Application of Classical Military Strategy on Modern OT Defense

Dean Macris

Aug 20, 2024

Article
This is a reprint of a talk given by our CISO Dean Macris at BlackHat 2024.

Since the beginning of information security, the industry has used military parallels to organize defense, learning from the experience of traditional warfare. With that in mind, it is helpful to look back at the classical Western military theorist Carl von Clausewitz to help foster both operational technology cyber defense and national defense against an evolving threat landscape.

Defense-in-depth and the OODA loop are two military parallels often cited in information security. Defense-in-depth can be described with a castle analogy. A castle has multiple layers of defense and limited, controlled methods of entry and exit. As you pass the moats, walls, and towers, you travel from low-trust areas to high-trust areas where the most valuable resources are layered. We can imagine that this model breaks down with distributed workforces, hybrid cloud environments, and the need to always have resources available. The problem is less how to secure a castle in London than how to secure the city of London.

The OODA loop was coined by John Boyd after the Korean War to explain why some pilots with the same training and physical attributes ended up winning the majority of encounters. He theorized that the winning pilots were faster at moving through the process of:

  • Observing the situation.

  • Orienting to the scenario based on previous experience and current observation.

  • Deciding on the best course of action.

  • Acting.

The "Observe - Orient - Decide - Act" (OODA) loop has been adopted in diverse industries, from finance to power plants. In information security, it describes the ability to see each security incident as novel and needing investigation while also drawing from experience to help guide response.

Needless to say, countless other parallels can be drawn, some of which come from more historical sources. Classical military theorist Carl von Clausewitz was a Prussian general during the Napoleonic Wars. His wife, Marie von Clausewitz, compiled his works into a 10-volume book, "On War," that has become the Western standard for military theory. It contains hundreds of tactics, strategies, and ideas about warfare, and three are especially relevant to defending Operational Technology infrastructure: mobility, deception, and hardening. The original text of "On War" is available on Project Gutenberg.

Mobility

"The defending party, both in tactics and in strategy, is supposed to be waiting in expectation, therefore standing, whilst the assailant is imagined to be in movement, and in movement expressly directed against that standing adversary." (CvC -- Volume 5 Chapter 4)

Von Clausewitz did not consider that a defensive position could be mobile, but he did consider movement and maneuver core tenets of success in military actions. Most of the major battles during World War II in the Pacific proved that movement, maneuver, and mobility were decisive in achieving positive outcomes in battle. When defensive tactics include the ability to move resources, those resources are more difficult to target and more difficult to attack.

Deception

"Stratagem implies a concealed intention, and therefore is opposed to straightforward dealing, in the same way as wit is the opposite of direct proof. It has, therefore, nothing in common with means of persuasion, of self-interest, of force, but a great deal to do with deceit, because that likewise conceals its object" (CvC -- Volume 3 Chapter 10)

"The deceiver by stratagem leaves it to the person himself whom he is deceiving to commit the errors of understanding which at last, flowing into _one_ result, suddenly change the nature of things in his eyes." (CvC -- Volume 3 Chapter 10)

In information security, you can outwit intruders by keeping your network moving and changing. Then you can layer in more active defense; many of us know this as a honeypot or honeynet. Black Security did a great job in their free course on Active Defense, stating that you can leave poison on a network, allowing intruders to take it freely. In reality, there is no better way to gain the upper hand on an adversary than to do the basics excellently and then layer (the defense in depth of the modern age) active defense on top: infrastructure that is always moving and changing, with poison left behind. It is the moment when the hunter becomes the hunted, and there is no more powerful defense technique than fear.
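The "poison" idea above is easiest to see as decoy credentials: accounts that are seeded on purpose, that no legitimate process ever uses, so that any authentication attempt against them is a high-fidelity signal. The following is an added example, not code from the talk or from Dispel; the decoy account names, host names, addresses and the sshd-style log lines are all constructed for illustration.

```python
import re
from dataclasses import dataclass

# Decoy ("poison") identities seeded on purpose; nothing legitimate ever uses them.
# Constructed values for this example.
DECOY_ACCOUNTS = {"svc_backup_old", "plc_admin_legacy"}

# Constructed sshd-style auth log lines; the 10.10.9.77 entries are the intruder.
SAMPLE_AUTH_LOG = """\
Aug 20 10:01:12 hmi-01 sshd[2231]: Accepted publickey for operator from 10.10.5.14 port 50112 ssh2
Aug 20 10:03:44 hmi-01 sshd[2240]: Failed password for svc_backup_old from 10.10.9.77 port 41022 ssh2
Aug 20 10:03:51 hmi-01 sshd[2240]: Failed password for svc_backup_old from 10.10.9.77 port 41022 ssh2
Aug 20 10:05:02 eng-ws-03 sshd[911]: Accepted password for plc_admin_legacy from 10.10.9.77 port 41100 ssh2
Aug 20 10:06:30 hmi-01 sshd[2255]: Failed password for invalid user admin from 10.10.9.77 port 41201 ssh2
"""

# Matches both "Accepted <method> for <user> from <ip>" and
# "Failed <method> for [invalid user] <user> from <ip>" lines.
AUTH_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s[\d:]+)\s(?P<host>\S+)\ssshd\[\d+\]:\s"
    r"(?P<result>Accepted|Failed)\s\S+\sfor\s(?:invalid user\s)?(?P<user>\S+)\sfrom\s(?P<src>[\d.]+)"
)


@dataclass(frozen=True)
class Alert:
    ts: str
    host: str
    user: str
    src: str
    result: str


def find_decoy_use(log_text, decoys=DECOY_ACCOUNTS):
    """Return one Alert per auth event that names a decoy account.

    Failed and successful attempts are both alerts: a decoy account has no
    legitimate use, so even a wrong-password attempt means someone found it.
    """
    alerts = []
    for line in log_text.splitlines():
        m = AUTH_RE.match(line)
        if not m:
            continue
        if m["user"] in decoys:
            alerts.append(Alert(m["ts"], m["host"], m["user"], m["src"], m["result"]))
    return alerts


def summarize_sources(alerts):
    """Group alerts by source address so one intruder touching several decoys is one finding."""
    by_src = {}
    for a in alerts:
        by_src.setdefault(a.src, set()).add((a.host, a.user))
    return by_src


if __name__ == "__main__":
    hits = find_decoy_use(SAMPLE_AUTH_LOG)
    for src, touched in summarize_sources(hits).items():
        print(f"decoy credential use from {src}: {sorted(touched)}")
```

The ordinary failed login for "admin" is deliberately not alerted on: it is noise that every exposed host sees, whereas a decoy account produces zero legitimate events, which is what makes the detection cheap to triage.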

Hardening

The first type of hardening is traditional fortification.

"Therefore, amongst a number of great roads leading from the enemy's country into ours, we should first of all fortify that which leads most directly to the heart of our dominions, or that which, traversing fertile provinces, or running parallel to navigable rivers, facilitates the enemy's undertaking, and then we may rest secure." (CvC -- Volume 6 Chapter 11)

In information security, traditional hardening means basic cyber hygiene and doing the basics excellently. Hardening endpoints is one of the most potent defenses, yet few establishments outside of massive organizations and the government do an adequate job of it. The "roads" that Clausewitz mentions are what we need to consider when hardening our resources and networks. As basic as it is, this is a challenging task. In an OT setting it matters even more, because our management endpoints really do "lead ... directly to the heart of our dominions," so assuring a fully hardened system is the essential starting point for good network security.

The second type of hardening is reducing the ability to live off the land.

"Wellington, in his entrenched camp at Torres Vedras, waited till hunger, and the severity of the weather, had reduced Massena's army to such extremities that they commenced to retreat of themselves, the sword of the defensive party had no share in the weakening of the enemy's army." (CvC -- Volume 6 Chapter 8)

As reported by CISA regarding the persistence achieved by Volt Typhoon in IT networks related to critical infrastructure, it is clear that the more there is for attackers to live off the land with, the less they need to bring in to maintain persistence. This is related to the idea of hardening, but it is also about minimizing what is available in the environment. If you scan monthly for vulnerabilities, why do networks have scanners up and running all the time? How are those scanners authenticated to central management, and do you have the same insight into them as you would into a regular workstation? We give attackers far too many places to hide. It could be legacy hardware or some outdated monitoring software. Consider salting the earth of your network and looking at how an attacker could use every tool if they get access.
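One way to make "salting the earth" routine is to keep an explicit justification for every administrative tool and resident agent on the network, and to audit the live inventory against it: a tool with no justification on that host, an on-demand tool (such as a monthly vulnerability scanner) left running long after its last use, or any tool with no endpoint telemetry is a place to hide. The following is an added example, not code from the talk or from Dispel; the inventory, the policy and the tool and host names are constructed for illustration, and the policy schema is this example's own assumption.

```python
from datetime import date

# Constructed inventory: what is present on each host, whether it is resident,
# when it was last legitimately used, and whether it has endpoint telemetry.
INVENTORY = {
    "scan-01": [
        {"tool": "vuln-scanner", "running": True, "last_used": "2024-07-15", "monitored": False},
    ],
    "eng-ws-03": [
        {"tool": "psexec", "running": False, "last_used": "2023-11-02", "monitored": True},
        {"tool": "remote-admin-agent", "running": True, "last_used": "2024-08-19", "monitored": True},
    ],
    "hist-legacy-01": [
        {"tool": "netmon-2015", "running": True, "last_used": "2022-01-10", "monitored": False},
    ],
}

# Constructed policy (assumed schema): which hosts each tool is justified on, and
# whether it may stay resident ("always") or must be stopped outside its use window ("on_demand").
POLICY = {
    "vuln-scanner": {"hosts": {"scan-01"}, "mode": "on_demand", "window_days": 7},
    "remote-admin-agent": {"hosts": {"eng-ws-03"}, "mode": "always"},
}


def audit(inventory, policy, today):
    """Return (host, tool, reason) findings for everything an attacker could live off.

    Three classes of finding:
      - the tool has no justification on this host at all;
      - an on-demand tool is still resident well past its last legitimate use;
      - the tool is present but has no telemetry, so misuse would go unseen.
    """
    findings = []
    for host, tools in inventory.items():
        for t in tools:
            name = t["tool"]
            rule = policy.get(name)
            idle_days = (today - date.fromisoformat(t["last_used"])).days
            if rule is None or host not in rule["hosts"]:
                findings.append((host, name, "unjustified: remove or document"))
            elif rule["mode"] == "on_demand" and t["running"] and idle_days > rule["window_days"]:
                findings.append((host, name, f"resident {idle_days}d since last use: stop outside its window"))
            if not t["monitored"]:
                findings.append((host, name, "no endpoint telemetry: same visibility as a workstation"))
    return findings


if __name__ == "__main__":
    for host, tool, reason in audit(INVENTORY, POLICY, date(2024, 8, 20)):
        print(f"{host:16} {tool:20} {reason}")
```

Run against the constructed data with a fixed "today" of 2024-08-20, the scanner is flagged twice (36 days resident after its last use, and no telemetry), the dormant psexec copy and the legacy network monitor are flagged as unjustified, and the legacy monitor is also flagged for lack of telemetry; the justified, monitored admin agent produces nothing.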

Conclusion

When taking a cross-functional look at our cybersecurity problem, we can learn a lot. One lens is the military's defensive tactics and strategies. Aligning Operational Technology networks with Carl von Clausewitz on the fronts of Mobility, Deception, and Hardening can only add a few conceptual tools to a toolbox that is usually full of vendor solutions.

