First and foremost: I am not a ninja. Nor am I a ninja historian, a sensei, or even Japanese.
However, I did perform cyber warfare for the US Army, where my fellow soldiers often described our mission as “high-speed ninja shit.” That’s when I really started noticing the odd prevalence of “ninja” references in cybersecurity. I wanted to see if there was anything substantive behind the term’s use. I started researching ninjas in 2012, and that’s when I found recent English translations of Japanese scrolls written more than 400 years ago (more on those in the “About This Book” section that follows). These scrolls were the training manuals that ninjas used to learn their craft—not historical reports but the actual playbooks. One of these, Bansenshūkai, was declassified by the Japanese government and made available to the public on a limited basis only after World War II, as the information had been considered too dangerous to disseminate for almost 300 years. In medieval times, non-ninjas were never supposed to see these documents. Bold warnings in the scrolls inform readers to protect the information with their lives. At one time, simply possessing such a scroll was enough to merit execution in Japan. The taboo nature of the material added an undeniable mystique to the reading experience. I was hooked.
After reading more than 1,000 pages of translated source material, it became clear that the instructions and secret techniques meant for ninjas were essentially on-the-ground training in information assurance, security, infiltration, espionage, and destructive attacks that relied on covert access to heavily fortified organizations—many of the same concepts I dealt with every day of my career in cybersecurity. These 400-year-old manuals were filled with insights about defensive and offensive security for which I could not find equivalents in modern information assurance practices. And because they were field guides that laid bare the tactics, techniques, and procedures (TTPs) of secret warfare, they were truly unique. In our business, nation-state cyber espionage units and other malicious actors do not hold webinars or publish playbooks that describe their TTPs. Thus, these ninja scrolls are singular and invaluable.
Cyberjutsu aims to turn the tactics, techniques, strategies, and mentalities of ancient ninjas into a practical cybersecurity field guide. Cybersecurity is relatively young and still highly reactionary. Industry professionals often spend their days defusing imminent threats or forecasting future attacks based on what just happened. I wrote this book because I believe we have much to learn by taking a long view offered in these scrolls of information security’s first advanced persistent threat (APT). The information warfare TTPs practiced by ancient ninjas were perfected over hundreds of years. The TTPs worked in their time—and they could be the key to leapfrogging today’s cybersecurity prevailing models, best practices, and concepts to implement more mature and time-tested ideas.
Each chapter examines one ninja-related topic in detail, moving from a broad grounding in history and philosophy to analysis to actionable cybersecurity recommendations. For ease of use, each chapter is organized as follows:
This book does not seek to provide a comprehensive catalogue of ninja terminology or an extended discourse on ninja philosophy. For that, seek out the work of Antony Cummins and Yoshie Minami, who edited and translated Japan’s ancient ninja scrolls for a contemporary audience. This book references the following Cummins and Minami titles (for more details on each, see the section “A Ninja Primer” on page xxiv):
Cummins and Minami’s work is extensive, and I highly recommend reading it in full. These collections serve not only as inspiration but as the primary sources for this book’s analysis of ninjutsu, from military tactics to how to think like a ninja. Their translations contain fascinating wisdom and knowledge beyond what I could touch on in this book, and they are a thrilling window into a lost way of life. Cyberjutsu is greatly indebted to Cummins and Minami and their tireless efforts to bring these medieval works to the contemporary world.
I believe that talking about issues in the cybersecurity industry comes with at least three baked-in problems. First, even at security organizations, nontechnical decision makers or other stakeholders are often excluded from, lied to about, or bullied out of cybersecurity conversations because they lack technical expertise. Second, many security problems are actually human problems. We already know how to implement technical solutions to many threats, but human beings get in the way with politics, ignorance, budget concerns, or other constraints. Lastly, the availability of security solutions and/or answers that can be purchased or easily discovered with internet searches has changed how people approach problems.
To address these issues, in each chapter, I have presented the central questions at the heart of the topic in the Castle Theory Thought Exercise—a mental puzzle (which you hopefully can’t google) in which you try to protect your castle (network) from the dangers posed by enemy ninjas (cyber threat actors). Framing security problems in terms of defending a castle removes the technical aspects of the conversation and allows for clearer communication on the crux of the issue and collaboration between teams. Everyone can grasp the scenario in which a ninja physically infiltrates a castle, whether or not they can speak fluently about enterprise networks and hackers. Pretending to be the ruler of a castle also means you can ignore any organizational bureaucracy or political problems that come with implementing your proposed solutions. After all, kings and queens do what they want.
