Usually attributed to the ancient treatise The Art of War by Sun Tzu, the phrase “Know your enemy” is often repeated in military and security environments and is given as guidance to junior level staff in these environments. While it is good guidance, this article will explore why it is incomplete and why this is important.
One reference gives the full quotation, rendered in modern Chinese script as “故曰：知彼知己，百戰不殆；不知彼而知己，一勝一負；不知彼，不知己，每戰必殆” complete with the English translation:
“So it is said that if you know your enemies and know yourself,
you can win a hundred battles without a single loss.
If you only know yourself, but not your opponent, you may win or may lose.
If you know neither yourself nor your enemy, you will always endanger yourself.”
The full quotation provides much fuller and richer guidance and it is important to consider the meaning and impact of the full text. Below I will examine each sentence from the English translation.
“If you know neither yourself nor your enemy, you will always endanger yourself.”
The third sentence reminds us that lack of knowledge is dangerous. If you do not know your own capabilities, structures, processes, strengths and weaknesses, it is unlikely that you will be able to use your resources effectively or to resist having your own weaknesses exploited. A lack of knowledge about your enemy could lull you into a false sense of security, or lead you to overestimate the abilities of your enemy, perhaps causing you to direct defences where the attacker is weakest and the attack least likely to succeed even without your efforts. For example, you would not want to concentrate all your defences on a Windows exploit being run against a Linux server. In short, you are totally unprepared for the battle and you may well contribute to your own defeat by making incorrect decisions!
“If you only know yourself, but not your opponent, you may win or may lose.”
The second sentence reminds us that it is only slightly better to know your own strengths and weaknesses. While you will know what you have to work with, and how best to engage your resources, you will not be prepared for the actions of your opponent, so it is unlikely that you will be able to direct those resources to best effect against the threat. Your opponent will be able to surprise you, and you will thus struggle to take the initiative. As you will be unlikely to anticipate the actions of your enemy, they will find it easier to exploit your weaknesses. Put another way, you will likely be ‘behind the game’ for much of the time and the enemy will dictate the battle.
“…know your enemies and know yourself…”
The first sentence brings this together and essentially advises that you must know yourself and your enemy. This allows you to predict the strategy and attacks of your enemy and counter them with your defences quickly and effectively. While doing this you should also be able to start active defences. For example, you can implement a honeypot to direct them away from your real assets. You may even be able to counter-attack, directing your strengths at the weak areas of your attacker. For example, you can initiate civil action against the ISP that your attacker is using to launch the attack. At the very least you will keep them guessing and they will have to divert resources from attacking you to try to predict or interpret your actions. At its most effective, this will allow you to deflect or counter most attacks quickly and effectively.
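The honeypot mentioned above is the kind of active defence that needs very little code to be useful. The following is an added example, not code from the article or its author: a low-interaction TCP decoy that listens on a port no legitimate client should use, presents a constructed banner, records who connected and what they sent, and never provides a real service. The banner, the event schema and the port used in the stand-alone run are all assumptions made for illustration.

```python
"""Low-interaction TCP honeypot: a decoy service that records every contact.

Added example, not the article's own code. The banner, the port in the
__main__ block and the event schema are all constructed for illustration.
"""
import datetime
import socket
import threading

# Constructed banner; generic on purpose, not a real product's version string.
DEFAULT_BANNER = b"220 decoy.example.internal service ready\r\n"


def make_listener(host="127.0.0.1", port=0):
    """Bind a listening socket. Port 0 lets the OS choose a free port."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    sock.bind((host, port))
    sock.listen(5)
    return sock


def record_event(peer, data):
    """Build the alert record for one contact (hypothetical schema)."""
    return {
        "time": datetime.datetime.now(datetime.timezone.utc).isoformat(),
        "src_ip": peer[0],
        "src_port": peer[1],
        "bytes": len(data),
        # Bounded, printable preview only; nothing received is ever parsed as a command.
        "preview": data[:64].decode("ascii", errors="replace").strip(),
        # A decoy has no legitimate users, so any contact deserves an analyst's attention.
        "severity": "high",
    }


def accept_one(listener, banner=DEFAULT_BANNER, timeout=2.0):
    """Accept a single connection, send the banner, read up to 1 KiB, return the event."""
    conn, peer = listener.accept()
    with conn:
        conn.settimeout(timeout)
        try:
            conn.sendall(banner)
            data = conn.recv(1024)
        except (socket.timeout, OSError):
            data = b""  # a bare connect with no payload is still worth recording
    return record_event(peer, data)


def demo(payload=b"HELO scanner\r\n"):
    """Round trip on localhost: serve one decoy connection and act as the client.

    Returns (banner the client saw, event the honeypot recorded).
    """
    listener = make_listener()
    box = {}
    server = threading.Thread(target=lambda: box.update(accept_one(listener)))
    server.start()
    with socket.create_connection(listener.getsockname()) as client:
        seen_banner = client.recv(1024)
        client.sendall(payload)
    server.join(timeout=5)
    listener.close()
    return seen_banner, box


if __name__ == "__main__":
    # Constructed port choice for a stand-alone run; pick one no real service on the host uses.
    sock = make_listener(host="0.0.0.0", port=2222)
    while True:
        print(accept_one(sock))
```

In production the event records would go to the SIEM rather than to `print`, and the listener would sit on an address range the real assets do not use, so that a single alert from it carries a high signal-to-noise ratio.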
Many organisations expend time and effort conducting threat identification and analysis. This is important but only helps you understand your enemies. Technical vulnerability analysis is slightly better in that it helps you understand your weaknesses. It is equally important, but less common, for organisations to spend time studying themselves. Your own strengths, weaknesses and vulnerabilities contribute as much to the outcome of any battle as do those of your enemy, but you have far greater ability to know yourself. Use the opportunity before an attacker does!
To help you start your journey of discovery, I have listed some recommended activities to help you “Know your enemy” and “Know yourself”:
Know your enemy
- Threat identification and analysis
- Future threats and trends intelligence gathering
- Research hacking and attack tools
- Install detection and warning systems (e.g., intrusion detection/prevention systems)
- Consider implementing honeypots or honeynets
Know yourself
- Conduct vulnerability scans and penetration tests
- Review and test the incident process, including staff contact details
- Ensure that the asset register and Configuration Management Database (CMDB) are current and complete
- Create baselines for normal conditions (e.g., network utilisation, normal traffic flows)
- Review patching and anti-malware update processes to identify any weaknesses
- Engage specialist incident management/forensic support (on retainer or pre-paid to ensure quick response when needed)
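Two of the “Know yourself” activities, keeping the asset register current and baselining normal conditions, reinforce each other: a baseline tells you when a known host behaves abnormally, and the register tells you which hosts should not be on the wire at all. The following is an added example, not code from the article or its author, showing both checks over constructed data: seven days of daily outbound megabytes per host, one new day to score, and a tiny asset register standing in for a CMDB export. The host addresses, figures and thresholds are all assumptions.

```python
"""Baseline "normal" per-host traffic and reconcile observed hosts with the CMDB.

Added example, not the article's own code. All figures are constructed.
"""
from statistics import mean, pstdev

# Constructed seven-day history of outbound MB per host (hypothetical addresses).
HISTORY = {
    "10.0.1.10": [100, 110, 90, 105, 95, 100, 100],    # web server, mildly variable
    "10.0.1.11": [50, 50, 50, 50, 50, 50, 50],          # perfectly flat history
    "10.0.2.20": [200, 210, 190, 200, 200, 205, 195],  # database replication
}

# Constructed measurements for the day being checked.
TODAY = {
    "10.0.1.10": 400,  # four times its norm
    "10.0.1.11": 52,
    "10.0.2.20": 205,
    "10.0.9.99": 30,   # never seen before
}

# Constructed CMDB export: address -> owning service. 10.0.3.30 is registered but silent.
CMDB = {
    "10.0.1.10": "web-frontend",
    "10.0.1.11": "web-frontend",
    "10.0.2.20": "database",
    "10.0.3.30": "backup",
}


def build_baseline(history, min_days=5):
    """Mean and population standard deviation per host, skipping hosts with too little history."""
    baseline = {}
    for host, samples in history.items():
        if len(samples) < min_days:
            continue  # not enough data to call anything "normal" yet
        baseline[host] = (mean(samples), pstdev(samples))
    return baseline


def score_day(baseline, today, z_threshold=3.0, ratio_threshold=1.5):
    """Compare one day's figures with the baseline.

    Returns (host, reason, detail) tuples. A flat history (sigma == 0) would make
    the z-score divide by zero, so those hosts fall back to a simple ratio test,
    and a host that was always silent is flagged on its first byte.
    """
    findings = []
    for host, value in sorted(today.items()):
        if host not in baseline:
            findings.append((host, "no-baseline", value))
            continue
        mu, sigma = baseline[host]
        if sigma == 0:
            if mu == 0:
                if value > 0:
                    findings.append((host, "was-silent", value))
            elif value / mu >= ratio_threshold:
                findings.append((host, "ratio", round(value / mu, 2)))
        else:
            z = (value - mu) / sigma
            if abs(z) >= z_threshold:
                findings.append((host, "zscore", round(z, 1)))
    return findings


def reconcile_cmdb(observed_hosts, cmdb):
    """Hosts on the wire but not in the CMDB, and CMDB entries that produced no traffic."""
    unknown = sorted(h for h in observed_hosts if h not in cmdb)
    silent = sorted(h for h in cmdb if h not in observed_hosts)
    return unknown, silent


if __name__ == "__main__":
    baseline = build_baseline(HISTORY)
    for finding in score_day(baseline, TODAY):
        print("anomaly:", finding)
    unknown, silent = reconcile_cmdb(TODAY.keys(), CMDB)
    print("not in CMDB:", unknown)
    print("in CMDB but silent:", silent)
```

The z-score threshold and the ratio fallback are deliberately simple; the point is that each finding names a host the defender already knows something about, which is what turns a number into an investigation.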
Richard Norman, CGEIT, CISA, CISM, CRISC
Head of Information Security, Risk and Compliance for the British Council