12
Moon on the Water
After making an agreement with your lord, you should lure the enemy out with bait to infiltrate their defenses.

In this technique, you should lure the enemy with tempting bait, like fishing in the sea or a river, so as to make an enemy who will not normally come out in fact leave its defenses.

—Bansenshūkai, Yo-nin II ¹

With an image straight out of a haiku, Bansenshūkai calls an open-disguise infiltration technique suigetsu no jutsu—the art of the “moon on the water.”² While the technique had many uses, shinobi used it primarily to target heavily fortified enemy camps—the kind that restricted people from leaving, entering, or even approaching. Instead of penetrating the camp’s defenses by force, shinobi would lure out their target, effectively tricking them into giving away ingress protocols such as insignias and other identifying marks, passwords, code words, and challenge-response signals. This technique also let shinobi tail targets as they returned to camp, lure defenders from their guard posts and infiltrate without resistance, or interact directly with targets and infiltrate through deception or offensive measures.

For targets especially reluctant to leave their heavily fortified defenses, the scroll instructs shinobi to seek help from their commanders to conduct advanced deceptions.³ For example, a commander could move forces into vulnerable positions, enticing the enemy to attack and thereby depleting the enemy’s defenses enough for shinobi to infiltrate. Alternatively, the shinobi would overpower the enemy when they returned, battle weary. The commander might even stage something more elaborate, like the beginning of a full-on, long-term castle siege. Then, shinobi might send a soldier posing as an allied general’s messenger to convince the enemy to leave their castle, join in a counteroffensive, and break the siege. To complete the ruse, the shinobi commander would send a small force to masquerade as allied reinforcements, both luring the target from their encampment and allowing shinobi to infiltrate while the gates were open.

According to the scroll, after shinobi successfully infiltrated the target using suigetsu no jutsu, they had to keep these thoughts in mind:

• Remain calm. Do not appear lost.
• Mimic the people in the castle.
• Prioritize collecting code words, passwords, challenge responses, and insignias.
• Signal to allies as soon as possible.⁴

In this chapter, we will explore the ways this ancient technique could be deployed by a cyber threat actor and compare it to commonly used social engineering tactics. We’ll introduce a way to think abstractly about network communication signals as entering and/or leaving perimeters—despite the computer system’s not physically moving—and detail concepts for countering the moon on the water technique and social engineering attacks in general. Lastly, we’ll attempt a thought exercise scenario that mimics the conundrum ancient Japanese generals must have faced when targeted by moon on the water.

Social Engineering

The shinobi moon on the water attack bears a striking similarity to today’s social engineering attacks, which exploit a human target’s decision-making processes and cognitive biases to manipulate them into revealing sensitive information or performing self-defeating actions. In cybersecurity, most social engineering tactics are used by adversaries operating inside enemy territory to exploit the target’s trust. Examples of typical social engineering attacks include:

1. Phishing The adversary sends an email that convinces its recipients to open a dangerous document or visit a malicious hyperlink, resulting in malware infection, ransomware execution, data theft, or other attacks.
2. Pretexting The adversary calls or emails with invented scenarios designed to convince a target to reveal sensitive information or perform malicious actions.
3. Baiting The adversary strategically plants malicious portable media, such as a USB drive, in a physical location to entice the target to pick it up and connect it to internal systems, creating an opening for system compromise.

Social engineering is a particularly challenging security problem because it exploits human nature in ways that technological controls cannot always defend against. As targets and victims become more aware of social engineering threats, many organizations lean on focused technical controls, security protocols, and user education to protect their valuable assets. Employees are trained in how to properly handle and care for sensitive information and systems, while security teams document procedures to verify the identity of unknown or unsolicited visitors and require physical escorts for non-employees on company grounds. Red teams conduct internal phishing and tailgating tests, among other exercises, to gauge employee awareness of and instill resistance to social engineering tactics. Administrators implement technical controls to block malicious documents and hyperlinks, employ data loss prevention (DLP) software, prevent unauthorized system changes, blacklist unregistered systems and external media, and use caller ID.

While these are all good and necessary security measures, the way people work has changed. And thinking around social engineering attacks has not yet evolved to fully consider defending against moon on the water–style attacks—the kind that attempt to lure the target outside its own defenses.

Today, things like bring your own device (BYOD) policies, full-time remote work, and multitenant clouds make workers and organizations more flexible. However, they also weaken traditionally strong perimeter security architectures and expose employees to new social engineering threats. For example, in most cases, stateful firewall rules do not permit external (internet) communication to pass through the firewall to an internal host. Instead, the firewall requires the internal (intranet) system to initiate contact before it allows responses from the external system to pass through to the internal host. So, while the internal host does not physically leave the organization’s defenses, doing so virtually—say, by visiting a malicious website—could allow threat actors to infiltrate within the responding communications. Essentially, this is digital tailgating.

