16
Live Capture
Use good judgment to determine whether the target is actually inattentive or whether they are employing a ruse to lure ninjas and capture them.

If you find a suspicious individual while you are on night patrol, you should capture him alive by calling on all your resources.

—Yoshimori Hyakushu #74

Though shinobi encountered deadly violence as an everyday part of the job, Bansenshūkai recommends that enemies, especially suspected ninjas, be captured alive rather than immediately killed. Searching and interrogating a captured ninja allows shinobi to discover what the attacker has done or is planning to do, determine who the intruder’s employer is, and learn valuable secrets and tradecraft, all of which could greatly help guards defend against ninja attacks and help lords to understand strategic threats. In addition, the captured enemy might turn out to be a comrade in disguise, a fact that would not be clear until deep interrogation.1 The Ninpiden calls for the suspected ninja to be bound hand and foot and placed on a leash. The Ninpiden also recommends using tools, such as a spiked gag, to prevent the captive from talking, as a skillful ninja could alert allies, persuade their captor to release them, or even bite off their own tongue to commit suicide.2

The scrolls acknowledge that capturing an enemy ninja alive is no easy task. One of Bansenshūkai’s more direct techniques involves loading a musket with a chili powder–infused cotton ball—a sort of ancient tear gas or pepper spray. When fired at close range, this projectile would create debilitating irritation in the target’s eyes and nose, rendering them more susceptible to capture. The scrolls also describe more oblique tactics, such as fushi-kamari ambushes and traps. For example, the tiger fall trap (mogari or koraku) described in Bansenshūkai Gunyo-hiki was originally designed to capture tigers (as the name suggests) but was later modified to capture ninjas. In it, barriers funnel an intruder through a maze of hidden traps. While allies would know a trusted path, a ninja infiltrating alone at night would not, making it likely they would fall into the trap. Other trap methods used tsuiritei, or “fake suspended wall sections,” which are veneers that look like real walls but are built with wedges and false posts. When a ninja would attempt to scale these fake walls, the walls would collapse, surprising and likely injuring the ninja and thus permitting their easy capture.3

Bansenshūkai also describes defensive measures against capture, including ways to detect and avoid fushi-kamari ambushes. Shinobi were advised to scout forests, fields, valleys, trenches, and other settings for unnatural behavior from birds, other animals, and even the grass, any of which could indicate a trap. Dummies and unusual smells also tip the hand of a potential ambush.4 In enemy territory, shinobi could deploy a number of evasive tactics, including:

  1. Quail hiding (uzura-gakure) A shinobi would curl into a ball on the ground and concentrate on being blind, unaware, and unresponsive so the enemy would be unlikely to find them. Even when prodded by a guard with a spear or sword, they would not react.
  2. Raccoon dog retreat (tanuki-noki) While fleeing on foot, a shinobi would decide to be “caught” by a faster pursuer. When the gap between them narrowed, the shinobi would drop to the ground without warning and aim their sword at the pursuer’s waist, impaling the pursuer before they could react.
  3. Retreat by 100 firecrackers (hyakurai-ju) A shinobi would place firecrackers near the target, either setting them on a delayed fuse or arranging for allies to light them. The sound would distract the enemy pursuers.
  4. Fox hiding (kitsune-gakure) A shinobi would escape by moving vertically. Instead of trying to flee enemy territory by moving from point A to point B, the shinobi would climb a tall tree or hide in a moat, changing the dimensions of the chase. This tactic often stumped the enemy, who was unlikely to think to look up or down for the target.5

Other methods of escape included imitation—mimicking a dog or other animal to deceive pursuers—and false conversation—language that would mislead the enemy, allowing the shinobi to flee.6 For example, a shinobi who knew they were being followed might pretend not to hear the pursuers and whisper to an imaginary ally so the alert guards would overhear them. If the shinobi said, “Let’s quietly move to the lord’s bedroom so we may kill him in his sleep,” the guards would likely send forces to the lord’s bedroom, allowing the shinobi to escape in another direction.

Of course, the best way for shinobi to avoid being captured was to leave behind no evidence that could lead investigators to suspect a breach in the first place. The scrolls stress the importance of conducting missions without trace so that the target has no cause to suspect a shinobi on the premises. Guidance on operating covertly abounds in the scrolls; the writing is artfully vivid in places. Yoshimori Hyakushu #53 states, “If you have to steal in as a shinobi when it is snowing, the first thing you must be careful about is your footsteps.”7

Capturing threats alive is, unfortunately, not always top of mind for many organizations. When some organizations detect a threat on a system, they do the opposite of what is recommended in the shinobi scrolls: they immediately unplug the machine, wipe all data, reformat the drive, and install a fresh version of the operating system. While this wipe-and-forget response eradicates the threat, it also eliminates any opportunity to capture the threat, let alone investigate it or analyze its goals, what it has already accomplished, and how.

In this chapter, we will discuss the importance of being able to capture and interact with cyber threats while they are “alive.” We will review existing forensics/capture methods, along with ways threat actors may attempt to evade them. We’ll consider ways to capture cyber threats “alive” with tiger traps and honey ambushes—techniques inspired by the ancient shinobi. In addition, we will touch on modern implementations of shinobi evasion tactics (e.g., quail hiding and fox hiding) that have been used by persistent threats. Lastly, we’ll cover much of the capture and interrogation guidance from the shinobi scrolls—guidance around how to properly control a threat so it cannot alert its allies or self-destruct.

Live Analysis

In cybersecurity, computer forensic imaging provides necessary threat intelligence. Forensic images are typically made after a security incident (such as a malware infection) or a use violation (such as the download of child pornography onto a device), with imaging done in a way that preserves evidence without disrupting the integrity of the data on the system under investigation. Evidence from a forensic image can help security professionals learn what the threat was and how it exploited vulnerabilities. Then, in time, it can provide the information necessary to develop signatures, safeguards, and proactive blocking measures. For instance, determining that an attacker was after specific intellectual property on one critical system tells defenders to protect that system’s data. If forensics determines that the attack succeeded and sensitive data was compromised, the organization can use that knowledge to determine its strategic business response. If the threat failed, the organization can prepare for possible follow-up attacks. Forensic indicators might also provide an understanding of who was responsible for the threat, further dictating the response. An organization’s strategy should take into account the severity of the threat—for instance, whether the attacker was a foreign government, a disgruntled employee, or a kid performing harmless notoriety hacking.

Collecting a device’s data for analysis involves live capture (also known as live analysis or live acquisition) and imaging (also forensic imaging or mirroring). Organizations use honeypots and other deceptive virtual environments to live capture and even interact with attackers. Such systems are often configured to lure in hackers or be easily accessible to malware so that when the threat infiltrates the system, hidden logging and monitoring controls capture exactly what the threat does and how, along with other observables. Unfortunately, many attackers are aware of these honeypots and perform tests to determine whether they are inside a simulated environment meant to collect intelligence. If their suspicions are confirmed, attackers will behave differently or cease operations, undermining the security team’s efforts. Network access control (NAC) devices can also contain live threats by dynamically moving the compromised system to a quarantine VLAN, where it remains online and “live” while defenders respond.

Forensics are not typically performed on a live capture. Rather, the forensic analyst looks at static, inert, or dead data, which may have lost certain information or the threat’s unique details. This loss is common with fileless malware, which resides only in memory, and with malicious configurations or artifacts that exist only in volatile state, such as entries in routing table caches. Live analysis is not conducted more often for a number of reasons.

Perhaps most importantly, if live analysis is mishandled, the threat can become aware of the forensic imaging software on the system and decide to hide, delete itself, perform antiforensic countermeasures, or execute destructive attacks against the system.
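As an added example that is not from the book, here is a minimal live-collection routine showing what careful handling of a live system means in practice: gather artifacts in order of volatility (RFC 3227), hash each one the moment it is produced, and chain the hashes into a manifest so that later tampering with either the evidence or the manifest is detectable. The collector callables and the sample artifacts are constructed stand-ins for real tools (a memory dumper, `ss -tanp`, `ps -ef`); the failing temp_files collector shows how a denied read is recorded rather than aborting the run.

```python
import hashlib
import json
import time

# Most volatile first (RFC 3227): what is not captured now is gone after a reboot or a wipe.
ORDER_OF_VOLATILITY = ("memory", "network_state", "process_list", "temp_files", "disk_image")


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def collect(collectors, case_id, operator, clock=time.time):
    """collectors: {artifact_name: callable returning bytes}.  Returns (manifest, blobs).

    Artifacts are gathered in order of volatility and hashed the moment they are
    produced.  Each manifest item carries link = sha256(previous_link || digest),
    so deleting, reordering or editing any item breaks every link after it."""
    manifest = {"case_id": case_id, "operator": operator, "items": []}
    blobs = {}
    prev_link = "0" * 64
    for name in ORDER_OF_VOLATILITY:
        fn = collectors.get(name)
        if fn is None:
            continue
        item = {"name": name, "started": clock()}
        try:
            data = fn()
        except Exception as exc:  # a failing collector is evidence too; never abort the run
            item["error"] = f"{type(exc).__name__}: {exc}"
            data = b""
        item["bytes"] = len(data)
        item["sha256"] = sha256_hex(data)
        item["link"] = sha256_hex((prev_link + item["sha256"]).encode())
        item["finished"] = clock()
        prev_link = item["link"]
        manifest["items"].append(item)
        blobs[name] = data
    manifest["final_link"] = prev_link
    return manifest, blobs


def verify(manifest, blobs):
    """Recompute every digest and chain link.  Returns (ok, first_problem_or_None)."""
    prev_link = "0" * 64
    for item in manifest["items"]:
        data = blobs.get(item["name"])
        if data is None:
            return False, f"{item['name']}: artifact missing"
        if sha256_hex(data) != item["sha256"]:
            return False, f"{item['name']}: content digest mismatch"
        if item["link"] != sha256_hex((prev_link + item["sha256"]).encode()):
            return False, f"{item['name']}: chain link mismatch (manifest edited or reordered)"
        prev_link = item["link"]
    if manifest.get("final_link") != prev_link:
        return False, "final link mismatch"
    return True, None


def _denied_collector():
    raise PermissionError("/tmp/.x: permission denied")


# Constructed stand-ins for real collectors (a memory dumper, `ss -tanp`, `ps -ef`, ...).
SAMPLE_COLLECTORS = {
    "memory": lambda: b"\x00" * 64 + b"<memory dump fragment, constructed>",
    "network_state": lambda: b"ESTAB 10.0.0.5:49152 203.0.113.7:443 pid=4242\n",
    "process_list": lambda: b"PID CMD\n1 systemd\n4242 /tmp/.x/svchost\n",
    "temp_files": _denied_collector,
    "disk_image": lambda: b"<constructed placeholder for the disk image stream>",
}

if __name__ == "__main__":
    manifest, blobs = collect(SAMPLE_COLLECTORS, "IR-0001", "analyst@example", clock=lambda: 1700000000.0)
    print(json.dumps(manifest, indent=2))
    print("verify:", verify(manifest, blobs))
```

Run the collectors from a trusted, read-only toolkit mount and write the manifest and blobs off the box as they are produced; the chain proves integrity from that moment on, not before it.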

To bypass forensic capture techniques, threats deploy in multiple stages. During the initial stage, reconnaissance, the threat looks for the presence of capturing technology, only loading malware and tools after it validates that it can operate safely within the environment. Such precautions are necessary for the threat actor. If a successful capture and forensic analysis occurs, the threat’s tools and techniques can be shared with other organizations and defenders, allowing them to learn from the attack, patch against it, or develop countermeasures. Law enforcement may even use forensic capture tactics to track down or provide evidence against threat actors.
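The honeypot discussion above and this reconnaissance stage turn on the same checks, so here is an added example (not code from the book): it runs the environment checks a cautious first stage would run, but on the defender's behalf, as a pre-deployment audit of a deception host. The indicator lists, the thresholds, and the two sample observable sets are assumptions constructed for illustration; the VMware, VirtualBox and QEMU MAC prefixes are public OUI assignments.

```python
import os
import re
from itertools import islice

# MAC prefixes registered to common hypervisors (public OUI assignments).
VM_MAC_PREFIXES = {"00:0c:29": "VMware", "00:50:56": "VMware",
                   "08:00:27": "VirtualBox", "52:54:00": "QEMU/KVM"}
VM_VENDOR_WORDS = ("vmware", "virtualbox", "qemu", "kvm", "xen", "bochs", "innotek")
# Processes an intruder reads as "someone is recording me" (assumed list; extend it).
WATCHER_PROCESSES = {"tcpdump", "strace", "ltrace", "wireshark", "tshark", "auditd", "honeyd", "cowrie"}


def assess(obs, min_uptime_s=24 * 3600, min_home_files=20):
    """Score a set of host observables the way a cautious first stage would.
    Returns a list of (severity, finding); an empty list means nothing obvious gives the host away."""
    findings = []
    vendor = obs.get("sys_vendor", "").lower()
    if any(w in vendor for w in VM_VENDOR_WORDS):
        findings.append(("high", f"DMI vendor names a hypervisor: {obs['sys_vendor']!r}"))
    for mac in obs.get("mac_addresses", []):
        vendor_name = VM_MAC_PREFIXES.get(mac.lower()[:8])
        if vendor_name:
            findings.append(("high", f"MAC {mac} uses a {vendor_name} OUI"))
    watchers = WATCHER_PROCESSES & {p.lower() for p in obs.get("processes", [])}
    if watchers:
        findings.append(("high", f"capture/monitoring tools visible in process list: {sorted(watchers)}"))
    if obs.get("uptime_s", 0) < min_uptime_s:
        findings.append(("medium", f"uptime {obs.get('uptime_s', 0):.0f}s: a freshly booted host looks staged"))
    if obs.get("home_file_count", 0) < min_home_files:
        findings.append(("medium", "home directories nearly empty: no trace of real use"))
    if obs.get("cpu_count", 0) <= 1 or obs.get("mem_mb", 0) < 2048:
        findings.append(("low", "single CPU or under 2 GB RAM is typical of throwaway sandboxes"))
    if not obs.get("has_login_history", False):
        findings.append(("medium", "no login history (empty wtmp)"))
    return findings


def _read(path):
    try:
        with open(path) as f:
            return f.read().strip()
    except OSError:
        return ""


def gather_linux():
    """Collect the same observables from the local host using Linux /proc and /sys paths
    (assumption: Linux; anything unreadable degrades to an empty value)."""
    obs = {"sys_vendor": _read("/sys/class/dmi/id/sys_vendor"), "cpu_count": os.cpu_count() or 0}
    try:
        obs["uptime_s"] = float(_read("/proc/uptime").split()[0])
    except (ValueError, IndexError):
        obs["uptime_s"] = 0.0
    mem = re.search(r"MemTotal:\s+(\d+) kB", _read("/proc/meminfo"))
    obs["mem_mb"] = int(mem.group(1)) // 1024 if mem else 0
    try:
        ifaces = os.listdir("/sys/class/net")
    except OSError:
        ifaces = []
    obs["mac_addresses"] = [m for m in (_read(f"/sys/class/net/{i}/address") for i in ifaces)
                            if m and m != "00:00:00:00:00:00"]
    try:
        obs["processes"] = [_read(f"/proc/{p}/comm") for p in os.listdir("/proc") if p.isdigit()]
    except OSError:
        obs["processes"] = []
    home = os.path.expanduser("~")
    obs["home_file_count"] = sum(len(files) for _, _, files in islice(os.walk(home), 200))
    wtmp = "/var/log/wtmp"
    obs["has_login_history"] = os.path.exists(wtmp) and os.path.getsize(wtmp) > 0
    return obs


# Constructed observable sets: a stock cloud honeypot image, and the same host after tuning.
UNTUNED = {"sys_vendor": "QEMU", "mac_addresses": ["52:54:00:12:34:56"],
           "processes": ["systemd", "sshd", "tcpdump"], "uptime_s": 600, "home_file_count": 2,
           "cpu_count": 1, "mem_mb": 1024, "has_login_history": False}
TUNED = {"sys_vendor": "Dell Inc.", "mac_addresses": ["3c:ec:ef:11:22:33"],
         "processes": ["systemd", "sshd", "cron", "postgres"], "uptime_s": 40 * 86400,
         "home_file_count": 340, "cpu_count": 4, "mem_mb": 8192, "has_login_history": True}

if __name__ == "__main__":
    for label, obs in (("untuned", UNTUNED), ("tuned", TUNED), ("this host", gather_linux())):
        print(f"== {label}")
        for sev, text in assess(obs) or [("ok", "no giveaways found")]:
            print(f"  [{sev}] {text}")
```

Passing this audit is necessary, not sufficient: a host can look physical and still be recognised by behaviour (no real traffic, services that never change, nobody ever logging in), which no local check catches. The same thresholds, read from the attacker's side, explain why the first stage waits rather than deploying tools immediately.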

Recently, sophisticated actors have moved laterally into computer and network areas that standard forensic imaging, capture, and analysis tools do not or cannot inspect. These actors’ innovations include installing hard drive firmware that creates a hidden, encoded filesystem; embedding malware in BIOS storage; leveraging local microchip storage to operate outside normal working memory; and changing low-level modules and code on networking gear such as routers, switches, smart printers, and other devices not traditionally inspected by or even practical for forensic imaging. Certain threats imitate core OS or trusted security components by infiltrating the original manufacturer, who is inherently trusted and not considered for forensic analysis. Others hide by deleting forensic evidence, moving to the memory of a system that does not reset often—such as a domain controller—and then waiting for forensic scrutiny on the systems of interest to subside before returning to the intended target.

Confronting Live Threats

Organizations too often find themselves dealing with an active security incident when the single person trained to use forensic imaging tools is out of the office. It sometimes takes days before the quarantined machine can be shipped to that person for examination, and by then, the attack is no longer a live representation of the current threat. This inability to operate at the same speed as the threat, or faster, leaves defenders relegated to the role of a forensic janitor—the person who collects evidence and cleans up infections after the threat actor has already achieved their objectives. Proactively establishing capabilities, traps, and ambushes to confront the threat is necessary to capture it alive and interrogate it thoroughly.

  1. Establish a forensic capability. Commit to and invest in establishing a dedicated team with the equipment, experience, certification, and authorization to perform computer forensics. Create forensic kits with write blockers, secure hard drives, and other specialized software and devices. Ensure that all systems used for capture and analysis have appropriate forensic agents so the team can immediately identify, locate, isolate, and perform collection. Ensure that all employees understand how they can help the forensic team identify and locate affected systems and preserve evidence. If it has been more than a month since the team conducted a forensic investigation, run refresher training courses or exercises with them. Most importantly, when a forensic report is done, read it to discover root causes of security incidents and take proactive measures to remediate the vulnerabilities exploited.
  2. Conduct honey ambushes. Where appropriate, empower your team to ambush threat actors rather than simply following their trail or catching them in a honeypot. Aggressively trapping and ambushing threats requires close partnerships with cloud hosts, ISPs, registrars, VPN service providers, the Internet Crime Complaint Center (IC3), financial services, law enforcement organizations, private security companies, and commercial companies. Support the goal of creating network territory hostile to threat actors, where the combined forces of you and your partners can ambush threat actors, groups, or campaigns to capture evidence, malware, tools, and exploits themselves.
  3. Set tiger traps. Consider creating tiger fall traps in likely targets in your network, such as a domain controller. A market opportunity exists for a product that serves as an operational production system with honeypot capabilities that trigger if the wrong action is performed. Because threat actors attempting to bypass security controls typically pivot from one system to another or move laterally across systems and networks, it may be possible to establish false or booby-trapped jumpboxes that seem like routes to other networks but in fact trap the threat. Deploy these traps in such a way that the wrong action causes a system to freeze, lock, or isolate the attack, in turn allowing defenders to examine, interact with, or forensically live capture the threat. Do this by freezing the CPU clock, causing the hard drive to operate in buffer mode only, or using a hypervisor to trap and log the activity. Provide training to ensure that system admins and other IT professionals can remotely traverse a legitimate path without falling into the trap.
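The following is an added example, not from the book, of a process-level tiger trap along the lines of step 3: a decoy jumpbox key is watched with an auditd rule (`auditctl -w /opt/jump/.ssh/id_jump_legacy -p r -k tiger_trap`), and any process that touches it is frozen with SIGSTOP, the process-level analogue of freezing the CPU clock, while its volatile /proc context is snapshotted before it can react. The decoy path, the rule key, and the sample audit lines are constructed for illustration; the record layout is auditd's. Legitimate administrators are told the real key path, so only an intruder guessing at routes to other networks reads the decoy.

```python
import os
import re
import signal
import subprocess
import sys
from collections import defaultdict

# auditd record header: type=PATH msg=audit(1700000000.123:4567): item=0 name="..."
_REC_RE = re.compile(r'^type=(?P<type>\w+) msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\):\s*(?P<rest>.*)$')
_KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')


def parse_audit_records(lines):
    """Group raw auditd lines by event serial: {serial: {"ts", "SYSCALL", "CWD", "PATH": [...]}}."""
    events = defaultdict(lambda: {"PATH": []})
    for line in lines:
        m = _REC_RE.match(line.strip())
        if not m:
            continue
        fields = {k: v.strip('"') for k, v in _KV_RE.findall(m.group("rest"))}
        ev = events[m.group("serial")]
        ev.setdefault("ts", float(m.group("ts")))
        if m.group("type") == "PATH":
            ev["PATH"].append(fields)
        else:
            ev[m.group("type")] = fields
    return dict(events)


def find_trap_hits(events, trap_key="tiger_trap", decoy_paths=()):
    """One hit per event whose SYSCALL record carries the trap key or whose PATH records name
    a known decoy.  Failed opens count too: merely probing the decoy is the signal."""
    hits = []
    for serial, ev in sorted(events.items(), key=lambda kv: int(kv[0])):
        sc = ev.get("SYSCALL")
        if not sc or "pid" not in sc:
            continue
        paths = [p.get("name", "") for p in ev["PATH"]]
        if sc.get("key") == trap_key or any(p in decoy_paths for p in paths):
            hits.append({"serial": serial, "ts": ev["ts"], "pid": int(sc["pid"]),
                         "ppid": int(sc.get("ppid", 0)), "auid": sc.get("auid"), "exe": sc.get("exe"),
                         "comm": sc.get("comm"), "success": sc.get("success"), "paths": paths,
                         "cwd": ev.get("CWD", {}).get("cwd")})
    return hits


def freeze_and_snapshot(pid, proc_root="/proc"):
    """SIGSTOP keeps the process resident (memory, open files and sockets stay collectable) but
    unable to alert anyone or wipe itself.  Then copy the /proc context that dies with it (Linux)."""
    os.kill(pid, signal.SIGSTOP)            # ProcessLookupError if it is already gone
    snapshot = {"pid": pid, "frozen": True}
    for name in ("cmdline", "environ", "status"):
        try:
            with open(os.path.join(proc_root, str(pid), name), "rb") as f:
                snapshot[name] = f.read()
        except OSError:
            snapshot[name] = None
    try:
        snapshot["exe"] = os.readlink(os.path.join(proc_root, str(pid), "exe"))
    except OSError:
        snapshot["exe"] = None
    return snapshot


def spring_trap(hits, freezer=freeze_and_snapshot):
    """Freeze every process that tripped the trap.  One that already exited (read-and-leave)
    is recorded with snapshot=None so the miss is visible and disk/log forensics take over."""
    for hit in hits:
        try:
            hit["snapshot"] = freezer(hit["pid"])
        except ProcessLookupError:
            hit["snapshot"] = None
    return hits


# Constructed sample of what auditd logs for an intruder reading the decoy key under the rule
# above.  Serial 4567 is the trap hit; serial 4568 is routine sshd activity that must not trip it.
SAMPLE_AUDIT_LINES = [
    'type=SYSCALL msg=audit(1700000000.123:4567): arch=c000003e syscall=257 success=yes exit=3 '
    'a0=ffffff9c a1=7ffd1a2b3c4d a2=0 a3=0 items=1 ppid=4100 pid=4242 auid=1000 uid=1000 gid=1000 '
    'euid=1000 tty=pts0 ses=3 comm="cat" exe="/usr/bin/cat" key="tiger_trap"',
    'type=CWD msg=audit(1700000000.123:4567): cwd="/home/svc-backup"',
    'type=PATH msg=audit(1700000000.123:4567): item=0 name="/opt/jump/.ssh/id_jump_legacy" '
    'inode=12345 dev=08:01 mode=0100600 ouid=0 ogid=0 nametype=NORMAL',
    'type=SYSCALL msg=audit(1700000000.900:4568): arch=c000003e syscall=257 success=yes exit=4 '
    'items=1 ppid=1 pid=900 auid=4294967295 uid=0 comm="sshd" exe="/usr/sbin/sshd" key=(null)',
    'type=PATH msg=audit(1700000000.900:4568): item=0 name="/etc/ssh/sshd_config" nametype=NORMAL',
]


def demo_freeze():
    """Spawn a harmless stand-in for the intruder's process, freeze it, confirm it is stopped
    rather than dead, release it, then show what a trap sprung too late looks like."""
    victim = subprocess.Popen([sys.executable, "-c", "import time; time.sleep(30)"])
    try:
        snap = freeze_and_snapshot(victim.pid)
        _, status = os.waitpid(victim.pid, os.WUNTRACED)   # returns as soon as the stop is reported
        snap["confirmed_stopped"] = os.WIFSTOPPED(status)
    finally:
        os.kill(victim.pid, signal.SIGCONT)               # thaw so it can be terminated cleanly
        victim.kill()
        victim.wait()
    snap["late_capture"] = spring_trap([{"pid": victim.pid}])[0]["snapshot"]  # already reaped: None
    return snap
```

Freezing stops the captured process from alerting its operator or cleaning up, and keeps it resident for memory acquisition, but it does nothing about a sibling process or a second implant; pair the trap with network isolation (the NAC quarantine described earlier) and with the administrator training step 3 calls for, so that nobody legitimate ever touches the decoy.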

Recommended Security Controls and Mitigations

Where relevant, recommendations are presented with applicable security controls from the NIST SP 800-53 standard. Each should be evaluated with the concept of live capture in mind.

  1. Restrict the use of external systems and components within your organization if you do not have the authorization or capability to perform forensic investigations on them. [AC-20: Use of External System | (3) Non-Organizationally Owned Systems and Components]
  2. Using external sensors and SIEMs that a threat on the compromised host cannot easily reach or tamper with, implement automated mechanisms to fully collect live data, PCAPs, syslog, and other data needed for forensic analysis. [AU-2: Audit Events; AU-5: Response to Audit Processing Failures | (2) Real-Time Alerts; IR-4: Incident Handling | (1) Automated Incident Handling Processes; SA-9: External System Services | (5) Processing, Storage, and Service Location; SC-7: Boundary Protection | (13) Isolation of Security Tools, Mechanisms, and Support Components]
  3. If you decide to implement non-persistence as a countermeasure against threats—such as by regularly reimaging or rebuilding all your systems to destroy any unauthorized access—consider performing a forensic capture before reimaging or teardown to preserve evidence of threats. [AU-11: Audit Record Retention | (1) Long-Term Retrieval Capability; MP-6: Media Sanitization | (8) Remote Purging or Wiping of Information; SI-14: Non-Persistence; SI-18: Information Disposal]
  4. Implement, document, and enforce baseline system configurations in your organization so forensic analysts can more easily determine what information could have been altered by a threat. [CM-2: Baseline Configuration | (7) Configure Systems and Components for High-Risk Areas; SC-34: Non-Modifiable Executable Programs]
  5. Provide training and simulated exercises for your forensic staff to facilitate effective responses in the event of a security incident. [IR-2: Incident Response Training | (1) Simulated Events]
  6. Establish a forensic analysis team with the capability and authorization to conduct real-time forensic collection and investigation. [IR-10: Integrated Information Security Analysis Team]
  7. Use safeguards to validate that forensic systems, software, and hardware have not been tampered with. [SA-12: Supply Chain Risk Management | (10) Validate as Genuine and Not Altered | (14) Identity and Traceability]

Debrief

In this chapter, we reviewed the shinobi techniques of capturing and interrogating enemy shinobi, as well as tactics used to evade capture. We touched on how collecting more forensic evidence gives the threat actor more opportunities to feed investigators false data points—and why it can be better to interact with live threats. We discussed best practices around forensic capabilities to gain visibility into threats, along with advanced techniques, such as ambushes and traps, for confronting threats.

In the next chapter, we will discuss the most destructive mode of attack in the shinobi’s arsenal: attacking with fire.