Cybersecurity and Swords

Cybersecurity and Swords

Cybersecurity Lessons from a 17th-century Belgian Fencing Master

Jori VanAntwerp, CEO SynSaber
Jori VanAntwerp
CEO, SynSaber

Swords and cybersecurity may seem like very different topics, but there are some valuable lessons we security practitioners can learn from sword fighting techniques. Here at SynSaber, we’re inspired by legendary fencing master Gerard Thibault, author of Academie de l’Espée (The Academy of the Sword). As mentioned on our Company page, many elements of our organization, from our name and logo to our product architecture, draw inspiration from Thibault’s writings and the illustrations within his tome. Let’s go through some of the lessons about cybersecurity that we can glean from Thibault and other masters.

The Mysterious Circle

The Mysterious Circle, depicted below, represents the geometric relationship between opposing duellists and their reach, range, and natural proportions. I’m sure most readers are familiar with the quote from Sun Tzu about knowing thyself and thy enemy, and the Mysterious Circle is a representation of what that might look like if displayed in the form of a geometric drawing. Thibault placed so much importance on the Mysterious Circle that he dedicated several chapters of his book to describing in extreme detail “the manner of laying out the circle on the ground, with all its appurtenances.”

Gerard Thibault Mysterious Circle
Table 1 from The Academy of the Sword

The sections detailing the Mysterious Circle are not what you’d call page-turners by any stretch of the imagination. That is unless you get excited by a quote like “The figure that contains within itself three-fourths of each quadrangle, with two equal parallelograms going out to each side to the circumference, will be called the quadrate,” in which case, more power to ya. In comparing the Mysterious Circle to cybersecurity practices, we can think of it as comprehending our capabilities and potential weaknesses and understanding our entire landscape. While this isn’t the most glamorous or thrilling part of our jobs, it is fundamental, and all other steps depend upon our ability to grasp what’s in our environment.

Closing the Straight Line

The practice of “closing the straight line” involves positioning the sword in such a manner that your opponent cannot enter your area without having to deal with your blade. In cybersecurity, this could take the form of a firewall, network segmentation, zero trust, or other methods of hardening your infrastructure.

Threat actors are often looking for easy prey, so if a network or system gives them an abundance of barriers to push through, only the most motivated attackers will persist. In other words, don’t make it easy for them! “Alexander perceives the imbrocade that his opponent has begun against him. All at the same time, he forestalls the opposing sword by turning the left side of his body outwards, and puts his point against Zachary’s eyes.” Brutal.

Gerard Thibault Sword Technique Table 8
Table 8 from The Academy of the Sword (Look out, Zachary)

Obliging the Blade

“Of all the previous chapters there is not one that demonstrates more clearly the excellence of the true practice of swordsmanship than that which follows.” — Now THAT’S what I call an opening sentence. 👏 In chapter 19 of The Academy of the Sword, Thibault covers this practice of bringing your sword beneath an opponent’s and pushing up on their blade, partly controlling its movements.

While we can’t control an adversary’s movements, we can limit their access and restrict their actions through solid cybersecurity practices. Reduce (or remove entirely if possible) remote access, have substantial documentation regarding mobile devices or BYOD, deny by default whenever feasible.

Attack of First Intention

In writing about the “Attack of First Intention,” Thibault describes the practice as an attack that is launched the moment an opponent comes into the “First Instance,” or outermost point of the circle. From chapter 21: “… the first intention is that which comes before all others; and therefore, we call the attack of first intention that which is made against the enemy from the First Instance, without trying to subject the sword first.”

In this industry, we’re often guilty of falling victim to “shiny object syndrome” or jumping on the next piece of tech that hits every trending buzzword. This is akin to a fencer focusing on a sword or a hand rather than taking in their opponent as a whole. It’s essential to have solid foundational cybersecurity practices in place before adding levels of complexity or additional tools, even the ones with fancy bells and whistles.

Or as our friendly quartermaster Gerard Thibault would say, “If they wish to learn these, they must learn the others first, for if it is impossible for them to do one thing alone and by itself, that is, subjecting the sword without making the attack, it will be even more difficult for them to do both in the same time.”

~Jori 🤘 ⚔️

(PS – if you get the itch to create your very own Mysterious Circle, check out this excellent step-by-step aid from the Historic Combat website: