An Information Security Community
Humans are great at detecting patterns and abstracting knowledge and in successfully applying these patterns and principles to very disparate fields. This can happen for all kinds of small tasks that we have to fulfill on a daily basis.
It can also lead to some of mankind's greatest philosophical models like Taoism, Confucianism and Buddhism.
I could also mention some other religions and philosophies but I want to stick with those three, because those three are all woven into the Chinese martial arts or wushu.
We can apply many principles of Kung Fu (and the underlying philosophies) to defending information and information infrastructure.
And we should apply those principles to IT defense because many folks think only the offensive side is sexy.
Well I think the defensive side is very sexy, too! Think of it as a form of Kung Fu. Who would argue that Kung Fu isn't sexy?
And later on you will also notice that both are two sides of the same coin and that you have to know both to some extent in order to be successful in any of them.
I have been learning Wing Tsun Kung Fu (or Wing Chun) for just over a year now and I can't tell you how awesome it is.
Each and every lesson is a revelation to me because you learn the most astonishing things. And you get a better feeling for your body - which is a good thing for a computer person like me who never was very athletic, nor very agile.
Now let's apply some of what I've learned in that short time to IT defense.
In the philosophy of WingTsun Kung Fu and other martial arts and styles, you often find the principle of three levels, of which the first level is the level of physical self defense.
You strengthen your body and mind. You exercise techniques and learn how to apply them.
You also learn how to prevent a fight and how to de-escalate a situation in the first place.
You learn to accept your opponent as a living and breathing human being and respect him or her as that.
You only hurt your opponent as much as he tries to hurt you. When he is incapacitated, it's over. You don't take revenge.
You learn to be gracious and forgiving. Who knows why the opponent wanted to attack you. Maybe he just had a bad day. Maybe he had the wrong friends or none at all.
When you have mastered that level, the second level is about applying the same principles and exercises to all other aspects of life. This is the strategic and tactical level where it is not about physical combat but about finding your place in life and earning respect and appreciation. But this is only a stepping stone on the way to realizing that all of this is ephemeral and that the root of all evil is the ego.
The last and third level is that of self fulfillment. On that level you don't fight others any more. You realize that you don't need to.
It's the fight within, the struggle of your inner self against bad thoughts and emotions. The struggle against the dark side of ourselves. You learn how to live your life peacefully and in harmony with others and with yourself.
In information security we only need to deal with the first level - at least for now - since this is the level we are at in the infosec industry, although we have a long way to go before we can claim to have mastered it.
Wing Tsun Kung Fu and Blitz Defense for Beginners
Some of the more traditional approaches to teaching Kung Fu to new students had to be adapted to modern law and society. This is why GM Kernspecht of the European Wing Tsun Organisation (EWTO) has created the "Blitz Defense" programme.
In this programme new students learn some basic skills and principles. The first and often most important step is to learn how to not be prey. I cannot stress enough how important that is - and many organisations suck at it in information security.
There are folks out there looking for prey. If you behave like prey, they will pick you out first.
In the Blitz Defense programme you learn that when you are threatened by somebody, you raise your arms in front of you with the palms of your hands facing the opponent. It is a variation of the classic Man-Sao/Wu-Sao (seeking hand, protecting arm) posture of Wing Tsun.
You raise your voice, look him in the eye and tell him in a firm and authoritative manner to leave you alone.
Quite often this is enough to discourage the offender. Remember, he does not look for an even fight, he is looking for prey.
How does that apply to IT defense? Well the military have a good tradition in discouraging folks from attacking their infrastructure. They let everybody know that unauthorized access will be prosecuted with all legal force.
It does not always work, but when you log into a .mil system you will not be able to ignore the banners telling you to get the hell out of there unless you're authorized to be there.
The Open Source Security Testing Methodology Manual (OSSTMM) calls this an "indemnification control".
It could have some value in case of a legal dispute, too. The offender could otherwise argue that he just looked around and did not know it was illegal to log into your system. How could he if you did not tell him?
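A warning banner only counts as an indemnification control if it is actually shown, so the control is worth auditing. The following is an added example, not code from the original post: it parses an OpenSSH sshd_config (one keyword and value per line, full-line "#" comments) and checks that the global Banner directive names an existing, non-empty file. The sample configurations and banner text are constructed; /etc/ssh/sshd_config and /etc/issue.net are the conventional paths on most Linux systems.

```python
"""Audit check: does an OpenSSH server present a warning banner before login?

Added example, not from the original post. Parses the sshd_config format
(keyword value per line, full-line '#' comments) and reports whether the
global Banner directive names an existing, non-empty file. The sample
configurations and banner text below are constructed.
"""
import sys


def parse_sshd_config(text):
    """Return {keyword_lower: value} for the global section of an sshd_config.

    sshd uses the first value it sees for a keyword, so a later duplicate does
    not override an earlier one; setdefault() mirrors that rule. Parsing stops
    at the first Match block, whose directives apply only to matching clients.
    """
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        keyword = parts[0].lower()
        if keyword == "match":
            break
        settings.setdefault(keyword, parts[1].strip() if len(parts) > 1 else "")
    return settings


def check_banner(config_text, read_file):
    """Return (ok, reason). read_file(path) returns the file's text, or None if missing."""
    settings = parse_sshd_config(config_text)
    path = settings.get("banner")
    if path is None or path.lower() == "none":
        return False, "no global Banner directive: nothing warns the user before login"
    content = read_file(path)
    if content is None:
        return False, "Banner points at %s but that file is missing" % path
    if not content.strip():
        return False, "Banner file %s is empty" % path
    return True, "Banner file %s is shown before authentication" % path


def read_from_disk(path):
    """Filesystem reader for a real host; the demo below uses an in-memory dict instead."""
    try:
        with open(path, encoding="utf-8", errors="replace") as fh:
            return fh.read()
    except OSError:
        return None


# Constructed samples: a compliant config (the duplicate 'Banner none' is ignored
# by sshd), one with the directive commented out, and one that only sets a
# banner inside a Match block.
SAMPLE_GOOD = "# constructed sshd_config\nPort 22\nBanner /etc/issue.net\nBanner none\n"
SAMPLE_COMMENTED = "Port 22\n#Banner /etc/issue.net\n"
SAMPLE_MATCH_ONLY = "Port 22\nMatch User deploy\n    Banner /etc/issue.net\n"
SAMPLE_FILES = {"/etc/issue.net": "Unauthorized access is prohibited and will be prosecuted.\n"}

if __name__ == "__main__":
    if len(sys.argv) > 1:
        # Audit a real host: python3 banner_check.py /etc/ssh/sshd_config
        text = read_from_disk(sys.argv[1]) or ""
        print(check_banner(text, read_from_disk))
    else:
        for name, text in (("good", SAMPLE_GOOD), ("commented", SAMPLE_COMMENTED),
                           ("match-only", SAMPLE_MATCH_ONLY)):
            print(name, check_banner(text, SAMPLE_FILES.get))
```

The reader function is passed in so the same check runs against constructed samples offline and against the real files on a host; a banner that is configured but points at a missing or empty file is reported as a failure, since in that case the user sees nothing.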
In Blitz Defense it is the same. You warn the offender, you tell him to leave you alone, you go back one step with each of his approaching steps. You step back three times. If he still approaches you, his fourth step will be a step right into your punch.
The act of warning, stepping back three times and then attacking before the opponent attacks you is what it's all about in "Blitz Defense".
However that part of attacking the attacker before he can hit you is something you can't do in IT defense.
It is already problematic in physical self defense but it is a complete no-go in IT defense.
You can't attack back. Well you can but it would be very problematic if not even illegal.
And then you can't know for sure if the attacking system isn't a victim that's only used by the offender as a launching pad.
So you cannot apply the attacking part of Blitz Defense. But we can apply a higher technique that in Wing Tsun is something you learn much later: anticipation and deflection. This is when you have advanced to a state where you don't need to attack first any more but you can let the attacker attack you and you just fully cooperate with whatever he's doing, only that you don't let yourself get hurt. You free yourself of your own force, you use the force of your opponent against him and you just add that little extra force needed to break his balance.
In the world of IT defense this can be achieved by countermeasures like those proposed by Paul Asadoorian and others.
One example would be using tools like spidertrap that defeat web security scanners and crawlers, or using honeypots and all kinds of tar pits and tools of deception. The goal of these is to give the opponent something to chew on, thus diverting him away from the real targets. Another cool effect is that you can collect evidence, watch the attacker and maybe determine from his behavior what he's after.
Mastering the First Level
As stated above, the first level is all about physical self defense, training, exercise, health and agility.
How does this apply to information security?
Well it's quite obvious - nothing comes from nothing.
Kung Fu is about discipline, sweat and labor and building a strong will.
If you want to be successful in defending your IT as an organisation, you have to first become aware that you are indeed a target. You then have to make the decision that you will not be prey. Build your IT security posture around that thought and philosophy. These two fundamental steps have to be made by the leaders of the organisation. Only then will it become part of the security culture of the whole organisation. Find out if your CEO or CIO performs a martial art.
If they do, you will have no problem explaining all of the above to them.
Then you will have to learn how to attack - because we have to know how to attack in order to be able to defend.
Attack as defense and defense as an attack - only that we don't attack the attacker but our own infrastructure.
By learning how to attack your own IT infrastructure you will learn about your own "anatomy" and your weak spots.
You can then build defenses around those weak spots, before you learn how to strengthen them.
The ultimate goal is to build up your strength within - to become resilient to attacks even if your defenses are down.
When we have a look at the industry from that perspective, we are still in the phase of building our defenses around the weak spots. We put up defenses like firewalls and antivirus. But the opponent is one step further with his Kung Fu skills.
He knows how to navigate around our defenses. We have put forward our Wu-Sao (protecting arm) but he just circles around that and hits us from the side.
As GGM Leung Ting said - each technique has its counter.
We implement Data Execution Prevention (DEP) and Address Space Layout Randomization (ASLR) in order to protect our otherwise vulnerable software from being exploited. But the bad guys just move to another attack vector. The bad guys don't care what they attack technically. They are after data or money or simply after control over other computers in order to use them as launching pads, as storage devices for illegal stuff or to use their computing power (e.g. to crack passwords).
The industry today is slowly advancing to the next phase within the first level. We proactively think about how our own defenses could be circumvented, e.g. using return oriented programming to circumvent ASLR and DEP.
Some are looking for new ways to build better resilience and greater inner strength. One first step is to prevent the introduction of well understood vulnerabilities during the development process.
Frameworks that separate data from executable code and programming languages that don't allow buffer overflows to happen can help a great deal in achieving that.
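The "separate data from executable code" principle above, as an added example (not code from the original post) using SQL as one concrete instance: the first lookup builds the statement text out of caller input, so the input can change what the statement means; the second hands the input to the driver as a bound parameter, which the engine treats purely as a value. The table, its rows and the inputs are constructed.

```python
"""Separating data from executable code, shown with SQL as one instance.

Added example, not from the original post. The users table, its rows and
the lookup inputs are constructed. lookup_unsafe() splices input into the
statement text; lookup_safe() binds it as a parameter that the database
engine never parses as SQL.
"""
import sqlite3


def make_db():
    """In-memory database with a small constructed users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT NOT NULL, role TEXT NOT NULL)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "admin"), ("bob", "staff"), ("carol", "staff")])
    return conn


def lookup_unsafe(conn, name):
    """Data and code mixed: quote characters inside `name` are read as SQL syntax."""
    sql = "SELECT name FROM users WHERE name = '" + name + "' ORDER BY name"
    return [row[0] for row in conn.execute(sql)]


def lookup_safe(conn, name):
    """Data kept apart from code: the statement is fixed, `name` is bound as a value."""
    rows = conn.execute("SELECT name FROM users WHERE name = ? ORDER BY name", (name,))
    return [row[0] for row in rows]


# Constructed input containing quote characters. No user has this name, so a
# lookup that keeps data and code apart must return nothing for it.
ODD_INPUT = "x' OR 'a'='a"


def compare(name):
    """Return (unsafe_result, safe_result) for the same input, for side-by-side reading."""
    conn = make_db()
    try:
        return lookup_unsafe(conn, name), lookup_safe(conn, name)
    finally:
        conn.close()


if __name__ == "__main__":
    print("ordinary input:", compare("bob"))
    print("odd input:     ", compare(ODD_INPUT))
```

For ordinary names both lookups agree; for the odd input the string-built statement returns every row because the quotes in the input became part of the statement, while the parameterised one returns nothing. That difference is exactly what a framework that separates data from executable code removes, in the same way that a language without raw buffer writes removes the buffer overflow class.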
Other folks like Dancho Danchev apply the principle of "know your enemy" by analyzing the offender's methods, techniques, their culture and their goals and motivations. This is an important step for reaching the next phase within the first level, too.
So you see, there are many things you can learn from martial arts and apply to the art of IT defense, and I am thrilled to learn more each day. Whether or not you are working in information security, I recommend that you learn a martial art, because it's good for your health, it's fun and you learn many things that you can apply in everyday life.
Neo: "You mean I could dodge bullets...?"
Morpheus: "No! When you are ready, you won't have to."