I recently finished reading “Shoninki: The Secret Teachings of the Ninja” by Master Natori Masazumi – “The 17th-Century manual on the Art of Concealment”. This book is an absolute must for anyone into hacking, penetration testing or any other form of offensive security.

It’s a very short and quick read, only 140 ‘small’ pages of large type. It’s also a very interesting style of very short and succinct chapters (similar to The Art of War), most chapters are only about 2 or 3 pages long.

It was great how the author started out with actually defining ninja’s and ninjutsu. Many people tend to lump Ninjas, Samurais and other eastern warriors together but the Ninjas served a very specific purpose. Ninjas were used for espionage as spies and were thus much more dependent on stealth and concealment than on combat.

I also loved the writing style, it was an excellent way to try and truly convey understanding using written word. I’d like to try and emulate it some day in another book. It gave philosophical foundational information, strategic information and then very nitty gritty tactical information for specific tasks (such as hiding, disguising oneself, sneaking into buildings, manipulating people, etc).

I definitely plan on reading this again and will most likely create a dedicated page for detailing some of the specific points that really ring true for info sec. Some of the points that stood out the most include:

Social Engineering – Ninja Style
Social Engineering for a ninja was beyond a necessary skill. If you’re caught trying to SE someone during a penetration test, you simply might not succeed. If you’re caught trying to social engineer someone in 17th century Japan, you get killed. One of the most resounding points from the book is that to be a successful ninja you must have zero ego. This excerpt sums it up:

We also can find more specifically Buddhist and even Zen teachings in this book. For example, in the eighth chapter of the middle scroll, it is explained that it is necessary to be "empty", in other words impartial and freed from the ego, with complete absence of self-attachment. As a ninja was adept at worming information from an adversary by flattering his vanity and stroking his ego, if he was himself liberated from this weakness he would be that much more effective: "This is why it is so important to be able to leave your ego to the side."

This fact still rings true today for the most effective social engineers and hackers. Letting go of your ego and taking the path that is necessary will lead to success.

Found In Translation
Often times when reading books like this I wonder how much of the actual content is being lost in translation. Many people forget that languages do not inherently have a one to one mapping of words, thus some phrases used may seem odd. If however you try to understand the thoughts they are trying to convey you stand to learn a lot. One of the best examples of this in the book is the term they called ‘Sounding your enemies heart’.
Sounding your enemies heart essentially means understanding your targets true MO, feelings, wants, fears, ambitions, intentions, etc. To fully understand them so that you can manipulate them to meet your espionage needs. Using the term sounding rather than simply saying ‘understanding’ is a little more complex than I can explain here. For me the key difference in using the word ‘sounding’ is that you approach an individual to quietly and surreptitiously ‘observe’ them without applying preconceived ideas onto them.
The manual goes into further detail on the importance of understanding yourself and your heart.

Principle vs Knowledge
The manual also explained the difference between what the Ninja called Principle and Knowledge.  A quote from the book will explain it nicely;

What we call principle is permanent.  It is immutable essence.  Growing knowledge is certainly of value, but knowledge is subject to ceaseless change.  The fundamental principle, to the contrary, is quantifiable, and when studied attentively, makes everything clear.  It is more important than knowledge, which can cast a shadow on clarity.

Later in the chapter it says
Consequently, it should be realized that principle leads to authentic understanding while knowledge is an illusion. When you instill calm in your heart, the words you speak will be wonderful. When feelings pop up suddenly and disrupt reason, knowledge will become confused first of all, then the principle will become distorted, making the essence of things even harder to discern. This is a snare that you must therefore elude.

Conclusion
Ironically, but maybe not surprisingly, there are so many parallels between cyber security and 17th century stealth tactics. This book was so fascinating, enlightening, and poetic; it’s an absolute must read for anyone in Information Security.