Information Security: Seeking Sun Tzu's Guidance

There is a raging war in cyberspace. Hackers launch attacks for various objectives: hacktivism, extortion, fraud, or espionage. Targets may be random or targeted. It's only a matter of when one will fall victim to an attack

Concern has been rising as global cyber criminal activities rake in hundreds of millions of dollars annually and could cost more as systems operations are disrupted, intellectual property stolen, and organizations face legal consequences.

As malevolent actors take advantage of the cloak of anonymity and operate in the formless expanse of cyberspace, we can look to Sun Tzu's Art of War for guidance on how we can establish our cyber security posture.

Know the Enemy

Sun Tzu says, "If you know your enemies and know yourself, you will not be imperiled in a hundred battles... if you do not know your enemies nor yourself, you will be imperiled in every single battle."

Kelly Jackson Higgins, classifies hackers into (1) hackers who "operate more as big-box, thrifty enterprises with bargain-basement mini-botnets and commodity malware" who "hide in plain sight, but try to maintain a foothold in their victims' organizations" and (2) hackers who "stage camouflaged, commando-type raids to grab and run off with valuable financial information." (Profiling The Cybercriminal And The Cyberspy,

"When a general, unable to estimate the enemy's strength, allows an inferior force to engage a larger one, or hurls a weak detachment against a powerful one, and neglects to place picked soldiers in the front rank, the result must be a rout."

Available in the cyber crime underworld are tools such as anonymizers, botnets, malware, and exploits, among others, freely downloadable, for sale, or rent. Advanced hackers develop custom-built malware. Indeed, an assortment of attack tools is available to hackers in the open cyber crime market. Attacks may even be outsourced. Absent a concrete measure of the adversaries' capabilities, it is best to assume that hackers will harness available resources to build up strength."

"Be extremely subtle, even to the point of formlessness. Be extremely mysterious, even to the point of soundlessness."

Hackers seem to follow Sun Tzu's treatises. Battles are fought with deception. Social engineering is one. This and anonymity in cyber space are the friends of hackers, allowing them to achieve formlessness and soundlessness. And so should we learn from it.

Knowing Oneself

Organizations, increasingly becoming aware of the dangers in cyberspace, have, to varying degrees, adopted security measures like installing firewalls to protect their networks and implementing anti-virus solutions. These actions may not be enough. Cyber criminal activities are well organized and so potential targets should likewise get organized. Best practice dictates an assessment of the organization's security posture through the conduct of a gap or SWOT analysis. Typically, the assessment will look into people -- knowledge and skills present or absent, processes -- the existence or absence of policies, standards, procedures, and/or guidelines that will dictate how we operate, and technology -- the solutions, hardware and/or software, that are already in place or that may be required to enhance protection of the ICT infrastructure.

Cyberspace is Formless

"We may distinguish six kinds of terrain, to wit: (1) accessible ground; (2) entangling ground; (3) temporizing ground; (4) narrow passes; (5) precipitous heights; (6) positions at a great distance from the enemy."

Sun Tzu admonishes us to know and understand each type of terrain to gain advantage. But what do we have in cyberspace? We all know that cyberspace is a network of networks, dispersed anywhere and everywhere the world over and all devices connected to it have assigned IP addresses, static or dynamic. The telecommunications network is the physical infrastructure that provides easy connectivity to cyberspace but its security is beyond the control of any user. While cyberspace may be an "accessible ground," we don't know if we are at "positions at a great distance from the enemy" or if the enemy is just around the corner from where we sit. And even if IP addresses provide us with endpoints that enable us to identify sources of attacks, such attack sources may not be the true source as IP addresses may be spoofed or botnets used. Hackers gain an advantage in this manner. They operate in the formless expanse of cyberspace. Thus, we should learn how to operate in it too.


Considering what we understand of the enemy's capabilities and methodologies, cyberspace, and our own capabilities, it would appear that defending the organization's ICT infrastructure is a daunting task. And indeed it is. Planning to develop a security posture is a good starting point.

"The general who wins the battle makes many calculations in his temple before the battle is fought. The general who loses makes but few calculations beforehand."

