10
Bridges and Ladders
There will be no wall or moat that you cannot pass, no matter how high or steep it is, particularly if you use a ninja ladder.

A castle gatehouse is usually most strictly guarded, but the roof is the most convenient place for you to attach a hooked ladder.

—Bansenshūkai, “In-nin II” 1

The shinobi could move, quietly and unseen, over an enemy’s walls and gates, using ninki infiltration tools—tools described in both Bansenshūkai 2 and Gunpo Jiyoshu.3 Multifaceted ladders and portable bridges like the spiked ladder, cloud ladder, or tool transportation wire4 enabled shinobi to cross moats, scale walls, and deliver tools to other shinobi safely and stealthily. Sometimes these ladders were “proper,” or made by shinobi in advance of a mission, and sometimes they were “temporary,” or constructed in the field.5 These were valuable tools, as they provided access to sensitive locations often left unguarded out of overconfidence that they were inaccessible.

The scrolls also explain how to infiltrate an enemy camp by manipulating the enemy’s own security measures. Shōninki instructs shinobi to imagine how a bird or fish might access a castle6—in other words, to realize the unique advantages that being up high or down low provide. For example, scaling a wall affords the opportunity to bridge across other walls and rooftops with great speed, providing better access to the interior of the castle than passing through a gate might. Swimming across a moat could provide underwater access to a common waterway—one that leads into a castle. The Bansenshūkai even recommends purposefully attempting to bridge over the guardhouse gate, where the most guards would logically be stationed, because the defenders might assume that attackers would avoid trying to penetrate at this point.7

In this chapter, we will discuss how bridging network domains is similar to bridging castle wall perimeters. Just like castle walls, networks are engineered with barriers and segmentations that assume one must pass through a controlled gateway. Bridges allow threats to bypass these gateways, circumventing the security controls established at gateway egress points. What may seem like a straightforward measure to take, like instructing guards to confront anyone building a bridge across the castle moat, can become futile when, say, the castle architect opted to connect the moat’s concentric rings for water management reasons. Connected, three moats are no longer three discrete boundaries that an adversary must pass. Instead, they’re a bridge of water to be swum straight into the heart of the castle. Learning how to think like a shinobi and seeing barriers as potential ladder-hooking points can help you reassess your own network and preemptively cut off bridging opportunities.

Network Boundary Bridging

To cybersecurity professionals, a bridge is a virtual or physical network device that operates at both the physical and data link layers—layers 1 and 2 of the OSI model—to connect two segments of a network so they form a single aggregate network. The term also refers to any device, tool, or method that enables information to cross a “gap,” such as an air-gapped network or segmentation boundary. Bridges typically bypass security controls and safeguards, allowing for data exfiltration from the network or the delivery of unauthorized or malicious data to the network. These potentially dire consequences have pushed cybersecurity professionals to develop detection and mitigation methods to prevent bridging, including:

Despite evolving security controls, unauthorized bridging still happens—and some advanced infiltration techniques, while proven only in academic or laboratory environments, demonstrate great potential for harm. The most recent examples include taking control of system LEDs to blink bits to an optical receiver in a different room or building, using FM frequency signals to communicate with nearby phones (as with the AirHopper and GSMem exploits), controlling and pulsing fans to send bits through acoustics, and artificially overheating and cooling CPUs to slowly send data (as with the BitWhisper exploit). Threat actors may even be able to bridge networks through a system’s power cords via the Ethernet over power technique (EOP, not to be confused with power over Ethernet, POE). In other cases, an organization’s VoIP phones could have their microphones and speakers activated remotely, allowing adversaries to transfer sound data or spy on conversations.

Of course, some bridging is less cutting-edge. An adversary could climb onto the roof of an office building, splice into accessible network wires, and install a small earth satellite station that provides robust bridge access to a network. Smartphones are routinely plugged into system USB ports to charge their batteries, but a charging phone also connects a computer to an external cellular network that is not inspected by firewalls, data loss prevention (DLP), or other security tools, completely bypassing an organization’s defenses and facilitating data theft or code injection on the host network. When bridging via a sneakernet, a user loads information onto portable media and walks it to another computer or network location, manually bypassing security controls. There are also concerns that threats could use the hidden management network—typically on the 10.0.0.0/8 net—that connects directly to consoles of routers, firewalls, and other security systems, using these as jump points to bridge different network VLANs and segments and effectively using the network to bypass its own security. In addition, split tunneling poses a risk, as information may be able to leak to and from different networks through a device connected to both networks simultaneously.
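The management-network and split-tunnel cases above share one signature: a host with addresses in more than one segment at the same time. The following script is an added example, not from the book, that scans a constructed interface inventory for such multi-homed hosts and ranks any that touch the 10.0.0.0/8 management network first. The segment table, the inventory and the host names are all assumptions made for the example.

```python
"""Flag hosts whose interfaces span more than one network segment.

Added example (not from the book): given a constructed inventory of hosts
and the addresses on their interfaces, report hosts that sit in two or more
segments at once.  A multi-homed host is a potential bridge: traffic can
cross between segments on the host itself, never touching the gateway where
the firewall and DLP controls live.  The segment table, the inventory and
all host names are assumptions.
"""
import ipaddress

# Constructed segment table: the 10.0.0.0/8 management network mentioned in
# the chapter plus two hypothetical user/server VLANs.
SEGMENTS = {
    "management": ipaddress.ip_network("10.0.0.0/8"),
    "user-vlan": ipaddress.ip_network("192.168.10.0/24"),
    "server-vlan": ipaddress.ip_network("192.168.20.0/24"),
}

# Constructed inventory: host -> list of (interface, address).
# "wwan0" on workstation-17 stands in for a tethered phone's cellular link;
# 100.64.3.9 is a made-up carrier-side address.
INVENTORY = {
    "fw-console-jumpbox": [("eth0", "10.0.0.5"), ("eth1", "192.168.10.40")],
    "workstation-17": [("eth0", "192.168.10.17"), ("wwan0", "100.64.3.9")],
    "db-01": [("eth0", "192.168.20.11")],
}


def segment_of(addr):
    """Name of the segment containing addr, or 'external' if none matches."""
    ip = ipaddress.ip_address(addr)
    for name, net in SEGMENTS.items():
        if ip in net:
            return name
    return "external"


def find_bridges(inventory):
    """Return {host: sorted segment names} for every host in 2+ segments."""
    findings = {}
    for host, ifaces in inventory.items():
        segs = {segment_of(addr) for _iface, addr in ifaces}
        if len(segs) > 1:
            findings[host] = sorted(segs)
    return findings


def rank(findings):
    """Order findings so hosts bridging into the management network come first."""
    return sorted(findings.items(),
                  key=lambda kv: ("management" not in kv[1], kv[0]))


if __name__ == "__main__":
    for host, segs in rank(find_bridges(INVENTORY)):
        print(f"{host}: bridges {', '.join(segs)}")
```

In practice the inventory would come from an asset database or from collecting `ip addr` output per host; the point of the check is that a host in exactly one segment is never a bridge, so anything with two or more segment memberships deserves a look, and a foot in the management network is the case to review first.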

Mature organizations work under the assumption that adversaries are continually developing different bridging technologies to bypass defenses in new, unforeseen ways. Indeed, it appears possible that everything within the electromagnetic spectrum—including acoustic, light, seismic, magnetic, thermal, and radio frequencies—can be a viable means to bridge networks and air gaps.

Countering Bridges

Preventing bridging between systems designed to connect to other systems is a hard problem to solve. While there is no perfect solution, it is possible to reduce bridging opportunities and focus isolation efforts on the most important assets. In addition, countermeasures that negate the capability of bridging techniques can be layered to improve the effectiveness of these defenses.

  1. Identify your weaknesses. Identify the networks and information systems that hold your organization’s sensitive, critical, or high-value data. Create a data-flow diagram (DFD) to model how information is stored and moves in the system. Then identify areas where a covert, out-of-channel bridge attack could occur.
  2. Implement bridge countermeasures. Consider implementing TEMPEST8 controls, such as Faraday cages or shielded glass, to block air gap bridging through emissions or other signals. To block rogue bridges, ensure that you have identified and authenticated devices before allowing them to connect to your network or another device. Develop appropriate safeguards to mitigate potential bridging threats identified in your threat model.
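Step 1 asks for a data-flow diagram and then for the places where a covert, out-of-channel bridge could occur. One way to make that second part mechanical is to record each flow as the path of nodes it traverses, tag each node with a trust zone, and flag every hop that changes zone without passing a declared gateway. The script below is an added example, not from the book; the zones, nodes, gateway and flows are a small constructed model.

```python
"""Audit a data-flow diagram for zone crossings that bypass the gateway.

Added example (not from the book).  Each node of the DFD sits in a trust
zone and each flow is the ordered list of nodes the data passes through.
A hop whose endpoints are in different zones, with no declared gateway on
either end, is a bridge: the data crosses the moat somewhere other than the
guarded gate.  All node, zone and flow names are assumptions.
"""

# Constructed node -> zone mapping.
ZONES = {
    "crm-db": "internal",
    "app-server": "internal",
    "edge-firewall": "dmz",
    "partner-api": "external",
    "analyst-laptop": "internal",
    "personal-phone": "external",
    "usb-stick": "removable",
}

# Nodes sanctioned as crossing points between zones (the guarded gate).
GATEWAYS = {"edge-firewall"}

# Constructed flows: name -> path of nodes the data moves through.
FLOWS = {
    "nightly-export": ["crm-db", "app-server", "edge-firewall", "partner-api"],
    "phone-tether": ["analyst-laptop", "personal-phone"],
    "sneakernet-copy": ["crm-db", "analyst-laptop", "usb-stick"],
    "internal-sync": ["crm-db", "app-server"],
}


def boundary_crossings(path, zones):
    """Yield (src, dst) hops of path where the trust zone changes."""
    for src, dst in zip(path, path[1:]):
        if zones[src] != zones[dst]:
            yield src, dst


def unguarded_crossings(flows, zones, gateways):
    """Return {flow: [(src, dst), ...]} for zone crossings with no gateway on either end."""
    findings = {}
    for name, path in flows.items():
        bad = [(s, d) for s, d in boundary_crossings(path, zones)
               if s not in gateways and d not in gateways]
        if bad:
            findings[name] = bad
    return findings


if __name__ == "__main__":
    for flow, hops in unguarded_crossings(FLOWS, ZONES, GATEWAYS).items():
        for src, dst in hops:
            print(f"{flow}: {src} ({ZONES[src]}) -> {dst} ({ZONES[dst]}) "
                  f"crosses a boundary with no gateway")
```

The sanctioned export passes through the firewall and is silent; the phone tether and the USB copy each change zone on a hop with no gateway and are reported. Those reported hops are exactly the places step 2 should attach a countermeasure: device authentication before the phone or the stick is allowed to connect, or removal of the flow altogether.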

Recommended Security Controls and Mitigations

Where relevant, recommendations are presented with applicable security controls from the NIST 800-53 standard. Each should be evaluated with the concept of bridges in mind.

  1. Implement boundary protections and information flow controls to prevent external devices, systems, and networks from exfiltrating data or transferring malicious code onto your network. [AC-4: Information Flow Enforcement | (21) Physical/Logical Separation of Information Flows; AC-19: Access Control for Mobile Devices; AC-20: Use of External Information Systems | (3) Non-Organizationally Owned Systems/Components/Devices; SC-7: Boundary Protection]
  2. Enforce wireless access protection controls to block or detect unauthorized wireless signals that bridge across your networks in microwave, UHF/VHF, Bluetooth, 802.11x, and other frequencies. [AC-18: Wireless Access; SC-40: Wireless Link Protection]
  3. Audit network access and interconnections to identify external networks or systems—such as remote network printers—that could bridge your network to transmit data. [CA-3: System Interconnections; CA-9: Internal System Connections]
  4. Establish strong portable media policies to prevent unauthorized bridging. Require identification and authentication of external media and devices before allowing anything to connect to your environment. [IA-3: Device Identification and Authentication; MP-1: Media Protection Policy and Procedures; MP-2: Media Access; MP-5: Media Transport]
  5. Test for TEMPEST leakage or other out-of-channel signals coming from your systems. Using the results, decide where to implement protections that inhibit a signal’s ability to be used as a bridge. [PE-19: Information Leakage; SC-37: Out-of-Band Channels]

Debrief

In this chapter, we talked about the philosophy of adversarial bridging, and we discussed bridging network segments and traditional best practices. We looked at multiple bridging techniques—bridges that can cross gaps in ways you may not have thought of before. The thought exercise in this chapter was designed to prompt thinking about building physical safeguards between ladders and walls; in theory, these can be foundational to innovating modern defenses for the inputs/outputs of a system.

In the following chapter, we will discuss locks and the shinobi practice of lockpicking, which was based on a belief that any lock designed by a human can be picked by a human. We also get a glimpse of a shinobi’s approach to security when they must rely on a lock they themselves do not trust. We will discuss the application of locks in cybersecurity, as well as what we can learn from the shinobi to improve our approach to locks and lockpicking.