Fighting Horses, Castle Defenses, Population Unrest – Decimation, Intimidation, Psychology of Attack and Defense

I have often asked myself recently how Ghengis Khan and his generals would approach IT Security problems if they lived today? From the research I have done on these people, they were the most advanced fighting people of all time. Anyone who listens to Dan Carlin’s Hardcore History (4 parts 1.5 hours each) will be stunned, impressed, and frightened by these people. This is why I love them so much.

If they were actually in charge of defending our businesses and government from organized crime and nation-state threats what would they do? If they were attacking us how would they do it?

As I see it there are four main IT Sec pressure points today:

1. Organized Crime
2. Nationstate Heisting of corporate IP for competitive advantage.
3. Nationstate Cyberwarfare
4. NSA and Internet Marketing Intelligence companies theft of private and personal information without our/citizen permission.

The Mongols were nomads. Based on their lifestyle their battle approach was focused on movement, attack, deception, trickery, relentless offense, psychology and intimidation. Their aura was as frightening as their fighting prowess.

We (enterprise security teams) will continue to lose the IT Security war due if we don’t shift our approach as well to this new style of fighting. My opinion is that is as much a shift in psychology and leadership as tools and weapons of defense.

Mongol Strategy #1 – Fake a retreat and then demolish the enemy.

There are a couple of assumptions that we need to start making.

• The ease of getting behind our perimeter defenses and the lack of appropriate host protection from anti-virus vendors. This is an un-winnable battle. We can make it hard for attackers but will never win.
• The last bastion of trust being subverted – The Death of SSL (of which I have written about recently). We need to establish our own trust.

One of the ways Mongol generals attacked for example against the Russian Czars in 1240s was to fake a retreat. The Mongols were considered radical fighters and ruthless. The European armies of Eastern Europe and Russia were lulled into pursuing the Mongol Army which stretched the Russian Princes out for miles and miles in pursuit. The Mongols at a point where the Russian princes were most vulnerable circled around on horseback and decimated them.

The Mongols were superior warriors than the Europeans. The Europeans had never seen such savagery in battle. Yet the Mongols engaged them in trickery instead of face to face combat.

A Mongol might approach this Information Security war we are engaged in a similar fashion. What if you faked defeat and offered limited and light defense at the perimeter (firewall/proxy/ etc) and endpoint devices (laptops, phones, tablets) and focused all resources on core Data Governance. What if you offered standard defense in order to make it hard at the endpoint but really focused energy and effort in the belly of your network?

If you took this approach then you wouldn’t concede defeat at the edge, but you wouldn’t try to win the un-winnable battle at the ‘end point’ either.

Give the enemy some ‘flack at the end point edge’. If you have 2,000 laptops, phones, iPads deployed to people do your best, but this is not where you are going to win. EVER.

Give them some ‘flack at the network edge’. Firewalls, etc., but you won’t win the battle here either.

Focus and bare down at the core. Focus on data governance.

In my mind Faking a Retreat is no different than a Mongol general choosing to lull armies into a sense of confidence and then exploiting and demolishing them with Data Governance. Onto #2.

Mongol Strategy #2 – Fast moving horses were better than static castle defense.

• Are you thinking that a castle defense will work for you? I don’t think it will by itself.
• We are losing the siege conquest approach style. It is not working. It didn’t work for the Chinese against the Mongols. It didn’t work for the Europeans either.

The Mongols were great at siege conquests as well as their superior horse fighting tactics. They literally were the best warriors ever. Even though they were great at conquering castle defenses you never saw them build their own.

What does your Security Architecture and Security Design look like now? Is it built to be fast and agile like a Mongol battle horse or monolithic and static like a castle….circa 2005?

Regardless of your answer, security architecture and design needs to be re-examined to be ensure a swift and rapid response from technologies and processes.

Mongol Strategy #3 – Mongol Intelligence gathering using local populations

The Mongols used a massive intelligence gathering force before they attacked in order to understand the culture and discord of the people they wanted to conquer. They would always try to gauge the level of unrest within the population so that they could potentially conquer with limited or no force by turning local populations against themselves.

Focus on the belly – What areas will really get you in trouble if leaked from your business?

• Obvious – violation of laws and rules: HIPPA, FFIEC, NCUA, PCI, etc.
• Not so obvious ones (aka Sony)– that cause embarrassment and kick you in the teeth. – NDA documents, CEO memos, competitive spreadsheets, presentations, legal memos, HR – salary info, Intellectual Property, secret sauce, etc.

You can integrate systems that help identify unrest on your network in the following areas. I think the Mongols would have done this.

1. Folder permissions
2. Inappropriate use of admin passwords, service account passwords on your network.
3. Early resignation notices – When someone leaves sometimes there is unusual numbers of files that are copied ‘off-network’. What if this is not someone leaving but is theft of a compromised user account?
4. Crypto locker unrest – file bursts. You can see file burps on the network that would be indicators of compromise averting a security event becoming a DR event
5. Outbound application flow management. Infected systems leave clues because they talk out-bound to target systems.
6. Anti-phishing – Education training for users (non-technical)

The Mongols knew how to use weaknesses against their enemy.

The specific systems used for 1-6 will require a shift of strategy and focus perhaps.

These three Mongol Strategies I think are necessary moving forward:

1. Fake a retreat and then demolish the enemy.
2. Fast moving horses were better than static castle defense.
3. Mongol Intelligence gathering using local populations.

What are your thoughts?

Bill Murphy can be reached at billm@redzonetech.net if you are interested in contacting him to learn more about Enterprise IT Security solutions geared for your organization.

If you would like Bill’s RedZone podcast, CIO Masterminds, Newsletter, and Blog updates delivered to your in-box for ease and simplicity subscribe here http://forms.aweber.com/form/96/849387996.htm

Research – Mongol podcast called Wrath of Khans – 1-4 by Dan Carlin

Dan’s History podcasts are some of the best in the world.