In fact, as Poole notes, “Of the 36 ruses, the last—running away—is probably the most important [italics mine] and least understood. When continuing to fight holds no strategic import, the Easterner will secretly withdraw.” (Poole, p. 29.) In support of this point, Poole cites the preface of the version of the 36 stratagems published by the Foreign Languages Press in Beijing. In fact, the opening sentence of the preface is “‘Of the 36 strategies, running away is the best choice.’” (The Wiles of War: 36 Military Strategies from Ancient China, p. i.) It’s on my shelf, but I never caught that. I’m not sure how I missed it, but I don’t think it would have meant much without reading the examples in Poole’s book, where he cites several cases of infantry employing efficacious tactical withdrawals. In one case, for example, a Japanese patrol on Guadalcanal engages Evans Carlson’s 2nd Raider Battalion, only to retreat. Poole follows the example by noting once again that “While considered less than manly in the West, running away has always been tactically valid in the East. It helps a valued resource to live to fight another day. It also helps

02 Apr 2015

The Red Teamer’s Top Ten Books

If you expect a red teamer’s top ten list of books to feature volumes on coding, hacking, and pentesting, you’re going to be surprised. In my view, the overarching principles of red teaming exist independent of any specific domain of application. Hence, my theme here is timeless patterns of cross-domain thinking, very much in line with the Red Team Journal Red Teaming Law #32 (“The Target”): “No matter what the nature of the game, the red team’s ultimate target should always be the opponent’s mind. Everything else is just technique.”

Sleights of Mind: What the Neuroscience of Magic Reveals About Our Everyday Deceptions (2010) by Stephen Macknik and Susanna Martinez-Conde. This is an utterly fascinating look at the interaction of mind and magic rooted in real neuroscience. That said, it’s written at just the right level for us non-neuroscientists.

The Timeless Way of Building (1979) by Christopher Alexander. Why a book on architecture? Don’t view it as a book on architecture but rather think of it as a book on patterns. Alexander’s notions on pattern languages heavily influenced how we design software; it should also influence how we go about red teaming.

INCOSE Systems Engineering Handbook, 4th Edition (2015). While you might not want to be a systems engineer, the principles of systems engineering provide insight into many if not all red teaming challenges.

Influence: Science and Practice, 5th Edition (2008) by Robert B. Cialdini. Can a relatively recent book be a classic? This one certainly is. You’ll learn how common human ways of thinking and interacting can be easily and predictably manipulated by advertisers and sales people, among others.

The Deceivers: Allied Military Deception in the Second World War (2004) by Thaddeus Holt. Set aside the fact that the examples in this volume are now over 70 years old; this is your single-volume advanced course in deception. Holt does an excellent job of extracting the core principles of deception from the myriad stories and cases. Yes, it’s long, but by the time you’re finished, you’ll know more about how deception works than 99% of the red teamers and analysts out there. When you’re finished, turn to Barton Whaley’s volume Stratagem and Deception, based on his work in the 1960s and reprinted in 2007.

The 36 Stratagems for Business: Achieve Your Objectives Through Hidden and Unconventional Strategies and Tactics (2005) by Harro von Senger. You’ve probably encountered the 36 Stratagems before, but it’s unlikely that you’ve read such an informed and usable study as this one from von Senger, a respected Swiss Sinologist. The introduction alone is worth the price of the book.

Surprise Attack: The Victim’s Perspective, Updated Edition (2004) by Ephraim Kam. This is one of the most marked-up books on my shelf. Kam does much more than review cases of surprise attack; he deconstructs them and extracts the common lessons.

Most Secret War (1978) by R. V. Jones. This is the red teamer’s quintessential desert island book. Much like the Holt book on deception, the examples here are over 70 years old, but the thinking processes Jones employs and illustrates are timeless. Jones’ 1989 volume Reflections on Intelligence is also worthwhile but doesn’t come close to Most Secret War in terms of readability or application.

The Failure of Risk Management: Why It’s Broken and How to Fix It (2009) by Douglas Hubbard. If you know just enough about risk analysis to be dangerous, this is the go-to book to raise your understanding to the next level. The author’s tone is a bit cutting at times, and he’s arguably better at framing the problem than solving it, but the
