20
Light, Noise, and Litter Discipline
The traditions of the ancient shinobi say you should lock the doors before you have a look at the enemy with fire.

If you have to steal in as a shinobi when it is snowing, the first thing you must be careful about is your footsteps.

—Yoshimori Hyakushu #53

Avoiding unwanted attention was a core discipline of their trade, and shinobi trained diligently on being stealthy. If lanterns emitted light that disturbed animals, footsteps echoed and woke a sleeping target, or food waste alerted a guard to the presence of an intruder, then a shinobi put their mission—if not their life—in jeopardy. As such, the scrolls provide substantial guidance around moving and operating tactically while maintaining light, noise, and litter discipline.

Light discipline includes general tactics. For example, the scrolls recommend that infiltrating shinobi lock a door from the inside before igniting a torch to prevent the light (and any people in the room) from escaping.¹ It also includes specific techniques. Bansenshūkai details a number of clever tools for light management, such as the torinoko fire egg. This is a bundle of special flammable material with an ember at the center, compressed to the shape and size of an egg. The egg rests in the shinobi’s palm such that opening or closing the hand controls the amount of oxygen that reaches the ember, brightening or dimming the light and allowing the carrier to direct the light in specific, narrow directions.² With this tool, a shinobi could quickly open their hand to see who was sleeping inside a room, then instantly extinguish the light by making a tight fist. Thus, the fire egg has the same on-demand directional and on/off light control as a modern tactical flashlight.

Silence was critical for shinobi, and the scrolls describe an array of techniques to remain quiet while infiltrating a target. The Ninpiden suggests biting down on a strip of paper to dampen the sound of breathing. Similarly, some shinobi moved through close quarters by grabbing the soles of their feet with the palms of their hands, then walking on their hands to mute the sound of footsteps. This technique must have required considerable practice and conditioning to execute successfully. It was also common for shinobi to carry oil or other viscous substances to grease creaky gate hinges or wooden sliding doors—anything that might squeak and alert people to their presence. The scrolls also warn against applying these liquids too liberally, as they could visibly pool, tipping off a guard to the fact that someone had trespassed.³

Not all shinobi noise discipline techniques minimized noise. The scrolls also provide guidance for creating a purposeful ruckus. Shōninki describes a noise discipline technique called kutsukae, or “changing your footwear,” which actually involves varying your footsteps rather than putting on different shoes. An infiltrating shinobi can shuffle, skip, fake a limp, take choppy steps, or make audible but distinct footstep noises to deceive anyone listening. Then, when they change to their natural gait, listeners assume they’re hearing a different person or erroneously believe that the person they’re tracking suddenly stopped.⁴ The Ninpiden describes clapping wooden blocks together or yelling “Thief!” or “Help!” to simulate an alarm, testing the guards’ reaction to noise.⁵ Bansenshūkai describes a more controlled noise test, in which a shinobi near a target or guard whispers progressively more loudly to determine the target’s noise detection threshold. Noise tests help shinobi make specific observations about how the target responds, including:

How quickly did the target react?
Was there debate between guards about hearing a noise?
Did guards emerge quickly and alertly, with weapons in hand?
Did the noise seem to catch the target off guard?
Was the target completely oblivious?

These observations not only tell the shinobi how keen the target’s awareness and hearing are but also reveal the target’s skill and preparation in responding to events—information the shinobi can use to tailor the infiltration.⁶

In terms of physical evidence, shinobi used “leave no trace” long before it was an environmental mantra. A tool called nagabukuro (or “long bag”) helps with both sound and litter containment. When shinobi scaled a high wall and needed to cut a hole to crawl through, they hung the large, thick, leather nagabukuro bag lined with fur or felt beneath them to catch debris falling from the wall and muffle the sound. The shinobi could then lower the scraps quietly to a discreet place on the ground below. This was much better option than letting debris crash to the ground or splash into a moat.⁷

In this chapter, we abstract the light, noise, and litter of shinobi infiltrators into their cyber threat equivalents. We will review some tools and techniques that threat groups have used to minimize the evidence they leave behind, as well as some procedural tradecraft disciplines. We’ll discuss the topic of detecting “low and slow” threats, along with modifying your environment so it works to your advantage. The thought exercise will look at a technique used by shinobi to mask their footsteps that could in theory be applied to modern digital systems. At the end of the chapter, we’ll cover detection discipline as a way to counter a sophisticated adversary—one who is mindful of the observables they may leave (or not leave) in your network.

Cyber Light, Noise, and Litter

The digital world does not always behave in the same ways as the physical world. It can be challenging to understand and continuously hunt for the cyber equivalents of light, noise, and litter. Because defenders lack the time, resources, and capability to monitor and hunt within digital systems under their control, an adversary’s light, noise, and/or litter trail too often goes undocumented. As a result, threat actors may have an easier time performing cyber infiltration than physical infiltration.

Many scanning and exploitation tools and frameworks, such as Nmap,⁸ have throttling modes or other “low-and-slow” methods that attempt to exercise discipline on the size of packets or payloads, packet frequency, and bandwidth usage on a target network. Adversaries have developed extremely small malicious files (for instance, the China Chopper can be less than 4KB⁹) that exploit defenders’ assumption that a file with such a slight footprint won’t cause harm. Malware can be configured to minimize the amount of noise it makes by beaconing command and control (C2) posts infrequently, or it can minimize the noise in process logs or memory by purposefully going to sleep or executing a no-operation (NOP) for long periods. To avoid leaving digital litter that could reveal its presence, certain malware does not drop any files to disk. Adversaries and malware on neighboring network infrastructure can choose to passively collect information, leading to a slow but fruitful understanding of the environment inside the target. Notably, many of these threats also choose to accept the risk of cyber light, noise, and/or litter that results from running their campaigns.

