
Cybersecurity Lessons From Kung Fu

I remember my first Kung Fu lesson. It left me almost sick from exhaustion. It also taught me a valuable lesson that proved to be very applicable to information security. In the midst of all the blocking of his punches and kicks, my instructor mentioned that this was the worst way to deal with an attack; rather, I should focus on not being there when the hit lands.

At first that seemed like bad martial arts movie philosophy, but I came to realize the profound truth of the concept. Blocking an attack has several drawbacks. If you miss, you get hit, and even if you succeed, the attack might make it through anyway. Worse still, if the attacker is strong you could get hurt by the act of blocking. This last possibility was literally brought home to me when my father broke his arm trying to block my mother's roundhouse kick. In this game of rock-paper-scissors, shin bone beats arm bone.

In place of blocking, there are three ways to “not be there” when the strike arrives: you can dodge the attack, you can stay out of range of the attack, or you can avoid the fight in the first place. The last is obviously the best choice since it prevents all of the strikes. Each of these strategies has a counterpart in cybersecurity.

Blocking is very much like conventional security approaches, where we try to detect the attack and prevent it from causing damage. Detection frequently fails against new malware or exploits; when it fails, we have missed the block. Like bruising your arms in a block, detection also imposes a cost even when it works: false positives. When legitimate content and activities are prevented as a side effect of the security control, it damages productivity, and reacting to alerts about events that could have been avoided altogether takes up our time and attention.

Dodging an attack means arranging things so that the attack lands but finds nothing it can affect. If the exploit coming at you cannot execute on what it hits, it cannot cause damage or establish a foothold.

For now, the vast majority of malware and exploits launched at endpoints target Windows and macOS desktop operating systems and the software running on them. By running a different operating system, or a less common application, many of those attacks simply fail. For example, weaponized PDF files have been a common attack vector for years, and most of them exploit a vulnerability specific to Adobe Acrobat or Reader. Open the same file in a different PDF reader and that particular exploit is inert; the other reader has bugs of its own, but not the one the attacker packaged. There is no easy way to avoid using the major browsers, all of which are heavily targeted, but changing the operating system underneath the browser provides similar protection: even if the browser is exploited, a second-stage payload built for Windows will not run on an iPad or a Linux machine. This need not require the user to run an alternative OS as their primary desktop. The vulnerable application can be run inside a virtual machine with a less frequently attacked OS, leaving the user with the familiar, if heavily targeted, OS as their primary interface.

Dodging is not a perfect strategy. It is diversity, not immunity: the attacker may adapt, with a cross-platform exploit or a payload ported to whatever you run, or the dodge may simply fail. Keeping out of range is more robust.

In kung fu, an attacker is limited by the length of their limbs and the speed with which they can advance. As long as you are far enough away you cannot be hit. Similarly, we can move our vulnerable attack surfaces farther from our valuable data and infrastructure. If the thing the attacker can touch is out of reach of the things you want to safeguard, those things are protected from any immediate risk. Isolation through virtualization, either on the endpoint or on a remote server, can provide this distance. The virtual environment must be compromised, and then the hypervisor boundary crossed, before the attacker can reach the user's actual desktop; how much that boundary leaks (shared folders, clipboard, credentials and documents carried into the guest) decides how far away the desktop really is. Because this virtualization approach combines naturally with the dodging approach (a guest OS the payload was not built for), the cumulative protection is even stronger. We can keep stepping back as the attacker advances by destroying and re-creating the virtual machine, which forces the attacker back to a safe distance, and we can do that per session or on a schedule even when we have not detected the attack. I could probably make a comparison to fighting ninjas but that might be taking the analogy too far.

Avoiding the attack completely can be as tricky online as it is on the streets. Many of the most damaging cyber attacks are highly targeted. The attackers have selected their target based on a combination of value and apparent vulnerability. They try to reach out and hit their identified target while avoiding bystanders. They do this not because they care about collateral damage but because they don't want to be discovered: if they avoid detection they can stay in the compromised organization longer, and their tools will not be fingerprinted and added to our detection systems. This targeting cuts both ways. If the intended victim cannot be recognized, the trigger never fires. While many targeted attacks are delivered directly through email, others wait for their intended prey to pass by. A website or WiFi access point is configured to launch its malware only at devices that match very specific criteria, such as an IP address (and the organization it resolves to), cookies, a browser fingerprint, an account name, or other personal information. If you don't present the identifiers they are looking for, nothing happens. This is exactly what we want. It will not avoid every attack, but preventing identification by random websites and devices can stop many of the most damaging events before any hostile action is taken.
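The selective targeting described above can be made concrete by measuring how much each client attribute singles a visitor out. The following is an added example, not code from the column or from Anonymizer/Ntrepid, and it uses a constructed population of client profiles rather than real telemetry; the attribute names, the two profiles and the targeting rule are all assumptions made for illustration. It computes a Panopticlick-style surprisal per attribute and the size of a profile's anonymity set, then shows that a watering-hole rule keyed on rare attributes fires on the distinctive profile and not on the same person browsing from a generic, disposable environment.

```python
"""Added example (not from the original column): how identifiable is a
client profile, and whom does a selective watering-hole rule fire on?"""
import math

# Attributes a site can observe passively or via script (assumed set).
ATTRIBUTES = ("ip_org", "user_agent", "timezone", "screen", "fonts_hash")


def _profile(ip_org, user_agent, timezone, screen, fonts_hash):
    return {"ip_org": ip_org, "user_agent": user_agent, "timezone": timezone,
            "screen": screen, "fonts_hash": fonts_hash}


# Constructed population of 100 visitors to a site (made up for this
# example; a real population is far larger and more varied).
POPULATION = (
    [_profile("residential-isp", "Chrome/124 Windows", "UTC-5", "1920x1080", "f0")] * 40
    + [_profile("residential-isp", "Safari/17 macOS", "UTC-8", "2560x1600", "f1")] * 25
    + [_profile("residential-isp", "Chrome/124 Windows", "UTC-8", "1366x768", "f0")] * 20
    + [_profile("big-cloud-provider", "Firefox/125 Linux", "UTC", "1920x1080", "f2")] * 10
    + [_profile("acme-defense-corp", "Chrome/124 Windows", "UTC-5", "1920x1080", "f3")] * 4
    + [_profile("acme-defense-corp", "Edge/124 Windows", "UTC-5", "1920x1200", "f3")] * 1
)

# The intended victim, seen from their corporate desktop (assumed values).
TARGET = _profile("acme-defense-corp", "Edge/124 Windows", "UTC-5", "1920x1200", "f3")
# The same person browsing from a stock Linux VM behind a shared egress
# address, so the site sees nothing that points back to them.
HARDENED = _profile("big-cloud-provider", "Firefox/125 Linux", "UTC", "1920x1080", "f2")
# Model of the attacker's selector: every listed attribute must match.
RULE = {"ip_org": "acme-defense-corp", "user_agent": "Edge/124 Windows"}


def attribute_surprisal(profile, population):
    """Bits of identifying information in each attribute value,
    -log2(fraction of the population sharing that value). A value nobody
    else has is maximally identifying (reported as inf)."""
    n = len(population)
    bits = {}
    for attr in ATTRIBUTES:
        shared = sum(1 for p in population if p[attr] == profile[attr])
        bits[attr] = math.inf if shared == 0 else -math.log2(shared / n)
    return bits


def total_bits(profile, population):
    """Sum of per-attribute surprisal. This treats attributes as independent,
    which overstates the true uniqueness; it is a ranking aid, not a proof."""
    return sum(attribute_surprisal(profile, population).values())


def anonymity_set(profile, population):
    """Number of visitors whose full profile is identical to this one.
    A set of size 1 means the site can pick this visitor out exactly."""
    return sum(1 for p in population
               if all(p[a] == profile[a] for a in ATTRIBUTES))


def would_fire(profile, rule):
    """Would a selective watering hole with this rule deliver its payload?"""
    return all(profile.get(attr) == value for attr, value in rule.items())


def victims_of(rule, population):
    """How many visitors in the population the rule would fire on."""
    return sum(1 for p in population if would_fire(p, rule))


if __name__ == "__main__":
    for name, prof in (("target", TARGET), ("hardened", HARDENED)):
        print(f"{name}: anonymity set {anonymity_set(prof, POPULATION)}, "
              f"{total_bits(prof, POPULATION):.1f} bits, "
              f"rule fires: {would_fire(prof, RULE)}")
    print(f"rule fires on {victims_of(RULE, POPULATION)} of {len(POPULATION)} visitors")
```

Reading the output: the corporate profile is unique in this population and the rule fires on it alone, which is exactly the "hit the target, avoid bystanders" behaviour the column describes; the disposable-VM profile shares its full fingerprint with ten other visitors and matches none of the rule's criteria, so the site has nothing to key on. The attributes with the highest surprisal (here the organization behind the IP address and the uncommon browser and screen combination) are the ones worth hiding or normalizing first.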

Whether in a bar or on the street, on the dark web or a major news site, the lesson my Kung Fu instructor taught me on that first day can go a long way to keeping you safe. Avoid the attack completely if possible. Prevent targeted attacks by not looking like a victim. Keep your distance by moving the available attack surface away from your data and infrastructure. Dodge the attack by presenting an attack surface that is not vulnerable to the malware, exploits and other attacks you will encounter. Only if all this fails will you need to rely on those blocks I practiced until I was a quivering blob on the floor. Detection and malware blocking and removal tools can be your last line of defense, needed only if all the other strategies fail.

Lance Cottrell founded Anonymizer in 1995, which was acquired by Ntrepid (then Abraxas) in 2008. As Chief Scientist, Lance continues to push the envelope with the new technologies and capabilities required to stay ahead of rapidly evolving threats. Lance is a well-known expert on security, privacy, anonymity, misattribution and cryptography. He speaks frequently at conferences and in interviews. Lance is the principal author on multiple Internet anonymity and security technology patents. He holds an M.S. in physics from the University of California, San Diego and a B.S. in physics from the University of California, Santa Cruz. In his spare time Lance grows high-end pinot noir grapes in the Russian River Valley AVA.