There are many cybersecurity ideas in this book. Some are lifted from the original scrolls and adapted for modern information applications. Others are proposed solutions to gaps I have identified in commercial products or services. Still other ideas are more novel or aspirational. I am not sure how the implementations would work on a technical level, but perhaps someone with better perspective and insight can develop and patent them.
If, by chance, you do patent an idea that stems from this book, please consider adding my name as a co-inventor—not for financial purposes but simply to document the origins of the idea. If you have questions about this book or would like to discuss the ideas for practical application, email me at ben.mccarty0@gmail.com.
This brief primer is meant to help shift your notion of what a “ninja” is to the reality depicted in historical evidence. Try to put aside what you know about ninjas from movies and fiction. It’s natural to experience some confusion, disbelief, and cognitive discomfort when confronting evidence that contradicts long-held ideas and beliefs—especially for those of us who grew up wanting to be a ninja.
Ninja went by many names. The one we know in the 21st-century West is ninja, but they were also called shinobi, yato, ninpei, suppa, kanja, rappa, and ukami.2,3 The many labels speak to their reputation for being elusive and mysterious, but really the profession is not hard to understand: shinobi were elite spies and warriors for hire in ancient Japan. Recruited from both the peasantry4 and the samurai class—notable examples include Natori Masatake5 and Hattori Hanzō6—they likely existed in some form for as long as Japan itself, but they don’t appear much in the historical record until the 12th-century Genpei War.7 For centuries after, Japan was beset by strife and bloodshed, during which feudal lords (daimyō8) employed shinobi to conduct espionage, sabotage, assassination, and warfare.9 Even the fifth-century bce Chinese military strategist Sun Tzu’s seminal treatise, The Art of War, stresses the necessity of using these covert agents to achieve victory.10
The ninja were fiercely proficient in information espionage, infiltration of enemy encampments, and destructive attacks; shinobi were perhaps history’s first advanced persistent threat (APT0, if you will). During a time of constant conflict, they opportunistically honed and matured their techniques, tactics, tools, tradecraft, and procedures, along with their theory of practice, ninjutsu. The Bansenshūkai scroll notes, “The deepest principle of ninjutsu is to avoid where the enemy is attentive and strike where he is negligent.”11 So, operating as covert agents, they traveled in disguise or by stealth to the target (such as a castle or village); collected information; assessed gaps in the target’s defense; and infiltrated to perform espionage, sabotage, arson, or assassination.12
With the long, peaceful Edo period of the 17th century, the demand for shinobi tradecraft dwindled, driving ninjas into obscurity.13 Though their way of life became untenable and they took up other lines of work, their methods were so impactful that even today, shinobi are mythologized as some of history’s greatest warriors and information warfare specialists, even being attributed fabulous abilities such as invisibility.
Shinobi knowledge was most likely passed from teacher to student, between peers, and through a number of handbooks written by practicing shinobi before and during the 17th century. These are the ninja scrolls. It’s likely that families descended from shinobi possess other, undisclosed scrolls that could reveal additional secret methods, but their contents have either not been verified by historians or have not been made available to the public. The historical texts we do have are key to our understanding of shinobi, and reviewing these sources to derive evidence-based knowledge helps avoid the mythology, unverified folklore, and pop culture stereotypes that can quickly pollute the discourse around ninjas.
Among the most significant ninja scrolls are:
It is important to develop intellectual empathy with the values and mindset of the ninja, without delving into mysticism or spiritualism. I consider the ninja philosophy to border on hacker-metacognition with undertones of the yin-yang of Shinto-Buddhism enlightenment influence. While familiarity with the underlying philosophy is not necessary for understanding ninja tactics and techniques, learning from the wisdom that informs ninja applications is certainly helpful.
The Japanese word shinobi (忍) is made up of the kanji characters for blade (刃) and heart (心). There are various ways to interpret its meaning.
One is that shinobi should have the heart of a blade, or make their heart into a blade. A sword blade is sharp and strong, yet flexible—a tool designed to kill humans while also acting as an extension of the user’s spirit and will. This dovetails with the Japanese concept of kokoro, a combination of one’s heart, spirit, and mind into one central essence. In this context, the iconography provides insight into the balanced mindset necessary for someone to assume the role of a ninja.
