If you are going to set fire to the enemy’s castle or camp, you need to prearrange the ignition time with your allies.
—Yoshimori Hyakushu #83
When shinobi were on a mission, particularly at night, one of their most crucial and complex duties was keeping track of time. If this task seems simple, remember that shinobi did not have watches or clocks. They didn’t even have sand hourglasses until the early 1600s.1 To send and receive signals at the proper time, coordinate attacks, know when the enemy would be vulnerable, and more, shinobi had to develop methods to tell time reliably.
Historically, one way to mark the hours involved lighting incense or candles known to burn at a constant rate, then ringing a bell at certain intervals to announce the time. Bansenshūkai recommends using environmental cues, such as the movement of the stars, or weight-based instruments to tell time.2 These weight-based instruments were likely water clocks, sometimes called clepsydras, that used balance and water flow/weight mechanisms to accurately signal time intervals. Other scrolls include more abstruse options, such as tracking the change in dilation of a cat’s iris throughout the day or the subtle thermal expansions of a dwelling during the night, as these align with particular hours.3 Shinobi were even taught to derive the hour by being mindful of which nostril they were more actively breathing through. The scrolls explain how breath comes prominently in and out of one nostril, then alternates to the other, in regular intervals that can be used to track time. While this idea might seem like pseudoscience, in 1895, German scientist Richard Kayser observed and documented that during the day, blood pools on different sides of a person’s nose, causing a noticeable reduction in airflow in one of the nostrils, before alternating to the other nostril.4 Not only did the shinobi’s acute observational skills identify this phenomenon more than 300 years before its scientific publication in the West, but they also developed a practical application for it. For example, they might need to lie down in the crawl space of a floor beneath their target, where they would be unable to light candles or incense, use instruments to track time, or even dare open their eyes should the glint from their eye catch the target’s attention through the cracks of the floor. Under these uncomfortable circumstances, they would lie still and pay attention to their nose breath until the time to attack came—a stellar example of the shinobi’s discipline, ingenuity, and creativity.
The multitude of references to time in the shinobi scrolls, combined with the arduous methods developed to track time, suggests that these techniques would not have been developed if keeping track of time were not crucial for a threat actor to operate effectively. The ubiquity of cheap, easy, and reliable ways of telling time in modern society has almost certainly conditioned us to take time and its measurement for granted.
In this chapter, we’ll reconsider the value and importance of time in digital systems while briefly reviewing how it is generated, used, and secured with existing best practices. Then we will ask: if accurate time is so important to an adversary, what might happen if we could keep time secret from them? Or deny the adversary access to time? Or even deceive them with an inaccurate time?
Time is necessary for the operation of almost every modern computer system. By synchronizing sequential logic and generating a clock signal that dictates intervals of function, computers establish finite pulses of time. These pulses are like the ticking of a clock in which systems perform operations on data in stable, reliable input/output environments. The vast, intricate networks and systems that run our governments, economies, businesses, and personal lives operate on these pulses, requesting the time continuously. They could not function without their clocks.
Numerous security controls exist to protect time data. Identity authentication on Network Time Protocol (NTP) servers verifies that an attacker is not spoofing a system’s trusted source of time. Encryption and checksums on the NTP server’s time data verify its integrity and protect it from tampering: encryption encodes the communication, and checksums serve to detect errors during transmission. A nonce is an arbitrary randomized number added to the time communication to prevent repeated-transmission errors. Timestamps and time synchronization logging compare the system’s time to that reported by an authoritative time source. NTP stays available and fault tolerant by leveraging multiple time sources and alternate propagation methods, and if access to NTP is denied or unavailable, backup methods can accurately estimate time based on the last synchronization. Additional security best practices call for timestamping audit records, locking out sessions based on inactivity, restricting access to accounts based on the time of day, assessing the validity of security certificates and keys based on time and date information, establishing when to create backups, and measuring how long to keep cached records.
These controls protect the integrity and availability of time data, but rarely is enough consideration given to protecting time data’s confidentiality. Almost any modern application can request the time at any moment, and it is generally permitted access not only to the date and time but also to clock libraries and functions. While NTP can encrypt the time data it communicates to a system, there is a notable lack of controls around restricting access to the current system time. Identifying this control gap is important because time is a critical piece of information adversaries use to spread malware. The destructive Shamoon malware,5 for instance, was set to execute at the start of the Saudi Arabian weekend to inflict maximum damage; it was designed to wipe all infected systems before anyone would notice.
Other common attacks include disclosing confidential information, causing race conditions, forcing deadlocks, manipulating information states, and performing timing attacks to discover cryptography secrets. More sophisticated malware can use its access to time to:
If administrators could deny access to time (local, real, and linear), conducting operations within targeted information systems would be much more difficult—and possibly infeasible—for the adversary. However, it is important to note that haphazardly limiting time queries will likely result in cascading failures and errors. A precise approach is needed to deny access to time.
Keep in mind that, because confidentiality is not as entrenched as other forms of time security, applying such security controls will require special effort from your organization and the greater security community.
Identify the software, applications, systems, and administrative commands in your environment that require access to time. Implement function hooking (interception of function calls) and logging to determine who and what is requesting time. After establishing this baseline, use it to detect abnormal time queries and inform a time-based needs assessment that will tailor additional security controls (for example, Just in Time [JIT]).
Contact your hardware manufacturers and software vendors to determine what technical controls can be enabled to restrict access to time functions. If there are no such controls, request that new features be implemented to encourage the industry to develop solutions around time confidentiality.
Denying access to time is a nontraditional security control, but as with more customary controls, enforcement requires establishing strategic policy that details requirements—in this case, limiting access to time and monitoring attempts to access time. Wherever possible, incorporate the concept of time confidentiality in all change management decisions, procurement of new hardware and software, and SOC prioritization. Formally document new policies and ensure that your organization’s CISO approves them.
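The baseline step described above (log who requests time, then detect abnormal time queries) can be sketched as follows. This is an added example, not code from the book: the hook-log line format, the executable paths, and the `rate_factor` threshold are all assumptions made for illustration.

```python
import re
from collections import Counter, defaultdict
# Hypothetical hook-log format: one line per intercepted time call.
LINE = re.compile(r"^(?P<minute>\d{4}-\d\d-\d\dT\d\d:\d\d):\d\dZ exe=(?P<exe>\S+) func=(?P<func>\S+)$")

def parse(lines):
    """Yield (minute, exe, func) for each well-formed hook record."""
    for m in filter(None, (LINE.match(l.strip()) for l in lines)):
        yield m["minute"], m["exe"], m["func"]

def build_baseline(lines):
    """Per executable: the time functions it calls and its peak calls per minute."""
    funcs, per_minute = defaultdict(set), Counter()
    for minute, exe, func in parse(lines):
        funcs[exe].add(func)
        per_minute[(exe, minute)] += 1
    base = {exe: {"funcs": f, "peak": 0} for exe, f in funcs.items()}
    for (exe, _), n in per_minute.items():
        base[exe]["peak"] = max(base[exe]["peak"], n)
    return base

def detect(baseline, lines, rate_factor=3):
    """Return sorted (exe, reason) findings for time queries outside the baseline."""
    findings, per_minute = set(), Counter()
    for minute, exe, func in parse(lines):
        per_minute[(exe, minute)] += 1
        if exe not in baseline:
            findings.add((exe, "unknown requester"))
        elif func not in baseline[exe]["funcs"]:
            findings.add((exe, "new function " + func))
    for (exe, _), n in per_minute.items():
        if exe in baseline and n > rate_factor * baseline[exe]["peak"]:
            findings.add((exe, "rate above baseline"))
    return sorted(findings)

# Constructed sample records (not real telemetry).
BASELINE_LOG = [
    "2024-05-01T10:00:01Z exe=/usr/sbin/chronyd func=clock_gettime",
    "2024-05-01T10:00:30Z exe=/usr/sbin/chronyd func=clock_gettime",
    "2024-05-01T10:00:05Z exe=/usr/sbin/cron func=time",
]
OBSERVED_LOG = [
    "2024-05-02T03:00:01Z exe=/usr/sbin/chronyd func=clock_gettime",
    "2024-05-02T03:00:02Z exe=/usr/sbin/cron func=gettimeofday",
    "2024-05-02T03:00:03Z exe=/tmp/updater func=time",
] + ["2024-05-02T03:01:%02dZ exe=/usr/sbin/cron func=time" % s for s in range(10)]

if __name__ == "__main__":
    print(detect(build_baseline(BASELINE_LOG), OBSERVED_LOG))
```

The three finding types map to the needs assessment: a requester with no documented need for time, a known program reaching for a clock function it never used before, and a known program polling the clock far more often than its baseline.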
Where relevant, recommendations are presented with applicable security controls from the NIST 800-53 standard. Each should be evaluated with the concept of time confidentiality in mind.
In this chapter, you learned about some of the tools shinobi used to tell time and what they did with their knowledge of time. We discussed how important time can be to cyber operations and security, noting that current security practices focus primarily on the availability and integrity of time in systems. You were also exposed to a thought exercise that explored how to mitigate a shinobi attack through time manipulation.
In the following chapter, we will discuss how shinobi could turn many things into tools to accomplish tasks. Understanding what the equivalent digital “tools” are may help you detect and safeguard against novel weaponization of such tools or at least hamper their use.