21
Circumstances of Infiltration
You should infiltrate at the exact moment that the enemy moves and not try when they do not move—this is a way of principled people.

In heavy rainfall, when the rain is at its most, you should take advantage of it for your shinobi activities and night attacks.

—Yoshimori Hyakushu #1

The Ninpiden and Bansenshūkai both advise that when moving against a target, shinobi should use cover to go undetected. They may wait for circumstances in which cover exists or, if necessary, create those circumstances themselves. The scrolls provide a wide range of situations that can aid infiltration, from natural occurrences (strong winds and rain) to social gatherings (festivals, weddings, and religious services) to shinobi-initiated activity (releasing horses, causing fights, and setting fire to buildings).[1] Regardless of their source, a canny shinobi should be able to capitalize on distractions, excitement, confusion, and other conditions that divert the target’s focus.

Shinobi were able to turn inclement weather into favorable infiltration circumstances. For instance, heavy rainstorms meant empty streets, poor visibility, and torrents to muffle any sounds the shinobi made.[2] Of course, bad weather is bad for everyone, and the second poem of the Yoshimori Hyakushu notes that too strong a storm can overpower a shinobi, making it difficult to execute tactics and techniques: “In the dead of night, when the wind and rain are raging, the streets are so dark that shinobi cannot deliver a night attack easily.”[3]

Shinobi also capitalized on other, more personal circumstances, such as a tragic death in the target’s family. The scrolls point out that while a target is in mourning, they may not sleep well for two or three nights, meaning the shinobi may approach unnoticed during the funeral or bereavement disguised as a mourner, or wait to infiltrate until the target finally sleeps deeply on night three or four.[4]

Of course, a shinobi’s mission did not always coincide with providence. In some cases, shinobi took it upon themselves to cause severe illness at the target fortification. Sick people were ineffective defenders, and their worried caregivers were preoccupied and denied themselves sleep to tend to the ill. When the afflicted began to recover, the relieved caregivers slept heavily, at which point shinobi infiltrated. Alternatively, shinobi could destroy critical infrastructure, such as a bridge, and then wait for the target to undertake the large and difficult reconstruction project in the summer heat before infiltrating an exhausted opponent.[5]

Effective distractions could also be more directly confrontational. Bansenshūkai describes a technique called kyonin (“creating a gap by surprise”) that employs the assistance of military forces or other shinobi. These allies make the target think an attack is underway, perhaps by firing shots, beating war drums, or shouting, and the shinobi can slip in during the confusion. When the shinobi wanted to exit safely, this technique was simply repeated.[6]

In this chapter, we will review how the use of situational factors to aid infiltration, as described in the shinobi scrolls, applies to the digital era. The use of situational factors depends on defenders, security systems, and organizations having finite amounts of attention. Overloading, confusing, and misdirecting that limited attention creates opportunities a threat actor can exploit. We will identify various opportunities that can be found in modern networked environments and explain how they parallel the circumstances described in the shinobi scrolls. Finally, we will review how organizations can incorporate safeguards and resiliency to prepare for circumstances that may weaken their defenses.

Adversarial Opportunity

Cybersecurity adversaries may distract their targets and create conditions that make infiltration hard to detect, as widely—and wisely—as shinobi once did. For example, when cyberdefenders detect a sudden distributed denial of service (DDoS) attack, standard operating procedures require evaluating the strength and duration of the DDoS and creating a security incident ticket to log the activity. Defenders may not immediately suspect a DDoS as cover for a threat actor’s attack on the network. So when the attack overwhelms the target’s security sensors and the packet capture (pcap) and intrusion detection or prevention systems (IDS/IPS) fail open—in other words, when there is too much communication to inspect—defensive systems might naturally rush the packets along without searching them for malicious content. When the DDoS ceases, the defenders will note that there was no significant downtime and return their status to normal, not realizing that, while the DDoS lasted only 10 minutes, the packet flood gave the adversary enough time and cover to compromise the system and establish a foothold in the network. (As in Yoshimori Hyakushu 2, which warned that a strong storm could hinder both target and attacker, the adversary is unlikely to deploy an overly intense DDoS. Doing so could cause networking gear to drop packets and lose communication data—including their own attacks. Instead, an attacker will likely throttle target systems to overwhelm security without disrupting communication.)
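The fail-open window described above is something a defender can check for after the fact rather than simply closing the ticket. The script below is an added example, not code from the book: it reads constructed IDS counter samples and a constructed event log, infers the minutes during which the sensor dropped most of its traffic uninspected, and lists the authentication and service events that landed inside that blind spot for analyst review. The log formats, the drop-ratio threshold, the one-minute sample interval, and the timestamps are all assumptions made for the illustration.

```python
"""Added example (not the book's code): retrospectively find security events that
landed while an inline IDS was saturated and failing open. Both inputs are
constructed for this illustration and do not follow any vendor's real format."""
from datetime import datetime, timedelta

# Constructed IDS sensor counters, sampled once a minute:
# <timestamp> <packets_received> <packets_dropped_uninspected>
SENSOR_STATS = """\
2024-03-01T02:00:00 120000 0
2024-03-01T02:01:00 125000 0
2024-03-01T02:02:00 4800000 3900000
2024-03-01T02:03:00 5100000 4300000
2024-03-01T02:04:00 4900000 4000000
2024-03-01T02:05:00 130000 0
2024-03-01T02:06:00 118000 0
"""

# Constructed host and authentication events from the same period.
EVENTS = """\
2024-03-01T01:58:10 login_success user=alice src=10.0.5.20
2024-03-01T02:03:15 login_success user=svc_backup src=203.0.113.77
2024-03-01T02:03:40 new_service host=db01 name=updater
2024-03-01T02:09:05 login_success user=bob src=10.0.5.31
"""

DROP_RATIO_THRESHOLD = 0.5          # sensor counted as blind above this drop ratio (assumption)
SAMPLE_INTERVAL = timedelta(minutes=1)
WINDOW_PAD = timedelta(seconds=30)  # widen windows slightly to absorb clock skew


def saturation_windows(stats_text, threshold=DROP_RATIO_THRESHOLD):
    """Return [(start, end)] intervals in which the sensor dropped more than
    `threshold` of its traffic uninspected. Each sample covers SAMPLE_INTERVAL."""
    windows = []
    current = None
    for line in stats_text.splitlines():
        ts_str, received, dropped = line.split()
        ts = datetime.fromisoformat(ts_str)
        blind = int(received) > 0 and int(dropped) / int(received) > threshold
        if blind:
            if current is None:
                current = [ts, ts + SAMPLE_INTERVAL]   # open a new blind window
            else:
                current[1] = ts + SAMPLE_INTERVAL      # extend the running window
        elif current is not None:
            windows.append(tuple(current))
            current = None
    if current is not None:
        windows.append(tuple(current))
    return windows


def events_in_blind_spots(events_text, windows, pad=WINDOW_PAD):
    """Return (timestamp, kind, details) for events that fell inside any blind window."""
    flagged = []
    for line in events_text.splitlines():
        ts_str, kind, *details = line.split()
        ts = datetime.fromisoformat(ts_str)
        if any(start - pad <= ts <= end + pad for start, end in windows):
            flagged.append((ts_str, kind, " ".join(details)))
    return flagged


if __name__ == "__main__":
    windows = saturation_windows(SENSOR_STATS)
    for start, end in windows:
        print(f"sensor blind from {start} to {end}")
    for ts, kind, details in events_in_blind_spots(EVENTS, windows):
        print(f"REVIEW {ts} {kind} {details}")
```

Run against the constructed data, the script reports one blind window (02:02 to 02:05) and flags the service-account login from an external address and the new service on db01 that were created inside it, while the ordinary logins before and after the flood are left alone. The same join can be run from a SIEM over real sensor drop counters, which is the point: the DDoS ticket and the host events are otherwise never looked at together.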

Adversaries have many other ways to create favorable circumstances in the infiltration target; they are limited only by their ingenuity. It could be advantageous to attack service and infrastructure quality and reliability, such as by disrupting ISPs or interconnections. Patient attackers could wait for commercial vendors to release faulty updates or patches, after which the target’s security or IT staff temporarily creates “permit any-any” conditions or removes security controls to troubleshoot the problem. Threat actors might monitor a company’s asset acquisition process to determine when it moves new systems and servers to production or the cloud—and, hence, when these targets might be temporarily unguarded or not properly configured against attacks. Threat actors might also track a corporate merger and attempt to infiltrate gaps created when the different companies combine networks. Other adversaries might use special events hosted in the target’s building, such as large conferences, vendor expos, and third-party meetings, to mingle in the crowd of strangers and infiltrate the target. They might even pick up a swag bag in the process.
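The “permit any-any” troubleshooting change mentioned above is one of the easier conditions to catch, provided the change-approved ruleset has been recorded. The script below is an added example, not code from the book or from any firewall vendor: it compares a constructed live ruleset against a constructed approved baseline, flags rules added outside change control (singling out an unapproved permit any-any, which under first-match evaluation also shadows every rule after it), and flags approved rules that have gone missing, which is what “removing security controls to troubleshoot” looks like in a config. The five-field rule syntax is a simplification assumed for the illustration.

```python
"""Added example (not the book's code): audit a live firewall ruleset against the
change-approved baseline and flag rules added or removed outside change control,
with 'permit any any' singled out. The rule syntax is a constructed, simplified
format (action proto src dst port), not any vendor's configuration language."""

# Constructed baseline recorded at the last approved change.
BASELINE = """\
permit tcp 10.0.0.0/8 10.1.2.10/32 443
permit tcp 10.0.0.0/8 10.1.2.11/32 22
deny ip any any any
"""

# Constructed ruleset pulled from the device after a troubleshooting session.
LIVE = """\
permit ip any any any
permit tcp 10.0.0.0/8 10.1.2.10/32 443
permit tcp 10.0.0.0/8 10.1.2.11/32 22
permit tcp any 10.1.2.12/32 3389
deny ip any any any
"""


def parse_rules(text):
    """Parse 'action proto src dst port' lines into tuples, ignoring blank lines."""
    rules = []
    for line in text.splitlines():
        parts = line.split()
        if not parts:
            continue
        if len(parts) != 5:
            raise ValueError(f"malformed rule: {line!r}")
        rules.append(tuple(parts))
    return rules


def is_any_any_permit(rule):
    """True for a permit whose source, destination and port are all unrestricted."""
    action, _proto, src, dst, port = rule
    return action == "permit" and src == "any" and dst == "any" and port == "any"


def audit(live_text, baseline_text):
    """Return findings as dicts {'index', 'rule', 'severity', 'reason'}.

    Assumes first-match evaluation, so an any-any permit at position i makes
    every later rule unreachable."""
    live = parse_rules(live_text)
    baseline = parse_rules(baseline_text)
    approved = set(baseline)
    findings = []
    for idx, rule in enumerate(live):
        if rule in approved:
            continue
        if is_any_any_permit(rule):
            shadowed = len(live) - idx - 1
            findings.append({"index": idx, "rule": " ".join(rule), "severity": "critical",
                             "reason": f"unapproved permit any-any; shadows {shadowed} later rules"})
        else:
            findings.append({"index": idx, "rule": " ".join(rule), "severity": "review",
                             "reason": "not in approved baseline"})
    live_set = set(live)
    for rule in baseline:
        if rule not in live_set:
            findings.append({"index": None, "rule": " ".join(rule), "severity": "high",
                             "reason": "approved rule removed from device"})
    return findings


if __name__ == "__main__":
    for f in audit(LIVE, BASELINE):
        print(f"[{f['severity']}] rule {f['index']}: {f['rule']} -- {f['reason']}")
```

Scheduled against real device exports, a check like this turns the temporary “fix” into a ticket within one polling interval instead of leaving it in place until the next audit; the shadow count is worth reporting because it tells the reviewer that the approved rules still present in the config are no longer doing anything.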

Adversarial Adversity

It is considered infeasible to guarantee 100 percent uptime of digital systems, and it should be considered even harder to guarantee 100 percent assurance of security at all times for those same digital systems. Furthermore, it is almost certainly impossible to prevent disasters, hazards, accidents, failures, and unforeseen changes—many of which will create circumstances in which opportunistic threat actors can infiltrate. Being overly cautious to avoid these circumstances can hamper a business’s ability to be bold in strategy and execute on goals. A solution to this dilemma may be to redundantly layer systems to reduce infiltration opportunities. Security teams might put in place the equivalent of high-availability security—security that is layered redundantly where systems are weaker. Practice awareness and preparation. As part of security staff protocols for change management, events, incidents, crises, natural disasters, and other distracting or confusing circumstances, train your security team to look for indications that an event was created or is being used by adversaries to infiltrate the organization. Document role responsibilities in organizational policies and procedures. Use threat modeling, tabletop exercises, and risk management to identify potential distractions, then consider safeguards, countermeasures, and protections for handling them.

Recommended Security Controls and Mitigations

Where relevant, recommendations are presented with applicable security controls from the NIST 800-53 standard. They should be evaluated with the concept of circumstances of infiltration in mind.

  1. Identify and document how different security controls and protocols—for example, authentication—might be handled during emergencies or other extreme circumstances to mitigate adversary infiltration. [AC-14: Permitted Actions Without Identification or Authentication]
  2. Establish controls and policies around the conditions for using external information systems, particularly during extenuating circumstances. [AC-20: Use of External Information Systems]
  3. Launch penetration testing exercises during contingency training for simulated emergencies, such as fire drills, to test defensive and detection capabilities. [CA-8: Penetration Testing; CP-3: Contingency Training; IR-2: Incident Response Training]
  4. Enforce physical access restrictions for visitors, as well as for circumstances in which it is not possible to escort a large number of uncontrolled persons—for example, firefighters responding to a fire—but unauthorized system ingress and egress must still be prevented. [PE-3: Physical Access Control]
  5. Develop a capability to shut off information systems and networks in the event of an emergency, when it is suspected that an adversary has compromised your defenses. [PE-10: Emergency Shutoff]
  6. Consider how your organization can incorporate adversary awareness and hunting into contingency planning. [CP-2: Contingency Plan]
  7. Evaluate whether a sudden transfer or resumption of business operations at fallback sites will create opportune circumstances for adversary infiltration. Then consider appropriate defensive safeguards and mitigations. [CP-7: Alternate Processing Site]

Debrief

In this chapter, we reviewed the tactic of creating and/or waiting for circumstances that provide cover for infiltrating a target. We looked at several examples of how shinobi would create an opportunity when a target was well defended, and we explored how this tactic could play out in modern networked environments. We covered various methods for managing security during times of weakness, and through the thought exercise, we looked at preparing for circumstances where risk cannot be avoided, transferred, or countered.

In the next chapter, we will discuss the zero-day, or a means of infiltration so novel or secret that no one has yet thought about how to defend against it. Shinobi had exploits and techniques similar to zero-days; they were so secret, it was forbidden to write them down, and the scrolls only allude to them indirectly. We are left only with cryptic clues—clues provided to remind a shinobi of a secret technique they had learned, but not to teach it. Even so, the scrolls provide insight into how to create new zero-days, procedures to defend against them, and tradecraft in executing them. Furthermore, the scrolls describe several historical zero-day techniques that had been lost due to their disclosure, giving us insight into modern zero-day exploits and a potential forecast of zero-days of the future.