How do we enhance our strengths? How do we correct our weaknesses? How do we take advantage of opportunities? How do we deal with threats? Answers to these questions may be found in what we understand of the cyber enemy, of cyberspace, and of ourselves. Sun Tzu says:

"The enlightened ruler lays his plans well ahead; the good general cultivates his resources."

Resources that we have lie in people, processes, and technology. If lacking in knowledge and skills, awareness, education, and training will help enhance existing knowledge and skills and develop new ones. If lacking in processes, adopting best practices and standards and developing policies, procedures, and guidelines will point us to the right direction. If lacking in technology, we can evaluate and acquire appropriate technology solutions that will help us establish a desired security posture. This is the appropriate response to Sun Tzu's admonition for us to cultivate our resources.

"By altering his arrangements and changing his plans, he keeps the enemy without definite knowledge. By shifting his camp and taking circuitous routes, he prevents the enemy from anticipating his purpose."

But an end-state security posture is not the end-all. Our security posture must also evolve as cyberspace, hackers, and attack strategies and methodologies evolve. We have seen how technology has developed at a fast clip in the last decade and it will continue to do so in the long haul. During the same period, we also observed that cyber attacks have increased in volume, velocity, and sophistication. A plan is a living document. Following its implementation, the end-state must be monitored, tested, and evaluated, thereafter improved and vulnerabilities corrected, and the plan adjusted. It is a continuous process that will help us refine our security posture and respond to new and evolving threats.

Threat Intelligence

Key to improving our security posture is knowledge.

"Now the reason the enlightened prince and the wise general conquer the enemy whenever they move and their achievements surpass those of ordinary men is foreknowledge."

Mike Rothman pretty much sums it up, "In the Introduction to the Early Warning System series, we talked about the increasing importance of threat intelligence for combating advanced attackers by understanding the tactics they are using right now against our defenses. With this intelligence, combined with information about what's happening in your environment, you can more effectively prioritize your efforts and make better, more efficient use of your limited security resources." (

Situational Awareness

"In respect of military method, we have, firstly, measurement; secondly, estimation of quantity; thirdly, calculation; fourthly, balancing of chances; fifthly, victory. Measurement owes its existence to Earth; estimation of quantity to measurement; calculation to estimation of quantity; balancing of chances to calculation; and victory to balancing of chances."

"Hence in the wise leader's plans, considerations of advantage and of disadvantage will be blended together."

The chief information security officer must be situationally aware of his environment, of resources available at his disposal, of events occurring, and of tactics employed by hackers in order devise the appropriate response to an attack. A continuing flow of threat intelligence information will provide agility and flexibility in adjusting and reconfiguring his team's response.

Cooperation, Collaboration, and Coordination

Global and borderless as cyberspace is, we cannot live in silos as we exert efforts to defend our ICT infrastructure. Sun Tzu suggests:

"In a country where high roads intersect, join hands with your allies."

To further strengthen our security posture, we must work in close partnership with experts outside our organization and with local and international bodies to learn from them. In the face of attacks we or our allies experience, we must respond in the spirit of cooperation, coordination, and collaboration.


"The art of war teaches us to rely not on the likelihood of the enemy's not coming, but on our own readiness to receive him; not on the chance of his not attacking, but rather on the fact that we have made our position unassailable."

We are all likely targets of an attack in cyberspace. But we need not fall victim to it. Our basic stance should be that of readiness. Our security posture objective must be the protection of our ICT infrastructure and the data that resides in it.

Angel S. Averia Jr. is the president of the Philippine Computer Emergency Response Team (PHCERT), a non-profit organization that aims to provide reliable and trusted points of contact for computers, the Internet and other information technology-related emergencies.

Join the newsletter!


Sign up to gain exclusive access to email subscriptions, event invitations, competitions, giveaways, and much more.

Membership is free, and your security and privacy remain protected. View our privacy policy before signing up.

Error: Please check your email address.
Follow our new CSO Australia LinkedIn
Follow our new social and we'll keep you in the loop for exclusive events and all things security!
Have an opinion on security? Want to have your articles published on CSO? Please contact CSO Content Manager for our guidelines.

Tags data protectionTargetKno

More about Computer Emergency Response Team

Show Comments

Featured Whitepapers

Editor's Recommendations

Brand Page

Stories by Angel S. Averia Jr.

Latest Videos

More videos

Blog Posts