In addition to directly compromising traditional security architectures, threat actors could use a number of moon on the water–style techniques to infiltrate heavily fortified organizations. Consider the following scenarios:

• An adversary triggers a fire alarm within a secure facility, causing employees to exit en masse. While firefighters clear the building, the adversary blends into the crowd of employees to steal or document badges, keys, tokens, faces, fingerprints, and more. To ease the flow of employees returning to work, the facility temporarily turns off badge readers, turnstiles, or other physical access controls, or security is so overwhelmed by the flood of people that they don’t notice tailgating.
• An adversary uses a food truck to lure employees from a secure facility. Then they leverage their own status as a non-initiator to perform quid pro quo social engineering on a target, eventually developing a rapport and convincing the target to perform actions they would not in a traditional social engineering scenario.
• An adversary compromises the Wi-Fi network at a café across the street from a business conference to steal the credentials of a target organization’s employees. By entering the café with their devices, those employees have left their organization’s defenses and unknowingly exposed themselves to an environment controlled by the adversary.
• An adversary conducts large-scale disruptive, denial, or destructive attacks against targeted people, systems, and data, prompting them to move to a less secure disaster recovery operation site that is easier to infiltrate than the organization’s permanent headquarters.

Note that while these attacks might not necessarily achieve an adversary’s end goal, they could provide means or information that, in conjunction with other exploits, accomplishes malicious objectives.

Defenses Against Social Engineering

Most organizations perform social engineering awareness training and routinely phish test internal staff. While this strategy improves resiliency to such attacks, a significant percentage of personnel always fail. Unfortunately, most organizations leave staff vulnerable to social engineering. We need to do more to give employees the tools they need to guard against such deceptions.

1. Establish safeguards. Implement standard trust frameworks for employees to reduce the risk of compromise by social engineering. Identify high-value targets in your environment, and then establish security protocols, policies, and procedures for the appropriate control and handling of sensitive information on those systems (expand these to all systems over time). Conduct training, awareness, and test exercises within your organization to raise the level of employee awareness around social engineering, along with iterative threat modeling to review and improve related security controls.
2. Implement “slow thinking.” Distribute and discuss Daniel Kahneman’s book Thinking, Fast and Slow⁵ with your security team. The book describes two systems of thought: the quicker, more impulsive “System 1” and the slower, more logical “System 2.” Develop solutions that force your employees to slow down and think in System 2 terms, thereby avoiding the cognitive biases and shortcuts social engineers most often exploit. Possible examples include:
   • Configuring your phone-switching system to require an employee who receives an external call to punch in the even digits of the caller’s phone number before the system can connect.
   • Configuring your mail client so that employees must type the “from” email address backward before they can open external email attachments.
   • Requiring users visiting non-whitelisted URLs to correctly enter the number of characters in the domain before the browser performs a DNS query.

   All these measures will slow down business operations, but they also help mitigate social engineering attacks.

   ---

   Castle Theory Thought Exercise

   Consider the scenario in which you are the ruler of a medieval castle with valuable assets inside. Your castle has been besieged, and you aren’t sure whether you have enough food to keep your people fed. You receive a letter from an allied general who says he will send you food and other provisions if you can divert the attention of the enemy troops surrounding your castle at a specific date and time. The letter asks that you send your second-in-command to the allied general’s camp nearby to help plan a counteroffensive against the siege.

   How do you determine whether the letter is a ruse sent by the enemy? Can you independently verify the letter’s authenticity? Assuming the letter is legitimate, how would you lure away the attacking army? Finally, what precautions would you take to receive the supplies while preventing infiltration of your own castle during the exchange?

   ---

Recommended Security Controls and Mitigations

Where relevant, recommendations are presented with applicable security controls from the NIST 800-53 standard. Each should be evaluated with the concept of moon on the water in mind.

1. Because security systems and controls can protect information only within established boundaries, implement safeguards that stop information and systems from passing beyond those boundaries and falling into the hands of social engineers. [AC-3: Access Enforcement | (9) Controlled Release; PE-3: Physical Access Control | (2) Facility/Information System Boundaries; SC-7: Boundary Protection]
2. Control your information flow so that even when data goes beyond the normal protective boundaries, it is not allowed to travel to or between unauthorized information systems. [AC-4: Information Flow Enforcement; PL-8: Information Security Architecture; SC-8: Transmission Confidentiality and Integrity]
3. For all non-local (that is, through a network) system maintenance, establish approval protocols, require strong authenticators and documented policies, and implement monitoring. [MA-4: Nonlocal Maintenance]
4. Establish protections for data outside controlled areas and restrict data-handling activities to authorized persons. [MP-5: Media Transport | (1) Protection Outside Controlled Areas]

Debrief

In this chapter, we described the advanced shinobi technique of moon on the water. We looked at various scenarios in which the moon on the water technique could be modernized to target businesses. We explored the challenges that social engineering presents and the various forms it can take. We reviewed existing security practices designed to handle social engineering and examined new defense concepts. And we lifted a thought exercise from the shinobi scrolls to demonstrate how fragile our trust model is and how hard it can be to safeguard against social engineering.

In the next chapter, we will discuss insider threats—one of the most fascinating topics in security. The shinobi scrolls provide detailed instructions on how to identify people who could be recruited as insiders with the help of some social engineering techniques—and they suggest a way to defend against insider threats that is contrary to modern best practices.