It is reasonable to assume that sufficiently advanced adversaries have procedures to limit cyber light, noise, and litter, such as:

Limiting communication with a target to less than 100MB per day
Ensuring that malware artifacts, files, and strings are not easily identified as litter that could reveal their own presence or be attributed to the malware
“Silencing” logs, alerts, tripwires, and other sensors so security is not alerted to the intruder's presence

It seems that most current security devices and systems are designed to trigger in response to the exact signature of a known threat, such as a specific IP, event log, or byte pattern. Even with specialized software that shows analysts threat activity in real time, such as Wireshark,¹⁰ it takes significant effort to collect, process, and study this information. Contrast this workflow with that of hearing footsteps and reacting. Because humans cannot perceive the digital realm with our senses in the same way that we perceive the physical environment, security measures are basically guards with visual and hearing impairments waiting for a prompt to take action against a threat across the room.

Detection Discipline

Unfortunately, there is no ideal solution for catching someone skilled in the ways of not being caught. Some threat actors have such an advantage over defenders in this realm that they can gain unauthorized access to the security team’s incident ticket tool and monitor it for any new investigations that reference their own threat activity. However, there are improvements to be made, training to be had, countermeasures to deploy, and tricks defenders can try to trip up or catch the threat in a tradecraft error.

Practice awareness. As part of training for threat hunting, incident response, and security analysis, teach your security team to look for indications of an adversary’s light, noise, or litter.
Install squeaky gates. Consider implementing deceptive attack sensing and warning (AS&W) indicators, such as security events that go off every minute on domain controllers or other sensitive systems or networking devices. For example, you might implement a warning that says “[Security Event Log Alert]: Windows failed to activate Windows Defender/Verify this version of Windows.” This may deceive an infiltrating adversary into thinking you’re not paying attention to your alerts, prompting the adversary to “turn off” or “redirect” security logs away from your sensors or analysts. The sudden absence of the false alert will inform your defenders of the adversary’s presence (or, in the case of a legitimate crash, of the need to reboot the system or have IT investigate the outage).
Break out the wooden clappers. Consider how an advanced adversary could purposefully trigger alerts or cause noticeable network noise from a protected or hidden location in your environment (that is, attacking known honeypots) to observe your security team’s ability to detect and respond. This is the cyber equivalent of a ninja running through your house at night slamming two pieces of wood together to test your response. It’s reasonable to assume that some adversaries may assess your security in this way so they can determine whether they can use zero days or other covert techniques without fear of discovery.

Castle Theory Thought Exercise

Consider the scenario in which you are the ruler of a medieval castle with valuable assets inside. As it is not feasible to have eyes everywhere, you have positioned your guards where they can listen for odd sounds in key egress pathways. You have also trained your guards to notice anomalous noises. You are told that shinobi have specially made sandals with soft, fabric-stuffed soles so they can walk on tile or stone without making noise.

How could you use this information to detect a ninja in your castle? What evidence might these special sandals leave behind? What countermeasures could you deploy to mitigate the threat these sandals pose? How would you train your guards to react when they see a person in the castle walking suspiciously quietly?

Recommended Security Controls and Mitigations

Where relevant, recommendations are presented with applicable security controls from the NIST 800-53 standard. Each should be evaluated in terms of the light, noise, and litter that might accompany an attack.

Determine your organization’s detection capabilities by simulating network infiltration by both loud-and-fast and low-and-slow adversaries. Document which logs are associated with which observable activity and where you may have sensory dead spots. [AU-2: Audit Events; CA-8: Penetration Testing; SC-42: Sensor Capability and Data]
Correlate incident logs, alerts, and observables with documented threat actions to better educate your staff and test your perception of how threats will “sound” on the network. [IR-4: Incident Handling | (4) Information Correlation]
Tune your sandboxes and detonation chambers to look for indicators of a threat actor who is attempting to exercise the cyber equivalent of light, noise, and litter discipline. [SC-44: Detonation Chambers]
Use non-signature-based detection methods to look for covert disciplined activity designed to avoid signature identification. [SI-3: Malicious Code Protection | (7) Nonsignature-Based Detection]
Deploy information system monitoring to detect stealth activity. Avoid placing oversensitive sensors in high-activity areas. [SI-4: Information System Monitoring]

Debrief

In this chapter, we reviewed the precautions shinobi took and the tools they used to hide evidence of their activity—for example, measuring how much noise they could make before alerting the guards and learning what the target was likely to do if shinobi activity were discovered. We discussed several cyber tools that adversaries have used and how they might be understood as the equivalent of light and noise—evidence that can be detected by defenders. Lastly, we reviewed potential countermeasures that defenders can take.

In the next chapter, we will discuss circumstances that assist shinobi in infiltration because they mitigate the problems of light, noise, and litter. For example, a strong rainstorm would mask noise, obscure visibility, and clear away evidence of their presence. A cyber defender can consider analogous circumstances to protect their systems.