22
Zero-Days
A secret will work if it is kept; you will lose if words are given away.

You should be aware that you shouldn’t use any of the ancient ways that are known to people because you will lose the edge of surprise.

—Shōninki, “Takaki wo Koe Hikuki ni Hairu no Narai” 1

One of the shinobi’s key tactical advantages was secrecy. The scrolls repeatedly warn shinobi to prevent others from learning the details of their capabilities, since if knowledge of a technique leaked to the public, the consequences could be disastrous. Not only could the techniques be invalidated for generations, but the lives of shinobi using a leaked technique could be in danger. Both Shōninki and the Ninpiden describe the hazards of exposing secret ninja tradecraft to outsiders, with some scrolls going so far as to advise killing targets who discover tradecraft secrets or bystanders who observe a shinobi in action.2

Both Shōninki and the Ninpiden cite ancient techniques that were spoiled due to public exposure. For instance, when ancient ninjas (yato)3 conducted reconnaissance, they sometimes traveled across farm fields; they avoided detection by, among other means, dressing like a scarecrow and snapping into a convincing pose when people approached.4 Once this technique was discovered, however, locals regularly tested scarecrows by rushing them or even stabbing them. No matter how convincing the shinobi’s disguise or how skillful their pantomime, the technique became too risky, and shinobi had to either develop new ways to hide in plain sight or avoid fields altogether. The skill was lost.

Similarly, some shinobi became master imitators of cat and dog sounds, so that if they accidentally alerted people to their presence during a mission, they could bark or mew to convince the target that the disturbance was just a passing animal and there was no need for further inspection. This technique was also discovered eventually. Guards were trained to investigate unfamiliar animal noises, putting shinobi at risk of discovery.5

The scrolls also describe situations in which a fortification was protected by dogs that shinobi could not kill, kidnap, or befriend without rousing suspicion from security guards. In this situation, the scrolls tell shinobi to wear the scent of whale oil and then either wait for the dog to stray away from the guards or lure the dog away. They then beat the dog, and they do this several nights in a row. With its pungency and rarity, the scent of whale oil conditions the dog to associate pain and punishment with the odor, and the dog is then too afraid to attack shinobi wearing the distinctive scent. When this technique was disclosed, guards were trained to notice the unique scent of whale oil or when their dog’s behavior suddenly changed.6

Of course, most shinobi secrets went unexposed until the formal publication of the scrolls many years after the shinobi were effectively a historical relic. Therefore, defenders of the era had to create techniques to thwart attacks of which they had no details—potentially even attacks that the attackers themselves had not yet considered.

For shinobi acting as defenders, the scrolls offer some baseline advice. Bansenshūkai’s “Guideline for Commanders”7 volumes recommend various security best practices, including passwords, certification stamps, identifying marks, and secret signs and signals. The scroll also advises commanders to contemplate the reasoning behind these security stratagems; pair them with other standard protocols, such as night watches and guards; take advanced precautions, such as setting traps; and develop their own secret, custom, dynamic security implementations. Together, these techniques defended against attackers of low or moderate skill but not against the most sophisticated shinobi.8

To that end, Bansenshūkai’s most pragmatic security advice is that defenders will never be perfectly secure, constantly alert, or impeccably disciplined. There will always be gaps that shinobi can exploit. Instead, the scroll emphasizes the importance of understanding the philosophy, mindset, and thought processes of one’s enemies, and it implores shinobi to be open to trying new techniques, sometimes on the fly: “It is hard to tell exactly how to act according to the situation and the time and the place. If you have a set of fixed ways or use a constant form, how could even the greatest general obtain a victory?”9

Shinobi defenders used creative mental modeling, such as by imagining reversed scenarios and exploring potential gaps. They drew inspiration from nature, imagining how a fish, bird, or monkey would infiltrate a castle and how they could mimic the animal’s abilities.10 They derived new techniques by studying common thieves (nusubito). Above all, they trusted the creativity of the human mind and exercised continuous learning, logical analysis, problem solving, and metacognitive flexibility:

Although there are millions of lessons for the shinobi, that are both subtle and ever changing, you can’t teach them in their entirety by tradition or passing them on. One of the most important things for you to do is always try to know everything you can of every place or province that is possible to know. . . . If your mind is in total accordance with the way of things and it is working with perfect reason and logic, then you can pass through “the gateless gate.” . . . The human mind is marvelous and flexible. It’s amazing. As time goes by, clearly or mysteriously, you will realize the essence of things and understanding will appear to you from nowhere. . . . On [the path of the shinobi] you should master everything and all that you can . . . you should use your imagination and insight to realize and grasp the way of all matters. 11

A forward-thinking shinobi with a keen mind and a diligent work ethic could build defenses strong enough to withstand unknown attacks, forcing enemies to spend time and resources developing new attack plans, testing for security gaps, and battling hidden defenses—only to be thwarted once again when the whole security system dynamically changed.

In this chapter, we will explore the modern threat landscape of zero-days and understand what of the philosophy and tradecraft described in the shinobi scrolls we can apply to cybersecurity. In addition, we will explore various proposed defenses against zero-days. The castle thought exercise in this chapter presents the challenge of addressing unknown and potential zero-days hidden in modern computing hardware, software, clouds, and networks—all in the hope of provoking new insights.

Zero-Day

Few terms in the cybersecurity lexicon strike fear into the hearts of defenders and knowledgeable business stakeholders like zero-day (or 0-day), an exploit or attack that was previously unknown and that defenders may not know how to fight. The term comes from the fact that the public has known about the attack or vulnerability for zero days. Because victims and defenders have not had the opportunity to study the threat, a threat actor with access to a zero-day that targets a common technology almost always succeeds. For example, STUXNET used four zero-day exploits to sabotage an air-gapped nuclear enrichment facility in Iran, demonstrating the power of zero-days to attack even the most secure and obscure targets.12

A zero-day attack derives its value from the fact that it is unknown. As soon as a threat actor uses a zero-day, the victim has the chance to capture evidence of the attack via sensors and monitoring systems, forensically examine that evidence, and reverse engineer the attack. After the zero-day appears in the wild, security professionals can quickly develop mitigations, detection signatures, and patches, and they will publish CVE numbers to alert the community. Not everyone pays attention to such advisories or patches their systems, but the 0-day is increasingly less likely to succeed as it becomes a 1-day, 2-day, and so on.

Zero-days are deployed in different ways depending on the attacker’s motivations. Cybercriminals interested in a quick, lucrative score might immediately burn a zero-day in a massive and highly visible attack that maximizes their immediate return. More advanced threat actors establish procedures to delete artifacts, logs, and other observable evidence of a zero-day attack, extending its useful life. Truly sophisticated attackers reserve zero-days for hardened, valuable targets, as zero-days that target popular technologies can sell for thousands of dollars to cybercriminals on the black market—or more than $1 million to governments eager to weaponize them or build a defense against them.

While some zero-days come from legitimate, good-faith security gaps in software code, threat actors can introduce zero-days into a software application’s source code maliciously through agreements or covert human plants. Targeted attacks can also compromise software libraries, hardware, or compilers to introduce bugs, backdoors, and other hidden vulnerabilities for future exploitation, in much the same way a ninja joining a castle construction team might compromise the design by creating secret entrances that only the ninja knows about (the scrolls tell us this happened).13

Traditionally, zero-day discoveries have come from security researchers with deep expertise studying code, threat hunters thinking creatively about vulnerabilities, or analysts accidentally discovering the exploit being used against them in the wild. While these methods still work, recent technologies such as “fuzzing” have helped automate zero-day detection. Fuzzers and similar tools automatically try various inputs—random, invalid, and unexpected—in an attempt to discover previously unknown system vulnerabilities. The advent of AI-powered fuzzers and AI defenders signals a new paradigm. Not unlike the way that the invention of the cannon, which could pierce castle walls, led to new defense strategies, AI offers the possibility that defenses may someday evolve almost as quickly as the threats themselves. Of course, attack systems may also learn how to overwhelm any defensive capability, altering not just how the industry detects and fights zero-days but how the world looks at cybersecurity as a whole.
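As an added illustration of the mutation fuzzing described above (example code written for this edition, not from the book or any named tool), the harness below feeds random, invalid and truncated inputs to a constructed toy record parser that trusts its own length field, collects the unexpected exceptions as crash signatures, and then shows the same harness finding nothing against a parser with a single plain length check. The wire format, function names and seed values are all assumptions.

```python
import functools
import random

# Constructed toy wire format: [tag:1][len:1][value:len][xor checksum:1]
def xor_all(value: bytes) -> int:
    return functools.reduce(lambda a, b: a ^ b, value, 0)

def make_record(tag: int, value: bytes) -> bytes:
    return bytes([tag, len(value)]) + value + bytes([xor_all(value)])

def parse_record(data: bytes) -> tuple[int, bytes]:
    if len(data) < 3:
        raise ValueError("record too short")
    tag, length = data[0], data[1]
    value = data[2:2 + length]
    # Deliberate defect: the declared length is trusted, so a record whose
    # length byte overstates the payload indexes the checksum past the buffer.
    if data[2 + length] != xor_all(value):
        raise ValueError("bad checksum")
    return tag, value

def parse_record_hardened(data: bytes) -> tuple[int, bytes]:
    # "Boring" fix: reject any record whose declared length does not fit the
    # buffer exactly, so the checksum index in parse_record can never overrun.
    if len(data) < 3 or len(data) != 3 + data[1]:
        raise ValueError("length field does not match buffer")
    return parse_record(data)

INTERESTING = [0x00, 0x01, 0x7F, 0x80, 0xFF]  # boundary values parsers often mishandle

def mutate(rng: random.Random, data: bytes) -> bytes:
    buf = bytearray(data)
    choice = rng.randrange(4)
    if choice == 0 and buf:                    # flip one bit
        buf[rng.randrange(len(buf))] ^= 1 << rng.randrange(8)
    elif choice == 1 and buf:                  # overwrite a byte with a boundary value
        buf[rng.randrange(len(buf))] = rng.choice(INTERESTING)
    elif choice == 2 and len(buf) > 1:         # truncate the record
        del buf[rng.randrange(1, len(buf)):]
    else:                                      # insert a few random bytes
        i = rng.randrange(len(buf) + 1)
        buf[i:i] = bytes(rng.randrange(256) for _ in range(rng.randrange(1, 4)))
    return bytes(buf)

def fuzz(parser, seeds: list[bytes], iterations: int = 2000, seed: int = 1) -> dict[str, bytes]:
    """Feed mutated seeds to `parser`. ValueError is its documented rejection path;
    any other exception is a crash, keyed by exception type and raising line."""
    rng = random.Random(seed)
    crashes: dict[str, bytes] = {}
    for _ in range(iterations):
        sample = mutate(rng, rng.choice(seeds))
        try:
            parser(sample)
        except ValueError:
            continue
        except Exception as exc:
            tb = exc.__traceback__
            while tb.tb_next:
                tb = tb.tb_next
            crashes.setdefault(f"{type(exc).__name__}@line{tb.tb_lineno}", sample)
    return crashes

# Constructed seed corpus of valid records for the fuzzer to mutate.
SEEDS = [make_record(1, b"hello"), make_record(2, b""), make_record(3, bytes(range(20)))]
```

Running `fuzz(parse_record, SEEDS)` returns the crashing inputs keyed by signature, while `fuzz(parse_record_hardened, SEEDS)` returns an empty dict; each crash sample is a regression test worth keeping once the defect is fixed.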

For now, though, the pattern of exploit and discovery is cyclical. Threat actors become familiar with a subset of exploits and vulnerabilities, such as SQL injection, XSS, or memory leaks. As defenders become familiar with combatting those threats, attackers move to exploiting different techniques and technologies, and the cycle continues. As time goes by and these defenders and attackers leave the workforce, we will likely observe a new generation of threat actors rediscovering the same common weaknesses in new software and technologies, resulting in the reemergence of old zero-days—the cycle will begin anew.

Zero-Day Defense

Zero-day detection and protection are often the go-to claim for new entrants to the cybersecurity market, as they like to promise big results from their solution. That isn’t to say none of them work. However, this topic can easily fall into snake-oil territory. Rest assured that I am not trying to sell you anything but practical guidance on the threat, as detailed below.

  1. Follow best practices. Just because zero-days are maddeningly difficult to defend against does not mean that you should give up on security. Follow industry best practices. While they may not fully neutralize zero-days, they do make it harder for threat actors to conduct activities against your environment, and they give your organization a better chance to detect and respond to zero-day attacks. Rather than idly worrying about potential zero-days, patch and mitigate 1-days, 2-days, 3-days, and so on, to minimize the time your organization remains vulnerable to known attacks.
  2. Use hunt teams and blue teams. Form or contract a hunt team and a blue team to work on zero-day defense strategies.

    The hunt team comprises specialized defenders who do not rely on standard signature-based defenses. Instead, they constantly develop hypotheses about how adversaries could use zero-days or other methods to infiltrate networks. Based on those hypotheses, they hunt using honeypots, behavioral and statistical analysis, predictive threat intelligence, and other customized techniques.

    The blue team comprises specialized defenders who design, test, and implement real defenses. First, they document the information flow of a system or network, and then they build threat models describing real and imagined attacks that could succeed against the current design. Unlike with the hunt team, it is not the blue team’s job to find zero-days. Instead, they evaluate their information and threat models in terms of zero-days to determine how they could effectively mitigate, safeguard, harden, and protect their systems. The blue team exists apart from normal security, operations, and incident response personnel, though the team should review existing incident response reports to determine how defenses failed and how to build proactive defenses against similar future attacks.

  3. Implement dynamic defenses . . . with caution. In recent years, security professionals have made concerted efforts to introduce complex and dynamic defense measures that:
    • Attempt to make a network a moving target—for example, nightly updates
    • Introduce randomization—for example, address space layout randomization (ASLR)
    • Dynamically change on interaction—for example, quantum cryptography
    • Initiate erratic defense conditions or immune response systems

    Some of these dynamic defenses were quite successful initially, but then adversaries developed ways to beat them, rendering them effectively static from a strategic perspective.

    Talk to cybersecurity vendors and practitioners and explore the literature on state-of-the-art dynamic defenses to determine what would work for your organization. Proceed with caution, however, as today’s dynamic defense can become tomorrow’s standard-issue, easily circumvented security layer.

  4. Build a more boring defense. Consider utilizing “boring” systems, coding practices, and implementations in your environment where possible. Started by Google’s BoringSSL open source project,14 the boring defense proposes that simplifying and reducing your code’s attack surface, size, dependency, and complexity—making it boring—will likely eliminate high-value or critical vulnerabilities. Under this practice—which can be effective on a code, application, or system level—code is not elaborate or artful but rather tediously secured and unvaried in structure, with dull and simple implementations. In theory, making code easier for humans and machines to read, test, and interpret makes it less likely that unexpected inputs or events will unearth zero-day vulnerabilities.
  5. Practice denial and deception (D&D). D&D prevents adversaries from obtaining information about your environment, systems, network, people, data, and other observables, and it can deceive them into taking actions that are advantageous to you. Making adversaries’ reconnaissance, weaponization, and exploit delivery harder forces them to spend more time testing, exploring, and verifying that the gap they perceive in your environment truly exists. For example, you could deceptively modify your systems to advertise themselves as running a different OS with different software, such as by changing a Solaris instance to look like a different SELinux OS. (Ideally, you would actually migrate to SELinux, but the logistics of legacy IT systems may keep your organization reliant on old software for longer than desired.) If your deception is effective, adversaries may try to develop and deliver weaponized attacks against your SELinux instance—which will, of course, fail because you’re not actually running SELinux.

    Note that D&D should be applied on top of good security practices to enhance them rather than leveraged on its own to achieve security through obscurity. D&D is a security endgame for extremely mature organizations looking for additional ways to defend systems from persistent threat actors, similar to the “hush-hush tactics” described in Bansenshūkai.15

  6. Disconnect to protect. In its discussion of the disconnect defense, Shōninki teaches you to disconnect from the enemy mentally, strategically, physically, and in every other way.16 In cybersecurity, this means creating a self-exiled blue team that turns completely inward, working in isolation from the world and ignoring all security news, threat intelligence, patches, exploits, malware variations, new signatures, cutting-edge products—anything that could influence their reason, alter their state of mind, or provide a connection with the enemy. If undertaken correctly, the disconnect skill forks the defenders’ thinking in a direction far from the industry standard. Adversaries have trouble thinking the same way as the disconnected defenders, and the defenders develop unique, secret defense strategies that the adversary has not encountered, making it exceedingly difficult for zero-day attacks to work.

    Like D&D, this method is recommended only if you already possess elite cybersecurity skills. Otherwise, it can be counterproductive to alienate yourself from the enemy and operate in the dark.

Recommended Security Controls and Mitigations

Where relevant, recommendations are presented with applicable security controls from the NIST 800-53 standard. Each should be evaluated with the concept of zero-days in mind.

  1. Create custom, dynamic, and adaptive security protections for your organization to fortify security best practices. [AC-2: Account Management | (6) Dynamic Privilege Management; AC-4: Information Flow Enforcement | (3) Dynamic Information Flow Control; AC-16: Security and Privacy Attributes | (1) Dynamic Attribute Association; IA-10: Adaptive Authentication; IR-4: Incident Handling | (2) Dynamic Reconfiguration; IR-10: Integrated Information Security Analysis Team; PL-8: Security and Privacy Architectures | (1) Defense-in-Depth; SA-20: Customized Development of Critical Components; SC-7: Boundary Protection | (20) Dynamic Isolation and Segregation; SI-14: Non-persistence]
  2. Keep records of zero-days, including when and how they are discovered, what technology they target, vulnerability scan results, and their correlation with predicted future zero-days. [AU-6: Audit Review, Analysis, and Reporting | (5) Integrated Analysis of Audit Records; SA-15: Development Process, Standard, and Tools | (8) Reuse of Threat and Vulnerability Information]
  3. Conduct specialized vulnerability scanning, validation, and system testing to assess zero-day security. [CA-2: Assessments | (2) Specialized Assessments]
  4. Contract specialized penetration testers to find zero-days in your software, systems, and other technologies so you can proactively defend against these exploits. [CA-8: Penetration Testing; RA-6: Technical Surveillance Countermeasures Survey]
  5. Threat-model your systems and software to evaluate potential zero-days and assess how you can proactively redesign to mitigate them. Consider implementing “boring” code. [SA-11: Developer Testing and Evaluation | (2) Threat Modeling and Vulnerabilities Analyses; SA-15: Development Process, Standard, and Tools | (5) Attack Surface Reduction; SI-10: Information Input Validation | (3) Predictable Behavior]
  6. Implement custom, diverse, and unique security defenses to mitigate a zero-day’s ability to exploit your systems. [SC-29: Heterogeneity]
  7. Deploy denial and deception campaigns to reduce adversaries’ ability to perform reconnaissance or weaponize and deliver zero-day attacks against your organization. [SC-30: Concealment and Misdirection]
  8. Establish hunt teams and security teams to search for indicators of zero-day attacks and exploits. [SI-4: System Monitoring | (24) Indicators of Compromise]
  9. Conduct regular automated vulnerability scanning to check for 1-days, 2-days, 3-days, and so on. Patch, mitigate, or remediate the vulnerabilities as appropriate. [RA-5: Vulnerability Scanning; SI-2: Flaw Remediation]

Debrief

In this chapter, we reviewed shinobi tradecraft and the secrecy surrounding the exploit techniques they cultivated over centuries. We explored how many of these secret shinobi techniques closely parallel the zero-day exploits and vulnerabilities we observe today. We reviewed the current state of the art and the potential future of zero-day attacks in terms of cybersecurity, cyberwar, and information dominance. This chapter touched on how talking about zero-days can feel pointless but is actually critical to confronting the threat.

In the next chapter, we will discuss hiring the right kind of talent to combat zero-days and threat actors of all kinds. We will review the guidelines the shinobi scrolls offer for recruiting shinobi and explore how we can apply that guidance to attracting cybersecurity talent. There are persistent claims that the cybersecurity industry has a talent shortage problem, and I suspect there was a similar shinobi shortage problem during periods of strife in medieval Japan. The shinobi scrolls explain how to identify who could be trained to be a shinobi operative, a role that was much higher stakes than the office jobs of today. A poor recruitment choice would likely soon die, thus wasting the investment in training while jeopardizing missions and team members’ lives.