Another interpretation is of a “heart under a blade.” In this reading, the blade is an existential threat. It is also not only the physical threat that endangers a shinobi’s life but also a weapon that closely guards their beating heart. The onyomi (Chinese) reading of 忍 is “to persist,” which highlights the inner strength needed to work as a spy in enemy territory, under constant threat. The shinobi had to perform life-threatening missions that sometimes meant remaining in the enemy’s territory for extended periods before acting—that is, being an advanced persistent threat.
Bansenshūkai declares that shinobi must have “the correct mind” or face certain defeat. Achieving this rarified state means always being present, focused, and conscious of purpose—it is mindfulness as self-defense. Shinobi were expected to make decisions with “benevolence, righteousness, loyalty, and fidelity”14 in mind, even though the result of their craft was often conspiracy and deception. This philosophy had the benefit of calming and focusing shinobi during moments of intense pressure, such as combat or infiltration. “When you have inner peace,” Shōninki states, “you can fathom things that other people don’t realize.”15
“The correct mind” was also believed to make shinobi more dynamic strategists. While other warriors often rushed quickly and single-mindedly into battle, the shinobi’s focus on mental acuity made them patient and flexible. They were trained to think unconventionally, questioning everything; historian Antony Cummins compares this kind of thinking to contemporary entrepreneurial disrupters. If their weapons failed, they used their words. If speech failed, they put aside their own ideas and channeled their enemy’s thought processes.16 A clear mind was the gateway to mastering their enemies, their environment, and seemingly impossible physical tasks.
Shōninki puts it succinctly: “Nothing is as amazing as the human mind.”17
The infiltration techniques detailed in the ninja scrolls illustrate the astonishing effectiveness of the shinobi’s information-gathering processes. They practiced two primary modes of infiltration: in-nin (“ninjutsu of darkness”) refers to sneaking somewhere under cover of darkness or being otherwise hidden to avoid detection, while yo-nin (“ninjutsu of light”) refers to infiltration in plain sight, such as disguising oneself as a monk to avoid suspicion. Sometimes shinobi used one within the other—for instance, they might infiltrate a town in disguise, then slip away and hide in a castle’s moat until the time of attack.
Regardless of whether they used in-nin or yo-nin, shinobi set out to know everything possible about their targets, and they had time-honed methods for gathering the most detailed information available. They studied the physical terrain of their target, but they also studied the local people’s customs, attitudes, interests, and habits. Before attempting to infiltrate a castle, they first conducted reconnaissance to determine the size, location, and function of each room; the access points; the inhabitants and their routines; and even their pets’ feeding schedules. They memorized the names, titles, and job functions of enemy guards, then used enemy flags, crests, and uniforms to sneak in openly (yo-nin) while conversing with their unsuspecting targets. They collected seals from various lords so they could be used in forgeries, often to issue false orders to the enemy’s army. Before they engaged in battle, they researched the opposing army’s size, strength, and capabilities along with their tendencies in battle, their supply lines, and their morale. If their target was a powerful lord, they sought to learn that ruler’s moral code and deepest desires so that the target could be corrupted or played to.18
Shinobi were taught to think creatively via the “correct mind” philosophy. That training made them hyperaware of the world around them and spurred new ways of taking action in the field. For instance, the Shōninki taught shinobi to be more effective by observing the behavior of animals in nature. If a shinobi came to a roadblock or enemy checkpoint, they thought like a fox or a wolf: they did not go over or through it; they displayed patience and went around it, even if the bypass took many miles. Other times, it was appropriate to let themselves be led “like cattle and horses,”19 out in the open, perhaps posing as a messenger or emissary to get close to the enemy, who was likely to overlook people of lower classes. No matter how shinobi felt—even if they were white-hot with anger—they worked to appear serene on the outside, “just as waterfowl do on a calm lake.”20 If they needed to distract a guard from his post, they could impersonate dogs by barking, howling, or shaking their kimonos to imitate the sound of a dog’s shaking.21
Shinobi brought about battlefield innovations that armies and covert operatives still practice to this day, and those methods were successful because of how the shinobi’s tireless reconnaissance and impeccable knowledge of their targets weaponized information and deception.